Fixes introduced here will work only for new installations where the index in OpenSearch does not exist. To address this issue I’ve created a follow-up task -
Krzysztof Jaśkiewicz, April 7, 2023 at 7:58 AM
3.5.x cherry picks:
Krzysztof Jaśkiewicz, March 27, 2023 at 6:36 PM
reporting PR: useradm-enterprise PR:
Krzysztof Jaśkiewicz, March 23, 2023 at 8:38 PM (edited)
first step to solve the issue:
Krzysztof Jaśkiewicz, March 23, 2023 at 11:02 AM
The only reporting endpoint we have in role definitions is /devices/search, so all other endpoints are accessible only by admin users. Also, in the reporting we apply RBAC in the /devices/* handlers (search and aggregate) but not in the /deployments/devices/* handlers.
Reproduction:
1. accept a device
2. add it to a static group
3. create a role with access to the aforementioned static group
4. create a user with only the created role
5. log in as the newly created user
6. wait for the RBAC error responses to come in
   - dashboard widget usage no longer possible (it was until 3.4)
   - device filtering no longer possible

Expectation:
- dashboard widget usage possible for the group the role has access to
- filtering possible within the group the role has access to
Refs:
video from e2e
screen shot
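
The two gaps named in the March 23 comment above (only /devices/search appears in role definitions, and group scoping exists in the /devices/* handlers but not in the /deployments/devices/* ones) can be caught by auditing the route table against the role definitions. This is an added example, not code from the project: the Route type, the Audit function, the "/*" wildcard syntax and every sub-path other than /devices/search are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is one endpoint of a hypothetical reporting-style service.
type Route struct {
	Path         string
	ScopesGroups bool // true if the handler filters results by the caller's groups
}

// Constructed sample: sub-paths other than /devices/search are assumptions.
var sampleRoutes = []Route{
	{"/devices/search", true}, {"/devices/aggregate", true},
	{"/deployments/devices/search", false},
}

// matches supports exact paths and a trailing "/*" prefix wildcard.
func matches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "/*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Audit maps each route a group-limited role cannot safely use to the reason.
func Audit(routes []Route, roleEndpoints []string) map[string]string {
	findings := map[string]string{}
	for _, r := range routes {
		allowed := false
		for _, p := range roleEndpoints {
			allowed = allowed || matches(p, r.Path)
		}
		switch {
		case !allowed && !r.ScopesGroups:
			findings[r.Path] = "admin-only; handler also lacks group scoping"
		case !allowed:
			findings[r.Path] = "admin-only; missing from role definitions"
		case !r.ScopesGroups:
			findings[r.Path] = "role can call it but results are not group-scoped"
		}
	}
	return findings
}

func main() {
	fmt.Println(Audit(sampleRoutes, []string{"/devices/search"}))
}
```

The third finding is the one to watch when widening a role: adding an endpoint to the role definitions before its handler applies group scoping trades an access-denied error for unscoped results.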