* saved objects: allow partial update without references
For normal attributes, the update API for saved objects supports partial
updates, where it will only attempt to change those attributes you
specify. References should behave the same way otherwise they will be
replaced entirely if you call update without specifying the original
references.
* Add KQL functionality in the find function of the saved objects
wip
rename variable from KQL to filter, fix unit test + add new ones
miss security pluggins
review I
fix api changes
refactor after reviewing with Rudolf
fix type
review III
review IV
for security put back allowed logic back to return empty results
remove StaticIndexPattern
review V
fix core_api_changes
fix type
* validate filter to match requirement type.attributes.key or type.savedObjectKey
* Fix types
* fix a bug + add more api integration test
* fix types in test until we create package @kbn/types
* fix type issue
* fix api integration test
* export nodeTypes from packages @kbn/es-query instead of the function buildNodeKuery
* throw 400- bad request when validation error in find
* fix type issue
* accept api change
* renove _ to represent private
* fix unit test + add doc
* add comment to explain why we removed the private
Introduces "saved queries". Saved queries are a new saved object type similar to saved searches but more limited in scope. They allow users to store the the query string in the query bar and optionally the set of filters and timefilter in order to reload them anywhere a query is expected: Discover, Visualize, Dashboard, anywhere that uses our full SearchBar component.
* Adding "style-src 'unsafe-inline' 'self'" to default CSP rules
* Updating jest snapshot
* Fixing api integration smoke test
* Verifying all CSP responses
* Fixing OIDC implicit flow test
* More dashboard migrations
* address review comments
* remove unused translations
* use logger instead of console
* remove need for lodash
* clean up translations
* Add ui metric tracking so we have a better idea whether being stricter with migrations will cause issues
* undo trackUiMetric... not available when migrations run
* Move src/legacy/server/saved_objects -> src/core/server/saved_objects
* Fix SavedObject import references after moving files to core
* First pass at SavedObjects api docs
* Expose and import all saved object types through core/server
* Don't expose SavedObjectsManagement from core and fix imports
* Improve typings for SavedObject error helpers
* Fix type errors after master merge
* Fix SavedObjectErrorHelpers tests
* Modify the relationships API and UI
* Remove type validation on export
* Update relationship test snapshots
* Change relationships table titles
* Change relationships UI to share one table
* Add server side logic to inject meta data into saved objects from plugins
* Manually enable each type of saved object to support
* Use injected vars to determine what types are import / exportable
* Fix some broken tests
* Remove unused translations
* Fix relationships mocha tests
* Remove tests that ensured types are restricted, functionality removed
* Move kfetch logic into separate file
* Add inAppUrl to missing types
* Add tooltip to management table titles that aren't links
* Make relationships screen support filtering by type
* Fix failing tests
* Add refresh support for inAppUrls
* Add error notifications when export API call fails
* Add relationship direction
* Fix broken tests
* Remove graph workspace from import / export
* Use parent / child terminology for relationships
* Use direct relationship terminology
* Flip view / edit logic in saved object management app
* Make config saved object redirect to advanced settings
* Fix broken tests
* Remove unused translations
* Code cleanup
* Add tests
* Add fallback overwrite confirmation object title
* Enforce supported types on import, export and resolve import errors
* Fix broken tests
* Fix broken tests pt2
* Fix broken tests pt3
* Test cleanup
* Use server.decorate to access savedobjectschemas
* Fix some broken tests
* Fix broken tests, add new title to relationships screen
* Fix some broken tests
* Handle dynamic versions
* Fix inAppUrl structure in tests
* Re-use generic canGoInApp
* Fix broken tests
* Apply maps PR feedback
* Apply PR feedback pt1
* Apply PR feedback pt2
* Add savedObjectsManagement to uiExports
* Fix broken tests
* Fix encodeURIComponent implementation
* Merge 403 and unsupported type errors into single error
* Apply suggestion
* Remove import / exportable by default, opt-in instead
* Fix type config to show up properly in the table
* Change config type title and fix tests
* Remove isImportableAndExportable where set to false (new default)
* Remove comments referencing to authorization
* Add unit tests for spaces
* Add unit tests for security plugin
* Change can* signature to be the same as their equivalent function, apply PR feedback
* Cleanup git diff
* Revert "Change can* signature to be the same as their equivalent function, apply PR feedback"
This reverts commit b657ac8fc1.
* Revert "Add unit tests for security plugin"
This reverts commit 6287a8cecf.
* Revert "Add unit tests for spaces"
This reverts commit 2674a9d78f.
* Revert "Remove comments referencing to authorization"
This reverts commit 9618c2cc3a.
* Revert "Merge 403 and unsupported type errors into single error"
This reverts commit 99aea10c0f.
* Add CUSTOM_ELEMENT_TYPE for import / export
* Fix broken tests
* Fix broken tests pt2
* Prevent crashing app when inAppUrl is undefined
* Exclude usage stats when `exclude_usage` flag is specified
* Entirely excluding the usage key altogether
* Adding API integration test
* Fixing param name in comment + adding more info to comment
* Fix API test copy-pasta
* Fixing test assertion syntax
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* GAP - Actions Restructured and Extensible (#25347)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* Goodbyyeee
* Adding app actions to the reserved privileges
* update snapshot
* UI/API changes to facilitate disabling features within spaces (#24235)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* GAP - Actions Restructured and Extensible (#25347)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* Goodbyyeee
* Adding app actions to the reserved privileges
* Begin to allow features to be disabled within spaces
typescript fixes
additional cleanup
attempt to resolve build error
fix tests
more ts updates
fix typedefs on manage_spaces_button
more import fixes
test fixes
move user profile into xpack common
Restructure space management screen
fix SASS references
design edits
remove Yes/No language from feature toggles
fix casing
removed unused imports
update snapshot
fix sass reference for collapsible panel
Fix sass reference, take 2
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* extract migration logic into testable unit
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* Design edits (#12)
enables customize avatar popover
update tests, and simplify editing space identifier
remove references to user profile
remove unused test suite
remove unnecessary sass import
removes security's capability_decorator
* fix i18n
* updates toggleUiCapabilities to use new feature definitions
* cleanup and testing
* remove references to old feature interface
* readd lost spacer
* adds feature route testing
* additional i18n
* snapshot update
* copy edits
* fix ml app icon
* add missing export
* remove unnecessary sass import
* attempt to fix build
* fix spaces api tests
* esArchiver mapping updates
* rename toggleUiCapabilities -> toggleUICapabilities
* removes shared collapsible_panel component in favor of plugin-specific components
* some copy and style adjustments
* fix test following rebase
* add lost types file
* design edits
* remove stale export
* feature feedback; fixes cached disabled features
* GAP: Security disables UI capabilities (#25809)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* First, very crappy implementation
* Adding tests for disabling ui capabilities
* All being set to false no longer requires a clone
* Using _.mapValues makes this a lot more readable
* Checking those privileges dynamically
* Fixing some broken stuff when i introduced checkPrivilegesDynamically
* Adding conditional plugin tests
* Renaming conditional plugin to optional plugin
* Fixing type errors
* GAP - Actions Restructured and Extensible (#25347)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* Goodbyyeee
* Adding app actions to the reserved privileges
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* GAP - Actions Restructured and Extensible (#25347)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* Goodbyyeee
* Adding app actions to the reserved privileges
* Update x-pack/plugins/security/server/lib/authorization/disable_ui_capabilities.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/plugins/security/server/lib/authorization/check_privileges_dynamically.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Disabling all ui capabilities if route is anonymous
* More typescript
* Even more typescript
* Updating snapshot
* Less any
* More safer
* Another one
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Introducing uiCapabilities, removing config providers & user profile (#25387)
## Summary
Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions.
* GAP - Actions Restructured and Extensible (#25347)
* Restructure user profile for granular app privs (#23750)
merging to feature branch for further development
* Fixing saved object capability checking
* Beginning to restructure actions to be used for all action building
* Using actions to build ui capabilities
* dropping /read from client-side userprovide ui capabilities
* Adding some actions
* Using different syntax which will hopefully help with allowing apps to
specify the privileges themselves
* Exposing all saved object operations in the capabilities
* Using actions in security's onPostAuth
* Only loading the default index pattern when it's required
* Only using the navlinks for the "ui capabilities"
* Redirecting from the discover application if the user can't access
kibana:discover
* Redirecting from dashboard if they're hidden
* Features register their privileges now
* Introducing a FeaturesPrivilegesBuilder
* REmoving app from the feature definition
* Adding navlink specific ations
* Beginning to break out the serializer
* Exposing privileges from the authorization service
* Restructuring the privilege/resource serialization to support features
* Adding actions unit tests
* Adding features privileges builders tests
* Adding PrivilegeSerializer tests
* Renaming missed usages
* Adding tests for the privileges serializer
* Adding privileges tests
* Adding registerPrivilegesWithCluster tests
* Better tests
* Fixing authorization service tests
* Adding ResourceSerializer tests
* Fixing Privileges tests
* Some PUT role tests
* Fixing read ui/api actions
* Exposing features from xpackMainPlugin
* Adding navlink:* to the "reserved privileges"
* navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink ->
navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink |
nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link
* Automatically determining navlink based ui capabilities
* Backing out changes that got left behind
* Using ui actions for navlinks
* Adding TODOs
* Ui -> UI
* Deleting unused file
* Removing api: [] as it's not necessary anymore
* Fixing graph saved object privileges
* Privileges are now async
* Pushing the asycnchronicity to the privileges "service"
* Adding TODO
* Providing initial value for reduce
* adds uiCapabilities to test_entry_template
* Adding config to APM/ML feature privileges
* Commenting out obviously failing test so we can get CI greeenn
* Fixing browser tests
* Goodbyyeee
* Adding app actions to the reserved privileges
* update snapshot
* Update x-pack/plugins/security/server/lib/authorization/check_privileges.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/plugins/security/server/lib/authorization/check_privileges.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Fixing type errors
* Only disabling navLinks if a feature is registered for them
* Adding non i18n'ed tooltip
* Making metadata and tooltip optional
* i18n'ing tooltips
* Responding to peer review comments
* GAP - Role API Structure (#26740)
* Updated the role api PUT structure
* Minimum is an array now
* Updating get route to naively support the new structure
* Renaming and removing some serialized methods
* Updating Role PUT api tests
* Fixing PUT jest tests
* Fixing GET tests
* Updating PrivilegeSerializer tests
* Renaming features to feature for the GET, so we're consistent
* Validating features and feature privileges
* Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Renaming some variables/members of the PrivilegesSerializer
* Fixing privileges serializer tests
* Fixing register privileges with cluster tests
* Fixing the role creation for the api integration tests
* Generalizing regex within the feature registry
* update tests
* [GAP] - Support infra features (#26955)
## Summary
This PR adds the `Infrastructure` and `Logs` apps as toggle-able features via Granular Application Privileges.
