mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 17:28:26 -04:00
184 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Brandon Kobel
|
7943f9895d
|
Feature Controls - Read only badges (#35252) (#35758)
* Adding readonly badge to the discover application
* Dashboard get a badge
* Visualize gets a badge
* Timelion gets a badge
* Canvas gets a badge
* Maps gets a badge
* Infra gets a badge
* Graph gets a badge
* Dev Tools gets a badge
* Index Patterns get badges
* Advanced Settings get badges
* Infra and i18n are super chill friends
* Using proper i18n prefix for xpack
* Adding badges to the uptime application
* APM gets a badge!
* Adding functional tests for the discover read-only badge
* Functional tests for everyone!
* Removing unused import
* Fixing chrome service mock
* Switching from ChromeBadge | null to ChromeBadge | undefined
* Fixing canvas badge assertst
* Fixing Logs ui capabilities
* More ChromeBrand | null to ChromeBrand | undefined related changes
* Using named badges
* Revert "Using named badges"
This reverts commit
|
||
Tim Roes
|
a33da0fcd3
|
Remove notification dependency from uiSettings (#35239) (#35287)
* Remove notification dependency from uiSettings * Update API docs * Fix prettier Still had eslint not setup correctly for TS files * Change i18n id |
||
Rudolf Meijering
|
59a74b1851
|
[new-platform] Explicitly define core setup types (#34817) (#35209)
* Explicitly define BasePathSetup type
* Explicitly define I18nSetup type
* Explicitly define InjectedMetadataSetup type
* Explicitly define FatalErrorSetup type
* Fix lint errors
* Fix BasePathSetup types
* Fix lint errors
* Clarify basePath add() docs
* Upgrade api-documenter for 'do not edit' header
* Use @link references on CoreSetup to improve doc navigation
* Add comment that links to upstream api-documenter issue
* PR Comments: make FatalErrorsService.add() private
* Revert "PR Comments: make FatalErrorsService.add() private"
This reverts commit
|
||
Mikhail Shustov
|
69c5551d7d
|
[New platform] HTTP & Security integration (#34631) (#35181)
* Add Auth session * add lifecycles * add types for hapi-auth-cookie * expose interceptors from http service * add integration tests * update tests * session storage cleanup * get SessionStorage type safe * add redirect, clear cookie security integration tests * add tests for onRequest * add tests for onAuth * register Auth interceptor only once * refactor redirect tests * fix typings, change error message, test suit naming * add integration test for session validation * add tests for cookie session storage * update docs * add integration tests for onRequest * update docs * cleanup onRequest integration tests * Generate docs for AuthToolkit & OnRequestToolkit * add test for an exception in interceptor * add test OnRequest interceptors dont share request object * cleanup * address comments from @eli * improve typings for onRequest * improve plugin typings * re-generate docs * only server defines cookie path * cookieOptions.password --> cookieOptions.encryptionKey * CookieOption --> SessionStorageCookieOptions * address comments @joshdover * resolve conflict leftovers * update @types/hapi-auth-cookie deps * update docs |
||
Brandon Kobel
|
438bfa49ae
|
Feature Controls (#31652) (#35014)
* Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * GAP - Actions Restructured and Extensible (#25347) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * Goodbyyeee * Adding app actions to the reserved privileges * update snapshot * UI/API changes to facilitate disabling features within spaces (#24235) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * GAP - Actions Restructured and Extensible (#25347) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * Goodbyyeee * Adding app actions to the reserved privileges * Begin to allow features to be disabled within spaces typescript fixes additional cleanup attempt to resolve build error fix tests more ts updates fix typedefs on manage_spaces_button more import fixes test fixes move user profile into xpack common Restructure space management screen fix SASS references design edits remove Yes/No language from feature toggles fix casing removed unused imports update snapshot fix sass reference for collapsible panel Fix sass reference, take 2 * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * extract migration logic into testable unit * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * Design edits (#12) enables customize avatar popover update tests, and simplify editing space identifier remove references to user profile remove unused test suite remove unnecessary sass import removes security's capability_decorator * fix i18n * updates toggleUiCapabilities to use new feature definitions * cleanup and testing * remove references to old feature interface * readd lost spacer * adds feature route testing * additional i18n * snapshot update * copy edits * fix ml app icon * add missing export * remove unnecessary sass import * attempt to fix build * fix spaces api tests * esArchiver mapping updates * rename toggleUiCapabilities -> toggleUICapabilities * removes shared collapsible_panel component in favor of plugin-specific components * some copy and style adjustments * fix test following rebase * add lost types file * design edits * remove stale export * feature feedback; fixes cached disabled features * GAP: Security disables UI capabilities (#25809) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * First, very crappy implementation * Adding tests for disabling ui capabilities * All being set to false no longer requires a clone * Using _.mapValues makes this a lot more readable * Checking those privileges dynamically * Fixing some broken stuff when i introduced checkPrivilegesDynamically * Adding conditional plugin tests * Renaming conditional plugin to optional plugin * Fixing type errors * GAP - Actions Restructured and Extensible (#25347) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * Goodbyyeee * Adding app actions to the reserved privileges * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * GAP - Actions Restructured and Extensible (#25347) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * Goodbyyeee * Adding app actions to the reserved privileges * Update x-pack/plugins/security/server/lib/authorization/disable_ui_capabilities.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/plugins/security/server/lib/authorization/check_privileges_dynamically.