Closes#174953
## Summary
Adds "Access" section to serverless management page, with cards for
custom roles, organization members, and API keys. These new cards are
gated by the `roleManagementEnabled` feature flag (see #176200).
<img width="1339" alt="Screenshot 2024-03-11 at 10 17 06 PM"
src="f2bb02f3-4154-4f2a-b07f-4c0013429a0c">
### API keys card
Access to this card is gated by API key privileges - any user with
permission to access the API keys management page will see this card.
### Custom roles card
Access to this card is gated by both the feature flag and role
privileges - any user with permission to access the Roles management
page will see this card if the feature flag is enabled.
### Organization members card
Access to this card is gated by only the feature flag. **Currently there
is no way to query if a user has access to manage the cloud
organization.**
### Implementation Notes:
- Previously, only the serverless search solution offered a link to the
API keys management page from the left navigation bar and the landing
page. This PR will provide access to the API keys management page in all
3 serverless solutions, via the management cards page, given the user
has the minimum API key permissions required.
- In order to check the value of the feature flag from outside of the
security plugin, I have exposed an authz service from the security
plugin (following the paradigm of the authc service). This can be
removed once the feature flag is no longer needed.
- The `Organization members` card is an "extension" navigation card
because it is not tied to an actual application. It provides a link to
the cloud organization. This is implemented in the serverless plugin,
alongside a `getNavigationCards` helper function, to be commonly located
for use in the three serverless solutions plugins. Due to dependency
restrictions, each solution plugin passes the feature flag value from
the security plugin to this function - a complication that will be
removed once the feature flag is no longer needed.
## Manual Testing
1. In the `kibana.dev.yml` file, add the following settings. This
enables the role management feature flag, and provides cloud URLs for
the `Manage organization members` card.
```
xpack.security.roleManagementEnabled: true
xpack.cloud.base_url: 'https://cloud.elastic.co'
xpack.cloud.organization_url: '/account/members'
```
2. Add a test user without access to API keys to the serverless search
`roles.yml` file. Example: Copy the viewer role, and remove the
`manage_own_api_key` cluster privilege.
```
tester:
cluster: ['read_pipeline']
indices:
- names:
- '*'
privileges:
- 'read'
- 'view_index_metadata'
applications:
- application: 'kibana-.kibana'
privileges:
- 'read'
resources:
- '*'
```
3. Start Elasticsearch and Kibana in serverless mode and SSL enabled (to
access the test user selector). Examples:
```
yarn es --serverless=es --ssl
yarn start --serverless=es --ssl
```
4. Navigate to Kibana (use `https` as SSL is enabled), and log in as the
`Admin` test user.
5. Navigate to the Management page using the side navigation bar. Verify
the three new cards are rendered in a new `Access` section, and that
each functions correctly by navigating the user the appropriate
application, or to the cloud organization page (in the case of the
Manage organization members card).
6. Switch to a user without access to view or update roles (e.g.
`viewer` in the serverless search solution). Verify that the API keys
and Org members cards are present, but not the Custom roles card.
7. Switch to a user without access to the API keys management page (the
test role added in step 2 for the search solution). Verify that the API
keys card is not present.
8. Disable the `xpack.security.roleManagementEnabled` feature flag.
Switch to the `admin` test user, and verify that the `Access` section
contains only the API keys card
9. Switch to a user without access to the API keys management page.
Verify that the `Access` section does not render at all.
10. Repeat testing with other solutions (security, observability). Keep
in mind that you may have to add additional test roles to the
`roles.yml` file if you want to test conditions for steps 6 and 7
independently.
## Automated Testing
See
`x-pack/test_serverless/functional/test_suites/common/platform_security/navigation/management_nav_cards.ts`,
which can be run from
-
`x-pack/test_serverless/functional/test_suites/search/config.feature_flags.ts`
-
`x-pack/test_serverless/functional/test_suites/security/config.feature_flags.ts`
-
`x-pack/test_serverless/functional/test_suites/observability/config.feature_flags.ts`.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
> Changes identified using the script from
https://github.com/elastic/kibana/pull/171483
## Summary
The script from https://github.com/elastic/kibana/pull/171483 can
identify inconsistencies and untyped dependencies in Kibana plugins.
This PR fixes the obvious:
- `notifications` - move `actions` and `licensing` to `optionalPlugins`.
- `serverless` - move `kibanaReact` to `requiredBundles`.
- `serverlessObservability` - delete dead code and `kibanaReact`
dependency.
- `reporting` - move `esUiShared` and `embeddable` plugins to
`requiredBundles`.
- `uiActions` - remove `dataViews` dependency, (only a type is being
used).
- `urlDrilldowns` - move `uiActions` to `requiredBundles`.
- Type all plugins using the `Setup` and `Start` generics on the core
`Plugin` interface.
- Consistently name them.
- The exports needed to be named their original names; this will be
addressed in follow up work, (to avoid pinging teams)
- Add a `_` to unused parameters.
## Remaining Issues
### `licensing` and `licensingApiGuard`
Both of these plugins introduce side-effects, rather than dependent
logic. These need to be refactored to be consumed instead.
<img width="735" alt="Screenshot 2023-12-13 at 10 08 00 AM"
src="57916ffd-299d-4ca8-b796-dea2d06dca4a">
<img width="740" alt="Screenshot 2023-12-13 at 10 08 08 AM"
src="a2af254f-adec-4bf9-869a-8acf34c0c9b4">
## Resolved issues
### `reporting`
~~The `reporting` plugin requires `embeddable` and `esUiShared`, but
it's unclear if these still apply, or if they are required for
side-effects. Perhaps @tsullivan can help clarify?~~
Both are being used for static code. Moving to `requiredBundles`, and
need to follow-up to create packages.
<img width="800" alt="Screenshot 2023-12-13 at 10 08 23 AM"
src="7629fb92-d28e-43de-bfeb-97410cff424e">
### `uiActions`
~~The `uiActions` plugin requires `dataViews`. We need to determine if
this is a side-effect dependency, or a direct dependency, and remove or
refactor as necessary.~~
It's only using a type. Removing the dependency entirely,
(`requiredBundles` requires actual code be used).
<img width="622" alt="Screenshot 2023-12-13 at 10 08 33 AM"
src="39916f05-dafc-4f42-b5d8-1abcb1267b5b">
### urlDrilldown
~~The `urlDrilldown` plugin requires `uiActions`. We need to determine
if this is a side-effect dependency, or a direct dependency, and remove
or refactor as necessary.~~
Static code usage-- moving to `requiredBundles`.
<img width="732" alt="Screenshot 2023-12-13 at 10 13 13 AM"
src="af32f939-f866-483d-8dd0-aab962397dbb">
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
## Summary
fix https://github.com/elastic/kibana/issues/1665932569007b-92b6-47d0-a893-8747fbf17d2b
- "Projects" link removed, now it is part of breadcrumb. This also makes
the header more responsive as we get the flexibility from the
breadcrumbs.
- Added "View all projects"
- Added "Manage project" link
## Summary
Close https://github.com/elastic/kibana/issues/164507
This PR improves management breadcrumbs in serverless project.
- **Management**: I removed dependency from serverless -> management.
details:
https://github.com/elastic/kibana/pull/166259#discussion_r1324412333
- **Search**: Search project links directly to some management sub-apps
from the side nav. In some cases I hid the breadcrumb that comes from
the navigation config to avoid duplication: for example there was`Index
Management > Index Management` where the first came from the nav and the
second from the management sub-app.
- **Security**: For security I disabled setting management sub-app
breadcrumbs from the navigation config as they are set from the apps.
This allows for deeper breadcrumbs, beyond just nav.
https://github.com/elastic/kibana/pull/166259#discussion_r1324411585
> [!IMPORTANT]
> I plan to merge this as an intermediate state. The next step is
changing the breadcrumbs component and make the project name as part of
it https://github.com/elastic/kibana/issues/166593
## Summary
close https://github.com/elastic/kibana/issues/166182
Shows project name in the Kibana header.
To test locally add to the `config/serverless.yml`:
```
xpack.cloud.serverless.project_id: "random"
xpack.cloud.serverless.project_name: "My Search Project"
```
I hardcoded 320px max-width to enable truncation for longer titles:
In general, the header is not very flexible and has issues on smaller
screen, but this needs to be fixed separately.
The link still leads to the `/projects` page of the cloud UI
Addresses https://github.com/elastic/kibana/issues/160411
## Summary
This PR adds functionality for filtering out advanced settings that are
not relevant for serverless.
For context, we need to build an Advanced settings page in serverless
which only contains a set of the existing settings. We will reuse the
section registry (https://github.com/elastic/kibana/pull/163502) from
the original Advanced settings plugin as well as its UI components which
will also be extracted into a separate package. The app will be
registered from inside the `serverless` plugin.
In order to only display the settings that are relevant for serverless,
we need to make some changes to the uiSettings service. The
implementation in this PR leverages the existing `readonly` uiSettings
param and adds the `setAllowlist()` method which is called by the
serverless plugin to set an allowlist of setting keys.
**Testing in serverless:**
1. Set `advanced_settings.enabled: true` to enable the Advanced settings
app in serverless:
5b216c6ea9/config/serverless.yml (L53)
2. Start Es with `yarn es serverless --ssl` and Kibana with `yarn
serverless-{mode} --ssl` in any serverless mode.
3. Navigate to `app/management/kibana/settings`
4. Verify that the app only displays the settings from
`packages/serverless/settings/common/index.ts` (these are the settings,
relevant for all projects in serverless) as well as the settings from
the corresponding project package
`packages/serverless/settings/{mode}_project/index.ts`.
5. Verify that the app is functioning correctly.
**Testing in self-managed:**
1. Start Es with `yarn es snapshot` and Kibana with `yarn start`.
2. Go to Stack Management > Advanced settings
3. Verify that all settings are displayed as usual.
4. Verify that the app is functioning correctly.
If your team is a code owner of any of the serverless project plugins,
please review the corresponding package
`packages/serverless/settings/{search/observanility/security}_project/index.ts`
where you've been added as an owner and test in the serverless solution
accordingly.
