[7.x] - Deprecate excluding ML from base privileges (#115445)

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

x-pack/plugins/security/common/licensing/license_features.ts

@@ -65,6 +65,11 @@ export interface SecurityLicenseFeatures {
    */
   readonly allowRbac: boolean;
 
+  /**
+   * Indicates if Machine Learning features are available.
+   */
+  readonly allowML: boolean;
+
   /**
    * Indicates whether we allow sub-feature privileges.
    */

x-pack/plugins/security/common/licensing/license_service.test.ts

@@ -28,6 +28,7 @@ describe('license features', function () {
       allowRbac: false,
       allowSubFeaturePrivileges: false,
       allowAuditLogging: false,
+      allowML: false,
       allowLegacyAuditLogging: false,
     });
   });
@@ -51,6 +52,7 @@ describe('license features', function () {
       allowRbac: false,
       allowSubFeaturePrivileges: false,
       allowAuditLogging: false,
+      allowML: false,
       allowLegacyAuditLogging: false,
     });
   });
@@ -75,6 +77,7 @@ describe('license features', function () {
             "allowAuditLogging": false,
             "allowLegacyAuditLogging": false,
             "allowLogin": false,
+            "allowML": false,
             "allowRbac": false,
             "allowRoleDocumentLevelSecurity": false,
             "allowRoleFieldLevelSecurity": false,
@@ -97,6 +100,7 @@ describe('license features', function () {
             "allowAuditLogging": true,
             "allowLegacyAuditLogging": true,
             "allowLogin": true,
+            "allowML": true,
             "allowRbac": true,
             "allowRoleDocumentLevelSecurity": true,
             "allowRoleFieldLevelSecurity": true,
@@ -134,10 +138,12 @@ describe('license features', function () {
       allowRbac: true,
       allowSubFeaturePrivileges: false,
       allowAuditLogging: false,
+      allowML: false,
       allowLegacyAuditLogging: false,
     });
-    expect(getFeatureSpy).toHaveBeenCalledTimes(1);
+    expect(getFeatureSpy).toHaveBeenCalledTimes(2);
     expect(getFeatureSpy).toHaveBeenCalledWith('security');
+    expect(getFeatureSpy).toHaveBeenCalledWith('ml');
   });
 
   it('should not show login page or other security elements if security is disabled in Elasticsearch.', () => {
@@ -160,6 +166,7 @@ describe('license features', function () {
       allowRbac: false,
       allowSubFeaturePrivileges: false,
       allowAuditLogging: false,
+      allowML: false,
       allowLegacyAuditLogging: false,
     });
   });
@@ -185,6 +192,7 @@ describe('license features', function () {
       allowRbac: true,
       allowSubFeaturePrivileges: false,
       allowAuditLogging: false,
+      allowML: false,
       allowLegacyAuditLogging: true,
     });
   });
@@ -210,14 +218,18 @@ describe('license features', function () {
       allowRbac: true,
       allowSubFeaturePrivileges: true,
       allowAuditLogging: true,
+      allowML: false,
       allowLegacyAuditLogging: true,
     });
   });
 
   it('should allow to login, allow RBAC, role mappings, access agreement, sub-feature privileges, and DLS if license >= platinum', () => {
     const mockRawLicense = licenseMock.createLicense({
       license: { mode: 'platinum', type: 'platinum' },
-      features: { security: { isEnabled: true, isAvailable: true } },
+      features: {
+        security: { isEnabled: true, isAvailable: true },
+        ml: { isEnabled: true, isAvailable: true },
+      },
     });
 
     const serviceSetup = new SecurityLicenseService().setup({
@@ -235,6 +247,7 @@ describe('license features', function () {
       allowRbac: true,
       allowSubFeaturePrivileges: true,
       allowAuditLogging: true,
+      allowML: true,
       allowLegacyAuditLogging: true,
     });
   });