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Disabling all ui capabilities if route is anonymous * More typescript * Even more typescript * Updating snapshot * Less any * More safer * Another one * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Introducing uiCapabilities, removing config providers & user profile (#25387) ## Summary Introduces the concept of "UI Capabilities", which allows Kibana applications to declare capabilities via the `uiCapabilities` injected var, and then use them client-side via the `ui/capabilities` module to inform their rendering decisions. * GAP - Actions Restructured and Extensible (#25347) * Restructure user profile for granular app privs (#23750) merging to feature branch for further development * Fixing saved object capability checking * Beginning to restructure actions to be used for all action building * Using actions to build ui capabilities * dropping /read from client-side userprovide ui capabilities * Adding some actions * Using different syntax which will hopefully help with allowing apps to specify the privileges themselves * Exposing all saved object operations in the capabilities * Using actions in security's onPostAuth * Only loading the default index pattern when it's required * Only using the navlinks for the "ui capabilities" * Redirecting from the discover application if the user can't access kibana:discover * Redirecting from dashboard if they're hidden * Features register their privileges now * Introducing a FeaturesPrivilegesBuilder * REmoving app from the feature definition * Adding navlink specific ations * Beginning to break out the serializer * Exposing privileges from the authorization service * Restructuring the privilege/resource serialization to support features * Adding actions unit tests * Adding features privileges builders tests * Adding PrivilegeSerializer tests * Renaming missed usages * Adding tests for the privileges serializer * Adding privileges tests * Adding registerPrivilegesWithCluster tests * Better tests * Fixing authorization service tests * Adding ResourceSerializer tests * Fixing Privileges tests * Some PUT role tests * Fixing read ui/api actions * Exposing features from xpackMainPlugin * Adding navlink:* to the "reserved privileges" * navlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_linknavlink -> navLink | nav_link * Automatically determining navlink based ui capabilities * Backing out changes that got left behind * Using ui actions for navlinks * Adding TODOs * Ui -> UI * Deleting unused file * Removing api: [] as it's not necessary anymore * Fixing graph saved object privileges * Privileges are now async * Pushing the asycnchronicity to the privileges "service" * Adding TODO * Providing initial value for reduce * adds uiCapabilities to test_entry_template * Adding config to APM/ML feature privileges * Commenting out obviously failing test so we can get CI greeenn * Fixing browser tests * Goodbyyeee * Adding app actions to the reserved privileges * update snapshot * Update x-pack/plugins/security/server/lib/authorization/check_privileges.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/plugins/security/server/lib/authorization/check_privileges.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Fixing type errors * Only disabling navLinks if a feature is registered for them * Adding non i18n'ed tooltip * Making metadata and tooltip optional * i18n'ing tooltips * Responding to peer review comments * GAP - Role API Structure (#26740) * Updated the role api PUT structure * Minimum is an array now * Updating get route to naively support the new structure * Renaming and removing some serialized methods * Updating Role PUT api tests * Fixing PUT jest tests * Fixing GET tests * Updating PrivilegeSerializer tests * Renaming features to feature for the GET, so we're consistent * Validating features and feature privileges * Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/plugins/security/server/lib/authorization/privilege_serializer.test.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Renaming some variables/members of the PrivilegesSerializer * Fixing privileges serializer tests * Fixing register privileges with cluster tests * Fixing the role creation for the api integration tests * Generalizing regex within the feature registry * update tests * [GAP] - Support infra features (#26955) ## Summary This PR adds the `Infrastructure` and `Logs` apps as toggle-able features via Granular Application Privileges. * [GAP] - Enables xpack_main to populate UI Capabilities (#27031) ## Summary Currently, plugins that register features via `xpackMainPlugin.registerFeature({...})` also have to specify their own `uiCapabilities` via `injectDefaultVars`, which is counter-intuitive and cumbersome. We've accepted this complexity for OSS plugins, but x-pack and third-party plugins should not have to concern themselves with such implementation details. This PR removes that requirement for x-pack and third-party plugins, so all they have to do is register features, and ensure that their feature privileges contain the appropriate UI Capabilities in the `ui` property. ### Notes This implementation intentionally does not alter UI Capabilities that come in via OSS Kibana. The capabilities defined there should be the source of truth, regardless of which distribution is used. ### Example <pre> xpackMainPlugin.registerFeature({ id: 'graph', name: 'Graph', icon: 'graphApp', <b>navLinkId: 'graph',</b> privileges: { all: { app: [], savedObject: { ... }, <b>ui: ['showWriteControls'],</b> }, read: { app: [], savedObject: { ... }, <b>ui: ['someOtherCapability],</b> } } }); </pre> Will be translated to the following UI Capabilities: ``` uiCapabilities: { navLinks: { graph: true }, graph: { showWriteControls: true, someOtherCapability: true, } } ``` xpack_main is **not responsible** for disabling UI capabilities, so this will initialize all capabilities with a value of `true`. * Hide write controls for the visualization application (#26536) * Hide write controls for the timelion application (#26537) * blacklist feature ids (#27493) * [GAP] - Support management links (#27055) ## Summary This enables management links to be toggled via UI Capabilities. ## TODO - [x] Implement spaces controls - [x] Implement security controls - [x] Testing - [ ] (optional) - dedicated display for managing management links? * Enables the feature catalogue registry to be controlled via uiCapabil… (#27945) * Enables the feature catalogue registry to be controlled via uiCapabilities * update snapshot * xpack_main populates uiCapabilities with the full list of catalogue entries * builds application privileges using catalogue actions * prevent 'catalogue' from being registered as a feature id * fix mocha tests * fix merge * update snapshots * GAP - Discover and NavLinks Functional Testing (#27414) * Adding very basic Discover tests * Ensuring discover is visible in both spaces * Parsing the DOM to determine the uiCapabilities * Making this.wreck `any` because the type definitions suck * Specifying auth when requesting ui capabilities * Beginning architecture to support permutation testing * Adding documentation of the different configurations we'd like to test * Fixing type errors * Beginning to work on the framework to test the combinations * Adding some factories * Pushing forward, not a huge fan of what I have right now * The new-new * Less weird types * Revising some things after talking with Larry * Switching from wreck to axios * Restructuring some files * Changing to a space with all features, and a space with no features * Beginning to add the security only tests * Adding a navLinksBuilder * Adding spaces only tests * Not disabling ui capabilities, or authing app/api access