Commit graph

26 commits

Author SHA1 Message Date
Davis McPhee
b53d3990a2
[Saved Queries] Rework saved query privileges (#202863)
## Summary

This PR reworks saved query privileges to rely solely on a single global
`savedQueryManagement` privilege, and eliminates app-specific overrides.
This change simplifies the security model for users, fixes bugginess in
the saved query management UI, and reduces code complexity associated
with maintaining two separate security mechanisms (app-specific
overrides and global saved query management privileges).

### Background

Saved queries allow users to store a combination of KQL or Lucene
queries, filters, and time filters to use across various applications in
Kibana. Access to saved query saved objects is currently granted by the
following feature privileges:
```json
[
  "feature_discover.all",
  "feature_dashboard.all",
  "feature_savedQueryManagement.all",
  "feature_maps.all",
  "feature_savedObjectsManagement.all",
  "feature_visualize.all"
]
```

There is also a saved query management UI within the Unified Search bar
shared by applications across Kibana:
<img src="https://github.com/user-attachments/assets/e4a7539b-3dd4-4d47-9ff8-205281ef50e3" width="500" />

The way access to this UI is managed in Kibana is currently confusing
and buggy:
- If a user has `feature_discover.all` and `feature_dashboard.all` they
will be able to load and save queries in Discover and Dashboard.
- If a user has `feature_discover.all` and `feature_dashboard.read` they
will be able to load queries in both Discover and Dashboard, but only
save queries in Discover (even though they have write access to the SO,
and API access). Instead they have to navigate to Discover to save a
query before navigating back to Dashboard to load it, making for a
confusing and frustrating UX.
- Access to the UI is even more confusing in apps not listed in the
above feature privileges (e.g. alerting, SLOs). Some of them chose to
check one of the above feature privileges, meaning users who otherwise
should have saved query access won't see the management UI if they don't
also have the exact feature privilege being checked. Other apps just
always show the management UI, leading to bugs and failures when users
without one of the above feature privileges attempt to save queries.

### Existing improvements

In v8.11.0, we introduced a new ["Saved Query
Management"](https://github.com/elastic/kibana/pull/166937) privilege,
allowing users to access saved queries across all of Kibana with a
single global privilege:
<img src="https://github.com/user-attachments/assets/ccbe79a4-bd0b-4ed6-89c9-117cc1f99ee2" width="600" />

When this privilege is added to a role, it solves the
`feature_discover.all` and `feature_dashboard.read` issue mentioned
above. However, it does not fix any of the mentioned issues for roles
without the new privilege. We have so far postponed further improvements
to avoid a breaking change.

### Approach

To fully resolve these issues and migrate to a single global privilege,
these changes have been made:
- Remove saved query SO access from all application feature privileges
and instead only allow access through the global saved query management
privilege.
- Stop relying on application feature privileges for toggling the saved
query management UI, and instead rely on the global privilege.

To implement this with minimal breaking changes, we've used the Kibana
privilege migration framework. This allows us to seamlessly migrate
existing roles containing feature privileges that currently provide
access to saved queries, ensuring they are assigned the global saved
query management privilege on upgrade.

As a result, we had to deprecate the following feature privileges,
replacing them with V2 privileges without saved query SO access:
```json
[
  "feature_discover.all",
  "feature_dashboard.all",
  "feature_maps.all",
  "feature_visualize.all"
]
```

Each area of code that currently relies on any of these feature
privileges had to be updated to access `feature_X_V2` instead (as well
as future code).

This PR still introduces a minor breaking change, since users who have
`feature_discover.all` and `feature_dashboard.read` are now able to save
queries in Dashboard after upgrade, but we believe this is a better UX
(and likely the expected one) and worth a small breaking change.

