Description
openedon Jul 4, 2024
Kibana version: 8.14.1
Elasticsearch version: 8.14.1
Server OS version: Ubuntu 20.04.6
Browser version: Edge 126.0.2592.81
Browser OS version: Windows 10 22H2
Original install method (e.g. download page, yum, from source, etc.): ECE
Describe the bug:
Disabling features in a space impacts the API privileges on that feature. Discovered when trying to delete Data Views from a Space with superuser role.
Steps to reproduce:
- All actions performed as superuser.
- Create a space with Data Views disabled:
POST kbn:/api/spaces/space
{
"id": "test",
"name": "Test-Space",
"disabledFeatures": [
"indexPatterns"
]
}
- In my case Data Views had been added before features were disabled but at this point I can't even create a Data View:
POST kbn:/s/test/api/data_views/data_view
{
"data_view": {
"title": "logs-*",
"name": "Logs DV"
}
}
Response:
{
"statusCode": 400,
"error": "Bad Request",
"message": "Operation failed due to insufficient access, id: undefined"
}
- Works fine if the disabled feature is dropped:
PUT kbn:/api/spaces/space/test
{
"id": "test",
"name": "Test-Space",
"disabledFeatures": [
]
}
Expected behavior:
As a superuser I should be able to create and delete Data Views as required for a target space even if the feature is disabled.
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context:
I can work around this by making an API call to edit the disabledFeature list but this is not ideal in a production environment.