when we shouldn't be * Can't get rid of management * Adding more user types * More users, this is starting to really suck * Renaming some things... * Revising which users we'll test in which ui capabilities "test suite" * Adding some more user scenarios for the security_only configuration * Adding security_only user scenarios * Adding space scenarios * Fixing type errors * Udpating the readme for the spaces we're testing with * Adding global read discover security ui functional tests * Adding tests to make sure save buttons are shown/hidden The actual implementation is broken somewhere * Fixing tests after GIS is added and conflicts happened for infra * Adding discover ui capability tests * Fixing navlinks tests * Adding discover view tests * Adding UI tests for spaces being disabled * Fixing tests * Removing wreck dependency, it's garbage * Fixing typo * Updating ui capabilities README.md and adding another user for the security and spaces ui capability tests * Updating yarn lock file * Consolidation some types * Adding VisualizeDisabledSpace to the scenarios. * Fixing esArchives with .kibana_2 * Disable features optional again * Adding ensureCurrentUrl: false * Fixing space selector tests * Fixing gis privileges, they use saved objects * Fixing find's element staleness checks * Update x-pack/test/functional/es_archives/spaces/disabled_features/data.json Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Generalizing logic to get appNavLinksText * Removing duplicate license header * Adding GIS mappingst * Fixing readme * We love our future selfs * Adding GisRead scenario * Whoops * Adding note about funky syntax for use with exhaustive switches * Using a centralized list of features * Give it some time * Even more time? * Space Management - accessibility & i18n improvements (#28195) ## Summary 1) Improves the accessibility for the spaces management screen: - Customize Space Avatar popover now receives focus when toggled - Labels are more descriptive, providing context - Delete Space modal correctly focuses 2) Improves i18n support - fixed a couple hard-coded strings 3) Adds a "Features" column to the spaces grid page, which shows a brief summary of the number of features enabled for each space:  Related: https://github.com/elastic/kibana/issues/28184 * Feature Controls - spaces - functional tests (#28213) * adds tests for /api/features/v1 endpoint * update failing management test * Fc/run ui capability tests (#28362) * Running the UI Capability Tests as part of the normal CI runs * Adding uptime feature to get these tests passing * Adding features and sorting * Adding uptime security_only uiCapability tests, and fixing devTools * Fixing the docs * Fixing section panel i18n issue * Removing unused import * Updating snapshots * Feature Controls - The new new role API (#28441) These changes allow us to build the most recent UI where spaces can be "grouped" and edited at once. This changes the kibana section of the role definition to the following: ``` { kibana: [ { base: ['read'], feature: { discover: ['all'], dashboard: ['all'] }, spaces: ['*'] }, { base: ['read'], feature: { discover: ['all'], dashboard: ['all'] }, spaces: ['marketing', 'sales'] } ] } ``` If the `spaces` property isn't provided (for example if the user isn't using Spaces) then it'll default to `['*']`. There are a few other stipulations that we're implementing with this approach. 1. Each "item" can be for 1 to many spaces OR globally. We can't specify both space privileges and global privileges in the same "item" because for Spaces we translate `all` to `space_all`, etc. so we can give them different privileges, and this becomes problematic when trying to serialize/deserialize to ES. 2. Additionally, each space can only appear once. The ES model would allow this, but the role management UI becomes more complicated if we were to allow this when calculating effective privileges. * Feature Controls - Discover Save Button Test #28500 (#28501) * Adding some debug logs * Setting ui settings using the functional services * Doing the same for the spaces disabled features * Removing console.log debug statements * Using save instead of showWriteControls * Reload when adjusting visible features within the users active space (#28409) ## Summary Changes to the visible features within a space are not visible until the page is refreshed. Because of this, when a user is editing their active space, their changes are not immediately visible. This updates the space management screen to force a refresh when updating the visible features inside the active space. It also introduces a modal warning that this will happen:  * Throwing error if we register a feature after getAll is called (#29030) * Throwing error if we register a feature after getAll is called * Fixing some tests * Fixing feature route tests * Removing unused imports * Fixing merge conflict * Feature Controls - Fixing fallout of removing the legacy fallback (#29141) * Fixing use of mode.useRbacFoRequest to mode.useRbac * Fixing ui capability tests * [Feature Controls] - Fix a11y for customize feature section (#29174) ## Summary Fixes the displayed and announced text for the "show"/"hide" button of the Customize Visible Features section of the spaces management page. This was inadvertently broken following a merge from master at some point. * Feature Controls: Fixing k7's new "nav links" (#29198) * Fixing k7's new applist for feature controls * Renaming appSwitcher to appsMenu * Feature Controls - Dashboard (#29139) * Using addRouteSetupWork to implement the redirect * Using centralized addSetupWork * Fixing dashboard functional feature privileges tests * Ensuring landing page and create dashboard redirect to the home-page * Adding more tests to ensure the redirects work properly * Adding disabled space feature tests for Dashboards * Update src/ui/public/capabilities/route_setup.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update test/functional/page_objects/common_page.js Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Fixing ui capability tests after adding createNew * Removing unnecessary `return undefined` * requireUICapabilities -> requireUICapability * Updating dashboard ui capability tests * Fixing issue with the selection column appearing on Dashboards * Fixing ui capability dashboard space only tests * [FC] - Move management and catalogue entries out of privilege definition (#28354) * Moves catalogue and management entries from privilege defintion to base feature definition * Update new management menu to respect items disabled via UI Capabilities * add test * re-add index pattern entries * re-add advanced settings icon * fix tests * remove management and catalogue entries from read-only users * bring it back now y'all * catalogue updates for xpack plugins * Introduces 'grantWithBaseRead' flag * update privileges from all -> read where necessary * rename feature builder functions * catalogue and management items should cascade to privileges when not specified * add catalogue entry for uptime app * Simplify feature registrations using inherited catalogue/management entries * consolidate and fix privilege building logic * rename variables * remove debug code * remove duplicate lodash import * Update x-pack/plugins/xpack_main/server/lib/feature_registry/feature_registry.ts Co-Authored-By: legrego <lgregorydev@gmail.com> * [GAP] - Role Management UI (#26840)    --------- Edge-case scenarios: 1) [x] '*' and spaces in the same "entry" Handled via `_transform_errors` at the API level. Renders a partial read-only view in the UI. 2) [x] same space appearing in multiple "entries" Handled via `_transform_errors` at the API level. Renders a partial read-only view in the UI. 3) [x] base and feature privileges being set on the same "entry" UI does not allow this to be set, but UI is smart enough to display the correct effective privilege in this case. 4) [x] multiple base privileges set in the same "entry" UI does not allow this to be set, but UI is smart enough to apply the most permissive base privilege when displaying and performing privilege calculations. 