### Testing
- All existing privileges should continue to work as they do now,
including deprecated V1 feature privileges and customized serverless
privileges. There should be no changes for existing user roles apart
from the minor breaking change outlined above.
- Check that code changes in your area don't introduce breaking changes
to existing behaviour. Many of the changes are just updating client UI
capabilities code from `feature.privilege` to `feature_v2.privilege`,
which is backward compatible.
- The `savedQueryManagement` feature should now globally control access
to saved query management in Unified Search for all new user roles.
Regardless of privileges for Discover, Dashboard, Maps, or Visualize,
new user roles should follow this behaviour:
  - If `savedQueryManagement` is `none`, the user cannot see or access the
  saved query management UI or APIs.
  - If `savedQueryManagement` is `read`, the user can load queries from
  the UI and access read APIs, but cannot save queries from the UI or make
  changes to queries through APIs.
  - If `savedQueryManagement` is `all`, the user can both load and save
  queries from the UI and through APIs.

### Checklist

- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be
allowlisted in the cloud and added to the [docker
list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking
changes have been approved by the breaking-change committee. The
`release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

### Identify risks

This PR risks introducing unintended breaking changes to user privileges
related to saved queries if the deprecated features have not been
properly migrated, and users could gain or lose access to saved query
management on upgrade. This would be bad if it happened, but not overly
severe since it wouldn't grant them access to any ES data they couldn't
previously access (only query saved objects). We have automated testing
in place to help ensure features have been migrated correctly, but the
scope of these changes is broad and they touch many places in the codebase.

Additionally, the UI capabilities types are not very strict, and are
referenced with string paths in many places, which makes changing them
riskier than changing strictly typed code. A combination of regex
searches and temporarily modifying the `Capabilities` type to cause type
errors for deprecated privileges was used to identify references in
code. Reviewers should consider if there are any other ways that UI
capabilities can be referenced which were not addressed in this PR.

Our automated tests already help mitigate the risk, but it's important
that code owners thoroughly review the changes in their area and
consider if they could have unintended consequences. The Platform
Security team should also review this PR thoroughly, especially since
some changes were made to platform code around privilege handling. The
Data Discovery team will also manually test the behaviour when upgrading
existing user roles with deprecated feature privileges as part of 9.0
upgrade testing.

---------

Co-authored-by: Matthias Wilhelm <matthias.wilhelm@elastic.co>
Co-authored-by: Matthias Wilhelm <ankertal@gmail.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
2025-01-29 17:34:58 -04:00
Christiane (Tina) Heiligers
3a68f8b3ae
[http] api_integration tests handle internal route restriction (#192407)
fix https://github.com/elastic/kibana/issues/192052
## Summary

Internal APIs will be
[restricted](https://github.com/elastic/kibana/issues/163654) from
public access as of 9.0.0. In non-serverless environments, this breaking
change will result in a 400 error if an external request is made to an
internal Kibana API (route `access` option as `"internal"` or
`"public"`).
This PR allows API owners of non-xpack plugins to run their `ftr` API
integration tests against the restriction and adds examples of how to
handle it.

### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


Note to reviewers: The header needed to allow access to internal apis
shouldn't change your test output, with or without the restriction
enabled.

### How to test the changes work:
#### Non x-pack:
1. Set `server.restrictInternalApis: true` in `test/common/config.js`
2. Ensure your tests pass

#### x-pack:
1. Set `server.restrictInternalApis: true` in
`x-pack/test/api_integration/apis/security/config.ts`
2. Ensure the spaces tests pass

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2024-09-12 09:23:10 +02:00
Luke Elmers
b6287708f6
Adds AGPL 3.0 license (#192025)
Updates files outside of x-pack to be triple-licensed under Elastic
License 2.0, AGPL 3.0, or SSPL 1.0.
2024-09-06 19:02:41 -06:00
Christiane (Tina) Heiligers
c2a82fe70d
Adds SOM integration tests for serverless (#184888)
fix of https://github.com/elastic/kibana/issues/175757

Adds serverless api integration tests for Saved Objects Management

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jean-Louis Leysens <jloleysens@gmail.com>
Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>
2024-06-13 06:31:57 -07:00
Matthew Kime
d89249852b
[data view management] Make data views sharable (#123991)
Make data views sharable
2022-02-24 07:31:37 -06:00
Corey Robertson
edc43c0ff2
[Dashboard] Make Dashboard Saved Objects multiple-isolated (#115817)
* Make Dashboard SO multiple-isolated

