* Move ui/flyout to overlay core service
* Remove onClose in parameter (use FlyoutSession instead)
* Fix tests
* Remove old inspector tests
* Proper TODO message
* Convert flyout service to class
* Use correct i18n
* Resolving weird merge conflicts
* Fix panel plugin test
* Change new platform access
* Add more tests
* Remove commented tests
* Revert test fix (core is actually not fixed yet)
* Fix tests
* Expose onClose as Observable
* Use jest.doMock
* Fix typos
* Core start() -> setup()
* Remove @extends EventEmitter docs
* Refactor and test flyoutservice
* Fix comments: promise -> observable
* Fix tests
* Explicitly define OverlaySetup
* Fix OverlaySetup type signature
* Update Core API review file and docs
* Remove redudant if case
* Change FlyoutRef.onClose into a promise
* Remove redundante cleanup
* Use promise.finally
* Remove targetDomElement from openFlyout()
There's no need to support multiple targetDomElements per FlyoutService
and the current implementation handled this use case incorrectly.
Instead of adding complexity to try to support it, remove this from the
function signature.
* Fix + test to ensure child components are unmounted when a new flyover is displayed
* Wrap flyover in i18n Context component
* TSlint -> ESlint + test improvements
* Modify import APIs to handle special use cases from the previous import process
* Cleanup
* Add more examples to the docs
* Make title come from data inside file
* Fix some broken tests
* Fix docs
* Fix docs wording
* Apply PR feedback pt1
* Apply PR feedback pt2
This commit introduces two changes:
- Adds new platform plugins as a new bundles to the optimizer
- A PluginsService in the UI that loads plugin bundles, initializes plugins, and manages the lifecycle of plugins.
* Generate core API docs from TSDoc comments
Uses api-extractor and api-documenter to generate documentation for
the Kibana core API from TSDoc comments in the source code.
Documentation can be generated using `npm run docs:api`.
I used --no-verify to ignore the following pre-commit hook errors:
1. Filenames MUST use snake_case - api-extractor.json
It's possible to specify a different config file, but I prefer to keep the "standard" config file name.
2. UNHANDLED ERROR: Unable to find tsconfig.json file selecting "common/core_api_review/kibana.api.ts". Ensure one exists and it is listed in "src/dev/typescript/projects.ts"
This is not a source file, so safe to ignore.
* Flesh out API docs a little bit
* Ignore snake_case check for api-extractor.json
* Ignore api-extractor's review file from pre-commit check
* Try to fix build failing by using masters yarn.lock
* I'm being stupid
* Found a better home for ignoring common/core_api_review/kibana.api.ts
* Node script for detecting core API changes
I initially wanted to include this as a precommit hook, but it takes
quite long to execute (~12s) so might be better suited as a test or
as part of the release process.
The script currently fails because api-extractor uses an older version
of typescript.
* Fix tslint precommit hook ignore condition
* Write tsdoc-metadata.json into ./build
* Add LogMeta and ElasticSearch to exported types & docs
* Suppress logging when running api-extractor from script
* Improve check_core_api_changes script and run as test
* Inline api-extractor.json config
* Fix check_core_api_changes --help flag
* LogMeta TSDoc comments
* check_core_api_changes: fail if api-extractor produces warnings or errors
And print more useful messages to the console
* Move ignored ts files list into dev/file
* Add back build:types since api-exporter cannot operate on source files
* Upgrade api-exporter/documenter
* api-extractor: independantly analyze core/public and core/server
Becasue of https://github.com/Microsoft/web-build-tools/issues/1029
api-extractor can't use core/index.ts as a single entry point for
analyzing the public and server API's as isolated namespaces.
Instead we analyze these projects separately. This introduces other
problems like the api review files and documentation always being
called "kibana." from the package.json filename.
* Build types as part of build task
* Include types in typescript browser compilation
* Force inclusion of core/public for building types
* Fix api review filename in api-exporter errors
* Update docs and API review files
* Fix api-extractor warnings
* Remove ts file ignored list since it's no longer necessary
* Rename exported api package name
* Review comments
* Export other missing types
* Upgrade api-documenter to latest beta
* Export more missing types
* Fix warnings and add api-exporter to Jenkins tests
* Correctly handle runBuildTypes() exceptions
* Fix another swallowed exception
* Fix api-extractor warnings after master merge
* chore(NA): first changes on every package.json order to support new babel 7. chore(NA): build for kbn-pm with babel 7.