5) [x] multiple feature privileges for the same "entry" (ml_all and ml_read) UI does not allow for this to be set, but UI is smart enough to apply the most permissive base privilege when displaying and performing privilege calculations. -------- ## Summary This updates the role management UI to allow application privileges to be customized globally and per-space. ## TODO: - [x] [First Design review](https://github.com/legrego/kibana/pull/13) - [ ] Second Design review - [ ] Copy review - [x] i18n - [x] Handle deleted/unknown features - [x] Handle deleted/unknown spaces - [x] Cleanup & refactoring - [x] Testing * [Feature Controls, Spaces] - Don't load bundles for hidden apps (#29617) ## Summary This enables the spaces plugin to issue a 404 if the requested application is disabled within the users active space. To enable this functionality, the `app` property was moved to the root feature level, with the option to override at the privilege level. This follows the same logic as `catalogue` and `management` sections. This will enable automatic app "protections" for those which only specify a single UI application, including: 1) Timelion 2) Canvas 3) Monitoring 4) APM 5) Code (when it merges) 6) GIS 7) Graph 8) ML * [Feature Controls] - Copy Edits (#29651) ## Summary Copy edits from today's session * [Feature Controls] - Rename-a-thon (#29709) * post-merge cleanup * [Feature Controls] - fixes from recent merge from master (#29826) ## Summary this pr will contain any required changes to fix CI from the recent merge from master, which includes the new k7 redesign design and dark mode * Feature Controls: Adding privileges tooltip for Dev Tools (#30008) * Adding privileges tooltip for Dev Tools * appeasing the linter * [Feature Controls] - Fix displayed space base privilege (#30133) ## Summary This fixes the displayed space base privilege when a global base privilege is influencing the dropdown control: 1) Add global 'read' privilege 2) Configure space privilege -- note default base privilege of 'read' 3) Change space base privilege to 'custom' Prior to this fix, the dropdown would not honor the change; it would keep 'read' as the selected option. * Feature Controls: Adding read privileges for advanced settings and index patterns (#30106) * Adding read privileges for advanced settings and index patterns * Fixing the tests and the actual code itself * Feature Controls - spaces not a security mechanism warning (#29853) * Changing copy for the spaces not a security mechanism warning * Using Gail's wording * [Feature Controls] - Fixes from merging from master (8.0) (#30267) * improve typings * fix xpack_main type definitions * test updates * Fc/functional test move (#29835) * Moving dashboard feature control tests to the dashboard application * Moving more tests around * Fixing some tests, no longer using uiSettings service, doesn't play nicely with spaces * Fixing esarchived issue * Renaming some files * [Feature Controls] - Readonly view for Advanced Settings using UICapabilities (#30243) ## Summary This builds on the work done in https://github.com/elastic/kibana/pull/30106 to enable a read-only mode for the Advanced Settings screen: - Input fields are disabled - Save options are not displayed - "Reset to default" options are not displayed * Feature Controls: No Wildcards (#30169) * A poorly named abstraction enters the room * No more wildcards, starting to move some stuff around * Splitting out the feature privilege builders * Using actions instead of relying on their implementation * We don't need the saved object types any longer * Explicitly specifying some actions that used to rely on wildcards * Fixing api integration test for privileges * Test fixture plugin which adds the globaltype now specifies a feature * Unauthorized to find unknown types now * Adding tests for features with no privileges * Update x-pack/test/saved_object_api_integration/security_and_spaces/apis/find.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Adding back accidentally deleted test * Using the shared XPackMainPlugin definition * Fixing privileges * [Feature Controls] - Readonly mode for Canvas using UICapabilities (#29264) ## Summary Updates Canvas to respect UICapabilities when determining if a user has read or read/write access to the application: 1) Adds a `showWriteControls` UI Capability to the Canvas's `all` privilege. 2) Removes the `setCanUserWrite` Redux action 3) Sets the initial (and only) state for `state.transient.canUserWrite` based on the UI Capability. Closes https://github.com/elastic/kibana/issues/27695 * [Feature Controls] - Readonly mode for Maps using UICapabilities (#30437) ## Summary This updates the maps application to support a read-only mode: 1) Removes selection/delete from Maps listing page 2) Removes "save" option ## TODO: - [x] Functional UI Tests * Add typings for x-pack/test to support .html imports (#30570) We're importing `ui/capabilities` from the x-pack/test project, which implicitly traverses into typings which are potentially importing .html files, so we have to teach TypeScript about it. * [Feature Controls] - Readonly mode for Timelion using UICapabilities (#30128) ## Summary Updates Timelion to respect UICapabilities when determining if a user has read or read/write access to the application. A previous PR was responsible for hiding the save controls, but this PR adds testing and the appropriate UICapabilities to the registered privilege definition. * remove stray debug code * [Feature Controls] - Updates from src/ui move to src/legacy/ui (#30678) * dummy commit * fix import path * update message identifier * fix snapshot * remove unused translations * Feature Controls: Adding read/write privileges for all applications (#30732) * Adding read/write privileges for all applications * Using default for advanced settings, canvas, maps and timelion * Update x-pack/test/ui_capabilities/security_only/tests/canvas.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/canvas.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/maps.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/maps.