Delete Filters in Dashboards are not appearing for readonly roles after ROR


(Roger Seth) #1

@sscarduzio Noticed something i wanted to bring to your attention. After installing ROR Pro, In the dashboards, when we select a visualization, and drill down into a specific time interval, in a readonly role, the “delete” icon has disappeared.
While we want readonly capabilities across the kibana stack as intended, the “delete” icon is something we dont want removed as its a very common feature that people use to delete filters on the dashboards and it doesnt impact and write functionality. Is there a way for us to fix the ACL rule so as to allow this? PS : not sure if this is a bug because of the “ro” access in kibana_access entry!

- name: "::RO::"
  auth_key: converse:converseread
  kibana_access: ro
  indices: [ ".kibana", ".kibana-devnull", "logstash-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "timelion", "kibana:dev_tools", "kibana:management"]
  verbosity: info

image


(Simone Scarduzio) #2

Hi Roger, I really think the absence of the delete button is coming from ROR UI mods in case the kibana access of the current user is RO or RO strict.

A workaround is to add custom style tag via the kibana.yml file and change the visibility of that specific CSS selector. Will have a look and try to not hide it from the next version of ROR PRO/Enterprise.


(Roger Seth) #3

thanks @sscarduzio - that will be great. For now we are telling our users to refresh the whole screen to go back to default filterless view. this will only be a problem for the users who are enabling multiple filters and want to delete them one by one but we can live with it until the release!

cheers


(Roger Seth) #4

@sscarduzio Any idea when this could be targetted for release? FYI we are targetting a release for the day after 7/12 EST. Were curious to see if the overlay fix for enabling delete filters even on “ro” could be available before that? No worries if this isn’t possible.


(Simone Scarduzio) #5

Hi Roger,

Please test 1.16.22, there is a fix already.


(Roger Seth) #6

image

odd. I logged in as an “ro” user but i still don’t see the delete icon.

it does appear in the “rw” role

image


(Simone Scarduzio) #7

Strange, what browser is this? I have those in my dev env. No cache involved?


(Roger Seth) #8

hey @sscarduzio
We tried this on different platforms (windows/MacOS) - deleted cache as well as worked in incognito mode (All in Chrome). Went live and this is also replicated in our PROD environment. Let me know if you need any specific info/dev tool logs etc from me to help debug this?


(Simone Scarduzio) #9

OK Chrome should definitely work with the selector we are using. Let me try to reproduce this using a stock ES & Kibana distribution, so that I replicate your environment more closely.


(Simone Scarduzio) #10

Hi Roger,
I just installed the latest ROR on a stock Kibana instance downloaded from Elastic website.

[email protected]:/me/tmp/kibana-6.3.0-darwin-x86_64$ cat plugins/readonlyrest_kbn/package.json  |grep version
  "version": "1.16.22",
    "version": "6.3.0"

Then I created a kibana_access: ro user called “rouser”

Then I logged in as “rouser” and added a filter to the “discover” view. Hovered over the filter and the icons are there. Also works if I press the said icons.

Not sure what’s the difference between my and your environment at this point.


(Roger Seth) #11

hey @sscarduzio - I can replicate what you are seeing on local but not on AWS EC2. Any chance you tried this on the cloud?


(Simone Scarduzio) #12

I tried this locally too. Why should it be any different? Any caching in between you and your deployment?


(Roger Seth) #13

Nope - let me walk through our deployment.

Create 6.3.0 Stack using CFTs
Install ROR on Elastic through User-Data
Install ROR on Kibana through User-Data
Ping “awating optimization of browser bundles”
Test Kibana Dashboards through RO and RW roles.

Each deloyment is transactionally isolated and brand new. Our proxies are pass through and don’t cache requests as well (i thought perhaps some problems over there). So technically, there’s no difference between the way we spin up our stack on local vs EC2.


(Simone Scarduzio) #14

So well, nothing comes to mind except super basic suggestions like: is the user data script pulling the right ROR build for Kibana?


(Roger Seth) #15

Looks like the right one.


(Roger Seth) #16

Also attaching my ROR ACL.

- name: "::RO::"
  auth_key: readonly:readonly
  kibana_access: ro
  indices: [ ".kibana", ".kibana-devnull", "logstash-*"]
  kibana_hide_apps: ["readonlyrest_kbn", "apm", "monitoring", "timelion", "kibana:dev_tools", "kibana:management"]
  verbosity: info

(Roger Seth) #17

It turned out that one of our plugins was overwrriting the commons.styles CSS file where you had put the fixes.
After changing the order of install, the delete filter fix was visible.
Thanks @sscarduzio. We’re good with this fix