* [GAP] - Enables xpack_main to populate UI Capabilities (#27031)
## Summary
Currently, plugins that register features via `xpackMainPlugin.registerFeature({...})` also have to specify their own `uiCapabilities` via `injectDefaultVars`, which is counter-intuitive and cumbersome. We've accepted this complexity for OSS plugins, but x-pack and third-party plugins should not have to concern themselves with such implementation details.
This PR removes that requirement for x-pack and third-party plugins, so all they have to do is register features, and ensure that their feature privileges contain the appropriate UI Capabilities in the `ui` property.
### Notes
This implementation intentionally does not alter UI Capabilities that come in via OSS Kibana. The capabilities defined there should be the source of truth, regardless of which distribution is used.
### Example
<pre>
xpackMainPlugin.registerFeature({
id: 'graph',
name: 'Graph',
icon: 'graphApp',
<b>navLinkId: 'graph',</b>
privileges: {
all: {
app: [],
savedObject: { ... },
<b>ui: ['showWriteControls'],</b>
},
read: {
app: [],
savedObject: { ... },
<b>ui: ['someOtherCapability],</b>
}
}
});
</pre>
Will be translated to the following UI Capabilities:
```
uiCapabilities: {
navLinks: {
graph: true
},
graph: {
showWriteControls: true,
someOtherCapability: true,
}
}
```
xpack_main is **not responsible** for disabling UI capabilities, so this will initialize all capabilities with a value of `true`.
* Hide write controls for the visualization application (#26536)
* Hide write controls for the timelion application (#26537)
* blacklist feature ids (#27493)
* [GAP] - Support management links (#27055)
## Summary
This enables management links to be toggled via UI Capabilities.
## TODO
- [x] Implement spaces controls
- [x] Implement security controls
- [x] Testing
- [ ] (optional) - dedicated display for managing management links?
* Enables the feature catalogue registry to be controlled via uiCapabil… (#27945)
* Enables the feature catalogue registry to be controlled via uiCapabilities
* update snapshot
* xpack_main populates uiCapabilities with the full list of catalogue entries
* builds application privileges using catalogue actions
* prevent 'catalogue' from being registered as a feature id
* fix mocha tests
* fix merge
* update snapshots
* GAP - Discover and NavLinks Functional Testing (#27414)
* Adding very basic Discover tests
* Ensuring discover is visible in both spaces
* Parsing the DOM to determine the uiCapabilities
* Making this.wreck `any` because the type definitions suck
* Specifying auth when requesting ui capabilities
* Beginning architecture to support permutation testing
* Adding documentation of the different configurations we'd like to test
* Fixing type errors
* Beginning to work on the framework to test the combinations
* Adding some factories
* Pushing forward, not a huge fan of what I have right now
* The new-new
* Less weird types
* Revising some things after talking with Larry
* Switching from wreck to axios
* Restructuring some files
* Changing to a space with all features, and a space with no features
* Beginning to add the security only tests
* Adding a navLinksBuilder
* Adding spaces only tests
* Not disabling ui capabilities, or authing app/api access when we
shouldn't be
* Can't get rid of management
* Adding more user types
* More users, this is starting to really suck
* Renaming some things...
* Revising which users we'll test in which ui capabilities "test suite"
* Adding some more user scenarios for the security_only configuration
* Adding security_only user scenarios
* Adding space scenarios
* Fixing type errors
* Udpating the readme for the spaces we're testing with
* Adding global read discover security ui functional tests
* Adding tests to make sure save buttons are shown/hidden
The actual implementation is broken somewhere
* Fixing tests after GIS is added and conflicts happened for infra
* Adding discover ui capability tests
* Fixing navlinks tests
* Adding discover view tests
* Adding UI tests for spaces being disabled
* Fixing tests
* Removing wreck dependency, it's garbage
* Fixing typo
* Updating ui capabilities README.md and adding another user for the
security and spaces ui capability tests
* Updating yarn lock file
* Consolidation some types
* Adding VisualizeDisabledSpace to the scenarios.
* Fixing esArchives with .kibana_2
* Disable features optional again
* Adding ensureCurrentUrl: false
* Fixing space selector tests
* Fixing gis privileges, they use saved objects
* Fixing find's element staleness checks
* Update x-pack/test/functional/es_archives/spaces/disabled_features/data.json
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Generalizing logic to get appNavLinksText
* Removing duplicate license header
* Adding GIS mappingst
* Fixing readme
* We love our future selfs
* Adding GisRead scenario
* Whoops
* Adding note about funky syntax for use with exhaustive switches
* Using a centralized list of features
* Give it some time
* Even more time?
* Space Management - accessibility & i18n improvements (#28195)
## Summary
1) Improves the accessibility for the spaces management screen:
- Customize Space Avatar popover now receives focus when toggled
- Labels are more descriptive, providing context
- Delete Space modal correctly focuses
2) Improves i18n support
- fixed a couple hard-coded strings
3) Adds a "Features" column to the spaces grid page, which shows a brief summary of the number of features enabled for each space:
Related: https://github.com/elastic/kibana/issues/28184
* Feature Controls - spaces - functional tests (#28213)
* adds tests for /api/features/v1 endpoint
* update failing management test
* Fc/run ui capability tests (#28362)
* Running the UI Capability Tests as part of the normal CI runs
* Adding uptime feature to get these tests passing
* Adding features and sorting
* Adding uptime security_only uiCapability tests, and fixing devTools
* Fixing the docs
* Fixing section panel i18n issue
* Removing unused import
* Updating snapshots
* Feature Controls - The new new role API (#28441)
These changes allow us to build the most recent UI where spaces can be "grouped" and edited at once. This changes the kibana section of the role definition to the following:
```
{
kibana: [
{
base: ['read'],
feature: {
discover: ['all'],
dashboard: ['all']
},
spaces: ['*']
},
{
base: ['read'],
feature: {
discover: ['all'],
dashboard: ['all']
},
spaces: ['marketing', 'sales']
}
]
}
```
If the `spaces` property isn't provided (for example if the user isn't using Spaces) then it'll default to `['*']`.
There are a few other stipulations that we're implementing with this approach.
1. Each "item" can be for 1 to many spaces OR globally. We can't specify both space privileges and global privileges in the same "item" because for Spaces we translate `all` to `space_all`, etc. so we can give them different privileges, and this becomes problematic when trying to serialize/deserialize to ES.
2. Additionally, each space can only appear once. The ES model would allow this, but the role management UI becomes more complicated if we were to allow this when calculating effective privileges.
* Feature Controls - Discover Save Button Test #28500 (#28501)
* Adding some debug logs
* Setting ui settings using the functional services
* Doing the same for the spaces disabled features
* Removing console.log debug statements
* Using save instead of showWriteControls
* Reload when adjusting visible features within the users active space (#28409)
## Summary
Changes to the visible features within a space are not visible until the page is refreshed. Because of this, when a user is editing their active space, their changes are not immediately visible.
This updates the space management screen to force a refresh when updating the visible features inside the active space. It also introduces a modal warning that this will happen:
* Throwing error if we register a feature after getAll is called (#29030)
* Throwing error if we register a feature after getAll is called
* Fixing some tests
* Fixing feature route tests
* Removing unused imports
* Fixing merge conflict
* Feature Controls - Fixing fallout of removing the legacy fallback (#29141)
* Fixing use of mode.useRbacFoRequest to mode.useRbac
* Fixing ui capability tests
* [Feature Controls] - Fix a11y for customize feature section (#29174)
## Summary
Fixes the displayed and announced text for the "show"/"hide" button of the Customize Visible Features section of the spaces management page.
This was inadvertently broken following a merge from master at some point.
* Feature Controls: Fixing k7's new "nav links" (#29198)
* Fixing k7's new applist for feature controls
* Renaming appSwitcher to appsMenu
* Feature Controls - Dashboard (#29139)
* Using addRouteSetupWork to implement the redirect
* Using centralized addSetupWork
* Fixing dashboard functional feature privileges tests
* Ensuring landing page and create dashboard redirect to the home-page
* Adding more tests to ensure the redirects work properly
* Adding disabled space feature tests for Dashboards
* Update src/ui/public/capabilities/route_setup.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update test/functional/page_objects/common_page.js
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Fixing ui capability tests after adding createNew
* Removing unnecessary `return undefined`
* requireUICapabilities -> requireUICapability
* Updating dashboard ui capability tests
* Fixing issue with the selection column appearing on Dashboards
* Fixing ui capability dashboard space only tests
* [FC] - Move management and catalogue entries out of privilege definition (#28354)
* Moves catalogue and management entries from privilege defintion to base feature definition
* Update new management menu to respect items disabled via UI Capabilities
* add test
* re-add index pattern entries
* re-add advanced settings icon
* fix tests
* remove management and catalogue entries from read-only users
* bring it back now y'all
* catalogue updates for xpack plugins
* Introduces 'grantWithBaseRead' flag
* update privileges from all -> read where necessary
* rename feature builder functions
* catalogue and management items should cascade to privileges when not specified
* add catalogue entry for uptime app
* Simplify feature registrations using inherited catalogue/management entries
* consolidate and fix privilege building logic
* rename variables
* remove debug code
* remove duplicate lodash import
* Update x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts
Co-Authored-By: legrego <lgregorydev@gmail.com>
* [GAP] - Role Management UI (#26840)
---------
Edge-case scenarios:
1) [x] '*' and spaces in the same "entry"
Handled via `_transform_errors` at the API level. Renders a partial read-only view in the UI.
2) [x] same space appearing in multiple "entries"
Handled via `_transform_errors` at the API level. Renders a partial read-only view in the UI.
3) [x] base and feature privileges being set on the same "entry"
UI does not allow this to be set, but UI is smart enough to display the correct effective privilege in this case.
4) [x] multiple base privileges set in the same "entry"
UI does not allow this to be set, but UI is smart enough to apply the most permissive base privilege when displaying and performing privilege calculations.
5) [x] multiple feature privileges for the same "entry" (ml_all and ml_read)
UI does not allow for this to be set, but UI is smart enough to apply the most permissive base privilege when displaying and performing privilege calculations.
--------
## Summary
This updates the role management UI to allow application privileges to be customized globally and per-space.
## TODO:
- [x] [First Design review](https://github.com/legrego/kibana/pull/13)
- [ ] Second Design review
- [ ] Copy review
- [x] i18n
- [x] Handle deleted/unknown features
- [x] Handle deleted/unknown spaces
- [x] Cleanup & refactoring
- [x] Testing
* [Feature Controls, Spaces] - Don't load bundles for hidden apps (#29617)
## Summary
This enables the spaces plugin to issue a 404 if the requested application is disabled within the users active space.
To enable this functionality, the `app` property was moved to the root feature level, with the option to override at the privilege level. This follows the same logic as `catalogue` and `management` sections.
This will enable automatic app "protections" for those which only specify a single UI application, including:
1) Timelion
2) Canvas
3) Monitoring
4) APM
5) Code (when it merges)
6) GIS
7) Graph
8) ML
* [Feature Controls] - Copy Edits (#29651)
## Summary
Copy edits from today's session
* [Feature Controls] - Rename-a-thon (#29709)
* post-merge cleanup
* [Feature Controls] - fixes from recent merge from master (#29826)
## Summary
this pr will contain any required changes to fix CI from the recent merge from master, which includes the new k7 redesign design and dark mode
* Feature Controls: Adding privileges tooltip for Dev Tools (#30008)
* Adding privileges tooltip for Dev Tools
* appeasing the linter
* [Feature Controls] - Fix displayed space base privilege (#30133)
## Summary
This fixes the displayed space base privilege when a global base privilege is influencing the dropdown control:
1) Add global 'read' privilege
2) Configure space privilege -- note default base privilege of 'read'
3) Change space base privilege to 'custom'
Prior to this fix, the dropdown would not honor the change; it would keep 'read' as the selected option.
* Feature Controls: Adding read privileges for advanced settings and index patterns (#30106)
* Adding read privileges for advanced settings and index patterns
* Fixing the tests and the actual code itself
* Feature Controls - spaces not a security mechanism warning (#29853)
* Changing copy for the spaces not a security mechanism warning
* Using Gail's wording
* [Feature Controls] - Fixes from merging from master (8.0) (#30267)
* improve typings
* fix xpack_main type definitions
* test updates
* Fc/functional test move (#29835)
* Moving dashboard feature control tests to the dashboard application
* Moving more tests around
* Fixing some tests, no longer using uiSettings service, doesn't play
nicely with spaces
* Fixing esarchived issue
* Renaming some files
* [Feature Controls] - Readonly view for Advanced Settings using UICapabilities (#30243)
## Summary
This builds on the work done in https://github.com/elastic/kibana/pull/30106 to enable a read-only mode for the Advanced Settings screen:
- Input fields are disabled
- Save options are not displayed
- "Reset to default" options are not displayed
* Feature Controls: No Wildcards (#30169)
* A poorly named abstraction enters the room
* No more wildcards, starting to move some stuff around
* Splitting out the feature privilege builders
* Using actions instead of relying on their implementation
* We don't need the saved object types any longer
* Explicitly specifying some actions that used to rely on wildcards
* Fixing api integration test for privileges
* Test fixture plugin which adds the globaltype now specifies a feature
* Unauthorized to find unknown types now
* Adding tests for features with no privileges
* Update x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Adding back accidentally deleted test
* Using the shared XPackMainPlugin definition
* Fixing privileges
* [Feature Controls] - Readonly mode for Canvas using UICapabilities (#29264)
## Summary
Updates Canvas to respect UICapabilities when determining if a user has read or read/write access to the application:
1) Adds a `showWriteControls` UI Capability to the Canvas's `all` privilege.
2) Removes the `setCanUserWrite` Redux action
3) Sets the initial (and only) state for `state.transient.canUserWrite` based on the UI Capability.
Closes https://github.com/elastic/kibana/issues/27695
* [Feature Controls] - Readonly mode for Maps using UICapabilities (#30437)
## Summary
This updates the maps application to support a read-only mode:
1) Removes selection/delete from Maps listing page
2) Removes "save" option
## TODO:
- [x] Functional UI Tests
* Add typings for x-pack/test to support .html imports (#30570)
We're importing `ui/capabilities` from the x-pack/test project, which
implicitly traverses into typings which are potentially importing .html
files, so we have to teach TypeScript about it.
* [Feature Controls] - Readonly mode for Timelion using UICapabilities (#30128)
## Summary
Updates Timelion to respect UICapabilities when determining if a user has read or read/write access to the application.
A previous PR was responsible for hiding the save controls, but this PR adds testing and the appropriate UICapabilities to the registered privilege definition.
* remove stray debug code
* [Feature Controls] - Updates from src/ui move to src/legacy/ui (#30678)
* dummy commit
* fix import path
* update message identifier
* fix snapshot
* remove unused translations
* Feature Controls: Adding read/write privileges for all applications (#30732)
* Adding read/write privileges for all applications
* Using default for advanced settings, canvas, maps and timelion
* Update x-pack/test/ui_capabilities/security_only/tests/canvas.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/canvas.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/maps.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/maps.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/timelion.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* [Feature Controls] - Readonly mode for Visualize using UICapabilities (#29714)
* enable read-only view, and enable app redirection for visualize app
* Hide 'Edit Visualization' dashboard context menu item if visualizations are not editable
* Hide 'Add new visualization' button if action is not available
* show 'Visualize' button on discover view only if viz app is available
* update tests
* allow visualizations to be created, but not saved for read-only users
* adds functional tests for visualize
* add tests for showing/hiding the visualize button in the discover app
* fix visualize tests following merge from master
* tests for edit viz feature from dashboards
* cleanup
* remove unnecessary call to set ui settings
* remove unused variables
* reduce flakyness of tsvb tests
* renames visualize.showWriteControls => visualize.save
* fix ui capability tests
* fix tests
* fix references to timePicker page object
* fix ts errors
* adds 'editable' property to embeddable metadata instead of hardcoded capability checks
* Remove unnecessary read-only considerations
* revert unnecessary mock changes
* [Feature Controls] - Adds missing uptime icon (#30716)
## Summary
Adds missing feature icon for Uptime application.
Needs https://github.com/elastic/kibana/pull/30678 to merge before this will go green.
* Feature Controls - Fix branch (#31135)
* Updating snapshot
* Switching visualize to use the default branch of the switch
* Fixing esarchive
* Feature Controls - Graph (#30762)
* Adding graph functional tests
* Fixing Privilieges API test
* Adding graph ui capability tests
* Update x-pack/test/ui_capabilities/security_only/tests/graph.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/graph.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_and_spaces/tests/graph.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/security_only/tests/graph.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update x-pack/test/ui_capabilities/spaces_only/tests/graph.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Apply suggestions from code review
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Removing hard-coded constants
* Adding Graph delete button
* Fixing ui capability tests
* [Feature Controls] - Fixes page width for spaces management screen (#30723)
## Summary
Fixes the skinny spaces management screen following the redesign of the overall management area.
Needs https://github.com/elastic/kibana/pull/30678 to merge before this will go green.
* Feature Controls - Dev Tools (#30712)
* Adding functional tests
* Addingn Dev_Tools ui capability tests
* Adding some api tests for console's API
* Apply suggestions from code review
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Moving uiCapability definition
* Giving user_1 dashboard access to space_2
* Using the default in the switch for devtools/visualize
* Using forceLogout, maps are leaving us on a 404 page
* Fixing privileges API tests
* Feature Controls- Fix Merge Conflicts (#31651)
* Removing duplicated and outdated tests
* Updating snapshot
* Fixing type script errors
* Getting rid of some double quotes
* Adding saved_object:url access to discover temporarily to fix tests
* Fixing dashboard tests, updating snapshots
* Fixing security only find tests
* Removing reduntant test
* Trying to give it more time
* Fixing it 20 seconds to redirect away from the create new dashboard
* Feature Controls - No more route defaults for dashboards (#31767)
* No more route defaults for dashboards
* Verbose logging...
* Changing some ciGroups to try to narrow down the problem
* Revert "Verbose logging..."
This reverts commit 3198e73b61.
* Revert "No more route defaults for dashboards"
This reverts commit 525cd94dc5.
* Chaning the method in which we do the redirect
* Fixing type issue
* Update index.ts
* Update index.ts
* Feature Controls - Only allowing features to register all and read privileges (#31526)
* Only allowing features to register all and read privileges
* Making all and read optional properties required some existence checks
* Using Aleh's superior solution!
* No more unnecessary `as any`
* Feature Controls - Saved Object Management (#31332)
* Adding savedObject uiCapabilities that mirror the savedobject actions
* Using uiCapabilities to limit which types to search for
* Restricting which saved objects can be deleted based on type
* Hiding "view in app" button when we aren't allowed to
* Filtering the saved objects relationships based on the valid saved
object types
* Using dedicated savedObjectsManagement ui capabilities
* Adding readonly mode of viewing an object
* Displaying View In App if you can actually do so
* No more operations
* Moving saved objects ui capability population to kibana plugin
* Updating x-pack jest tests
* Adding security only saved objects management ui capability tests
* Adding security and spaces tests
* Adding spaces only saved objects managment ui capability tests
* Adding saved object management listing page functional tests
* Adding functional tests for edit visualization
* Consolidating canViewInApp and getInAppUrl into the same file
* Fixing imports
* One more stray import/export
* Adding back esFrom source
* Revert "Adding back esFrom source"
This reverts commit dfb626ace3.
* Updating jest snapshots
* Updating privileges
* Adding some logging
* Back to 10 seconds
* Trying to get more logs...
* Back to normal logging levels
* Fixing ui capability tests
* Putting timeouts back.
* Feature Controls - UI capability API integration tests with fixture plugins (#32086)
* Only testing the foo plugin for security and spaces
* Using the foo plugin with the security_only tests
* Changing spaces only tests to use the foo plugin
* Using list of features from api, and fixing bug with the spaces
interceptor
* Adding catalogue tests, which are alluding to another bug
* saved_objects catalogue aren't driven by ui capabilites presently
* Expanding the coverage for the spaces only catalogue tests
* Fixing some catalogue asserts
* Fixing catalogue tests for spaces_only, I had it backwards
* Adjusting Readme, adding "global read" scenario for security only tests
* Responding to PR feedback
* Adding back saved objects tests I accidentally deleted
* Fixing typescript issues, we can't import EUI on the server
* Fixing eslint error
* Updating Jest snapshots, fixing chrome mock
* Fixing dashboard listing test
* Adding missing await and forcing logout for graph functional tests
* Putting i18n string back
* Fixing type script issue
* Fixing canvas assert because of merge
* Fixing saved object api error assertations
* user-action is now a saved object type
* Fixing typescript error
* Fixing saved object actions as a result of the merge
* Feature Controls - Infrastructure and Logging (#31843)
* hide infra/logs apps if disabled via UICapabilities
* adds tests
* adds UICapability tests for infra and log apps
* update expected privilege/action mapping
* adds feature controls security tests for infraHome
* adds infra spaces feature control tests
* remove debug code
* a sample readonly implementation, ignoring 'logs' privileges
* ts fixes
* fix capability expectations
* Removing RequiresUICapability component, since there are no usages
* Driving the source configuration seperately for logs/infrastructure
* Adding infrastructure feature controls security functional tests
* Adding spaces infrastructure tests
* Adding logs functional tests
* Reworking the ui capability tests to be more consistent
* Fixing privileges API
* Forcing logout
* Fixing comma issue introduced by merge
* Fix merge conflicts and loading/unloading esarchives more consistently
* Removing unnecessary !!
* Fixing saved object management tests
* Fixing more tests
* Using the new context APIs
* Revert "Using the new context APIs"
This reverts commit 4776f1fc86.
* Adding future version of ui capabilities react provider
* Switching the order of the HOC's for infra and making the future the
default
* Applying Felix's PR feedback
* Protecting Infra's GraphQL APIs
* Updating privileges list
* Using the introspection query
* No longer using apollo context library, rephrasing test descriptions
* Fixing issue introduced by merge conflict, I forgot a }
* Putting back missplaced data test subj
* Updating jest snapshots
* Feature Controls - Short URLs (#32418)
* Discover is showing creating short urls properly
* Adding Discover functional tests
* When dashboards show the share menu you can always create short urls
* Visualize now displays the short urls link appropriately
* Dashboard all gets access to saved objects and updating privileges api
test
* Updating and adding short url test to url panel content
* Fixing misspelling
* Updating jest snapshot
* Adding comment why allowShortUrl is always true for Dashboards
* Updating snapshots
* Fixing snapshots, mocking chrome.getInjected
* Feature Controls - Uptime (#32577)
* Adding uptime functional tests
* Enabling feature controls for uptime
* Updating the privileges API's actions
* Using a single access tag for limiting API access
* Revising the behavior of maps read-only mode (#33338)
* Feature Controls - APIs (#32915)
* Using HapiJS's scopes to perform authorization on api endpoints
* Revert "Using HapiJS's scopes to perform authorization on api endpoints"
This reverts commit f73810c22d.
* Switching the syntax of the api tags
* Fixing privileges API
* Typescriptifying some dependencies of the api authorization extensions
* Using dedicated typescript file for api post auth filtering
* Adding tests and restructuring the flow of the api authorization
* Adjusting uptime's usage of privileges and the privileges test
* Integrating PR feedback
* Fixing graph test subject, thanks Joe!
* Consolidating hideWriteControls dashboard listing test
* Reusing maps constants
* Adding type to saved object management ui capability tests
* Feature Controls - Index Pattern Management (#33314)
* Enabling feature controls for index patterns
* Updating privileges API tests
* Fixing saved object management's view index patterns in app logic
* Fixing forgotten canViewInApp tests
* Fixing maps spaces functional tests
* Feature Controls - Differentiating the privileges with the same actions (#32266)
* Differentiating the privileges with the same actions
* The types for the lodash.uniqwith packare aren't right, and we need to
customize the isEqual also, so we're gonna do it ourselves
* Fixing dev tools ui capability
* Removing are equivalent privileges prevention, it's not what we really
need
* Requiring all to be more permissive than read on startup
* Transparently differentiating "all" from "read" feature privileges
* Fixing jest tests
* Adding the allHack: action to the space and global base privileges
* Changing actions to be readonly
* Adding JSDoc's for the Actions class and specifically the `allHack`
action
* Making the import of xpack_main types consistent
* Feature Controls: APM (#32812)
* Adding APM read privilege and adding functional UI tests
* Beginning to validate the APM routes are protected properly
* Protecting APM's APIs
* Specifying CI group
* Fixing privileges
* Adding forgotten apm show ui capability
* Fixing apm's privileges
* Fixing merge-conflict with privileges allHack: and APM
* address canvas feedback (#34269)
* [Feature Controls] - Plugin postInit (#29172)
## Summary
Throwing this up as a straw ~man~ person. If we like it, I can split it out and point the OSS changes against master if we'd prefer.
Introduces a `postInit` plugin hook that is called after all plugins have gone through their `preInit` and `init` phases, which allows the security plugin to call `registerPrivilegesWithCluster` after all plugins have had an opportunity to register their features.
* Feature Controls - Adds bulk toggle for showing/hiding features within a space (#34288)
## Summary
Adds a "Change all" option to the spaces management screen to allow all features to be shown/hidden:
Closes#34184
* Feature Controls - Unregistered Applications Authorization (#34122)
* Converting the app authorization to use typescript
* Adding jest tests
* Only authorizing app routes that are registered for features
* Using ProtectedApplications to lazily get feature applications
* Removing unneeded mocked headers as part of the authorization
* Adding some logging for the app authorization
* Fixing imports, thanks tslint --fix!
* Updating snapshots
* Feature Controls - Disable privilege form until spaces are selected (#34386)
## Summary
This disables the privilege selection until one or more spaces are selected in the role management form:
* Feature Controls - Visualize read-only create new (#34209)
* Allowing users to create new visualizations, even if they can't be saved
* Fixing privileges and tests
* Updating snapshot
* Removing visualize edit ui capability
* Feature Controls - Actions Version Prefix (#34405)
* Prefixing actions with version
* Updating privileges api integration test
* Update x-pack/plugins/security/server/lib/authorization/actions/saved_object.ts
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Requiring version to be a not empty string
* Updating jest snapshots
* Changing the 403 messages for the saved object client
* Fixing ui/chrome mock
* Feature Controls - Displaying share menu on dashboards when in read-only mode (#34207)
* Displaying share menu on dashboards when in read-only mode
* Fixing test description, thanks Luke!
* Fixing dashboard view mode tests because the share menu is now visible
* migrate from tslint to eslint
* Feature Controls - Reserved Role Apps (#30525)
* Removing feature privileges from ml/monitoring/apm
* Adding monitoring/ml/apm as hard-coded global privileges
* A poorly named abstraction enters the room
* No more wildcards, starting to move some stuff around
* Splitting out the feature privilege builders
* Using actions instead of relying on their implementation
* We don't need the saved object types any longer
* Explicitly specifying some actions that used to rely on wildcards
* Fixing api integration test for privileges
* Test fixture plugin which adds the globaltype now specifies a feature
* Unauthorized to find unknown types now
* Adding reserved privileges tests
* Adding reserved privileges in a designated reserved bucket
* Fixing ui capability tests
* Adding spaces api tests for apm/ml/monitoring users
* Adding more roles to the security only ui capability tests
* You can put a role with reserved privileges using the API
* Adding support to get roles with _reserved privileges
* Adding APM functional tests
* Adding monitoring functional tests
* Fixing typo
* Ensuring apm_user, monitoring_user alone don't authorize you
* Adding ml functional tests
* Fixing test
* Fixing some type errors
* Updating snapshots
* Fixing privileges tests
* Trying to force this to run from source
* Fixing TS errors
* Being a less noisy neighbor
* Forcing logout for apm/dashboard feature controls security tests
* Fixing the security only ui capability tests
* Removing test that monitoring now tests itself
* Fixing some ui capability tests
* Cleaning up the error page services
* Fixing misspelling in comment
* Using forceLogout for monitoring
* Removing code that never should have been there, sorry Larry
* Less leniency with the get roles
* Barely alphabetical for a bit
* Apply suggestions from code review
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Removing errant timeout
* No more hard coded esFrom source
* More nits
* Adding back esFrom source
* APM no longer uses reserved privileges, reserved privileges are
pluggable
* Fixing typescript errors
* Fixing ui capability test themselves
* Displaying reserved privileges for the space aware and simple forms
* Removing ability to PUT roles with _reserved privileges.
Removing ability to GET roles that have entries with both reserved and
feature/base privileges.
* Updating jest snapshots
* Changing the interface for a feature to register a reserved privilege to
include a description as well
* Displaying features with reserved privileges in the feature table
* Adjusting the reserved role privileges unit tests
* Changing usages of expect.js to @kbn/expect
* Changing the CalculatedPrivilege's _reserved property to reserved
* Allowing reserved privileges to be assigned at kibana-*
* Updating forgotten snapshot
* Validating reserved privileges
* Updating imports
* Removing --esFrom flag, we don't need it anymore
* Switching from tslint's ignore to eslint's ignore
* Feature Controls - Adds feature registration to plugin generator (#34537)
## Summary
This updates the plugin generator to allow plugin authors to automatically register their feature with the Feature Registry, for control via Spaces/Security.
Running:
```
elastic-mbp:kibana larry$ node scripts/generate_plugin.js test-plugin
? Provide a short description An awesome Kibana plugin
? What Kibana version are you targeting? master
? Should an app component be generated? Yes
? Should translation files be generated? Yes
? Should a hack component be generated? Yes
? Should a server API be generated? Yes
? Should SCSS be used? Yes
```
Generates the following:
```js
import { resolve } from 'path';
import { existsSync } from 'fs';
import { i18n } from '@kbn/i18n';
import exampleRoute from './server/routes/example';
export default function (kibana) {
return new kibana.Plugin({
require: ['elasticsearch'],
name: 'test_plugin',
uiExports: {
app: {
title: 'Test Plugin',
description: 'An awesome Kibana plugin',
main: 'plugins/test_plugin/app',
},
hacks: [
'plugins/test_plugin/hack'
],
styleSheetPaths: [resolve(__dirname, 'public/app.scss'), resolve(__dirname, 'public/app.css')].find(p => existsSync(p)),
},
config(Joi) {
return Joi.object({
enabled: Joi.boolean().default(true),
}).default();
},
init(server, options) { // eslint-disable-line no-unused-vars
const xpackMainPlugin = server.plugins.xpack_main;
if (xpackMainPlugin) {
const featureId = 'test_plugin';
xpackMainPlugin.registerFeature({
id: featureId,
name: i18n.translate('testPlugin.featureRegistry.featureName', {
defaultMessage: 'test-plugin',
}),
navLinkId: featureId,
icon: 'discoverApp',
app: [featureId, 'kibana'],
catalogue: [],
privileges: {
all: {
api: [],
savedObject: {
all: [],
read: ['config'],
},
ui: ['show'],
},
read: {
api: [],
savedObject: {
all: [],
read: ['config'],
},
ui: ['show'],
},
},
});
}
// Add server routes and initialize the plugin here
exampleRoute(server);
}
});
}
```
* Updating core system docs
* Fixing infra's dates with data for the functional tests
* [Feature Controls] - Move UICapabilities to the new platform (#30585)
## Summary
This moves the UI Capabilities service into the new platform, shimming into the old platform in a way that is consistent with the `i18n` service.
* Fixing uptime functional api tests
* Removing .only...
* Modify import APIs to handle special use cases from the previous import process
* Cleanup
* Add more examples to the docs
* Make title come from data inside file
* Fix some broken tests
* Fix docs
* Fix docs wording
* Apply PR feedback pt1
* Apply PR feedback pt2
Adds two fields to the IndexPattern Field:
* parent - the name of the field this field is a child of
* subType - The type of child this field is. Currently the only valid value is multi but we could expand this to include aliases, object children, and nested children.
The thinking behind implementing these two new properties instead of a simple isMultiField flag is that it should be generic enough to describe other sorts of parent -> child relationships between fields.
* Track user actions for creating, updating, and deleting and index lifecycle policy.
* Track user actions for attaching an index, attaching an index template, and detaching an index.
* Track app load action.
* Track usage of cold phase, warm phase, set priority, and freeze index.
* Track retry step user action.
* Track clicks on the policy name to edit it.
* Refactor constants to be in root of public.
* Add support to user actions API for comma-delimited action types.
* Refactor rollups trackUserRequest to be easier to understand.
* Use underscores instead of dashes for user action app names.
* Switch from componentWillMount to componentDidMount/useEffect.
- Standardize use of HashRouter within app.js to avoid calling useEffect when leaving the app.
* [@kbn/expect] "fork" expect.js into repo
* [eslint] autofix references to expect.js
* [tslint] autofix all expect.js imports
* now that expect.js is in strict mode, avoid reassigning fn.length
* cherry-pick fd2bc9b
* Return errors when objects are missing references
* Fix import tslint
* Fix failing jest tests
* Fix x-pack integration tests
* Rename ensureReferencesExist to validateReferences
* Fix test naming to use validateReferences
* Update resolve_import_errors API to reflect new type attribute
* Validate references for search type as well
* Clarify comment
* Apply PR feedback
* Modify saved object bulkGet to be able to filter fields
* Apply PR feedback
* Initial work
* Add overwrite and skip support
* Cleanup and add tests
* Move code into separate files
* Remove reduce
* New API parameters
* Add support to replace references
* Add better error handling
* Add spaces tests
* Fix return type in collectSavedObjects
* Apply PR feedback
* Update jest tests due to jest version upgrade
* Add docs
* WIP
* Split import routes pt1
* Add tests
* Fix broken tests
* Update docs and fix broken test
* Add successCount to _import endpoint
* Make skip by default in resolution API
* Update tests for removal of skips
* Add back support for skips
* Add success count
* Add back resolve import conflicts x-pack tests
* Remove writev from filter stream
* Delete _mock_server.d.ts file
* Rename lib/import_saved_objects to lib/import
* Filter records at stream level for conflict resolution
* Update docs
* Add tests to validate documentation
* Return 200 instead of other code for errors, include errors array
* Change [] to {}
* Apply PR feedback
* Fix import object limit to not return 500
* Change some wording in the docs
* Fix status code
* Apply PR feedback pt2
* Lower maxImportPayloadBytes to 10MB
* Add unknown type tests for import
* Add unknown type tests for resolve_import_conflicts
* Fix tslint issues
* Add user_action app with API endpoint for tracking user actions.
* Track 'Create rollup job' action and publish it in the collector.
* Extract fetchUserActions into a generic helper inside of xpack/server/lib.
* Add trackUserRequest helper.
* Initial work for new server side export API
* Revert UI changes, API only in this PR
* Remove whitespace at top of export.asciidoc
* Add tests around limitations
* Add comment
* Convert some files to typescript
* Move Boom.boomify to where the errors are created
* Use Boom.badRequest for now
* Fix lint issue
* Move files
* Update tests
* Add functional test
* Export all documents by default
* Update test assertions
* Use ~10000 saved objects in export api integration test
* Convert route to typescript, add content-type response header
* Move some tests to api_integration
* Use new sort and rename functions/variables
* Move tests to API integration
* Cleanup and finalize api integration tests
* Make type or objects required but not both in the same call
* Add spaces / security tests
* Add noTypeOrObjects to security / spaces tests
* Use json-stable-stringify and add tests for export ordering
* Address self feedback, add without kibana index test
* Only allow export API to export index-pattern, dashboard, visualization and search type objects
* Make import export size configurable and fix broken tests
* Fix broken tests
* Move test config to mock server
* Add more typescript types instead of using any
* Convert request from GET to POST
* Fix saved objects mixin test
* Update src/legacy/server/saved_objects/lib/export.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Apply PR feedback
* Fix lint error
* Update test snapshots due to jest upgrade
* Add error handling for bulkGet
* Split export API into two endpoints
* Update src/legacy/server/saved_objects/routes/export_by_type.test.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update docs/api/saved-objects/export_by_type.asciidoc
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update docs/api/saved-objects/export_by_type.asciidoc
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update src/legacy/server/saved_objects/routes/export_objects.test.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Apply PR feedback
* MockServer -> createMockServer
* Revert back to single API
* Re-apply PR feedback
* Saved Objects routes and service should be able to hide objects.
* Remove context providers as a feature.
* Respository should be creatable to include hidden types.
* Fixes failing unit tests.
* Fixes issues with filter method.
* Adds check to get method for allowed types.
* Adds tests for get,delete,bulkGet,find
* Remove need for schema in saved objects api.
* Remove more traces of schema validation added to rest api.
* Remove inclusion of hidden types in route specific client.
* Removes getAvailableTypes as it is no longer used.
* Fixing up initialization of components.
* Moves default setting for includeHiddenTypes
* Allows for single value or array in assertAllowedTypes.
* Adds type assertion to bulkCreate, and incrementCounter with tests.
* Conversion to boolean should be more explicit.
* Repository should restrict types allowed to be manipulated.
* Saved objects should use the right root type.
Privileges should have unit test.
* All saved objects APIs should validate types.