* chore(NA): patch babel register to load typescrit
* chore(NA): first working version with babel 7 replacing typescript compiler.
* fix(NA): common preset declaration in order to make it work with babel-loader.
* chore(na): organizing babel preset env package json.
* chore(NA): mocha tests enabled.
* fix(NA): typo on importing
* test(NA): majority of x-pack tests ported to use babel-jest
* fix(NA): report info button test with babel-jest.
* fix(NA): polling service tests.
* test(na): fix server plugins plugin tests.
* test(NA): batch of test fixs for jest tests under babel-jest hoisting.
* chore(NA): add babel plugin to hoist mock prefixed vars on jest tests.
* chore(NA): update yarn.lock file.
* chore(NA): tests passing.
* chore(NA): remove wrong dep
* chore(NA): fix tsconfig
* chore(NA): skip babel for ts-jest.
* chore(NA): selectively apply the plugin to strip off namespace from ts files.
* chore(NA): remove not needed changes from ts tests
* chore(NA): removed ts-jest dependency. chore(NA): migrate ts tests on x-pack to use babel-jest with the new pattern.
* chore(NA): migrate kibana default distribution typescript tests to run with babel-jest and the new test mock pattern.
* chore(NA): merge and solve conflicts with master.
* chore(NA): fix problems reported by eslint
* chore(NA): fix license ovveride for babel-plugin-mock-imports
* chore(NA): update jest integration tests for kbn pm
* chore(NA): update babel jest integration tests for kbn pm.
* test(NA): update jest integration snapshot for kbn pm.
* chore(NA): apply changes according to the pull request reviews.
* chore(NA): apply changes according to the pull request reviews.
* refact(NA): migrate jest tests to the new pattern.
* fix(NA): babel 7 polyfill in the tests bundle.
* chore(NA): restore needed step in order to compile x-pack with typescript.
* chore(NA): change build to compile typescript with babel for the oss code. chore(NA): change transpile typescript task to only transpile types for x-pack. refact(NA): common preset for babel 7
* Revert "chore(NA): change build to compile typescript with babel for the oss code. chore(NA): change transpile typescript task to only transpile types for x-pack. refact(NA): common preset for babel 7"
This reverts commit 2707d538f5.
* fix(NA): import paths for tabConfigConst
* chore(NA): fix transpiling error on browser tests
* chore(NA): simplify kbn babel preset package.
* chore(NA): migrate build to use babel transpiler for typescript excluding xpack.
* fix(NA): introduced error on test quick task.
* fix(NA): fix preset for client side code on build.
* fix(NA): build with babel
* fix(NA): negated patterns in the end.
* fix(NA): kbn_tp_sample_panel_action creation.
* fix(NA): babel typescript transform plugin workaround when exporting interface name.
* refact(NA): remove not needed type cast to any on jest test.
* docs(NA): add developement documentation about jest mocks test pattern.
* chore(NA): missing unmerged path.
* chore(NA): fix jest tests for template.
* [CCR] Client integration tests (table lists) (#33525)
* Force user to re-authenticate if token refresh fails with `400` status code. (#33774)
* Improve performance of the Logstash Pipeline Viewer (#33793)
Resolves#27513.
_This PR is a combination of #31293 (the code changes) + #33570 (test updates). These two PRs were individually reviewed and merged into a feature branch. This combo PR here simply sets up the merge from the feature branch to `master`._
Summary of changes, taken from #31293:
## Before this PR
The Logstash Pipeline Viewer UI would make a single Kibana API call to fetch all the information necessary to render the Logstash pipeline. This included information necessary to render the detail drawer that opens up when a user clicks on an individual vertex in the pipeline.
Naturally, this single API call fetched _a lot_ of data, not just from the Kibana server but also, in turn, from Elasticsearch as well. The "pro" of this approach was that the user would see instantaneous results if they clicked on a vertex in a pipeline and opened the detail drawer for that vertex. The "cons" were the amount of computation Elasticsearch had to perform and the amount of data being transferred over the wire between Elasticsearch and the Kibana server as well as between the Kibana server and the browser.
## With this PR
This PR makes the Kibana API call to fetch data necessary for **initially** rendering the pipeline — that is, with the detail drawer closed — much lighter. When the user clicks on a vertex in a pipeline, a second API call is then made to fetch data necessary for the detail drawer.
## Gains, by the numbers
Based on a simple, 1-input, 1-filter, and 1-output pipeline.
