@legrego legrego commented Oct 27, 2018

Fixes #17922

This PR allows the status page to be accessed without authentication when status.allowAnonymous is set to true. This functionality previously existed, but was broken some time ago.

What's changed

  1. When accessing the status page anonymously, the page will be loaded with default advanced settings. The user-specified advanced settings cannot be loaded, because access to the config saved object requires authentication & authorization.
  2. When accessing the status page anonymously, the page will be loaded without the user profile in the main Kibana nav. Since this is an anonymous user, there is no sense in loading the profile. Additionally, the profile tries to resolve the current user, which requires authentication.
  3. When accessing the status page anonymously, the page will be loaded without the space avatar in the main Kibana nav. Having the status page load within the context of any space requires authentication & authorization.
  4. When accessing the status page anonymously, the banner warning of license expiration is disabled, because this requires fetching x-pack license info, which in turn requires authentication.
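
An added example, not part of this PR or of Kibana's code: a check a deployer could run over the results of unauthenticated requests to confirm that `status.allowAnonymous` opens the status routes and nothing else. It assumes security is enabled; the probe record shape, the `/api/status`, `/app/kibana` and saved-objects paths, and the status codes are constructed for illustration.

```javascript
// Added example: compare unauthenticated probe results with the intended
// status.allowAnonymous setting. Probe shape and non-/status paths are assumptions.

// Routes expected to answer without credentials when the setting is true.
const STATUS_ROUTES = ['/status', '/api/status'];

// 2xx means the route was served; a redirect (for example to a login page)
// or a 401/403 means the route demanded authentication.
function servedAnonymously(probe) {
  return probe.statusCode >= 200 && probe.statusCode < 300;
}

// Ignore the query string and trailing slashes when matching the route.
function isStatusRoute(path) {
  const clean = path.split('?')[0].replace(/\/+$/, '') || '/';
  return STATUS_ROUTES.includes(clean);
}

// Returns findings; an empty list means behaviour matches the configured intent.
function auditAnonymousAccess(allowAnonymous, probes) {
  const findings = [];
  for (const probe of probes) {
    const served = servedAnonymously(probe);
    if (isStatusRoute(probe.path)) {
      if (allowAnonymous && !served) {
        findings.push({ path: probe.path, issue: 'status-blocked-despite-setting' });
      } else if (!allowAnonymous && served) {
        findings.push({ path: probe.path, issue: 'status-exposed-without-setting' });
      }
    } else if (served) {
      // The setting should not open anything beyond the status routes.
      findings.push({ path: probe.path, issue: 'non-status-route-anonymous' });
    }
  }
  return findings;
}

// Constructed sample: responses to requests sent with no credentials.
const SAMPLE_PROBES = [
  { path: '/status', statusCode: 302 }, // status page still demanding login
  { path: '/api/status', statusCode: 200 },
  { path: '/app/kibana', statusCode: 302 },
  { path: '/api/saved_objects/_find?type=config', statusCode: 401 },
];

console.log(auditAnonymousAccess(true, SAMPLE_PROBES));
```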

@legrego legrego added the Team:Security (Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc) label Oct 27, 2018
@elasticmachine

💔 Build Failed

legrego commented Oct 27, 2018

Retest

@elasticmachine

💚 Build Succeeded

@legrego legrego force-pushed the statusPage/allowAnon branch from 6281a5e to f0187a4 Compare November 1, 2018 13:23
@elasticmachine

💚 Build Succeeded

legrego commented Nov 1, 2018

@kobelb ready for re-review whenever you are

@kobelb kobelb left a comment

LGTM

@legrego legrego removed the v6.5.0 label Nov 2, 2018
legrego commented Nov 2, 2018

We missed the 6.4.3 and 6.5.0 deadlines, so we will target this for 7.0, 6.6, and the next available 6.5.x release, if possible.

@legrego legrego added the v6.5.1 label Nov 9, 2018
@legrego legrego force-pushed the statusPage/allowAnon branch from f0187a4 to 80a9475 Compare November 13, 2018 15:52
@elasticmachine

💔 Build Failed

@legrego legrego force-pushed the statusPage/allowAnon branch from 80a9475 to 35e598c Compare November 13, 2018 19:37
@elasticmachine

💚 Build Succeeded

@spalger spalger added v6.5.1 and removed v6.5.1 labels Nov 14, 2018
@legrego legrego merged commit d8f8a0c into elastic:master Nov 14, 2018
legrego added a commit to legrego/kibana that referenced this pull request Nov 14, 2018
* fix status.allowAnonymous

* address PR feedback
legrego added a commit to legrego/kibana that referenced this pull request Nov 14, 2018
* fix status.allowAnonymous

* address PR feedback
spalger pushed a commit that referenced this pull request Nov 20, 2018
* fix status.allowAnonymous

* address PR feedback
spalger pushed a commit that referenced this pull request Nov 20, 2018
* Fix anonymous access to status page (#24706)

* fix status.allowAnonymous

* address PR feedback

* fix backport
spalger commented Nov 20, 2018

6.x/6.6: 3dc7928
6.5: 3ab10c1

legrego commented Nov 26, 2018

Thanks for taking care of the merges while I was out @spalger!

@legrego legrego deleted the statusPage/allowAnon branch November 26, 2018 14:48

Labels

release_note:fix, Team:Security (Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc), v6.5.2, v6.6.0, v7.0.0

Development

Successfully merging this pull request may close these issues.

status.allowAnonymous: true doesn't allow access to /status