mirror of
https://github.com/elastic/kibana.git
synced 2025-04-22 08:49:27 -04:00
b53d3990a2
## Summary This PR reworks saved query privileges to rely solely on a single global `savedQueryManagement` privilege, and eliminates app-specific overrides. This change simplifies the security model for users, fixes bugginess in the saved query management UI, and reduces code complexity associated with maintaining two separate security mechanisms (app-specific overrides and global saved query management privileges). ### Background Saved queries allow users to store a combination of KQL or Lucene queries, filters, and time filters to use across various applications in Kibana. Access to saved query saved objects are currently granted by the following feature privileges: ```json [ "feature_discover.all", "feature_dashboard.all", "feature_savedQueryManagement.all", "feature_maps.all", "feature_savedObjectsManagement.all", "feature_visualize.all" ] ``` There is also a saved query management UI within the Unified Search bar shared by applications across Kibana: <img src="https://github.com/user-attachments/assets/e4a7539b-3dd4-4d47-9ff8-205281ef50e3" width="500" /> The way access to this UI is managed in Kibana is currently confusing and buggy: - If a user has `feature_discover.all` and `feature_dashboard.all` they will be able to load and save queries in Discover and Dashboard. - If a user has `feature_discover.all` and `feature_dashboard.read` they will be able to load queries in both Discover and Dashboard, but only save queries in Discover (even though they have write access to the SO, and API access). Instead they have to navigate to Discover to save a query before navigating back to Dashboard to load it, making for a confusing and frustrating UX. - Access to the UI is even more confusing in apps not listed in the above feature privileges (e.g. alerting, SLOs). Some of them chose to check one of the above feature privileges, meaning users who otherwise should have saved query access won't see the management UI if they don't also have the exact feature privilege being checked. Other apps just always show the management UI, leading to bugs and failures when users without one of the above feature privileges attempt to save queries. ### Existing improvements In v8.11.0, we introduced a new ["Saved Query Management"](https://github.com/elastic/kibana/pull/166937) privilege, allowing users to access saved queries across all of Kibana with a single global privilege: <img src="https://github.com/user-attachments/assets/ccbe79a4-bd0b-4ed6-89c9-117cc1f99ee2" width="600" /> When this privilege is added to a role, it solves the `feature_discover.all` and `feature_dashboard.read` issue mentioned above. However, it does not fix any of the mentioned issues for roles without the new privilege. We have so far postponed further improvements to avoid a breaking change. ### Approach To fully resolve these issues and migrate to a single global privilege, these changes have been made: - Remove saved query SO access from all application feature privileges and instead only allow access through the global saved query management privilege. - Stop relying on application feature privileges for toggling the saved query management UI, and instead rely on the global privilege. To implement this with minimal breaking changes, we've used the Kibana privilege migration framework. This allows us to seamlessly migrate existing roles containing feature privileges that currently provide access to saved queries, ensuring they are assigned the global saved query management privilege on upgrade. As a result, we had to deprecate the following feature privileges, replacing them with V2 privileges without saved query SO access: ```json [ "feature_discover.all", "feature_dashboard.all", "feature_maps.all", "feature_visualize.all" ] ``` Each area of code that currently relies on any of these feature privileges had to be updated to instead access `feature_X_V2` instead (as well as future code). This PR still introduces a minor breaking change, since users who have `feature_discover.all` and `feature_dashboard.read` are now able to save queries in Dashboard after upgrade, but we believe this is a better UX (and likely the expected one) and worth a small breaking change. ### Testing - All existing privileges should continue to work as they do now, including deprecated V1 feature privileges and customized serverless privileges. There should be no changes for existing user roles apart from the minor breaking change outlined above. - Check that code changes in your area don't introduce breaking changes to existing behaviour. Many of the changes are just updating client UI capabilities code from `feature.privilege` to `feature_v2.privilege`, which is backward compatible. - The `savedQueryManagement` feature should now globally control access to saved query management in Unified Search for all new user roles. Regardless of privileges for Discover, Dashboard, Maps, or Visualize, new user roles should follow this behaviour: - If `savedQueryManagement` is `none`, the user cannot see or access the saved query management UI or APIs. - If `savedQueryManagement` is `read`, the user can load queries from the UI and access read APIs, but cannot save queries from the UI or make changes to queries through APIs. - If `savedQueryManagement` is `all`, the user can both load and save queries from the UI and through APIs. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) ### Identify risks This PR risks introducing unintended breaking changes to user privileges related to saved queries if the deprecated features have not been properly migrated, and users could gain or lose access to saved query management on upgrade. This would be bad if it happened, but not overly severe since it wouldn't grant them access to any ES data they couldn't previously access (only query saved objects). We have automated testing in place to help ensure features have been migrated correctly, but the scope of these changes are broad and touch many places in the codebase. Additionally, the UI capabilities types are not very strict, and are referenced with string paths in many places, which makes changing them riskier than changing strictly typed code. A combination of regex searches and temporarily modifying the `Capabilities` type to cause type errors for deprecated privileges was used to identify references in code. Reviewers should consider if there are any other ways that UI capabilities can be referenced which were not addressed in this PR. Our automated tests already help mitigate the risk, but it's important that code owners thoroughly review the changes in their area and consider if they could have unintended consequences. The Platform Security team should also review this PR thoroughly, especially since some changes were made to platform code around privilege handling. The Data Discovery team will also manually test the behaviour when upgrading existing user roles with deprecated feature privileges as part of 9.0 upgrade testing. --------- Co-authored-by: Matthias Wilhelm <matthias.wilhelm@elastic.co> Co-authored-by: Matthias Wilhelm <ankertal@gmail.com> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co> |
||
|---|---|---|
| .. | ||
| alerting | ||
| commands | ||
| dashboard | ||
| graph | ||
| images | ||
| introduction/images | ||
| ml | ||
| monitoring | ||
| production-considerations | ||
| reporting | ||
| security | ||
| troubleshooting | ||
| api.asciidoc | ||
| canvas.asciidoc | ||
| dev-tools.asciidoc | ||
| discover.asciidoc | ||
| index.asciidoc | ||
| introduction.asciidoc | ||
| management.asciidoc | ||
| plugins.asciidoc | ||
| setup.asciidoc | ||
| whats-new.asciidoc | ||