* Before this PR, the Elasticsearch `logstash_stats` API responses (multiple calls were made using the `composite` aggregation over the `date_histogram` aggregation) generated a total of 1228 aggregation buckets (before any `filter_path`s were applied but across all `composite` "pages"). With this PR, the single `logstash_stats` API response (note that this is just for the initial rendering of the pipeline, with the detail drawer closed) generated 12 buckets (also before any `filter_path`s were applied). That's a **99.02% reduction** in number of buckets.
* Before this PR, the Elasticsearch `logstash_stats` API responses added up to 70319 bytes. With this PR, the single `logstash_stats` API response for the same pipeline is 746 bytes. That's a **98.93% reduction** in size.
* Before this PR, the Elasticsearch `logstash_state` API response was 7718 bytes. With this PR, the API response for the same pipeline is 2328 bytes. That's a **69.83% reduction** in size.
* Before this PR the Kibana API response was 51777 bytes. With this PR, the API response for the same pipeline is 2567 bytes (again, note that this is just for the initial rendering of the pipeline, with the detail drawer closed). That's a **95.04% reduction** in size.
* [Maps] split settings into layer and source panels (#33788)
* [Maps] split settings into layer and source panels
* fix SCSS import
* [env] exit if starting as root (#21563)
* [env] exit if starting as root
* fix windows
* s/--allow-root
* Typescript sample panel action (#33602)
* Typescript sample panel action
* Update EUI version to match main cabana version
* update yarn.lock
* add back typings include
* use correct relative path
* Home page "recent links" should communicate saved object type #21896 (#33694)
* adds object type for screen order
* adds object type for pointer hovering
* Update src/legacy/ui/public/chrome/directives/header_global_nav/components/header.tsx
Co-Authored-By: rockfield <philipp.b@ya.ru>
* [@kbn/expect] "fork" expect.js into repo
* [eslint] autofix references to expect.js
* [tslint] autofix all expect.js imports
* now that expect.js is in strict mode, avoid reassigning fn.length
* Add first draft of uptime docs.
* Add first draft of uptime docs.
* Implement PR feedback.
* Add role info to uptime docs
* Impelement some more PR feedback.
* Attempt to add more copy focusing on the 'why' of each piece of the docs.
* uptime docs: grammar, formatting, order
* move location of uptime docs
* Implement more PR feedback.
* Add screenshots.
This adds the new source configuration ui to the documentation of both the Infrastructure UI and the Logs UI. It also removes the `BETA` badge to reflect the status change.
fixeselastic/kibana#31124
Co-authored-by: Brandon Morelli <bmorelli25@gmail.com>
* Reporting: register a single ESQueue worker, simultaneous poll for all export types
* more typescript
* PLUGIN_ID constant
* move down log / internal state
* fix tests
* jest test for createWorker
* assert arguments to queue.registerWorker
* logic move
* make ts ignore specific
* minor reversion to fix some esqueue worker tests
* cherry-pick fd2bc9b
* Return errors when objects are missing references
* Fix import tslint
* Fix failing jest tests
* Fix x-pack integration tests
* Rename ensureReferencesExist to validateReferences
* Fix test naming to use validateReferences
* Update resolve_import_errors API to reflect new type attribute
* Validate references for search type as well
* Clarify comment
* Apply PR feedback
* Modify saved object bulkGet to be able to filter fields
* Apply PR feedback
* Add link to Maps docs in Kibana getting started with sample data
* Update docs/getting-started/add-sample-data.asciidoc
Co-Authored-By: nreese <reese.nathan@gmail.com>
* [Maps] getting started documentation
* [DOCS] Edits for Maps Getting Started
* [DOCS] Incorporates review comments
* [DOCS] Rewrite section on sample data
* [DOCS] Adds link to add sample data page
* Initial work
* Add overwrite and skip support
* Cleanup and add tests
* Move code into separate files
* Remove reduce
* New API parameters
* Add support to replace references
* Add better error handling
* Add spaces tests
* Fix return type in collectSavedObjects
* Apply PR feedback
* Update jest tests due to jest version upgrade
* Add docs
* WIP
* Split import routes pt1
* Add tests
* Fix broken tests
* Update docs and fix broken test
* Add successCount to _import endpoint
* Make skip by default in resolution API
* Update tests for removal of skips
* Add back support for skips
* Add success count
* Add back resolve import conflicts x-pack tests
* Remove writev from filter stream
* Delete _mock_server.d.ts file
* Rename lib/import_saved_objects to lib/import
* Filter records at stream level for conflict resolution
* Update docs
* Add tests to validate documentation
* Return 200 instead of other code for errors, include errors array
* Change [] to {}
* Apply PR feedback