* Fix integration tests

* Fix Saved Objects API Integration Tests

* Fix more tests

* Fix even more tests

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-10-25 19:21:02 -04:00
Matthew Kime
1e718a5572
[data views] Make data view saved objects share capable (#114408)
2021-10-25 17:10:16 +01:00
Matthew Kime
d2dea6816c
[data view mgmt] change urls from indexPatterns to dataViews (#114912)
* index pattern management to data view url changes
2021-10-21 05:42:13 -05:00
Uladzislau Lasitsa
e9d6a072a8
[Visualizations] Make visualization saved object share-capable and remove savedVisLoader (#114620)
* Make visualization saved object share-capable and remove savedVisLoader

* Fixed some tests

* Fix tests

* Fix API tests

* Fix spaces API integration tests

* Fix core saved objects API integration tests

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-10-18 19:14:34 +03:00
Alexey Antonov
aee7df992f
[Discover] Step 4- Removing SavedObject usage for savedSearch (#114790)
* [Discover] Step 4- Removing SavedObject usage for savedSearch

Closes: #105810

* fix apis

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-10-15 17:25:31 +03:00
Christiane (Tina) Heiligers
8cf0efe2f1
Changes edit view to json read-only view (#112034)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2021-09-21 16:10:53 -04:00
Tyler Smalley
4681a80317
[DX] Upgrade prettier to v2.4.0 (#112359)
Signed-off-by: Tyler Smalley <tyler.smalley@elastic.co>
2021-09-19 22:34:30 -07:00
Spencer
7917e3c9d9
[kbnArchiver] convert archive names to root-relative paths (#101839)
* [kbnArchiver] convert archive names to root-relative paths

* ensure that newly multiline hooks are explicitly async

* missed a newly multiline hook

* fix exists check

* avoid extra lines by wrapping arrow body in {}

* one block more

* fix errant `name` variable

Co-authored-by: spalger <spalger@users.noreply.github.com>
2021-06-09 20:13:00 -04:00
Tyler Smalley
0f9debeba7
[FTR] Use importExport for saved_object/basic archive (#100244)
Signed-off-by: Tyler Smalley <tyler.smalley@elastic.co>
2021-06-01 11:50:49 -07:00
Pierre Gayvallet
9dae1ef5b1
SOM: hide actions for hidden types (#98290)
* SOM: hide actions for hidden types

* fix FTR tests

* add and fix tests

* fix unit tests

* fix test types

* fix FTR test assertions

* add more FTR tests

* delete old file
2021-04-28 07:58:45 +02:00
Brandon Kobel
4584a8b570
Elastic License 2.0 (#90099)
* Updating everything except the license headers themselves

* Applying ESLint rules

* Manually replacing the stragglers
2021-02-03 18:12:39 -08:00
Pierre Gayvallet
84d49f1123
[SOM] display invalid references in the relationship flyout (#88814)
* return invalid relations and display them in SOM

* add FTR test
2021-02-01 11:03:44 +01:00
Brandon Kobel
170a2956c8
Updating the License (#88343)
* Updating the Licenses, except for applying eslint, building

* Applying ESLint rules,building @kbn/pm, regenerating api docs
2021-01-19 17:52:56 -08:00
Joe Portner
6627d7d9af
Sharing saved-objects phase 1.5 (#75444)
Added UI for sharing saved objects, and updated UI for importing and copying too
2020-08-26 16:52:29 -04:00
Larry Gregory
28b70923df
Consolidate capabilities check for Stack Management (#69437)
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2020-06-29 11:43:43 -04:00
Joe Reuter
d1a6fa26b8
Properly redirect legacy URLs (#68284)
2020-06-24 11:26:19 +02:00
Alexey Antonov
d661d66faa
[New Platform Migration]: Management - Implement NP API (#66781)
* [New Platform Migration]: Management - Implement NP API