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/timelion.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * [Feature Controls] - Readonly mode for Visualize using UICapabilities (#29714) * enable read-only view, and enable app redirection for visualize app * Hide 'Edit Visualization' dashboard context menu item if visualizations are not editable * Hide 'Add new visualization' button if action is not available * show 'Visualize' button on discover view only if viz app is available * update tests * allow visualizations to be created, but not saved for read-only users * adds functional tests for visualize * add tests for showing/hiding the visualize button in the discover app * fix visualize tests following merge from master * tests for edit viz feature from dashboards * cleanup * remove unnecessary call to set ui settings * remove unused variables * reduce flakyness of tsvb tests * renames visualize.showWriteControls => visualize.save * fix ui capability tests * fix tests * fix references to timePicker page object * fix ts errors * adds 'editable' property to embeddable metadata instead of hardcoded capability checks * Remove unnecessary read-only considerations * revert unnecessary mock changes * [Feature Controls] - Adds missing uptime icon (#30716) ## Summary Adds missing feature icon for Uptime application. Needs https://github.com/elastic/kibana/pull/30678 to merge before this will go green. * Feature Controls - Fix branch (#31135) * Updating snapshot * Switching visualize to use the default branch of the switch * Fixing esarchive * Feature Controls - Graph (#30762) * Adding graph functional tests * Fixing Privilieges API test * Adding graph ui capability tests * Update x-pack/test/ui_capabilities/security_only/tests/graph.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/graph.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_and_spaces/tests/graph.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/security_only/tests/graph.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Update x-pack/test/ui_capabilities/spaces_only/tests/graph.ts Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Apply suggestions from code review Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Removing hard-coded constants * Adding Graph delete button * Fixing ui capability tests * [Feature Controls] - Fixes page width for spaces management screen (#30723) ## Summary Fixes the skinny spaces management screen following the redesign of the overall management area. Needs https://github.com/elastic/kibana/pull/30678 to merge before this will go green. * Feature Controls - Dev Tools (#30712) * Adding functional tests * Addingn Dev_Tools ui capability tests * Adding some api tests for console's API * Apply suggestions from code review Co-Authored-By: kobelb <brandon.kobel@gmail.com> * Moving uiCapability definition * Giving user_1 dashboard access to space_2 * Using the default in the switch for devtools/visualize * Using forceLogout, maps are leaving us on a 404 page * Fixing privileges API tests * Feature Controls- Fix Merge Conflicts (#31651) * Removing duplicated and outdated tests * Updating snapshot * Fixing type script errors * Getting rid of some double quotes * Adding saved_object:url access to discover temporarily to fix tests * Fixing dashboard tests, updating snapshots * Fixing security only find tests * Removing reduntant test * Trying to give it more time * Fixing it 20 seconds to redirect away from the create new dashboard * Feature Controls - No more route defaults for dashboards (#31767) * No more route defaults for dashboards * Verbose logging... * Changing some ciGroups to try to narrow down the problem * Revert "Verbose logging..." This reverts commit |
||
Josh Dover
|
648209981d
|
[new-platform] Improve naming and consistency in Plugin types (#34725) (#34882) | ||
|
Mikhail Shustov
|
e0afa46852
|
[New platform] Restrict import from core&plugin internals for ts files (#34688) (#34859)
* eslint-plugin-import should resolve *.ts files * no_restricted_paths adc support filename exclusion * fix linter errors * update autogenerateds docs * export directly |
||
|
Rudolf Meijering
|
8dbff4f1ef
|
Overlay core service (#34261) (#34717)
* Move ui/flyout to overlay core service * Remove onClose in parameter (use FlyoutSession instead) * Fix tests * Remove old inspector tests * Proper TODO message * Convert flyout service to class * Use correct i18n * Resolving weird merge conflicts * Fix panel plugin test * Change new platform access * Add more tests * Remove commented tests * Revert test fix (core is actually not fixed yet) * Fix tests * Expose onClose as Observable * Use jest.doMock * Fix typos * Core start() -> setup() * Remove @extends EventEmitter docs * Refactor and test flyoutservice * Fix comments: promise -> observable * Fix tests * Explicitly define OverlaySetup * Fix OverlaySetup type signature * Update Core API review file and docs * Remove redudant if case * Change FlyoutRef.onClose into a promise * Remove redundante cleanup * Use promise.finally * Remove targetDomElement from openFlyout() There's no need to support multiple targetDomElements per FlyoutService and the current implementation handled this use case incorrectly. Instead of adding complexity to try to support it, remove this from the function signature. * Fix + test to ensure child components are unmounted when a new flyover is displayed * Wrap flyover in i18n Context component * TSlint -> ESlint + test improvements |
||
|
Rudolf Meijering
|
8945b56fe2
|
[7.x] Generate core API docs from TSDoc comments (#32148) (#34421)
* Generate core API docs from TSDoc comments (#32148) * Generate core API docs from TSDoc comments Uses api-extractor and api-documenter to generate documentation for the Kibana core API from TSDoc comments in the source code. Documentation can be generated using `npm run docs:api`. I used --no-verify to ignore the following pre-commit hook errors: 1. Filenames MUST use snake_case - api-extractor.json It's possible to specify a different config file, but I prefer to keep the "standard" config file name. 2. UNHANDLED ERROR: Unable to find tsconfig.json file selecting "common/core_api_review/kibana.api.ts". Ensure one exists and it is listed in "src/dev/typescript/projects.ts" This is not a source file, so safe to ignore. * Flesh out API docs a little bit * Ignore snake_case check for api-extractor.json * Ignore api-extractor's review file from pre-commit check * Try to fix build failing by using masters yarn.lock * I'm being stupid * Found a better home for ignoring common/core_api_review/kibana.api.ts * Node script for detecting core API changes I initially wanted to include this as a precommit hook, but it takes quite long to execute (~12s) so might be better suited as a test or as part of the release process. The script currently fails because api-extractor uses an older version of typescript. * Fix tslint precommit hook ignore condition * Write tsdoc-metadata.json into ./build * Add LogMeta and ElasticSearch to exported types & docs * Suppress logging