* Fix import object limit to not return 500
* Change some wording in the docs
* Fix status code
* Apply PR feedback pt2
* Lower maxImportPayloadBytes to 10MB
* Add unknown type tests for import
* Add unknown type tests for resolve_import_conflicts
* Fix tslint issues
* Prefer third-party plugin development in plugins instead of kibana-extra
* Fix failing recursive directory creation and removal
* Add new built version of kbn-pm
* Initial work for new server side export API
* Revert UI changes, API only in this PR
* Remove whitespace at top of export.asciidoc
* Add tests around limitations
* Add comment
* Convert some files to typescript
* Move Boom.boomify to where the errors are created
* Use Boom.badRequest for now
* Fix lint issue
* Move files
* Update tests
* Add functional test
* Export all documents by default
* Update test assertions
* Use ~10000 saved objects in export api integration test
* Convert route to typescript, add content-type response header
* Move some tests to api_integration
* Use new sort and rename functions/variables
* Move tests to API integration
* Cleanup and finalize api integration tests
* Make type or objects required but not both in the same call
* Add spaces / security tests
* Add noTypeOrObjects to security / spaces tests
* Use json-stable-stringify and add tests for export ordering
* Address self feedback, add without kibana index test
* Only allow export API to export index-pattern, dashboard, visualization and search type objects
* Make import export size configurable and fix broken tests
* Fix broken tests
* Move test config to mock server
* Add more typescript types instead of using any
* Convert request from GET to POST
* Fix saved objects mixin test
* Update src/legacy/server/saved_objects/lib/export.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Apply PR feedback
* Fix lint error
* Update test snapshots due to jest upgrade
* Add error handling for bulkGet
* Split export API into two endpoints
* Update src/legacy/server/saved_objects/routes/export_by_type.test.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update docs/api/saved-objects/export_by_type.asciidoc
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update docs/api/saved-objects/export_by_type.asciidoc
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Update src/legacy/server/saved_objects/routes/export_objects.test.ts
Co-Authored-By: mikecote <mikecote@users.noreply.github.com>
* Apply PR feedback
* MockServer -> createMockServer
* Revert back to single API
* Re-apply PR feedback
* [Docs/Reporting] Fix Troubleshooting page issues, Add section in Get Started
Close https://github.com/elastic/kibana/issues/31518
* update some gs headings
* Kibana doesn't download Chromium!
* Note about verbose logging
* sections
* full path
* has been
It might occur that users hit the `Caught error spawning Chromium` error.
This is usually linked to missing font packages on the system.
This sub-list has been extracted from [the puppeteer troubleshooting page](https://github.com/GoogleChrome/puppeteer/blob/master/docs/troubleshooting.md) and as a follow up of the issue https://github.com/elastic/kibana/issues/28123
Let me know if I should review the package list or the text.
I might also add directions on how to check Chromium debug logs if necessary.
* Allow select settings to specify labels for their values
* Rename kuery setting to KQL
* Change docs for KQL setting
* Add warnings for unused options
* Address review
* Remove chinese translation for modified string
* Fix translations again (... should have pulled first)
* Remove old chinese translation
This commit accompanies the four that precede it. Rather than squash
them altogether, the four previous commits all do nothing except move
files to help avoid conflicts.
* csp: warn legacy browsers that do not support CSP
The new csp.warnLegacyBrowsers configuration is enabled by default, and
it shows a warning message to any legacy browser when they access Kibana
to indicate that they are not enforcing the basic security protections
of the current install.
The protections check is the same as csp.strict, so this feature is
designed to be used as an alternative to aid in BWC. When csp.strict is
enabled, warnLegacyBrowsers is effectively ignored.
* fix ChromeService tests
* more test fixes
* csp injectvars in legacy test bundle
* update warning text and make it translatable
* no need to warn in legacy browser unit tests
* tests for chrome legacy browser warning
* document legacy browser warning breaking change
* update csp warning toast message
* add period, remove dev code
* Removing deprecated xpack.monitoring.report_stats setting
* Remove from docs
* Update check in xpack_main plugin to not look at monitoring settings any more
A content security policy is a great addition to the protections built
into Kibana, but it's not effective in older browsers (like IE11) that
do not enforce the policy.