Part of #47432

* partial progress on a number of management sections

* fix passing history

* Fixed types

* Fixed routing for Ingest Node Pipelines

* introduce and use react router wrapped eui components

* react router utils

* work in progress => hashRouter to router

* more partial progress

* remove console.log

* use reactRouterNavigate for management_sidebar

* Breadcrumbs will need to make use of the reactRouterNavigate function

* [triggersActions] app. Hash Router -> Router

* Replace /app/kibana#/management urls to /app/management

* remove ui/public/management

* fix some links to management apps

* fix management url for functional tests

* add data-test-subj for EuiSideNavItem

* partial progress

* fix some of ts issues

* Fixed breadcrumbs for data index management

* [kibana/spaces] section

* fix functional test

* [role_management] fix Breadcrumbs

* [api_keys] fix Breadcrumbs and Navigation

* Fixed routing for remote cluster

* [role_mapping] Partial progress

* [users] partial progress

* [watcher] partial progress

* fix eslint issues

* [snapshot_restore] partial progress

* [rollup_jobs] partial progress

* Fixed routing for cross cluster replications (partial progress). Enhanced reactRouterNavigate

* Perf optimization: fix extra re-rendering

* fix TS errors

* x-pack fix config for functional tests

* Fixed routing for index lifecycle management

* fix some broken CI tests

* fix PR comment

* [snapshot_restore] move onClick into reactRouterNavigate

* fix some jest

* fix some functional tests

* fix functional test: management scripted fields testing regression for issue

* fix some functional tests

* [licence_management] partial progress

* Fixed x-pack jest tests

* [saved_object_management] partial progress

* Fixed some tests

* fix functional test: should add new role myroleEast

* Reverted part of changes for ml

* [transforms] partial progress

* fix TS errors

* fix functional: redirects to Kibana home

* add support of Backward compatibility

* fix functional: Saved objects management feature controls saved objects management global visualize all privileges listing redirects to Kibana home

* fix PR comment

* fix TS issues

* Fixed x-pack jest tests

* fix oss JEST

* Fixed functional test

* fix functional test

* fix PR comment

* Fixed i18n

* fix typo

* fix Styles

* Fixed paths for cross_cluster_replication

* fix wrong link

* Fixed jest

* Fixed some comments

* fix sorting

* fix type check

* fixed x-pack jest

* fixed x-pack jest

* reverted using of parentHistory

* Add debugging toasts to CCR.

* Comment out non-CCR functional tests.

* Fix typo.

* Uncomment non-CCR functional tests.

* Enable CCR.

* fix CI

* Add comment to explain why CCR is enabled by default and move config variable back to original location in CCR plugin.

* revert some changes in APM

* add space between index pattern name and tags

* fix function test

* Update x-pack/plugins/security/public/management/management_urls.ts

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/security/public/management/api_keys/api_keys_management_app.tsx

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/spaces/public/management/spaces_management_app.tsx

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/security/public/management/roles/roles_management_app.tsx

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/security/public/management/users/users_management_app.tsx

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/security/public/management/management_urls.ts

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update x-pack/plugins/security/public/management/management_urls.ts

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

* [security] getUrlForApp -> navigateToApp

* [mp] fix Uncaught (in promise) undefined

Co-authored-by: Matt Kime <matt@mattki.me>
Co-authored-by: Uladzislau Lasitsa <Uladzislau_Lasitsa@epam.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: CJ Cenizal <cj@cenizal.com>
Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
2020-06-03 18:55:06 +03:00
restrry
bf04235dae
apply prettier styles
2020-05-22 09:08:58 +02:00
Matthew Kime
f7181a95dc
Index pattern management to Kibana platform (#65026)
* index pattern management to kibana platform
2020-05-18 22:25:20 -05:00
Joe Reuter
b7e87c2c8b
Switch to core application service (#63443)
2020-05-13 09:19:24 +02:00
Pierre Gayvallet
a7508b8f20
Migrate SO management routes to new plugin (#59734)
* unexpose SavedObjectsManagement from legacy server

* migrate saved object management routes to new plugin

* fix endpoint methods

* adapt code due to rebase

* extract types

* improve findAll params

* adapt existing api integration tests and migrate to TS

* update generated doc

* add API integration tests for /scroll/count

* add unit tests for plugin and routes

* add injectMetaAttributes tests

* extract relation type

* add find_relationships tests

* add find_all tests

* do not complete migrator$ to avoid unhandled promise rejection

* fix data for search endpoint integration tests

* remove falsy comment

* rename plugin folder to match plugin id

* address review comments

* update CODEOWNERS
2020-03-26 12:43:54 +01:00