x-pack/plugins/security/common/licensing/license_service.ts

@@ -68,6 +68,15 @@ export class SecurityLicenseService {
     );
   }
 
+  private isMLEnabledFromRawLicense(rawLicense: Readonly<ILicense> | undefined) {
+    if (!rawLicense) {
+      return false;
+    }
+
+    const mlFeature = rawLicense.getFeature('ml');
+    return mlFeature !== undefined && mlFeature.isAvailable && mlFeature.isEnabled;
+  }
+
   private calculateFeaturesFromRawLicense(
     rawLicense: Readonly<ILicense> | undefined
   ): SecurityLicenseFeatures {
@@ -85,6 +94,7 @@ export class SecurityLicenseService {
         allowRoleDocumentLevelSecurity: false,
         allowRoleFieldLevelSecurity: false,
         allowRbac: false,
+        allowML: false,
         allowSubFeaturePrivileges: false,
         layout:
           rawLicense !== undefined && !rawLicense?.isAvailable
@@ -93,6 +103,8 @@ export class SecurityLicenseService {
       };
     }
 
+    const allowML = this.isMLEnabledFromRawLicense(rawLicense);
+
     if (!this.isSecurityEnabledFromRawLicense(rawLicense)) {
       return {
         showLogin: false,
@@ -105,6 +117,7 @@ export class SecurityLicenseService {
         allowRoleDocumentLevelSecurity: false,
         allowRoleFieldLevelSecurity: false,
         allowRbac: false,
+        allowML,
         allowSubFeaturePrivileges: false,
       };
     }
@@ -124,6 +137,7 @@ export class SecurityLicenseService {
       // Only platinum and trial licenses are compliant with field- and document-level security.
       allowRoleDocumentLevelSecurity: isLicensePlatinumOrBetter,
       allowRoleFieldLevelSecurity: isLicensePlatinumOrBetter,
+      allowML,
       allowRbac: true,
     };
   }

x-pack/plugins/security/common/model/deprecations.ts

@@ -9,17 +9,17 @@
 import type { DeprecationsDetails, GetDeprecationsContext } from '../../../../../src/core/server';
 import type { Role } from './role';
 
-export interface PrivilegeDeprecationsRolesByFeatureIdResponse {
+export interface PrivilegeDeprecationsRolesResponse {
   roles?: Role[];
   errors?: DeprecationsDetails[];
 }
 
-export interface PrivilegeDeprecationsRolesByFeatureIdRequest {
+export interface PrivilegeDeprecationsRolesRequest {
   context: GetDeprecationsContext;
-  featureId: string;
+  featureId?: string;
 }
 export interface PrivilegeDeprecationsService {
-  getKibanaRolesByFeatureId: (
-    args: PrivilegeDeprecationsRolesByFeatureIdRequest
-  ) => Promise<PrivilegeDeprecationsRolesByFeatureIdResponse>;
+  getKibanaRoles: (
+    args: PrivilegeDeprecationsRolesRequest
+  ) => Promise<PrivilegeDeprecationsRolesResponse>;
 }

x-pack/plugins/security/common/model/index.ts

@@ -34,7 +34,7 @@ export {
   RoleMapping,
 } from './role_mapping';
 export {
-  PrivilegeDeprecationsRolesByFeatureIdRequest,
-  PrivilegeDeprecationsRolesByFeatureIdResponse,
+  PrivilegeDeprecationsRolesRequest,
+  PrivilegeDeprecationsRolesResponse,
   PrivilegeDeprecationsService,
 } from './deprecations';

x-pack/plugins/security/public/nav_control/nav_control_service.test.ts

@@ -19,7 +19,7 @@ import { SecurityNavControlService } from './nav_control_service';
 const validLicense = {
   isAvailable: true,
   getFeature: (feature) => {
-    expect(feature).toEqual('security');
+    expect(['security', 'ml']).toContain(feature);
 
     return {
       isAvailable: true,

x-pack/plugins/security/server/deprecations/index.ts

@@ -15,3 +15,4 @@ export {
   KIBANA_ADMIN_ROLE_NAME,
   KIBANA_USER_ROLE_NAME,
 } from './kibana_user_role';
+export { registerMLPrivilegesDeprecation } from './ml_privileges';