I'm trying to check if a user has a specific role using the following Node.js function. However, the clusterClient.asInternalUser.security.getUser() function returns information about all users in Kibana. My goal is to obtain the roles of the logged-in user.
const checkUserRole = (router, clusterClient) => {
  router.post(
    {
      path: '/api/check-user-role',
      validate: false,
    },
    async (context, request, response) => {
      try {
        // Using getUser function to retrieve user information
        const user = await clusterClient.asInternalUser.security.getUser();
        // Check if the user has a specific role
        if (user && user.roles && user.roles.includes('X')) {
          return response.ok({ body: { hasRole: true } });
        } else {
          return response.ok({ body: { hasRole: false } });
        }
      } catch (error) {
        return response.badRequest({ body: { message: error.message } });
      }
    }
  );
};
Is this function correctly checking if the user has a specific role? What would be the best approach to retrieve logged-in user information? Any suggestions would be appreciated. We have the basic version. Thank you!
This route handler will not check if the currently logged-in user has the X role. I believe that will check against the user specified in the elasticsearch.user setting in kibana.yml.
Note: checking if the currently logged-in user belongs to a specific role will not work when using some kinds of authentication, specifically API keys. If the user with the X role creates an API key, when using that API key the role will not be found. This is because API keys are encoded with the privileges that the roles offer at the time the key was created, and the key doesn't have information about the names of the roles that gave those privileges. To work around that, consider using the Kibana Application Privilege model instead.
For more on the Kibana Application Privilege model, see: