Fix query:allowLeadingWildcards description as there are no "experimental query features" anymore.
Co-authored-by: Julia Rechkunova <julia.rechkunova@elastic.co>
Co-authored-by: Stratoula Kalafateli <efstratia.kalafateli@elastic.co>
Update the `DELETE` request to use `<space_name>`.
Thanks @Erni for the nudge!
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR adds a new find API for retrieving a subset of the user actions
for a case.
Issue: https://github.com/elastic/kibana/issues/134344
```
GET /api/cases/<case_id>/user_actions/_find
Query Paramaters
{
types?: Array of "assignees" | "comment" | "connector" | "description" | "pushed" | "tags" | "title" | "status" | "settings" | "severity" | "create_case" | "delete_case" | "action" | "alert" | "user" | "attachment"
sortOrder?: "asc" | "desc"
page?: number as a string
perPage?: number as a string
}
```
<details><summary>Example request and response</summary>
Request
```
curl --location --request GET 'http://localhost:5601/api/cases/8df5fe00-96b1-11ed-9341-471c9630b5ec/user_actions/_find?types=create_case&sortOrder=asc' \
--header 'kbn-xsrf: hello' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data-raw ''
```
Response
```
{
"userActions": [
{
"created_at": "2023-01-17T21:54:45.527Z",
"created_by": {
"username": "elastic",
"full_name": null,
"email": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"owner": "cases",
"action": "create",
"payload": {
"title": "Awesome case",
"tags": [],
"severity": "low",
"description": "super",
"assignees": [],
"connector": {
"name": "none",
"type": ".none",
"fields": null,
"id": "none"
},
"settings": {
"syncAlerts": false
},
"owner": "cases",
"status": "open"
},
"type": "create_case",
"id": "8e121180-96b1-11ed-9341-471c9630b5ec",
"case_id": "8df5fe00-96b1-11ed-9341-471c9630b5ec",
"comment_id": null
}
],
"page": 1,
"perPage": 20,
"total": 1
}
```
</details>
## Notable Changes
- Created the new `_find` route
- Created a new `UserActionFinder` class and moved the find* methods
from the `index.ts` file into there as well as the new find logic
- Extracted the transform logic to its own file since its shared between
multiple files now
- Extracted the user action related integration test functions to the
`user_action.ts` utility file
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>
…p Service
Adding some text to help clear out confusion by users reading the
`EMS_PATH_CONF` env variable as a host env var, instead of a env
variable inside the docker container. Also, mentioning the `-e` docker
flag that can be used on the docker command to start up the service.
## Summary
Summarize your PR. If it involves visual changes include a screenshot or
gif.
### Checklist
Delete any items that are not applicable to this PR.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces—unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes—Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary
This PR creates the bulk get cases internal API. The endpoint is needed
for the alerts table to be able to get all cases the alerts are attached
to with one call.
Reference: https://github.com/elastic/kibana/issues/146864
### Request
- ids: (Required, array) An array of IDs of the retrieved cases.
- fields: (Optional, array) The fields to return in the attributes key
of the object response.
```
POST <kibana host>:<port>/internal/cases/_bulk_get
{
"ids": ["case-id-1", "case-id-2", "123", "not-authorized"],
"fields": ["title"]
}
```
### Response
```
{
"cases": [
{
"title": "case1",
"owner": "securitySolution",
"id": "case-id-1",
"version": "WzIzMTU0NSwxNV0="
},
{
"title": "case2",
"owner": "observability",
"id": "case-id-2",
"version": "WzIzMTU0NSwxNV0="
}
],
"errors": [
{
"error": "Not Found",
"message": "Saved object [cases/123] not found",
"status": 404,
"caseId": "123"
},
{
"error": "Forbidden",
"message": "Unauthorized to access case with owner: \"cases\"",
"status": 403,
"caseId": "not-authorized"
}
]
}
```
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- Adds CentOS to the list of exceptions to the default value. CentOS,
Debian, and Red Hat Linux use `true`, but all other OS use `false`.
Previously, CentOS was not documented.
- Adds note regarding Chrome crash in the troubleshooting doc.
Follow up to #147526 which had to be reverted.
Resolves#127481
## Release notes
Include IP address in audit log
## Testing
1. Start Elasticsearch with trial license: `yarn es snapshot --license
trial`
2. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: console
layout:
type: json
```
3. Observe audit logs in console when interacting with Kibana:
```json
{
"@timestamp": "2022-12-13T15:50:42.236+00:00",
"message": "User is requesting [/dev/internal/security/me] endpoint",
"client": {
"ip": "127.0.0.1"
},
"http": {
"request": {
"headers": {
"x-forwarded-for": "1.1.1.1, 127.0.0.1"
}
}
}
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Resolves: #146222
This PR makes maximum number of retries of an action configurable.
Follows the same pattern we used in alerting plugin.
`xpack.actions.run.maxAttempts` as a global settings and
`xpack.actions.run.connectorTypeOverrides` to override the global
settings for specific connector types.
## Dearest Reviewers 👋
I've been working on this branch with @mistic and @tylersmalley and
we're really confident in these changes. Additionally, this changes code
in nearly every package in the repo so we don't plan to wait for reviews
to get in before merging this. If you'd like to have a concern
addressed, please feel free to leave a review, but assuming that nobody
raises a blocker in the next 24 hours we plan to merge this EOD pacific
tomorrow, 12/22.
We'll be paying close attention to any issues this causes after merging
and work on getting those fixed ASAP. 🚀
---
The operations team is not confident that we'll have the time to achieve
what we originally set out to accomplish by moving to Bazel with the
time and resources we have available. We have also bought ourselves some
headroom with improvements to babel-register, optimizer caching, and
typescript project structure.
In order to make sure we deliver packages as quickly as possible (many
teams really want them), with a usable and familiar developer
experience, this PR removes Bazel for building packages in favor of
using the same JIT transpilation we use for plugins.
Additionally, packages now use `kbn_references` (again, just copying the
dx from plugins to packages).
Because of the complex relationships between packages/plugins and in
order to prepare ourselves for automatic dependency detection tools we
plan to use in the future, this PR also introduces a "TS Project Linter"
which will validate that every tsconfig.json file meets a few
requirements:
1. the chain of base config files extended by each config includes
`tsconfig.base.json` and not `tsconfig.json`
1. the `include` config is used, and not `files`
2. the `exclude` config includes `target/**/*`
3. the `outDir` compiler option is specified as `target/types`
1. none of these compiler options are specified: `declaration`,
`declarationMap`, `emitDeclarationOnly`, `skipLibCheck`, `target`,
`paths`
4. all references to other packages/plugins use their pkg id, ie:
```js
// valid
{
"kbn_references": ["@kbn/core"]
}
// not valid
{
"kbn_references": [{ "path": "../../../src/core/tsconfig.json" }]
}
```
5. only packages/plugins which are imported somewhere in the ts code are
listed in `kbn_references`
This linter is not only validating all of the tsconfig.json files, but
it also will fix these config files to deal with just about any
violation that can be produced. Just run `node scripts/ts_project_linter
--fix` locally to apply these fixes, or let CI take care of
automatically fixing things and pushing the changes to your PR.
> **Example:** [`64e93e5`
(#146212)](64e93e5806)
When I merged main into my PR it included a change which removed the
`@kbn/core-injected-metadata-browser` package. After resolving the
conflicts I missed a few tsconfig files which included references to the
now removed package. The TS Project Linter identified that these
references were removed from the code and pushed a change to the PR to
remove them from the tsconfig.json files.
## No bazel? Does that mean no packages??
Nope! We're still doing packages but we're pretty sure now that we won't
be using Bazel to accomplish the 'distributed caching' and 'change-based
tasks' portions of the packages project.