When CSP strict mode is enabled, right before the Kibana app is
bootstrapped, a basic safety check is performed to see if "naked" inline
scripts are rejected. If inline scripting is allowed by the browser,
then an error message is presented to the user and Kibana never attempts
to bootstrap.
* csp: nonce and unsafe-eval for scripts
To kick things off, a rudimentary CSP implementation only allows
dynamically loading new JavaScript if it includes an associated nonce
that is generated on every load of the app.
A more sophisticated content security policy is necessary, particularly
one that bans eval for scripts, but one step at a time.
* img-src is not necessary if the goal is not to restrict
* configurable CSP owned by security team
* smoke test
* remove x-content-security-policy
* document csp.rules
* fix tsconfig for test
* switch integration test back to regular js
* stop looking for tsconfig in test
* grrr, linting errors not caught by precommit
* docs: people -> you for consistency sake
Co-Authored-By: epixa <court@epixa.com>
* Add new references attribute to saved objects
* Add dual support for dashboard export API
* Use new relationships API supporting legacy relationships extraction
* Code cleanup
* Fix style and CI error
* Add missing spaces test for findRelationships
* Convert collect_references_deep to typescript
* Add missing trailing commas
* Fix broken test by making saved object API consistently return references
* Fix broken api integration tests
* Add comment about the two TS types for saved object
* Only return title from the attributes returned in findRelationships
* Fix broken test
* Add missing security tests
* Drop filterTypes support
* Implement references to search, dashboard, visualization, graph
* Add index pattern migration to dashboards
* Add references mapping to dashboard mppings.json
* Remove findRelationships from repository and into it's own function / file
* Apply PR feedback pt1
* Fix some failing tests
* Remove error throwing in migrations
* Add references to edit saved object screen
* Pass types to findRelationships
* [ftr] restore snapshots from master, rely on migrations to add references
* [security] remove `find_relationships` action
* remove data set modifications
* [security/savedObjectsClient] remove _getAuthorizedTypes method
* fix security & spaces tests to consider references and migrationVersion
* Add space id prefixes to es_archiver/saved_objects/spaces/data.json
* Rename referenced attributes to have a suffix of RefName
* Fix length check in scenario references doesn't exist
* Add test for inject references to not be called when references array is empty or missing
* some code cleanup
* Make migrations run on machine learning data files, fix rollup filterPath for savedSearchRefName
* fix broken test
* Fix collector.js to include references in elasticsearch response
* code cleanup pt2
* add some more tests
* fix broken tests
* updated documentation on referencedBy option for saved object client find function
* Move visualization migrations into kibana plugin
* Update docs with better description on references
* Apply PR feedback
* Fix merge
* fix tests I broke adressing PR feedback
* PR feedback pt2
* Allow passing a default operator to use on find operations
* Default operator to OR like elasticsearch to avoid passing null
* Add dashboard search tests
* Make search_operator optional
* Fix query_params.test.js
* Include searchOperator in saved_object_finder
* Apply PR feedback
* Rename searchOperator to defaultSearchOperator
* [dashboard+gis] remove dark mode options
* [reporting/extract] restore fixtures
* remove mentions of old `.theme-dark` class
* import panel styles from panel/_index.scss
* Remove mode.initialize and change useRbacForRequest to useRbac
* Updating saved object api tests
* Fixing spaces api integration tests
* Removing unused "expect legacy forbidden" declarations and imports
* Updating docs
* Update docs/migration/migrate_7_0.asciidoc
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Update docs/migration/migrate_7_0.asciidoc
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Updating comment that mentions the scenario when we aren't using RBAC
* Adding back the authorization section of the config
When a config setting is marked as unused using the deprecations, it's
still required to show up in the config declarations so an error isn't
thrown on startup.
* Adding note about watcher jobs
* Update docs/migration/migrate_7_0.asciidoc
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* [DOCS] Adds documentation for index lifecycle policies
* [DOCS] Updated image for policy options to show all menu items
* Update create-policy.asciidoc
* [DOCS] Incorporated review comments on hot and warm phase
* [DOCS] Additional changes to warm phase
* [DOCS] Removed the word open in the warm phase
* Updating docs
- Configure data sources via config/kibana.yml
- Fix typo
* Adding timestamp override
* Documenting all settings
* Removing changes from a different PR
* Add settings docs
* Adding all the settings
* Updating docs based on feed back from PR
* Adding periods to lines; changing disabled to present tense
* Updates to docs per PR
* Updates per PR
* Fixes per PR
* Disabling TLSv1 from being enabled by default
* Adding breaking change docs
* Update docs/migration/migrate_7_0.asciidoc
Co-Authored-By: kobelb <brandon.kobel@gmail.com>
* Using the schema defaults
* Fixing type definitions
* Adjusting logic for no supported protocols
* Adding minSize: 1 to the supported protocols
* [APM] Fixes#24204 by adding default configs to kibana.yml
* [APM] fixes#25940 by adding APM config to control top transation group agg size
* Revert the default configs added to kibana.yml and define joi validations for `xpack.apm.ui.transactionGroupBucketSize`
* fix broken test for incorrect config
* [APM] add docs entry for `xpack.apm.ui.transactionGroupBucketSize`
* Add a note about index migrations to the kibana setup docs
* Tewak the migrations asciidocs for clarity
* docs: refine saved object migration details
Breaking down the migration process into sections helps people find
and link to relevant information more easily.
The focus is on ongoing maintenance of Kibana, whereas the initial new
experience in 6.5.0 is treated as a note of clarification.
Error handling should be expanded in the future to include details about
specific known error cases.
* Adding option to always present the certificate when connecting to ES
* Updating docs
* Adding some more tests
* Adding alwaysPresentCertificate option to monitoring
* Limiting the number of spaces
* Adding docs
* Adding forgotten fixture
* Fixing tslint error
* Adjusting docs
* Changing test descriptions from Boom.badRequest to bad request
* Updating error snapshots
### Review notes
This is generally ready for review. We are awaiting https://github.com/elastic/elasticsearch/issues/32777 to improve handling when users do not have any access to Kibana, but this should not hold up the overall review for this PR.
This PR is massive, there's no denying that. Here's what to focus on:
1) `x-pack/plugins/spaces`: This is, well, the Spaces plugin. Everything in here is brand new. The server code is arguably more important, but feel free to review whatever you see fit.
2) `x-pack/plugins/security`: There are large and significant changes here to allow Spaces to be securable. To save a bit of time, you are free to ignore changes in `x-pack/plugins/security/public`: These are the UI changes for the role management screen, which were previously reviewed by both us and the design team.
3) `x-pack/test/saved_object_api_integration` and `x-pack/test/spaces_api_integration`: These are the API test suites which verify functionality for:
a) Both security and spaces enabled
b) Only security enabled
c) Only spaces enabled
What to ignore:
1) As mentioned above, you are free to ignore changes in `x-pack/plugins/security/public`
2) Changes to `kibana/src/server/*`: These changes are part of a [different PR that we're targeting against master](https://github.com/elastic/kibana/pull/23378) for easier review.
## Saved Objects Client Extensions
A bulk of the changes to the saved objects service are in the namespaces PR, but we have a couple of important changes included here.
### Priority Queue for wrappers
We have implemented a priority queue which allows plugins to specify the order in which their SOC wrapper should be applied: `kibana/src/server/saved_objects/service/lib/priority_collection.ts`. We are leveraging this to ensure that both the security SOC wrapper and the spaces SOC wrapper are applied in the correct order (more details below).
### Spaces SOC Wrapper
This wrapper is very simple, and it is only responsible for two things:
1) Prevent users from interacting with any `space` objects (use the Spaces client instead, described below)
2) Provide a `namespace` to the underlying Saved Objects Client, and ensure that no other wrappers/callers have provided a namespace. In order to accomplish this, the Spaces wrapper uses the priority queue to ensure that it is the last wrapper invoked before calling the underlying client.
### Security SOC Wrapper
This wrapper is responsible for performing authorization checks. It uses the priority queue to ensure that it is the first wrapper invoked. To say another way, if the authorization checks fail, then no other wrappers will be called, and the base client will not be called either. This wrapper authorizes users in one of two ways: RBAC or Legacy. More details on this are below.
### Examples:
`GET /s/marketing/api/saved_objects/index-pattern/foo`
**When both Security and Spaces are enabled:**
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Security wrapper is invoked.
a) Authorization checks are performed to ensure user can access this particular saved object at this space.
3) The Spaces wrapper is invoked.
a) Spaces applies a `namespace` to be used by the underlying client
4) The underlying client/repository are invoked to retrieve the object from ES.
**When only Spaces are enabled:**
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Spaces wrapper is invoked.
a) Spaces applies a `namespace` to be used by the underlying client
3) The underlying client/repository are invoked to retrieve the object from ES.
