-
Notifications
You must be signed in to change notification settings - Fork 25.4k
Change reporting_user role to leverage reserved kibana privileges #132766
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
bcb49a5
to
efecf69
Compare
8d03426
to
52c0b3e
Compare
3 tasks
Kibana PR: elastic/kibana#231533 |
Pinging @elastic/es-security (Team:Security) |
...core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java
Show resolved
Hide resolved
slobodanadamovic
approved these changes
Aug 18, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍
Hi @legrego, I've created a changelog YAML for you. Note that since this PR is labelled |
This was referenced Aug 18, 2025
legrego
added a commit
to legrego/elasticsearch
that referenced
this pull request
Aug 18, 2025
…astic#132766) * Change reporting_user role to leverage reserved kibana privileges * [CI] Auto commit changes from spotless * Mark reporting_user role as deprecated * Update docs/changelog/132766.yaml * Update release notes --------- Co-authored-by: elasticsearchmachine <[email protected]>
legrego
added a commit
to legrego/elasticsearch
that referenced
this pull request
Aug 18, 2025
…astic#132766) * Change reporting_user role to leverage reserved kibana privileges * [CI] Auto commit changes from spotless * Mark reporting_user role as deprecated * Update docs/changelog/132766.yaml * Update release notes --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 18, 2025
…32766) (#133078) * Change reporting_user role to leverage reserved kibana privileges * [CI] Auto commit changes from spotless * Mark reporting_user role as deprecated * Update docs/changelog/132766.yaml * Update release notes --------- Co-authored-by: elasticsearchmachine <[email protected]>
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 18, 2025
…32766) (#133079) * Change reporting_user role to leverage reserved kibana privileges * [CI] Auto commit changes from spotless * Mark reporting_user role as deprecated * Update docs/changelog/132766.yaml * Update release notes --------- Co-authored-by: elasticsearchmachine <[email protected]>
rjernst
pushed a commit
to rjernst/elasticsearch
that referenced
this pull request
Aug 18, 2025
…astic#132766) * Change reporting_user role to leverage reserved kibana privileges * [CI] Auto commit changes from spotless * Mark reporting_user role as deprecated * Update docs/changelog/132766.yaml * Update release notes --------- Co-authored-by: elasticsearchmachine <[email protected]>
szybia
added a commit
to szybia/elasticsearch
that referenced
this pull request
Aug 19, 2025
…improv * upstream/main: (92 commits) ESQL: mark LOOKUP JOIN as ExecutesOn.Any by default (elastic#133064) Fix 404s in REST API landing page (elastic#133086) Fix release tests for OptimizerVerificationTests (elastic#133100) Make Glob non-recursive (elastic#132798) Update ES|QL function list for release versions (elastic#133096) Split transport version func test into abstract base (elastic#133035) Omit project ID from snapshot metrics (elastic#133098) Mute org.elasticsearch.xpack.esql.analysis.AnalyzerTests testNoDenseVectorFailsForMagnitude elastic#133013 Mute org.elasticsearch.xpack.esql.optimizer.OptimizerVerificationTests testRemoteEnrichAfterCoordinatorOnlyPlans elastic#133015 Mute org.elasticsearch.test.rest.yaml.CcsCommonYamlTestSuiteIT test {p0=search/160_exists_query/Test exists query on _id field} elastic#133097 Rename initial to unreferenced in transport versions (elastic#133082) Rename exception type header (elastic#133045) ESQL: Pluggable tests for Operator status (elastic#132876) ESQL: Mark new signatures in MIN and MAX (elastic#132980) Don't try to serialize half-baked cluster info (elastic#132756) migrate ml_rollover_legacy_indices transport version (elastic#133008) Enable `exclude_source_vectors` by default for new indices (elastic#131907) Expose APIs needed by flush during translog replay (elastic#132960) Change reporting_user role to leverage reserved kibana privileges (elastic#132766) Update TasksIT for batched execution (elastic#132762) ...