This PR actually makes packages much easier to work with and will be
followed up with the bundling benefits described by the original
packages RFC. Then we'll work on documentation and advocacy for using
packages for any and all new code.
We're pretty confident that implementing distributed caching and
change-based tasks will be necessary in the future, but because of
recent improvements in the repo we think we can live without them for
**at least** a year.
## Wait, there are still BUILD.bazel files in the repo
Yes, there are still three webpack bundles which are built by Bazel: the
`@kbn/ui-shared-deps-npm` DLL, `@kbn/ui-shared-deps-src` externals, and
the `@kbn/monaco` workers. These three webpack bundles are still created
during bootstrap and remotely cached using bazel. The next phase of this
project is to figure out how to get the package bundling features
described in the RFC with the current optimizer, and we expect these
bundles to go away then. Until then any package that is used in those
three bundles still needs to have a BUILD.bazel file so that they can be
referenced by the remaining webpack builds.
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Part of #141780
## Release notes
Include Cross-Origin-Opener-Policy in default response headers
## Testing
Load Kibana; you should see Kibana respond with
`Cross-Origin-Opener-Policy: same-origin` header for page loads and API
requests.
The current example contains invalid characters and does not work. Furthermore does it incorrectly point towards the Elasticsearch API instead of the Kibana API. Both is addressed in this change.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Reverts elastic/kibana#147526
Reverting due to errors when using `FakeRequest`:
```
TypeError: Cannot read properties of undefined (reading 'remoteAddress')
at KibanaSocket.get remoteAddress [as remoteAddress] (/Users/shahzad-16/elastic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/src/socket.js:25:24)
at Object.log (/Users/shahzad-16/elastic/kibana/x-pack/plugins/security/server/audit/audit_service.ts:95:32)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Terminating process...
server crashed with status code 1
```
Resolves#127481
## Release notes
Include IP address in audit log
## Testing
1. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: console
layout:
type: json
```
2. Observe audit logs in console when interacting with Kibana:
```json
{
"@timestamp": "2022-12-13T15:50:42.236+00:00",
"message": "User is requesting [/dev/internal/security/me] endpoint",
"client": {
"ip": "127.0.0.1"
},
"http": {
"request": {
"headers": {
"x-forwarded-for": "1.1.1.1, 127.0.0.1"
}
}
}
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/89481
## Summary
Adds group by options to the ES query rule type, both DSL and KQL
options. This is the same limited group by options that are offered in
the index threshold rule type so I used the same UI components and rule
parameter names. I moved some aggregation building code to `common` so
they could be reused. All existing ES query rules are migrated to be
`count over all` rules.
## To Verify
* Create the following types of rules and verify they work as expected.
Verify for both DSL query and KQL query
* `count over all` rule - this should run the same as before, where it
counts the number of documents that matches the query and applies the
threshold condition to that value. `{{context.hits}}` is all the
documents that match the query if the threshold condition is met.
* `<metric> over all` rule - this calculates the specific aggregation
metric and applies the threshold condition to the aggregated metric (for
example, `avg event.duration`). `{{context.hits}}` is all the documents
that match the query if the threshold condition is met.
* `count over top N terms` - this will apply a term aggregation to the
query and matches the threshold condition to each term bucket (for
example, `count over top 10 event.action` will apply the threshold
condition to the count of documents within each `event.action` bucket).
`{{context.hits}}` is the result of the top hits aggregation within each
term bucket if the threshold condition is met for that bucket.
* `<metric> over top N terms` - this will apply a term aggregation and a
metric sub-aggregation to the query and matches the threshold condition
to the metric value within each term bucket (for example, `avg
event.duration over top 10 event.action` will apply the threshold
condition to the average value of `event.duration` within each
`event.action` bucket). `{{context.hits}}` is the result of the top hits
aggregation within each term bucket if the threshold condition is met
for that bucket.
* Verify the migration by creating a DSL and KQL query in an older
version of Kibana and then upgrading to this PR. The rules should still
continue running successfully.
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