* No need for test to be typescript if under test not ts.
* Handle extraTypes being undefined.
* Routes should verify that they do not allow invalid types.
* Bulk create should be tested.
* Saved objects mixin does not need extra blank lines.
* Saved objects integration tests should test unknown types.
* Integration tests should test for bad request with unknown type.
* Adds missing privileges to global all.
* Tests should use valid types.
Tests should have accurate expectations.
* Fix bulkCreate to assert allowed types.
* Fix unknown search field tests.
* Adjust expectations for unknown type in saved object api.
* Saved object integration should return proper responses.
* Fix expect to use a separated matcher.
* Should expect forbidden responses for unauthorized users.
* Should expect 400 when trying to use unknown types.
* Removes unwanted .only call.
* Adjust repository to throw error unless it has allowed types.
* Unknown types should return 403s and empty results where applicable
* Removes type validation from saved object API.
* Captures and returns appropriate exceptions for type assertion.
* Properly filtter c'tor params to repository.
* Checking allowed type should be bool check function.
* Cleanup test situation descriptions.
* Updating snapshot file for jest tests.
* Changes expected results for find from saved object service.
* Expect an empty response when attempting to access an unsupported type.
* Adds test coverage for new error methods added.
Adds create test to repository.
* Adds bulkGet, bulkCreate unsupported type errors.
* First step in refactoring saved object service.
Adding missing test coverage of saved object service creation.
* Move extra saved objects test to legacy folder.
* Adds references filtering by allowed type.
* Adds more coverage for mixin repository creation.
* Removes unnecessary decorate on server object for unused method.
* Revert reworking how kibana migrator uses mappings.
* Revert "Adds references filtering by allowed type."
This reverts commit 92b07d4b92.
* Adds check for unexpected callCluster type.
* Should cover as many parts of the mixin as possible.
* More expectations to tests.
* Keeps ordering of created items but does not pass unsupported types.
* Fix a failing before hook test.
* Should not use escaped single quotes inside template literals.
Co-Authored-By: njd5475 <njd5475@gmail.com>
* Changed how check is done in repository.
* Remove unused mappings file.
* Cleans up a couple of nits.
* Adds test for overwrite option being passed if it is in the url.
* Missed semicolon.
This commit accompanies the four that precede it. Rather than squash
them altogether, the four previous commits all do nothing except move
files to help avoid conflicts.
Modify the way migrations detect mapping changes. The previous approach simply
diffed the index mappings against the mappings defined in Kibana. The problem was
that sometimes the index mappings will *always* differ. For example, if an index template
is affecting the .kibana* indices. Or if Elasticsearch adds a new magical mapping that
appears in the index, even though not specified (this happened in the 7.0 release). So,
instead of diffing, we now store hashes of our mappings in _meta, and compare against
those.
See https://github.com/elastic/elasticsearch/pull/38254
Using the `version` parameter to implement optimistic concurrency is not going to be supported in 7.0, so we need to replace our usage of document version with the new `_seq_no` and `_primary_term` parameters. These fields are returned in the same way that `_version` was returned on all read/write requests except for search, where it needs to be requested by sending `seq_no_primary_term: true` in the body of the search request. These parameters are sent back to Elasticsearch on write requests with the `if_seq_no` and `if_primary_term` parameters, and are functionally equivalent to sending a `version` in a write request before elastic/elasticsearch#38254.
To make these updates I searched the code base for uses of a `version` and `_version`, then triaged each usage, so I'm fairly confident that I got everything but it's possible something slipped through the cracks, so if you know of any usage of the document version field please help me out by double checking that I converted it.
- [x] **Saved Objects**: @elastic/kibana-platform, @elastic/es-security - for BWC and ergonomics the `version` provided by the Saved Objects client/API was not removed, it was converted from a number to a string whose value is `base64(json([_seq_no, _primary_term]))`. This allows the Saved Objects API and its consumers to remain mostly unmodified, as long as the underlying value in the version field is irrelevant. This was the case for all usages in Kibana, only thing that needed updating was tests and TS types.
- [x] **Reporting/esqueue**: @joelgriffith, @tsullivan - the version parameter was used here specifically for implementing optimistic concurrency, and since its usage was contained within the esqueue module I just updated it to use the new `_seq_no` and `_primary_term` fields.
- [x] **Task Manager**: @tsullivan @njd5475 - Like esqueue this module uses version for optimistic concurrency but the usage is contained with the module so I just updated it to use, store, and request the `_seq_no` and `_primary_term` fields.
- [ ] **ML**: @elastic/ml-ui - Best I could tell the only "version" in the ML code refers to the stack version, 077245fed8
- [ ] **Beats CM**: @elastic/beats - Looks like the references to `_version` in the code is only in the types but not in the code itself. I updated the types to use `_seq_no` and `_primary_term`, and their camelCase equivalents where appropriate. I did find a method that used one of the types referencing version but when investigating its usage it seemed the only consumer of that method was itself so i removed it. 52d890fed7
- [x] **Spaces (tests)**: @elastic/kibana-security - The spaces test helpers use saved objects with versions in a number of places, so I updated them to use the new string versions where the version was predictable, and removed the assertion on version where it wasn't. We test the version in the saved objects code so this should be fine.
* csp: nonce and unsafe-eval for scripts
To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.
A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency sake
Co-Authored-By: epixa <court@epixa.com>
* Add new references attribute to saved objects
* Add dual support for dashboard export API
* Use new relationships API supporting legacy relationships extraction
* Code cleanup
* Fix style and CI error
* Add missing spaces test for findRelationships
* Convert collect_references_deep to typescript
* Add missing trailing commas
* Fix broken test by making saved object API consistently return references
* Fix broken api integration tests
* Add comment about the two TS types for saved object
* Only return title from the attributes returned in findRelationships
* Fix broken test
* Add missing security tests
* Drop filterTypes support
* Implement references to search, dashboard, visualization, graph
* Add index pattern migration to dashboards
* Add references mapping to dashboard mppings.json
* Remove findRelationships from repository and into it's own function / file
* Apply PR feedback pt1
* Fix some failing tests
* Remove error throwing in migrations
* Add references to edit saved object screen
* Pass types to findRelationships
* [ftr] restore snapshots from master, rely on migrations to add references
* [security] remove `find_relationships` action
* remove data set modifications
* [security/savedObjectsClient] remove _getAuthorizedTypes method
* fix security & spaces tests to consider references and migrationVersion
* Add space id prefixes to es_archiver/saved_objects/spaces/data.json
* Rename referenced attributes to have a suffix of RefName
* Fix length check in scenario references doesn't exist
* Add test for inject references to not be called when references array is empty or missing
* some code cleanup
* Make migrations run on machine learning data files, fix rollup filterPath for savedSearchRefName
* fix broken test
* Fix collector.js to include references in elasticsearch response
* code cleanup pt2
* add some more tests
* fix broken tests
* updated documentation on referencedBy option for saved object client find function
* Move visualization migrations into kibana plugin
* Update docs with better description on references
* Apply PR feedback
* Fix merge
* fix tests I broke adressing PR feedback
* PR feedback pt2
This PR adds two usage stats to our telemetry for KQL:
* How many times people click the opt in/out toggle in the query bar UI
* Which language Kibana admins have set as the global default in advanced settings
### Review notes
This is generally ready for review. We are awaiting https://github.com/elastic/elasticsearch/issues/32777 to improve handling when users do not have any access to Kibana, but this should not hold up the overall review for this PR.
This PR is massive, there's no denying that. Here's what to focus on:
1) `x-pack/plugins/spaces`: This is, well, the Spaces plugin. Everything in here is brand new. The server code is arguably more important, but feel free to review whatever you see fit.
2) `x-pack/plugins/security`: There are large and significant changes here to allow Spaces to be securable. To save a bit of time, you are free to ignore changes in `x-pack/plugins/security/public`: These are the UI changes for the role management screen, which were previously reviewed by both us and the design team.
3) `x-pack/test/saved_object_api_integration` and `x-pack/test/spaces_api_integration`: These are the API test suites which verify functionality for:
a) Both security and spaces enabled
b) Only security enabled
c) Only spaces enabled
What to ignore:
1) As mentioned above, you are free to ignore changes in `x-pack/plugins/security/public`
2) Changes to `kibana/src/server/*`: These changes are part of a [different PR that we're targeting against master](https://github.com/elastic/kibana/pull/23378) for easier review.
## Saved Objects Client Extensions
A bulk of the changes to the saved objects service are in the namespaces PR, but we have a couple of important changes included here.
### Priority Queue for wrappers
We have implemented a priority queue which allows plugins to specify the order in which their SOC wrapper should be applied: `kibana/src/server/saved_objects/service/lib/priority_collection.ts`. We are leveraging this to ensure that both the security SOC wrapper and the spaces SOC wrapper are applied in the correct order (more details below).
### Spaces SOC Wrapper
This wrapper is very simple, and it is only responsible for two things:
1) Prevent users from interacting with any `space` objects (use the Spaces client instead, described below)
2) Provide a `namespace` to the underlying Saved Objects Client, and ensure that no other wrappers/callers have provided a namespace. In order to accomplish this, the Spaces wrapper uses the priority queue to ensure that it is the last wrapper invoked before calling the underlying client.
### Security SOC Wrapper
This wrapper is responsible for performing authorization checks. It uses the priority queue to ensure that it is the first wrapper invoked. To say another way, if the authorization checks fail, then no other wrappers will be called, and the base client will not be called either. This wrapper authorizes users in one of two ways: RBAC or Legacy. More details on this are below.
### Examples:
`GET /s/marketing/api/saved_objects/index-pattern/foo`
**When both Security and Spaces are enabled:**
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Security wrapper is invoked.
a) Authorization checks are performed to ensure user can access this particular saved object at this space.