szybia
added a commit
to szybia/elasticsearch
that referenced
this pull request
Aug 19, 2025
* upstream/main: (58 commits) ESQL: mark LOOKUP JOIN as ExecutesOn.Any by default (elastic#133064) Fix 404s in REST API landing page (elastic#133086) Fix release tests for OptimizerVerificationTests (elastic#133100) Make Glob non-recursive (elastic#132798) Update ES|QL function list for release versions (elastic#133096) Split transport version func test into abstract base (elastic#133035) Omit project ID from snapshot metrics (elastic#133098) Mute org.elasticsearch.xpack.esql.analysis.AnalyzerTests testNoDenseVectorFailsForMagnitude elastic#133013 Mute org.elasticsearch.xpack.esql.optimizer.OptimizerVerificationTests testRemoteEnrichAfterCoordinatorOnlyPlans elastic#133015 Mute org.elasticsearch.test.rest.yaml.CcsCommonYamlTestSuiteIT test {p0=search/160_exists_query/Test exists query on _id field} elastic#133097 Rename initial to unreferenced in transport versions (elastic#133082) Rename exception type header (elastic#133045) ESQL: Pluggable tests for Operator status (elastic#132876) ESQL: Mark new signatures in MIN and MAX (elastic#132980) Don't try to serialize half-baked cluster info (elastic#132756) migrate ml_rollover_legacy_indices transport version (elastic#133008) Enable `exclude_source_vectors` by default for new indices (elastic#131907) Expose APIs needed by flush during translog replay (elastic#132960) Change reporting_user role to leverage reserved kibana privileges (elastic#132766) Update TasksIT for batched execution (elastic#132762) ...
darnautov
pushed a commit
to elastic/kibana
that referenced
this pull request
Aug 20, 2025
## Summary We want to switch the reserved `reporting_user` role to use a "reserved privilege definition" and uses just that privilege. This PR satisfies the Kibana requirements. There is a corresponding Elasticsearch PR: elastic/elasticsearch#132766 ## Testing **NOTE: PNG/PDF reporting requires a Trial, or Gold+ license** 1. Create `test_reporting_user` role ``` POST /_security/role/test_reporting_user { "cluster": [], "indices": [], "application": [{ "application": "kibana-*", "privileges": ["reserved_reporting_user"], "resources": ["*"] }] } ``` 2. Create `test_analyst_user` role ``` POST /_security/role/test_analyst_user { "cluster": [], "indices": [ { "names": ["kibana_sample_*"], "privileges": ["all"], "field_security": { "grant": ["*"], "except": [] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_discover_v2.read", "feature_dashboard_v2.read", "feature_canvas.read", "feature_visualize_v2.read" ], "resources": ["space:default"] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } ``` 3. Create a test user with just those two roles. Install sample data. Log in using the new test user. 4. Test cases | App | Reporting feature |-|- | Dashboard | PDF, PNG, CSV (from saved search panel action) | Discover | CSV | Canvas | PDF | Lens | PDF, PNG | Stack Management | List reports, download reports, view report info, delete reports 6. As admin, create an additional Space which the test user should not have access to. Ensure the test user does not have access to those spaces. 7. Remove the `test_reporting_user` role from the user and ensure they do not see any Reporting controls in the UI, and can not access Stack Management > Reporting. ## Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - ~~[ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~ - ~~[ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - ~~[ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~ - ~~[ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.~~ - ~~[ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed~~ - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: Larry Gregory <[email protected]>
darnautov
pushed a commit
to darnautov/kibana
that referenced
this pull request
Aug 20, 2025
…231533) ## Summary We want to switch the reserved `reporting_user` role to use a "reserved privilege definition" and uses just that privilege. This PR satisfies the Kibana requirements. There is a corresponding Elasticsearch PR: elastic/elasticsearch#132766 ## Testing **NOTE: PNG/PDF reporting requires a Trial, or Gold+ license** 1. Create `test_reporting_user` role ``` POST /_security/role/test_reporting_user { "cluster": [], "indices": [], "application": [{ "application": "kibana-*", "privileges": ["reserved_reporting_user"], "resources": ["*"] }] } ``` 2. Create `test_analyst_user` role ``` POST /_security/role/test_analyst_user { "cluster": [], "indices": [ { "names": ["kibana_sample_*"], "privileges": ["all"], "field_security": { "grant": ["*"], "except": [] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_discover_v2.read", "feature_dashboard_v2.read", "feature_canvas.read", "feature_visualize_v2.read" ], "resources": ["space:default"] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } ``` 3. Create a test user with just those two roles. Install sample data. Log in using the new test user. 4. Test cases | App | Reporting feature |-|- | Dashboard | PDF, PNG, CSV (from saved search panel action) | Discover | CSV | Canvas | PDF | Lens | PDF, PNG | Stack Management | List reports, download reports, view report info, delete reports 6. As admin, create an additional Space which the test user should not have access to. Ensure the test user does not have access to those spaces. 7. Remove the `test_reporting_user` role from the user and ensure they do not see any Reporting controls in the UI, and can not access Stack Management > Reporting. ## Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - ~~[ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~ - ~~[ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - ~~[ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~ - ~~[ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.~~ - ~~[ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed~~ - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: Larry Gregory <[email protected]> (cherry picked from commit f9be58b) # Conflicts: # x-pack/platform/test/reporting_api_integration/reporting_and_security/default_reporting_user_role.ts