**When only Security is enabled:**
(assume `/s/marketing` is no longer part of the request)
1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function
2) The Security wrapper is invoked.
a) Authorization checks are performed to ensure user can access this particular saved object globally.
3) The underlying client/repository are invoked to retrieve the object from ES.
## Authorization
Authorization changes for this project are centered around Saved Objects, and builds on the work introduced in RBAC Phase 1.
### Saved objects client
#### Security without spaces
When security is enabled, but spaces is disabled, then the authorization model behaves the same way as before: If the user is taking advantage of Kibana Privileges, then we check their privileges "globally" before proceeding. A "global" privilege check specifies `resources: ['*']` when calling the [ES _has_privileges api.](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html). Legacy users (non-rbac) will continue to use the underlying index privileges for authorization.
#### Security with spaces
When both plugins are enabled, then the authorization model becomes more fine-tuned. Rather than checking privileges globally, the privileges are checked against a specific resource that matches the user's active space. In order to accomplish this, the Security plugin needs to know if Spaces is enabled, and if so, it needs to ask Spaces for the user's active space. The subsequent call to the `ES _has_privileges api` would use `resources: ['space:marketing']` to verify that the user is authorized at the `marketing` space. Legacy users (non-rbac) will continue to use the underlying index privileges for authorization. **NOTE** The legacy behavior implies that those users will have access to all spaces. The read/write restrictions are still enforced, but there is no way to restrict access to a specific space for legacy auth users.
#### Spaces without security
No authorization performed. Everyone can access everything.
### Spaces client
Spaces, when enabled, prevents saved objects of type `space` from being CRUD'd via the Saved Objects Client. Instead, the only "approved" way to work with these objects is through the new Spaces client (`kibana/x-pack/plugins/spaces/lib/spaces_client.ts`).
When security is enabled, the Spaces client performs its own set of authorization checks before allowing the request to proceed. The Spaces client knows which authorization checks need to happen for a particular request, but it doesn't know _how_ to check privileges. To accomplish this, the spaces client will delegate the check security's authorization service.
#### FAQ: Why oh why can't you used the Saved Objects Client instead!?
That's a great question! We did this primarily to simplify the authorization model (at least for our initial release). Accessing regular saved objects follows a predictible authorization pattern (described above). Spaces themselves inform the authorization model, and this interplay would have greatly increased the complexity. We are brainstorming ideas to obselete the Spaces client in favor of using the Saved Objects Client everywhere, but that's certainly out of scope for this release.
## Test Coverage
### Saved Objects API
A bulk of the changes to enable spaces are centered around saved objects, so we have spent a majority of our time automating tests against the saved objects api.
**`x-pack/test/saved_object_api_integration/`** contains the test suites for the saved objects api. There is a `common/suites` subfolder which contains a bulk of the test logic. The suites defined here are used in the following test configurations:
1) Spaces only: `./spaces_only`
2) Security and spaces: `./security_and_spaces`
3) Security only: `./security_only`
Each of these test configurations will start up ES/Kibana with the appropriate license and plugin set. Each set runs through the entire test suite described in `common/suites`. Each test with in each suite is run multiple times with different inputs, to test the various permutations of authentication, authorization type (legacy vs RBAC), space-level privileges, and the user's active space.
### Spaces API
Spaces provides an experimental public API.
**`x-pack/test/spaces_api_integration`** contains the test suites for the Spaces API. Similar to the Saved Objects API tests described above, there is a `common/suites` folder which contains a bulk of the test logic. The suites defined here are used in the following test configurations:
1) Spaces only: `./spaces_only`
2) Security and spaces: `./security_and_spaces`
### Role Management UI
We did not provide any new functional UI tests for role management, but the existing suite was updated to accomidate the screen rewrite.
We do have a decent suite of jest unit tests for the various components that make up the new role management screen. They're nested within `kibana/x-pack/plugins/security/public/views/management/edit_role`
### Spaces Management UI
We did not provide any new functional UI tests for spaces management, but the components that make up the screens are well-tested, and can be found within `kibana/x-pack/plugins/spaces/public/views/management/edit_space`
### Spaces Functional UI Tests
There are a couple of UI tests that verify _basic_ functionality. They assert that a user can login, select a space, and then choose a different space once inside: `kibana/x-pack/test/functional/apps/spaces`
## Reference
Notable child PRs are listed below for easier digesting. Note that some of these PRs are built on other PRs, so the deltas in the links below may be outdated. Cross reference with this PR when in doubt.