3) The Spaces wrapper is invoked.
a) Spaces applies a `namespace` to be used by the underlying client
4) The underlying client/repository are invoked to retrieve the object from ES.
**When only Spaces are enabled:**
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Spaces wrapper is invoked.
a) Spaces applies a `namespace` to be used by the underlying client
3) The underlying client/repository are invoked to retrieve the object from ES.
**When only Security is enabled:**
(assume `/s/marketing` is no longer part of the request)
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Security wrapper is invoked.
a) Authorization checks are performed to ensure user can access this particular saved object globally.
3) The underlying client/repository are invoked to retrieve the object from ES.
## Authorization
Authorization changes for this project are centered around Saved Objects, and builds on the work introduced in RBAC Phase 1.
### Saved objects client
#### Security without spaces
When security is enabled, but spaces is disabled, then the authorization model behaves the same way as before: If the user is taking advantage of Kibana Privileges, then we check their privileges "globally" before proceeding. A "global" privilege check specifies `resources: ['*']` when calling the [ES _has_privileges api.](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html). Legacy users (non-rbac) will continue to use the underlying index privileges for authorization.
#### Security with spaces
When both plugins are enabled, then the authorization model becomes more fine-tuned. Rather than checking privileges globally, the privileges are checked against a specific resource that matches the user's active space. In order to accomplish this, the Security plugin needs to know if Spaces is enabled, and if so, it needs to ask Spaces for the user's active space. The subsequent call to the `ES _has_privileges api` would use `resources: ['space:marketing']` to verify that the user is authorized at the `marketing` space. Legacy users (non-rbac) will continue to use the underlying index privileges for authorization. **NOTE** The legacy behavior implies that those users will have access to all spaces. The read/write restrictions are still enforced, but there is no way to restrict access to a specific space for legacy auth users.
#### Spaces without security
No authorization performed. Everyone can access everything.
### Spaces client
Spaces, when enabled, prevents saved objects of type `space` from being CRUD'd via the Saved Objects Client. Instead, the only "approved" way to work with these objects is through the new Spaces client (`kibana/x-pack/plugins/spaces/lib/spaces_client.ts`).
When security is enabled, the Spaces client performs its own set of authorization checks before allowing the request to proceed. The Spaces client knows which authorization checks need to happen for a particular request, but it doesn't know _how_ to check privileges. To accomplish this, the spaces client will delegate the check security's authorization service.
#### FAQ: Why oh why can't you used the Saved Objects Client instead!?
That's a great question! We did this primarily to simplify the authorization model (at least for our initial release). Accessing regular saved objects follows a predictible authorization pattern (described above). Spaces themselves inform the authorization model, and this interplay would have greatly increased the complexity. We are brainstorming ideas to obselete the Spaces client in favor of using the Saved Objects Client everywhere, but that's certainly out of scope for this release.
## Test Coverage
### Saved Objects API
A bulk of the changes to enable spaces are centered around saved objects, so we have spent a majority of our time automating tests against the saved objects api.
**`x-pack/test/saved_object_api_integration/`** contains the test suites for the saved objects api. There is a `common/suites` subfolder which contains a bulk of the test logic. The suites defined here are used in the following test configurations:
1) Spaces only: `./spaces_only`
2) Security and spaces: `./security_and_spaces`
3) Security only: `./security_only`
Each of these test configurations will start up ES/Kibana with the appropriate license and plugin set. Each set runs through the entire test suite described in `common/suites`. Each test with in each suite is run multiple times with different inputs, to test the various permutations of authentication, authorization type (legacy vs RBAC), space-level privileges, and the user's active space.
### Spaces API
Spaces provides an experimental public API.
**`x-pack/test/spaces_api_integration`** contains the test suites for the Spaces API. Similar to the Saved Objects API tests described above, there is a `common/suites` folder which contains a bulk of the test logic. The suites defined here are used in the following test configurations:
1) Spaces only: `./spaces_only`
2) Security and spaces: `./security_and_spaces`
### Role Management UI
We did not provide any new functional UI tests for role management, but the existing suite was updated to accomidate the screen rewrite.
We do have a decent suite of jest unit tests for the various components that make up the new role management screen. They're nested within `kibana/x-pack/plugins/security/public/views/management/edit_role`
### Spaces Management UI
We did not provide any new functional UI tests for spaces management, but the components that make up the screens are well-tested, and can be found within `kibana/x-pack/plugins/spaces/public/views/management/edit_space`
### Spaces Functional UI Tests
There are a couple of UI tests that verify _basic_ functionality. They assert that a user can login, select a space, and then choose a different space once inside: `kibana/x-pack/test/functional/apps/spaces`
## Reference
Notable child PRs are listed below for easier digesting. Note that some of these PRs are built on other PRs, so the deltas in the links below may be outdated. Cross reference with this PR when in doubt.
### UI
- Reactify Role Management Screen: https://github.com/elastic/kibana/pull/19035
- Space Aware Privileges UI: https://github.com/elastic/kibana/pull/21049
- Space Selector (in Kibana Nav): https://github.com/elastic/kibana/pull/19497
- Recently viewed Widget: https://github.com/elastic/kibana/pull/22492
- Support Space rename/delete: https://github.com/elastic/kibana/pull/22586
### Saved Objects Client
- ~~Space Aware Saved Objects: https://github.com/elastic/kibana/pull/18862~~
- ~~Add Space ID to document id: https://github.com/elastic/kibana/pull/21372~~
- Saved object namespaces (supercedes #18862 and #21372): https://github.com/elastic/kibana/pull/22357
- Securing saved objects: https://github.com/elastic/kibana/pull/21995
- Dedicated Spaces client (w/ security): https://github.com/elastic/kibana/pull/21995
### Other
- Public Spaces API (experimental): https://github.com/elastic/kibana/pull/22501
- Telemetry: https://github.com/elastic/kibana/pull/20581
- Reporting: https://github.com/elastic/kibana/pull/21457
- Spencer's original Spaces work: https://github.com/elastic/kibana/pull/18664
- Expose `spaceId` to "Add Data" tutorials: https://github.com/elastic/kibana/pull/22760Closes#18948
"Release Note: Create spaces within Kibana to organize dashboards, visualizations, and other saved objects. Secure access to each space when X-Pack Security is enabled"
* Use an instance of SavedObjectsSerializer for migrations and the repository
* Fixing spelling of serialization
* Making the serializer conditionally include and prepend id with ns
* Adding repository tests for the namespaces
* Implementing find
* Modifying the SOCs to pass the options with the namespace
* Centralizing omitting the namespace when using serializer.rawToSavedObject
* Passing the schema through to the SavedObjectRepositoryProvider
* Changing the schema to work with undefined ui exports schemas
* Adding schema tests
* Making the complimentary serialization test use the namespace
* Fixing uiExports
* Fixing some tests
* Fixing included fields for the find
* Fixing include field tests, they're checking length also...
* Updating Repository test after adding namespace to always included
fields
* Renaming UIExportsSavedObjectTypeSchema to SavedObjectsSchemaDefinition
* Completing rename... forgot to save usages
* Fixing issue with the serialization.isRawSavedObject and the trailing :
There have been several failures in this test, seemingly caused by a lack of sorting in the results. It makes sense that since both migrations are run simultaneously that sometimes one would succeed and sometimes another would, so I've just sorted the results before checking.
cc: @chrisdavies
* Allow sample data set to install multiple indices
* create insertDataIntoIndex function to better encapsulate bulk insert
* move everything under bulk insert
* add comment in createIndexName
Migrations are the mechanism by which saved object indices are kept up to date with the Kibana codebase. Plugin authors can write their plugins to work with a certain set of mappings. Migrations ensure that the index actually conforms to those expectations.
* [Tests] Add http integration test setup
* Base path tests
* SSL tests
* Eslint fixes
* Remove env from config schema
* Rename folders so no_rewrite and rewrite match configs/tests
* wip
* Use self-signed cert for SSL test
* Improve basepath tests
* Run base path proxy server in dev mode for now
* Remove env from x-pack reporting config
* Remove redundant base-path tests
* Test SSL with redirectHttpFromPort set
* Test SSL with redirectHttpFromPort set
* Flesh out comments
* Remove some cruft
* Add SSL tests to CI run
* add now query parameter to sample data install endpoint
* joi returns date, so no need to create a new one
* add API functional tests for now parameter
* Support legacy use cases for passthrough
* Support generic case too
* Add legacy flag
* Do not format api field names in legacy mode
* Add basic test for legacy parameter
* Add more tests
* [Stats API] Set API field names per spec
* fix jest tests
* fix api integration test
* trash the original metrics collector
- constantly accumulating stats over time does not align with the existing behavior, which is to reset the stats to 0 whenever they are pulled
* move some logic out of the collector types combiner into inline
- change the signature of sourceKibana
* Make a new stats collector for the API
- to not clear the data when pulling via the api
- fetching is a read-only thing
* isolate data transforms for api data and upload data
* no static methods
* remove external in bytes
* remove the _stats prefix for kibana and reporting
* update jest test snapshot
* fix collector_types_combiner test
* fix usage api
* add test suite todo comment
* reduce some loc change
* roll back mysterious change
* reduce some more loc change
* comment correction
* reduce more loc change
* whitespace
* comment question
* fix cluster_uuid
* fix stats integration test
* fix bulk uploader test, combineTypes is no longer external
* very important comments about the current nature of stats represented and long-term goals
* add stats api tests with/without authentication
* fix more fields to match data model
* fix more tests
* fix jest test
* remove TODO
* remove sockets
* use snake_case for api field names
* restore accidental removal + copy/paste error
* sourceKibana -> getKibanaInfoForStats
* skip usage test on legacy endpoint
* fix api tests
* more comment
* stop putting a field in that used to be omitted
* fix the internal type to ID the usage data for bulk uploader
* correct the kibana usage type value, which is shown as-is in the API
* more fixes for the constants identifying collector types + test against duplicates
* add a comment on a hack, and a whitespace fix
* Added coverage around search and dashboard tests.
