…mption

* Beginning to use the ES APIs to insert/check privileges

* Removing todo comment, I think we're good with the current check

* Adding ability to edit kibana application privileges

* Introducing DEFAULT_RESOURCE constant

* Removing unused arguments when performing saved objects auth check

* Performing bulkCreate auth more efficiently

* Throwing error in SavedObjectClient.find if type isn't provided

* Fixing Reporting and removing errant console.log

* Introducing a separate hasPrivileges "service"

* Adding tests and fleshing out the has privileges "service"

* Fixing error message

* You can now edit whatever roles you want

* We're gonna throw the find error in another PR

* Changing conflicting version detection to work when user has no
application privileges

* Throwing correct error when user is forbidden

* Removing unused interceptor

* Adding warning if they're editing a role with application privileges we
can't edit

* Fixing filter...

* Beginning to only update privileges when they need to be

* More tests

* One more test...

* Restricting the rbac application name that can be chosen

* Removing DEFAULT_RESOURCE check

* Supporting 1024 characters for the role name

* Renaming some variables, fixing issue with role w/ no kibana privileges

* Throwing decorated general error when appropriate

* Fixing test description

* Dedent does nothing...

* Renaming some functions

…19511)

* Manually porting over the AuditLogger for use within the security audit
logger

* HasPrivileges now returns the user from the request

* Has privileges returns username from privilegeCheck

* Adding first eventType to the security audit logger

* Adding authorization success message

* Logging arguments when authorization success

* Fixing test description

* Logging args during audit failures

* Porting over the saved objects tests, a bunch are failing, I believe
because security is preventing the requests

* Running saved objects tests with rbac and xsrf disabled

* Adding users

* BulkGet now tests under 3 users

* Adding create tests

* Adding delete tests

* Adding find tests

* Adding get tests

* Adding bulkGet forbidden tests

* Adding not a kibana user tests

* Update tests

* Renaming the actions/privileges to be closer to the functions on the
saved object client itself

* Cleaning up tests and removing without index tests

I'm considering the without index tests to be out of scope for the RBAC
API testing, and we already have unit coverage for these and integration
coverage via the OSS Saved Objects API tests.

* Fixing misspelling

* Adding ability to specify filters when calling the repository

* Implementing find filtering

* Revert "Adding ability to specify filters when calling the repository"

This reverts commit 9da30a1.

* Adding integration tests for find filtering

* Adding forbidden auth logging

* Adding asserts to make sure some audit log isn't used

* Adding more audit log specific tests

* Necessarly is not a work, unfortunately

* Fixing test

* More descriptive name than "result"

* Better unauthorized find message?

* Adding getTypes tests

defaults

…nges (#19839)

* Adding start to supporting basic license and switching to plat/gold

* Initialize application privilages on XPack license change

* restore mirror_status_and_initialize

* additional tests and peer review updates

* Introducing watchStatusAndLicenseToInitialize

* Adding some tests

* One more test

* Even better tests

* Removing unused mirrorStatusAndInitialize

* Throwing an error if the wrong status function is called

* Basic implementation, rather sloppy

* Cleaning stuff up a bit

* Beginning to write tests, going to refactor how we build the privileges

* Making the buildPrivilegesMap no longer return application name as the
main key

* Using real privileges since we need to use them for the legacy fallback

* Adding more tests

* Fixing spelling

* Fixing test description

* Fixing comment description

* Adding similar line breaks in the has privilege calls

* No more settings

* No more rbac enabled setting, we just do RBAC

* Using describe to cleanup the test cases

* Logging deprecations when using the legacy fallback

* Cleaning up a bit...

* Using the privilegeMap for the legacy fallback tests

* Now with even less duplication

* Removing stray `rbacEnabled` from angularjs

@kobelb this seems unrelated to our RBAC Phase 1 work, but I was able to consistently reproduce this on my machine.

Here's a fix for the latest flaky test @kobelb

…#19915)

causing issues that were really hard to replicate

No more hard-coded types! This will make it so that plugins that register their own mappings just transparently work.

This updates RBAC Phase 1 to work against the latest master. Specifically:
1. Removes `xpack_main`'s `registerLicenseChangeCallback`, which we introduced in `security-app-privs`, in favor of `onLicenseInfoChange`, which was recently added to master
2. Updated `x-pack/plugins/security/server/lib/watch_status_and_license_to_initialize.js` to be compliant with rxjs v6

* Retrying initialize 20 times with a scaling backoff

* Logging error when we are registering the privileges

* Beginning to use alternate callWithRequest fallback

* Only use legacy fallback when user has "some" privileges on index

* Logging useLegacyFallback when there's an authorization failure

* Adding tests, logging failure during find no types fallback

* Switching to using an enum instead of success/useLegacyFallback

* Using _execute to share some of the structure

* Moving comment to where it belongs

* No longer audit logging when we use the legacy fallback

initializing

* Logging legacy fallback deprecation on login

* Consolidation the privileges/authorization folder

* Exposing rudimentary authorization service and fixing authenticate tests

* Moving authorization services configuration to initAuthorization

* Adding "actions" service exposed by the authorization

* Fixing misspelling

* Removing invalid and unused exports

* Adding note about only adding privileges

* Calling it initAuthorizationService

* Throwing explicit validation  error in actions.getSavedObjectAction

* Deep freezing authorization service

* Adding deepFreeze tests

* Checking privileges in one call and cleaning up tests

* Specifying the application on the "authorization service"

* Moving watchStatusAndLicenseToInitialize to be below initAuthorizationService

* Using short-hand propery assignment

* validate elasticsearch has_privileges response before trusting it

* address feedback

* Beginning to work on external role management APIs

* Refactoring GET tests and adding more permutations

* Adding test for excluding other resources

* Adding get role tests

* Splitting out the endpoints, or else it's gonna get overwhelming

* Splitting out the post and delete actions

* Beginning to work on POST and the tests

* Posting the updated role

* Adding update tests

* Modifying the UI to use the new public APIs

* Removing internal roles API

* Moving the rbac api integration setup tests to use the public role apis

* Testing field_security and query

* Adding create role tests

* We can't update the transient_metadata...

* Removing debugger

* Update and delete tests

* Returning a 204 when POSTing a Role.

* Switching POST to PUT and roles to role

* We don't need the rbacApplication client-side anymore

* Adding delete route tests

* Using not found instead of not acceptable, as that's more likely

* Only allowing us to PUT known Kibana privileges

* Removing transient_metadata

* Removing one letter variable names

* Using PUT instead of POST when saving roles

* Fixing broken tests

)

…1033)

* rbac functional tests

*  changes to the test file

* RBAC_functional test

*  incorporating review feedback

* slight modification to the addPriv() to cover all tests

* removed the @ in secure roles and perm file in the describe block  and made it look more relevant