### UI
- Reactify Role Management Screen: https://github.com/elastic/kibana/pull/19035
- Space Aware Privileges UI: https://github.com/elastic/kibana/pull/21049
- Space Selector (in Kibana Nav): https://github.com/elastic/kibana/pull/19497
- Recently viewed Widget: https://github.com/elastic/kibana/pull/22492
- Support Space rename/delete: https://github.com/elastic/kibana/pull/22586
### Saved Objects Client
- ~~Space Aware Saved Objects: https://github.com/elastic/kibana/pull/18862~~
- ~~Add Space ID to document id: https://github.com/elastic/kibana/pull/21372~~
- Saved object namespaces (supercedes #18862 and #21372): https://github.com/elastic/kibana/pull/22357
- Securing saved objects: https://github.com/elastic/kibana/pull/21995
- Dedicated Spaces client (w/ security): https://github.com/elastic/kibana/pull/21995
### Other
- Public Spaces API (experimental): https://github.com/elastic/kibana/pull/22501
- Telemetry: https://github.com/elastic/kibana/pull/20581
- Reporting: https://github.com/elastic/kibana/pull/21457
- Spencer's original Spaces work: https://github.com/elastic/kibana/pull/18664
- Expose `spaceId` to "Add Data" tutorials: https://github.com/elastic/kibana/pull/22760Closes#18948
"Release Note: Create spaces within Kibana to organize dashboards, visualizations, and other saved objects. Secure access to each space when X-Pack Security is enabled"
Allows Kibana users to configure the max_concurrent_shard_requests param used by Kibana when sending _msearch requests. Exposes the config as an advanced setting. By default we won't send the param at all, relying on the ES default instead.
* [config] logging.useUTC -> logging.timezone
* docs
* [env] exit if starting as root
* fix import path
* add link and timezone example
* Revert "[env] exit if starting as root"
This reverts commit f6e9090833a5180fe360a9ff54543c37c0ca3a58.
GitHub's asciidoc parser handles `*` characters fine but markdown thinks its italicizing unless you escape the first asterisk. Subsequent asterisks on the same line can stay unescaped and should work fine.
* Add clarification for server.ssl.supportedProtocols setting
Added clarification that the setting has to be an array. With the current wording you can assume that you can just add it as a simple string.
* Update settings.asciidoc
* Update settings.asciidoc
extra dot
* [DOCS] New tutorial for exploring Kibana with sample data set
* [DOCS] Incorporated review comments into sample tutorial
* [DOCS] GS: Edits for consistency
* Beginning to work on the role management APIs. Added docs for GET
* Adding PUT docs
* Adding PUT details
* Adding delete docs
* Fixing linking
* Adding Kibana privileges section
* Fixing dashboard only mode docs
* Fixing a few more references to managing roles
* Beginning to work on authorization docs, might be moving some to
stack-docs
* Collapsing authorization description in the kibana privileges page
* Adding audit logging section
* Revising the language on the Kibana role management section
* Splitting back out the auth/privileges and adding legacy fallback
details
* Revising language around impact of disabling security
* Changing Kibana to {kib} and Elasticsearch to {es}
* Beginning to work on developer centric docs
* Fixing some formatting, adding some diagrams
* Adding note about the role management APIs
* Adding overview, fixing small syntax issues
* Fixing chunk name for transitioning to application privileges
* Adjusting tone for the authorization introduction
* Changing the tone and structure of the RBAC docs
* Deleting blog stuff after refactoring
* Addressing first round of peer review comments
* Fixing endpoints links
* Peer review suggested edits
* Addressing other PR feedback
This is a breaking change that removes the
`xpack.monitoring.node_resolver` setting. This setting was deprecated in
5.6, and in 6.1 the setting was limited to `uuid` explicitly. Beginning in
7.0, after this is merged, the setting will no longer exist.
* add _bulk_create rest endpoint
* document bulk_create api
* provide 409 status code when conflicts exist
* add overwrite and version to documenation
* clean up assert statements and 2 places where bulkCreate is getting used with new output
* properly stub bulkCreate return
* remove version of documenation example
The float tags are required here to keep the subheadings on the same
page in the website. And, since link tags are global, we need to give them unique
names to avoid cross-linking errors.
These changes need to be backported to all 6.X releases.
Adding new documentation about the APM UI and definitions of terminology and more.
* Images added to docs
* Adding Using APM UI page contents
* Including new APM UI page
* Updated Watcher copy
* Copy feedback from @gchaps