darnautov
pushed a commit
to darnautov/kibana
that referenced
this pull request
Aug 20, 2025
…231533) ## Summary We want to switch the reserved `reporting_user` role to use a "reserved privilege definition" and uses just that privilege. This PR satisfies the Kibana requirements. There is a corresponding Elasticsearch PR: elastic/elasticsearch#132766 ## Testing **NOTE: PNG/PDF reporting requires a Trial, or Gold+ license** 1. Create `test_reporting_user` role ``` POST /_security/role/test_reporting_user { "cluster": [], "indices": [], "application": [{ "application": "kibana-*", "privileges": ["reserved_reporting_user"], "resources": ["*"] }] } ``` 2. Create `test_analyst_user` role ``` POST /_security/role/test_analyst_user { "cluster": [], "indices": [ { "names": ["kibana_sample_*"], "privileges": ["all"], "field_security": { "grant": ["*"], "except": [] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_discover_v2.read", "feature_dashboard_v2.read", "feature_canvas.read", "feature_visualize_v2.read" ], "resources": ["space:default"] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } ``` 3. Create a test user with just those two roles. Install sample data. Log in using the new test user. 4. Test cases | App | Reporting feature |-|- | Dashboard | PDF, PNG, CSV (from saved search panel action) | Discover | CSV | Canvas | PDF | Lens | PDF, PNG | Stack Management | List reports, download reports, view report info, delete reports 6. As admin, create an additional Space which the test user should not have access to. Ensure the test user does not have access to those spaces. 7. Remove the `test_reporting_user` role from the user and ensure they do not see any Reporting controls in the UI, and can not access Stack Management > Reporting. ## Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - ~~[ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~ - ~~[ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - ~~[ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~ - ~~[ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.~~ - ~~[ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed~~ - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: Larry Gregory <[email protected]> (cherry picked from commit f9be58b) # Conflicts: # src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_csv_modal_reporting.tsx # src/platform/packages/private/kbn-reporting/public/share/share_context_menu/register_pdf_png_modal_reporting.tsx # src/platform/test/functional/page_objects/export_page.ts # x-pack/platform/plugins/private/reporting/server/plugin.test.ts # x-pack/test/api_integration/apis/features/features/features.ts # x-pack/test/reporting_api_integration/reporting_and_security/default_reporting_user_role.ts # x-pack/test/reporting_api_integration/services/scenarios.ts # x-pack/test/reporting_functional/services/scenarios.ts
darnautov
added a commit
to elastic/kibana
that referenced
this pull request
Aug 20, 2025
…31533) (#232384) # Backport This will backport the following commits from `main` to `9.1`: - [Add `reporting_user` feature for reserved set of privileges (#231533)](#231533) <!--- Backport version: 10.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Tim Sullivan","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-20T11:57:52Z","message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.2.0","v9.1.3","v9.0.6"],"title":"Add `reporting_user` feature for reserved set of privileges","number":231533,"url":"https://github.com/elastic/kibana/pull/231533","mergeCommit":{"message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/231533","number":231533,"mergeCommit":{"message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Tim Sullivan <[email protected]>
darnautov
added a commit
to elastic/kibana
that referenced
this pull request
Aug 20, 2025
…31533) (#232396) # Backport This will backport the following commits from `main` to `9.0`: - [Add `reporting_user` feature for reserved set of privileges (#231533)](#231533) <!--- Backport version: 10.0.1 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Tim Sullivan","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-08-20T11:57:52Z","message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","backport:version","v9.2.0","v9.1.3","v9.0.6"],"title":"Add `reporting_user` feature for reserved set of privileges","number":231533,"url":"https://github.com/elastic/kibana/pull/231533","mergeCommit":{"message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},"sourceBranch":"main","suggestedTargetBranches":["9.1","9.0"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/231533","number":231533,"mergeCommit":{"message":"Add `reporting_user` feature for reserved set of privileges (#231533)\n\n## Summary\n\nWe want to switch the reserved `reporting_user` role to use a \"reserved\nprivilege definition\" and uses just that privilege. This PR satisfies\nthe Kibana requirements. There is a corresponding Elasticsearch PR:\nhttps://github.com/elastic/elasticsearch/pull/132766\n\n## Testing\n**NOTE: PNG/PDF reporting requires a Trial, or Gold+ license**\n\n1. Create `test_reporting_user` role\n\n ```\n POST /_security/role/test_reporting_user\n {\n \"cluster\": [],\n \"indices\": [],\n \"application\": [{\n \"application\": \"kibana-*\",\n \"privileges\": [\"reserved_reporting_user\"],\n \"resources\": [\"*\"]\n }]\n }\n ```\n\n2. Create `test_analyst_user` role\n\n ```\n POST /_security/role/test_analyst_user\n {\n \"cluster\": [],\n \"indices\": [\n {\n \"names\": [\"kibana_sample_*\"],\n \"privileges\": [\"all\"],\n \"field_security\": {\n \"grant\": [\"*\"],\n \"except\": []\n },\n \"allow_restricted_indices\": false\n }\n ],\n \"applications\": [\n {\n \"application\": \"kibana-.kibana\",\n \"privileges\": [\n \"feature_discover_v2.read\",\n \"feature_dashboard_v2.read\",\n \"feature_canvas.read\",\n \"feature_visualize_v2.read\"\n ],\n \"resources\": [\"space:default\"]\n }\n ],\n \"run_as\": [],\n \"metadata\": {},\n \"transient_metadata\": {\n \"enabled\": true\n }\n }\n ```\n\n3. Create a test user with just those two roles. Install sample data.\nLog in using the new test user.\n4. Test cases\n\n | App | Reporting feature\n |-|-\n | Dashboard | PDF, PNG, CSV (from saved search panel action)\n | Discover | CSV\n | Canvas | PDF\n | Lens | PDF, PNG\n| Stack Management | List reports, download reports, view report info,\ndelete reports\n\n6. As admin, create an additional Space which the test user should not\nhave access to. Ensure the test user does not have access to those\nspaces.\n7. Remove the `test_reporting_user` role from the user and ensure they\ndo not see any Reporting controls in the UI, and can not access Stack\nManagement > Reporting.\n\n## Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- ~~[ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~\n- ~~[ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials~~\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- ~~[ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~\n- ~~[ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.~~\n- ~~[ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed~~\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n---------\n\nCo-authored-by: Larry Gregory <[email protected]>","sha":"f9be58be65e59b85dc6c4d8fa74970a4f8c1971e"}},{"branch":"9.1","label":"v9.1.3","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"9.0","label":"v9.0.6","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: Tim Sullivan <[email protected]> Co-authored-by: Brandon Kobel <[email protected]>
legrego
added a commit
to elastic/docs-content
that referenced
this pull request
Aug 26, 2025
This marks the `reporting_user` role as deprecated, in favor of custom roles which leverage Kibana feature privileges. Relates: elastic/elasticsearch#132766 --------- Co-authored-by: shainaraskas <[email protected]>
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Aug 26, 2025
…231533) ## Summary We want to switch the reserved `reporting_user` role to use a "reserved privilege definition" and uses just that privilege. This PR satisfies the Kibana requirements. There is a corresponding Elasticsearch PR: elastic/elasticsearch#132766 ## Testing **NOTE: PNG/PDF reporting requires a Trial, or Gold+ license** 1. Create `test_reporting_user` role ``` POST /_security/role/test_reporting_user { "cluster": [], "indices": [], "application": [{ "application": "kibana-*", "privileges": ["reserved_reporting_user"], "resources": ["*"] }] } ``` 2. Create `test_analyst_user` role ``` POST /_security/role/test_analyst_user { "cluster": [], "indices": [ { "names": ["kibana_sample_*"], "privileges": ["all"], "field_security": { "grant": ["*"], "except": [] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_discover_v2.read", "feature_dashboard_v2.read", "feature_canvas.read", "feature_visualize_v2.read" ], "resources": ["space:default"] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } ``` 3. Create a test user with just those two roles. Install sample data. Log in using the new test user. 4. Test cases | App | Reporting feature |-|- | Dashboard | PDF, PNG, CSV (from saved search panel action) | Discover | CSV | Canvas | PDF | Lens | PDF, PNG | Stack Management | List reports, download reports, view report info, delete reports 6. As admin, create an additional Space which the test user should not have access to. Ensure the test user does not have access to those spaces. 7. Remove the `test_reporting_user` role from the user and ensure they do not see any Reporting controls in the UI, and can not access Stack Management > Reporting. ## Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - ~~[ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)~~ - ~~[ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - ~~[ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)~~ - ~~[ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.~~ - ~~[ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed~~ - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: Larry Gregory <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
auto-backport
Automatically create backport pull requests when merged
>deprecation
:Security/Authorization
Roles, Privileges, DLS/FLS, RBAC/ABAC
Team:Security
Meta label for security team
v9.0.6
v9.1.3
v9.2.0
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR reverts #118058 in favor of a reserved Kibana privilege.
Updates the built-in
reporting_user
role to leverage a newreporting_user
reserved privilege. This more closely aligns with the way this role behaved in previous versions.This also marks the role as
deprecated
again, with the recommendation to leverage Kibana's feature privileges for more fine-grained control over reporting features.