when running api-extractor from script * Improve check_core_api_changes script and run as test * Inline api-extractor.json config * Fix check_core_api_changes --help flag * LogMeta TSDoc comments * check_core_api_changes: fail if api-extractor produces warnings or errors And print more useful messages to the console * Move ignored ts files list into dev/file * Add back build:types since api-exporter cannot operate on source files * Upgrade api-exporter/documenter * api-extractor: independantly analyze core/public and core/server Becasue of https://github.com/Microsoft/web-build-tools/issues/1029 api-extractor can't use core/index.ts as a single entry point for analyzing the public and server API's as isolated namespaces. Instead we analyze these projects separately. This introduces other problems like the api review files and documentation always being called "kibana." from the package.json filename. * Build types as part of build task * Include types in typescript browser compilation * Force inclusion of core/public for building types * Fix api review filename in api-exporter errors * Update docs and API review files * Fix api-extractor warnings * Remove ts file ignored list since it's no longer necessary * Rename exported api package name * Review comments * Export other missing types * Upgrade api-documenter to latest beta * Export more missing types * Fix warnings and add api-exporter to Jenkins tests * Correctly handle runBuildTypes() exceptions * Fix another swallowed exception * Fix api-extractor warnings after master merge * Update yarn.lock * Fix erraneous type * Revert "Update yarn.lock" This reverts commit |
||
Tiago Costa
|
4213441df7
|
[7.x] Migration to Babel7 and @babel/preset-typescript (#33093) (#33889)
* chore(NA): merge and solve conflicts with 7.x branch * docs(NA): fix docs build with page headers. |
||
Spencer
|
883ea31bd2
|
[@kbn/expect] "fork" expect.js into repo (#33761) (#33794)
* [@kbn/expect] "fork" expect.js into repo * [eslint] autofix references to expect.js * [tslint] autofix all expect.js imports * now that expect.js is in strict mode, avoid reassigning fn.length |
||
Court Ewing
|
146518cab7 |
Update paths to ui, server, deprecation, plugin_discovery in src/legacy
This commit accompanies the four that precede it. Rather than squash them altogether, the four previous commits all do nothing except move files to help avoid conflicts. |
||
|
Josh Dover
|
27e5406d7a
|
Upgrade Hapi in legacy platform to v17 (#21707)
* Disable even-better monitoring * Upgrade to Hapi v15 * Upgrade to Hapi v16 * Handle optional req params correctly * Update http and kbnServer * Get mocha tests passing * Convert `reply` usages [wip] * Fix Joi and Plugin incompatibilities * Get server up and running * Get basic logging working * Fix optimizer * Fix recent route handlers * Various fixes * Fix recent routes * Upgrade wreck for async/await * Fix mocha tests * Fix joi issues * Fix xpack jest tests * Fix recent routes * Fix tests * Fix index setup * Decouple monitoring stats collection from good plugin * Update reload logging test to work * Reimplement logging with updated good plugin * Fix unit tests * Fix getConnections back * Make LegacyLoggingServer compatible with Hapi v17 * Update joi types * Fix x-pack unit tests * Remove stray debugger * Remove hapi-compat * Fix API integrations * Upgrade boom * Fix security plugin * Misc fixes * bump * Fix licensePreRoutingFactory * Fix failing integration tests * Remove unnecessary test change * Remove hapi-latest package * fx * Various cleanup * Fix race condition in oppsy events * Use elastic/good fork * Fix boom.wrap and hapi-latest changes * Simplify LegacyLoggingServer updates * package.json cleanup + test fix * yarn.lock cleanup * Change good tag * Fixes * Change return err -> throw err in routes * Fix await returns * Fix new load_data test * Make cookie security flags consistent * tmp doc * Fix types * Fix tests * Upgrade canvas plugin * Move good package to published @elastic/good one * Fix SO test * Fix logging reloading * Update APM apis * Fix error logging * Fix logging test * Convert spaces plugin * Add validation error shim * Remove 7.0 release notes * Await renderApp * Fix ccr routes * Prevent header popovers from scrolling with page content (#23850) * Fix spaces test * new yarn.lock-s * Fix spaces tests * Remove h2o2-latest * Fix @types/hapi * Upgrade InfraOps plugin * Fix package.json * Add back isSameSite: false * Upgrade beats_management plugin * Update snapshot * Fix InfraOps * Upgrade kql_telemetry * Merge upstream/master * Upgrade apm and ml * Put snapshot test back * Fx beats * Upgrade rollups * Update boom usages in new plugins |
||
Larry Gregory
|
1f38026731
|
Spaces Phase 1 (#21408)
### Review notes This is generally ready for review. We are awaiting https://github.com/elastic/elasticsearch/issues/32777 to improve handling when users do not have any access to Kibana, but this should not hold up the overall review for this PR. This PR is massive, there's no denying that. Here's what to focus on: 1) `x-pack/plugins/spaces`: This is, well, the Spaces plugin. Everything in here is brand new. The server code is arguably more important, but feel free to review whatever you see fit. 2) `x-pack/plugins/security`: There are large and significant changes here to allow Spaces to be securable. To save a bit of time, you are free to ignore changes in `x-pack/plugins/security/public`: These are the UI changes for the role management screen, which were previously reviewed by both us and the design team. 3) `x-pack/test/saved_object_api_integration` and `x-pack/test/spaces_api_integration`: These are the API test suites which verify functionality for: a) Both security and spaces enabled b) Only security enabled c) Only spaces enabled What to ignore: 1) As mentioned above, you are free to ignore changes in `x-pack/plugins/security/public` 2) Changes to `kibana/src/server/*`: These changes are part of a [different PR that we're targeting against master](https://github.com/elastic/kibana/pull/23378) for easier review. ## Saved Objects Client Extensions A bulk of the changes to the saved objects service are in the namespaces PR, but we have a couple of important changes included here. ### Priority Queue for wrappers We have implemented a priority queue which allows plugins to specify the order in which their SOC wrapper should be applied: `kibana/src/server/saved_objects/service/lib/priority_collection.ts`. We are leveraging this to ensure that both the security SOC wrapper and the spaces SOC wrapper are applied in the correct order (more details below). ### Spaces SOC Wrapper This wrapper is very simple, and it is only responsible for two things: 1) Prevent users from interacting with any `space` objects (use the Spaces client instead, described below) 2) Provide a `namespace` to the underlying Saved Objects Client, and ensure that no other wrappers/callers have provided a namespace. In order to accomplish this, the Spaces wrapper uses the priority queue to ensure that it is the last wrapper invoked before calling the underlying client. ### Security SOC Wrapper This wrapper is responsible for performing authorization checks. It uses the priority queue to ensure that it is the first wrapper invoked. To say another way, if the authorization checks fail, then no other wrappers will be called, and the base client will not be called either. This wrapper authorizes users in one of two ways: RBAC or Legacy. More details on this are below. ### Examples: `GET /s/marketing/api/saved_objects/index-pattern/foo` **When both Security and Spaces are enabled:** 1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function 2) The Security wrapper is invoked. a) Authorization checks are performed to ensure user can access this particular saved object at this space. 