mirror of
https://github.com/elastic/kibana.git
synced 2025-04-25 02:09:32 -04:00
## Summary

As part of our effort to harden API action definitions and enforce standards, this PR adds a utility `ApiPrivileges` class. It is supposed to be used for both feature registration and API route definition to construct the privilege name.

```ts
plugins.features.registerKibanaFeature({
  privileges: {
    all: {
      app: [...],
      catalogue: [...],
      api: [ApiPrivileges.manage('subject_name')],
      ...
    },
    read: {
      ...
      api: [ApiPrivileges.read('subject_name')],
      ...
    },
  },
})

....

// route definition
router.get(
  {
    path: 'api_path',
    security: {
      authz: {
        requiredPrivileges: [ApiPrivileges.manage('subject_name')],
      },
    },
  },
  async (ctx, req, res) => {}
);
```

The `require_kibana_feature_privileges_naming` eslint rule has been added to show a warning if the API privilege name doesn't satisfy the naming convention.

### Naming convention

- API privilege should start with a valid `ApiOperation`: `manage`, `read`, `update`, `delete`, `create`
- API privilege should use `_` as a separator

- ❌ `read-entity-a`
- ❌ `delete_entity-a`
- ❌ `entity_manage`
- ✅ `read_entity_a`
- ✅ `delete_entity_a`
- ✅ `manage_entity`

> [!IMPORTANT]
> Serverless ZDT update scenario:
>
> - version N has an endpoint protected with the `old_privilege_read`.
> - version N+1 has the same endpoint protected with a new `read_privilege`.
>
> There might be a short period between the time the UI pod N+1 passes SO migrations and updates privileges and the time it's marked as ready-to-handle-requests by k8s, and when UI pod N is terminated.
>
> After discussion with @legrego and @azasypkin we decided to ignore it due to the perceived risk-to-cost ratio:
> 1. The time window users might be affected is very narrow because we register privileges late in the Kibana startup flow (e.g., after SO migrations).
> 2. The transient 403 errors users might get won't result in session termination and shouldn't lead to data loss.
> 3. The roll-out will be performed in batches over the course of multiple weeks and implemented by different teams. This means the impact per release shouldn't be significant.

### Checklist

- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

__Relates: https://github.com/elastic/kibana/issues/198716__

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
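The naming convention in the PR description above is something that can be checked mechanically, which is what the lint rule does. The following is an added example, not code from this PR, from `ApiPrivileges`, or from the `require_kibana_feature_privileges_naming` rule: a checker that encodes the two stated rules (a valid `ApiOperation` prefix, `_` as the only separator) and a small builder shaped like `ApiPrivileges.manage('subject_name')`. The builder's output format `<operation>_<subject>`, and the restriction of subjects to lowercase alphanumerics, are this example's assumptions; the PR itself only lists the ❌/✅ examples reproduced in `PR_EXAMPLES`.

```javascript
// Added example: a checker for the API privilege naming convention described
// in the PR. Not the Kibana implementation of ApiPrivileges or of the
// require_kibana_feature_privileges_naming rule.

const API_OPERATIONS = ['manage', 'read', 'update', 'delete', 'create'];

// Shape assumed here: `<operation>_<subject>` where the subject is one or more
// lowercase alphanumeric words joined by `_`. The PR's examples fit this; the
// lowercase/alphanumeric restriction is this example's own choice.
const PRIVILEGE_NAME = new RegExp(`^(${API_OPERATIONS.join('|')})(_[a-z0-9]+)+$`);

// Returns { valid, problems } so a linter or reviewer can report every
// violation at once instead of only the first one.
function checkApiPrivilegeName(name) {
  if (typeof name !== 'string' || name.length === 0) {
    return { valid: false, problems: ['privilege name must be a non-empty string'] };
  }
  const problems = [];
  const [operation, ...subjectParts] = name.split('_');

  if (!API_OPERATIONS.includes(operation)) {
    problems.push(`must start with one of ${API_OPERATIONS.join(', ')}; got "${operation}"`);
  }
  if (/[^a-z0-9_]/.test(name)) {
    problems.push('must use `_` as the only separator (no `-`, spaces or uppercase)');
  }
  if (subjectParts.length === 0 || subjectParts.some((part) => part === '')) {
    problems.push('must name a subject after the operation, e.g. read_entity_a');
  }

  // The regex is the single source of truth; the messages above explain why it failed.
  return { valid: problems.length === 0 && PRIVILEGE_NAME.test(name), problems };
}

// Builder shaped like ApiPrivileges.<operation>(subject) from the PR. It
// refuses to construct a name that would fail the convention, so a bad
// subject is caught at feature registration rather than by a later audit.
const apiPrivileges = Object.fromEntries(
  API_OPERATIONS.map((operation) => [
    operation,
    (subject) => {
      const name = `${operation}_${subject}`;
      const { valid, problems } = checkApiPrivilegeName(name);
      if (!valid) {
        throw new Error(`invalid API privilege "${name}": ${problems.join('; ')}`);
      }
      return name;
    },
  ])
);

// The PR's own examples, with the verdict the convention assigns to each.
const PR_EXAMPLES = {
  'read-entity-a': false,
  'delete_entity-a': false,
  entity_manage: false,
  read_entity_a: true,
  delete_entity_a: true,
  manage_entity: true,
};

function checkPrExamples() {
  return Object.entries(PR_EXAMPLES).map(([name, expected]) => {
    const { valid, problems } = checkApiPrivilegeName(name);
    return { name, expected, valid, problems };
  });
}

for (const result of checkPrExamples()) {
  const detail = result.problems.length ? `: ${result.problems.join('; ')}` : '';
  console.log(`${result.valid ? 'ok ' : 'bad'} ${result.name}${detail}`);
}
console.log(apiPrivileges.manage('subject_name')); // manage_subject_name
```

Reporting all problems at once matters for the `delete_entity-a` case: the prefix is fine, and only the separator check explains the rejection.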
| Name |
|---|
| `__fixtures__` |
| `helpers` |
| `rules` |
| `index.js` |
| `jest.config.js` |
| `kibana.jsonc` |
| `lib.js` |
| `package.json` |
| `README.mdx` |
---
id: kibDevDocsOpsEslintPluginEslint
slug: /kibana-dev-docs/ops/eslint-plugin-eslint
title: "@kbn/eslint-plugin-eslint"
description: A package holding an eslint plugin with custom rules used on Kibana
date: 2022-05-17
tags: ['kibana', 'dev', 'contributor', 'operations', 'eslint', 'plugin']
---

An ESLint plugin exposing custom rules used and built specifically for development within Kibana. Below you can find information on each one.

## disallow-license-headers

Disallows a given group of license header texts on a group of files.

```javascript
module.exports = {
  overrides: [
    {
      files: ['**/*.{js,mjs,ts,tsx}'],
      rules: {
        '@kbn/eslint/disallow-license-headers': [
          'error',
          {
            licenses: ['LICENSE_TEXT'],
          },
        ],
      },
    },
  ],
};
```

## module_migration

Offers a way to force a migration from a given node module to another one as an alternative.

```javascript
module.exports = {
  overrides: [
    {
      files: ['**/*.{js,mjs,ts,tsx}'],
      rules: {
        '@kbn/eslint/module_migration': [
          'error',
          [
            {
              from: 'expect.js',
              to: '@kbn/expect',
            },
          ],
        ],
      },
    },
  ],
};
```

## no_async_foreach

Disallows passing an async function to `.forEach`, which prevents promise rejections from being handled (and does not wait for the callbacks to finish). `asyncForEach()` or a similar helper from `@kbn/std` should be used instead.

## no_async_promise_body

Disallows using an async function as the executor passed to the `Promise` constructor unless its body is wrapped in a try/catch, since a rejection thrown by the executor would otherwise never reach the returned promise.

## no_constructor_args_in_property_initializers

Disallows referencing constructor arguments in class property initializers.

## no_export_all

Disallows the usage of `export *`.

## no_this_in_property_initializers

Disallows the usage of `this` in class property initializers; the property value must be assigned in the constructor instead.

## no_trailing_import_slash

Disallows a trailing slash in a node module import.

## require-license-header

Requires a given license header text on a group of files.

```javascript
module.exports = {
  overrides: [
    {
      files: ['**/*.{js,mjs,ts,tsx}'],
      rules: {
        '@kbn/eslint/require-license-header': [
          'error',
          {
            license: 'LICENSE_TEXT',
          },
        ],
      },
    },
  ],
};
```

## no_unsafe_console

Disallows the usage of `unsafeConsole` from `kbn-security-hardening/console`.
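The two async rules above (`no_async_foreach` and `no_async_promise_body`) guard against the same failure: a promise rejection that the surrounding code can never observe. The following is an added example, not code from `@kbn/eslint-plugin-eslint` or `@kbn/std`. It places the pattern each rule flags next to the form it steers you toward and records the rejections that escape. The `asyncForEach` here is a local, sequential re-implementation written for this example (the package's own helper may differ), and the `store` handler and `records` input are constructed.

```javascript
// Added example (not part of @kbn/eslint-plugin-eslint): what no_async_foreach
// and no_async_promise_body protect against, and the accepted alternatives.

// Record rejections that nobody handled. Without a listener Node terminates
// the process on the first one (default --unhandled-rejections=throw).
const escapedRejections = [];
process.on('unhandledRejection', (reason) => {
  escapedRejections.push(reason instanceof Error ? reason.message : String(reason));
});

// Constructed sample input: storing "poison" fails.
const records = ['alpha', 'poison', 'gamma'];
async function store(record) {
  if (record === 'poison') throw new Error(`cannot store ${record}`);
  return record.toUpperCase();
}

// Flagged by no_async_foreach. forEach discards the promise each callback
// returns, so the caller neither waits for the work nor sees the rejection;
// the catch block below is unreachable.
async function storeAllWithForEach(items) {
  const stored = [];
  try {
    items.forEach(async (item) => {
      stored.push(await store(item));
    });
  } catch (err) {
    stored.push(`caught: ${err.message}`);
  }
  return [...stored]; // snapshot at return time: nothing has been stored yet
}

// Sequential helper in the spirit of asyncForEach from @kbn/std. This is a
// local re-implementation for the example, not the package's code.
async function asyncForEach(items, fn) {
  for (const item of items) {
    await fn(item);
  }
}

// Accepted form: the loop is awaited, so the rejection reaches the try/catch.
async function storeAllSequentially(items) {
  const stored = [];
  try {
    await asyncForEach(items, async (item) => {
      stored.push(await store(item));
    });
  } catch (err) {
    stored.push(`caught: ${err.message}`);
  }
  return stored;
}

// Flagged by no_async_promise_body. A throw inside an async executor rejects
// the executor's own promise, which the Promise constructor ignores, so the
// promise handed to the caller never settles.
function storeViaUnsafeExecutor(item) {
  return new Promise(async (resolve) => {
    resolve(await store(item));
  });
}

// Accepted form: the body is wrapped in try/catch and failures go through reject().
function storeViaSafeExecutor(item) {
  return new Promise(async (resolve, reject) => {
    try {
      resolve(await store(item));
    } catch (err) {
      reject(err);
    }
  });
}

// Report how a promise settled within `ms`, or that it is still pending.
function outcomeWithin(promise, ms) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve('still pending'), ms);
  });
  const settled = promise.then(
    (value) => `resolved: ${value}`,
    (err) => `rejected: ${err.message}`
  );
  return Promise.race([settled, timeout]).finally(() => clearTimeout(timer));
}

async function demo() {
  const results = {
    withForEach: await storeAllWithForEach(records),
    withAsyncForEach: await storeAllSequentially(records),
    unsafeExecutor: await outcomeWithin(storeViaUnsafeExecutor('poison'), 50),
    safeExecutor: await outcomeWithin(storeViaSafeExecutor('poison'), 50),
  };
  // unhandledRejection is emitted after the microtask queue drains; yield once.
  await new Promise((resolve) => setImmediate(resolve));
  results.escapedRejections = [...escapedRejections]; // two per run of demo()
  return results;
}

demo()
  .then((results) => console.log(JSON.stringify(results, null, 2)))
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });
```

Running it shows `withForEach` as an empty snapshot, `withAsyncForEach` stopping at the poisoned record with the error caught, the unsafe executor reported as still pending while the safe one is rejected, and two entries in `escapedRejections`: one from the detached `forEach` callback and one from the discarded executor promise. Those two escaped rejections are exactly what the lint rules exist to prevent.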