* Added tests to check for whether the resource is available. If not, return 404.
* Skipped two tests due to https://github.com/elastic/kibana/issues/19713. Added error handling for relationships API for when no result is found. Return 404.
* Applied patch file per PR.
* Applied Chris patch and tested locally. No failures.
* Removed ajv and utilised joi for schema validation.
* Fixed package.json.
* Copied package.json description from master.
* Reverted package.json and made proper edit.
In order to make the license that applies to each file as clear as possible, and to be consistent with elasticsearch, we are adding Apache 2.0 license headers to the top of each file.
Existence of this header is enforced by eslint and tslint and missing headers were automatically added in the last commit by running:
```
node scripts/eslint --fix && node scripts/tslint --fix
```
* Revert "[DOCS] Removes redundant index.asciidoc files (#19192)"
This reverts commit d11b5aae9a.
* Revert "[typescript] add typescript support for the server and browser (#19104)"
This reverts commit c6112067fc.
* Revert "Option to run kibana from build for CI (#19125)"
This reverts commit 5969860303.
* Not working proto code
* More proto code
* Work in progress
* Just go back to non interactive searching, much easier
* This should be on the server
* Revert "[@kbn/ui-framework] move ui-framework to a package (#17085)"
This reverts commit ef3339bd7a.
* Revert "Revert "[@kbn/ui-framework] move ui-framework to a package (#17085)""
This reverts commit ce9ce14e1060c426090b55a5367de3ff4329e681.
* Use BasicTable properly
* Table improvements
* Small tweaks to the table
* Improvements
* Flyout mostly working
* Remove in memory table
* Getting close
* Tweaks
* Revamping server code, still need to support editing
* Progress
* Fix export
* Updates and passing functional tests
* Better links in relationships flyout
* Add skip import option
* Fixes around importing and removing unnecessary code
* Remove tags for now
* Tests for lib/
* Some fixes
* Ensure we clear index pattern cache
* Parity with master
* Revert any changes in package.json
* Reset any changes in this file
* Move the new argumen to the end to prevent test failures
* Fix functional tests
* Add relationship tests
* Fix tests
* API integration tests for relationships
* Ensure we're properly waiting for things to happen
* Fix test issue
* Wait for the table to finish loading instead of the whole page
* Tests for objects_table
* Componentry tests
* Ensure this is grabbing the right field
* Update snapshot
* Fixes with importing index patterns
* PR feedback
* PR feedback
* PR feedback
* Update snapshot
* PR feedback
* Update snapshot
* Respect the savedObjects:perPage config
* Updates from PR feedback
* More updates from PR feedback
* Make this more efficient
* Add debugging for functional test failures
* Wait longer
* Wrap each button accessor with a retry.try
* Try wrapping this in a retry.try
* Debug
* Lets make sure it is visible
* Maybe the short timeout is affecting this - use the default timeout which should be higher and allow more time for the animation to finish
* Rewrite this per suggestions from stacey
Restructure testing with kbn-test package
- Run with multiple configs, move cli options to config
- Package-ify kbn-test
- Eventually we'll have functional_test_runner live in a package
of its own, and then this kbn-test will use that as a dependency,
probably still as a devDependency.
- Implement functional_tests_server
- Collapse single and multiple config apis into one command
Use kbn-es
Replace es_test_cluster + es_test_config with kbn/test utils
Implement new createEsTestCluster
Improve scripts, jsdocs, cli top-level tools
Lift error handling to the top level
* [Stats] Add metrics collector and stats API
* uptime_ms in the process namespace
* make uptime_in_millis always equal process.uptime_ms
* fix api integration test
* fix api integration test better
* fix false positive with last change
* change object detection, add fallbacks to return undefined
* [Server/Routes] organize status routes together with others
* remove flaky assertion
* move all the status stuff into src/server/status
* sugar on imports/exports
* fix lint/jest test
* comment and todo
* [mocha] use custom reporter for legible results in jenkins
* [jest] use custom result processor for legible results in jenkins
* [karma] enable junit output on CI
* [mocha/junitReporter] accept rootDirectory as configuration
* [jest/reporter] use reporters option added in jest 20
* [toolingLog] remove black/white specific colors
* [dev/mocha/junit] no reason for junit to be a "reporter"
* typos
* [dev/mocha/junit] use else if
* [karma/junit] use string#replace for explicitness
* [junit] use test file path as "classname"
* [ftr/mocha] no longer a "console" specific reporter
* [es][savedObjects/index] put template on each savedObject write
The elasticsearch plugin currently checks for the Kibana index on each iteration of the healthCheck, and creates it if it does not exist. This removes that step from the healthCheck and instead, before each savedObject is written to elasticsearch, ensures that Elasticsearch has the necessary index template should the write result in index creation.
The healthCheck still has the `patchKibanaIndex()` logic, which checks the type in the Kibana index and adds any missing types. This step now does nothing when the Kibana index does not exist, and does what it has always done when it does.
* [ftr] remove unused kibanaIndex service
(cherry picked from commit b1ef897dafeb6d43fe279776e44a9d793a389dc3)
* [savedObjects/integration] create now creates kibana index
* [es/healthCheck] remove use of format()
* [es/healthCheck/tests] use sinon assertions
* [es/patchKibanaIndex] test for kibana index missing behavior
* [savedObjects/errors] add tests for EsAutoCreateIndexError
* [savedObjects/config] deprecate and remove savedObjects.indexCheckTimeout config
* use dangling commas consistently
* [ui/error_auto_create_index] fix class names
* [ui/savedObjectsClient] no need to specify basePath
* [eslint] fix linting issue
Integration tests should go into the corresponding directory under
`test` and should use the appropriate testing framework that is designed
for long-running tests like those. Tests under __tests__ directories
should be fast-running unit tests only.
Integration tests should go into the corresponding directory under
test and should use the appropriate testing framework that is designed
for long-running tests like those. Tests under tests directories
should be fast-running unit tests only.
* [savedObjects/delete+bulk_get] add failing tests
* [savedObjects/delete+bulk_get] improve 404 handling
* [savedObjects/client] fix mocha tests
* [savedObjects/tests] remove extra test wrapper
* [apiIntegration/kbnServer] basically disable es healthcheck
* [savedObjects/create] add integration test
* [savedObjects/find] add failing integration tests
* [savedObjects/find] fix failing test
* [savedObjects/client] explain reason for generic 404s
* [savedObjects/get] add integration tests
* [savedObjects/find] test request with unkown type
* [savedObjects/find] add some more weird param tests
* [savedObjects/find] test that weird params pass when no index
* [savedObjects/update] use generic 404
* fix typos
* [savedObjects/update] add integration tests
* remove debugging uncomment
* [savedObjects/tests] move backup kibana index delete out of tests
* [savedObjects/tests/esArchives] remove logstash data
* [savedObjects] update test
* [uiSettings] remove detailed previously leaked from API
* [functional/dashboard] wrap check that is only failing on Jenkins
* [savedObjects/error] replace decorateNotFound with createGenericNotFound
* fix typo
* [savedObjectsClient/errors] fix decorateEsError() test
* [savedObjectsClient] fix typos
* [savedObjects/tests/functional] delete document that would normally exist
* [savedObjectsClient/tests] use sinon assertions
* [savedObjects/apiTests] create without index responds with 503 after #14202
* Re-enable filter editor suggestions
* Use search instead of include
* Escape query
* Show spinner
* Use include rather than search
* Add additional regex and explanation for parameters
* Add suggestions API test
* Make sure test actually runs
* Use send instead of query
* Fix suggestions API test
* Ensure that conflict fields can be searchable and/or aggregatable in the UI
* Use `some` instead of `reduce`
* Revert UI changes
* Attempt to convert multiple ES types to kibana types, and if they all resolve to the same kibana type, there is no conflict
* Add comma back
* Cleaner code
* Add tests
* Update failing test to handle searchable and aggregatable properly
* Add functional test to ensure similar ES types are properly merged
* Update tests
* Revert shard size
* [indexPatterns] remove support for time patterns
* Revert "[indexPatterns] remove support for time patterns"
This reverts commit 4263e37c66.
* [indexPatterns] remove ability to create time-based patterns
* [indexPattern/routes] fix export of routes for stub
* [Storage] export Storage class for testing
* [indexPatterns/unsupportedTimePatterns] add tests
* [indexPatterns] focus warning check module
* [indexPatterns/tests] fix method name
* add metion of this change to migration docs
* disable warnings by default until we have a migration tool
* prevent the warning from disapearing
* fix grammar
* enabled warnings in the tests
* [indexPatterns] support cross cluster patterns
* [vis] remove unused `hasTimeField` param
* [indexPatterns/create] fix method name in view
* [indexPatterns/create] disallow expanding with ccs
* [indexPatterns/create] field fetching is cheaper, react faster
* [indexPatterns/resolveTimePattern/tests] increase readability
* [tests/apiIntegration/indexPatterns] test conflict field output
* [indexPatterns/fieldCaps/readFieldCapsResponse] add unit tests
* [test/apiIntegration] ensure random word will not be valid
* [indexPatterns/ui/client] remove unused import
* remove use of auto-release-sinon
* [indexPatterns/create] don't allow expand when cross cluster
* [indexPatternsApiClient/stub] use angular promises
* [indexPatterns/create] add tests for base create ui behaviors