3) The Spaces wrapper is invoked. a) Spaces applies a `namespace` to be used by the underlying client 4) The underlying client/repository are invoked to retrieve the object from ES. **When only Spaces are enabled:** 1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function 2) The Spaces wrapper is invoked. a) Spaces applies a `namespace` to be used by the underlying client 3) The underlying client/repository are invoked to retrieve the object from ES. **When only Security is enabled:** (assume `/s/marketing` is no longer part of the request) 1) Saved objects API retrieves an instance of the SOC via `savedObjects.getScopedClient()`, and invokes its `get` function 2) The Security wrapper is invoked. a) Authorization checks are performed to ensure user can access this particular saved object globally. 3) The underlying client/repository are invoked to retrieve the object from ES. ## Authorization Authorization changes for this project are centered around Saved Objects, and builds on the work introduced in RBAC Phase 1. ### Saved objects client #### Security without spaces When security is enabled, but spaces is disabled, then the authorization model behaves the same way as before: If the user is taking advantage of Kibana Privileges, then we check their privileges "globally" before proceeding. A "global" privilege check specifies `resources: ['*']` when calling the [ES _has_privileges api.](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-has-privileges.html). Legacy users (non-rbac) will continue to use the underlying index privileges for authorization. #### Security with spaces When both plugins are enabled, then the authorization model becomes more fine-tuned. Rather than checking privileges globally, the privileges are checked against a specific resource that matches the user's active space. In order to accomplish this, the Security plugin needs to know if Spaces is enabled, and if so, it needs to ask Spaces for the user's active space. The subsequent call to the `ES _has_privileges api` would use `resources: ['space:marketing']` to verify that the user is authorized at the `marketing` space. Legacy users (non-rbac) will continue to use the underlying index privileges for authorization. **NOTE** The legacy behavior implies that those users will have access to all spaces. The read/write restrictions are still enforced, but there is no way to restrict access to a specific space for legacy auth users. #### Spaces without security No authorization performed. Everyone can access everything. ### Spaces client Spaces, when enabled, prevents saved objects of type `space` from being CRUD'd via the Saved Objects Client. Instead, the only "approved" way to work with these objects is through the new Spaces client (`kibana/x-pack/plugins/spaces/lib/spaces_client.ts`). When security is enabled, the Spaces client performs its own set of authorization checks before allowing the request to proceed. The Spaces client knows which authorization checks need to happen for a particular request, but it doesn't know _how_ to check privileges. To accomplish this, the spaces client will delegate the check security's authorization service. #### FAQ: Why oh why can't you used the Saved Objects Client instead!? That's a great question! We did this primarily to simplify the authorization model (at least for our initial release). Accessing regular saved objects follows a predictible authorization pattern (described above). Spaces themselves inform the authorization model, and this interplay would have greatly increased the complexity. We are brainstorming ideas to obselete the Spaces client in favor of using the Saved Objects Client everywhere, but that's certainly out of scope for this release. ## Test Coverage ### Saved Objects API A bulk of the changes to enable spaces are centered around saved objects, so we have spent a majority of our time automating tests against the saved objects api. **`x-pack/test/saved_object_api_integration/`** contains the test suites for the saved objects api. There is a `common/suites` subfolder which contains a bulk of the test logic. The suites defined here are used in the following test configurations: 1) Spaces only: `./spaces_only` 2) Security and spaces: `./security_and_spaces` 3) Security only: `./security_only` Each of these test configurations will start up ES/Kibana with the appropriate license and plugin set. Each set runs through the entire test suite described in `common/suites`. Each test with in each suite is run multiple times with different inputs, to test the various permutations of authentication, authorization type (legacy vs RBAC), space-level privileges, and the user's active space. ### Spaces API Spaces provides an experimental public API. **`x-pack/test/spaces_api_integration`** contains the test suites for the Spaces API. Similar to the Saved Objects API tests described above, there is a `common/suites` folder which contains a bulk of the test logic. The suites defined here are used in the following test configurations: 1) Spaces only: `./spaces_only` 2) Security and spaces: `./security_and_spaces` ### Role Management UI We did not provide any new functional UI tests for role management, but the existing suite was updated to accomidate the screen rewrite. We do have a decent suite of jest unit tests for the various components that make up the new role management screen. They're nested within `kibana/x-pack/plugins/security/public/views/management/edit_role` ### Spaces Management UI We did not provide any new functional UI tests for spaces management, but the components that make up the screens are well-tested, and can be found within `kibana/x-pack/plugins/spaces/public/views/management/edit_space` ### Spaces Functional UI Tests There are a couple of UI tests that verify _basic_ functionality. They assert that a user can login, select a space, and then choose a different space once inside: `kibana/x-pack/test/functional/apps/spaces` ## Reference Notable child PRs are listed below for easier digesting. Note that some of these PRs are built on other PRs, so the deltas in the links below may be outdated. Cross reference with this PR when in doubt. ### UI - Reactify Role Management Screen: https://github.com/elastic/kibana/pull/19035 - Space Aware Privileges UI: https://github.com/elastic/kibana/pull/21049 - Space Selector (in Kibana Nav): https://github.com/elastic/kibana/pull/19497 - Recently viewed Widget: https://github.com/elastic/kibana/pull/22492 - Support Space rename/delete: https://github.com/elastic/kibana/pull/22586 ### Saved Objects Client - ~~Space Aware Saved Objects: https://github.com/elastic/kibana/pull/18862~~ - ~~Add Space ID to document id: https://github.com/elastic/kibana/pull/21372~~ - Saved object namespaces (supercedes #18862 and #21372): https://github.com/elastic/kibana/pull/22357 - Securing saved objects: https://github.com/elastic/kibana/pull/21995 - Dedicated Spaces client (w/ security): https://github.com/elastic/kibana/pull/21995 ### Other - Public Spaces API (experimental): https://github.com/elastic/kibana/pull/22501 - Telemetry: https://github.com/elastic/kibana/pull/20581 - Reporting: https://github.com/elastic/kibana/pull/21457 - Spencer's original Spaces work: https://github.com/elastic/kibana/pull/18664 - Expose `spaceId` to "Add Data" tutorials: https://github.com/elastic/kibana/pull/22760 Closes #18948 "Release Note: Create spaces within Kibana to organize dashboards, visualizations, and other saved objects. Secure access to each space when X-Pack Security is enabled" |
||
Nathan Reese
|
78e1c8b147
|
add section about running API tests in functional test documentation (#21738)
* add section about running API tests in functional test documentation * list valid configs under more section |
||
archana
|
d1cb0a44f5
|
Deprecate test:ui commands (#21092)
* Deprecate test:ui commands |
||
Josh Soref
|
2b27fb1c5f | Fix misspellings (#19981) | ||
wispxjtu
|
0945154302
|
Code example miss single quotes (#19783) | ||
Lee Drengenberg
|
842ed488c5
|
Support 1 Kibana and 1 Elasticsearch URL as input params (#9760)
* Support 1 Kibana and 1 Elasticsearch URL as input params * Revert a previous change to test char substitution * Allow setting TEST_KIBANA_URL and TEST_ES_URL for Cloud testing * cleanup comment * Update docs * Refactor after PR review * Changes from review * fix default Kibana port to 5620 * Change es_test_config.js similar to kibana_test_server_url_parts.js |
||
Spencer
|
0fde087ca2 |
Switch to Yarn (#15485)
* switch to yarn * cleanup misc references to npm * [yarn] loosen dependency ranges so yarn will merge more deps * fix linting error now that moment uses ESM * [licenses] font-awesome changed the format of its license id * Use local yarn * Misc fixes * eslintignore built yarn file * Remove mkdir which doesn't do what it should do * Check build without upgrading lots of versions * Fix license check * too many moments * Better description * Review fixes * Lock to angular@1.6.5 * More specific version locks * Revert "More specific version locks" This reverts commit |
||
Yuri Astrakhan
|
fb583bc460 | minor indent fix (#15520) | ||
|
Spencer
|
f60639fccb
|
Upgrade to webpack 3 (#14315)
* [timelion] remove last remaining amd modules * [eslint-config-kibana] remove env.amd * [webpack] use absolute loader names * [webpack] remove absolute node_modules/ imports * [webpack] upgrade to webpack 3 * [uiFramework] make webpack build compatible with v3 * [eslint-import-resolver] use https://github.com/elastic/eslint-import-resolver-kibana/pull/21 * [baseOptimizer] don't break when pkg has no dependencies * [optimize] remove unnecessary json-loader * [optimize] remove local references to webpack vars * [eslint] upgrade to eslint-import-resolver-kibana 0.9.0 * [baseOptimizer] comment tweaks * [baseOptimizer] remove loader pinning In webpack 1 the loaders defined here were resolved relative to the file they were going to load, which meant that plugins in other projects could accidentally overwrite the loaders Kibana was trying to use, which is why the aliases were used to enforce proper resolution. In webpack 2 loaders are now resolved relative to the webpackConfig.context, which is set to the root of the Kibana repo. See https://webpack.js.org/configuration/module/#useentry * [webpack] rely on kibana webpack shims before checking node_modules |
||
|
archana
|
a01959451b |
Complete doc on running functional tests (#13035)
* Complete doc on running functional tests * Update development-functional-tests.asciidoc * Fix section title |
||
Matt Bargar
|
6193a7f318 |
Remove esAdmin mention from docs since it no longer exists (#13449)
The angular service was removed in #13000 |
||
Kim Joar Bekkelund
|
04c8812629 | [optimizer] remove support for .less extension (#12722) | ||
|
Spencer
|
1f5a9dcc83 | [optimizer] remove support for .jsx extension (#12712) | ||
Deb Adair
|
d88227eafc | [DOCS] Fixed xref to JS client doc. | ||
|
Court Ewing
|
2876f1fdf6 |
Revert "Switch to Yarn (#11637)"
This reverts commit
|
||
|
Spencer
|
71a9b8b6bc | Switch to Yarn (#11637) | ||
Gilly Barr
|
3849712d85 | Remove node resolve algorithm reference (#12023) | ||
|
debadair
|
fcf1f5089a | [DOCS] Fixed cross doc link issues. | ||
|
spalger
|
b79334b964 | [functional_test_runner] tweak doc styling | ||
|
Spencer
|
90434765c0 |
[functionalTestRunner] replace intern (#10910)
* [functional_test_runner] replace functional testing tools with custom/pluggable solution
* [functional_test_runner] Convert unit tests to commonjs format
* [functional_test_runner] Fix dashboard test in wrong mode
* [functional_test_runner] Add dashboardLandingPage test subject
* [functional_test_runner] Get Visualize page object
* [functional_test_runner] Fix outdated references
* [functional_test_runner] Fix more outdated refs
* [functional_test_runner] Remove duplicate tests
* [functional_test_runner] Improve test readability
* [functional_test_runner] 😞 So many duplicate methods
* [functional_test_runner] Move mgmt `before` outside toplevel describe
* [functional_test_runner] Settings page obj missing methods
* [functional_test_runner] Add improvements from @gammon
* [functional_test_runner] Fix return statements in async funcs
* [functional_test_runner] Move before() to correct scope
* [functional_test_runner] Add after() hooks to remove index patterns
* [functional_test_runner] Attempt to fix vertical bar chart tests
* [functional_test_runner] Clean up
* [functional_test_runner] Reinstate unit tests
* [functional_test_runner] Set default loglevel back to info
* [functional_test_runner] Replace `context`s with `describe`s
* [functional_test_runner] Better error handling
* [functional_test_runner] Add in new Tile Map tests
* Incorporate changes from master
* [functional_test_runner] validate that every test file has a single top-level suite
* Update contributing doc with link to full doc
* [docs] Spelling and grammar fixes
* docs: writing and running functional tests
* [docs] Move plugin doc to plugin area
* [docs] Housekeeping. Doc in wrong place
* [docs] Remove dup doc file
* [grunt] Only run mocha_setup when running tests, not every grunt task
|
||
|
Court Ewing
|
68baabe72f |
docs: kibana developer and known plugin docs (#9477)
* docs: kibana developer docs This is the beginning of developer-focussed docs for Kibana. The content is mostly pulled directly from the old wiki in the github repo. * docs: known plugins for 5.x |