<!---
### Checklist
Delete any items that are not applicable to this PR.
- [ ] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] Any UI touched in this PR is usable by keyboard only (learn more
about [keyboard accessibility](https://webaim.org/techniques/keyboard/))
- [ ] Any UI touched in this PR does not create any new axe failures
(run axe in browser:
[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),
[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This renders correctly on smaller devices using a responsive
layout. (You can test this [in your
browser](https://www.browserstack.com/guide/responsive-testing-on-local-server))
- [ ] This was checked for [cross-browser
compatibility](https://www.elastic.co/support/matrix#matrix_browsers)
### Risk Matrix
Delete this section if it is not applicable to this PR.
Before closing this PR, invite QA, stakeholders, and other developers to
identify risks that should be tested prior to the change/feature
release.
When forming the risk matrix, consider some of the following examples
and how they may potentially impact the change:
| Risk | Probability | Severity | Mitigation/Notes |
|---------------------------|-------------|----------|-------------------------|
| Multiple Spaces—unexpected behavior in non-default Kibana Space.
| Low | High | Integration tests will verify that all features are still
supported in non-default Kibana Space and when user switches between
spaces. |
| Multiple nodes—Elasticsearch polling might have race conditions
when multiple Kibana nodes are polling for the same tasks. | High | Low
| Tasks are idempotent, so executing them multiple times will not result
in logical error, but will degrade performance. To test for this case we
add plenty of unit tests around this logic and document manual testing
procedure. |
| Code should gracefully handle cases when feature X or plugin Y are
disabled. | Medium | High | Unit tests will verify that any feature flag
or plugin combination still results in our service operational. |
| [See more potential risk
examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) |
-->
### For maintainers
- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tiago Costa <tiago.costa@elastic.co>
## Summary
Closes https://github.com/elastic/kibana/issues/160141
The avatar menu needs to be displayed for serverless. It was previously
required to be hidden in serverless, so a config 'showNavLinks' was
added. This config is no longer needed, so it has been removed.
## Testing
Start KB with the `--serverless` flag and login as `elastic`.
The Avatar should appear in the top right coner.
Closes https://github.com/elastic/kibana/issues/157810
Closes https://github.com/elastic/kibana/issues/158879
## Summary
1. Moves the Logo icon out of the side nav and to the left of the
breadcrumbs
1. Moves the project switcher from the right of the header to the just
to the right of the logo
1. Removes the link to cloud from the side nav. Design is still TBD.
1. Adds new `serverless.setProjectHome` API since the home link is no
longer in the side nav
1. Removes the `linkToCloud` prop from the Navigation component since
design is still TBD.
1. Exposes the Global Search bar
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### Screenshots
**Default**
<img width="1732" alt="Screenshot 2023-06-06 at 11 46 52 AM"
src="45cb55f6-aea6-4b40-86c2-3b386691fbf5">
**Global search (not yet collapsed by default)**
<img width="1732" alt="Screenshot 2023-06-06 at 11 46 37 AM"
src="9ca6c28d-755f-45be-b680-89b5b4b1fb36">
**Collapsed side nav**
<img width="1732" alt="image"
src="f334ab99-0fda-455c-a9e5-6b5f64aa954d">
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Closes#155137, with some extra reorganisation, modularisation and unit
tests.
### Refactors to `maybeAddConfig`
### Refactoring serve.js <-> bootstrap.ts
### Unit tests for `compileConfigStack`
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary
Addresses
https://github.com/elastic/kibana/pull/156600#discussion_r1186071163
> Let's think if there is a way to throw an error when core chrome api
are called from invalid plugins (in this cases only the serverless
plugin would be allowed.
This PR can be a starting point for discussion on the behavior we really
want. This PR has a simple goal to ensure that non-serverless plugins do
not call the `chrome.projects` API. However, it's not complete security,
as the compile-time error would be easy to override.
cc @sebelga @Dosant @clintandrewhall
---
---
### Checklist
Delete any items that are not applicable to this PR.
- [x] Documentation was added for features that require explanation or
tutorials
Internal documentation:
https://docs.google.com/document/d/1ew8KYl6ROs_V7jeIXgeP_C9YgkYK2IPtuceo6KVF_jE/edit#
---------
Co-authored-by: Clint Andrew Hall <clint@clintandrewhall.com>
## Summary
closes: https://github.com/elastic/kibana/issues/156414
Adds the basic navigation to the Security Solution project.
- Renders the current navigation hierarchy as in the classic Security.
- Uses the basic styles defined by Core (dark sideNav has been dropped).
- Reuses the Security SideNav package.
- Adds the `setSideNavComponent` API to the Serverless plugin.
### Run project
`yarn serverless-security`
## Next steps
- Add the new features needed in the navigation package to align with
the new Security IA design.
- Update the configuration of the links to display the hierarchy defined
by the new Security IA.
- Add Serverless specific styles to the sideNav in the ServerlesSecurity
plugin.
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
