github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-27 10:40:07 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/x-pack
History
Dominique Clarke f15d325e3c
[Observability] [Serverless] Introduce custom roles (#219861) 
## Summary

Closes https://github.com/elastic/observability-dev/issues/4539
Fixes https://github.com/elastic/kibana/issues/221035

Enables custom roles for Observability projects in serverless.

The following is a summary of the changes:

## Feature renaming

1. Renamed `Uptime and Synthetics` to `Synthetics`
2. Renamed `APM and User Experience` to `Applications`
3. Renamed `Metrics` to `Infrastructure`

## Category reassignment

1. Changed `Dashboard` category from `Analytics` to `Observability` 
2. Changed `Discover` category from `Analytics` to `Observability`
3. Changed `ML` category from `Analytics` to `Observability`

## Feature hiding

1. Hides the `Stack Alerts` feature.
2. Provides backwards compatibility for alerts created via Stack Alerts.
This enables our users to import rules created within Stack Alerts and
expect to see them in the Observability rules table.

## Navigation updates

1. Adds a `Custom Roles` link under the `Access` section in the
management navigation
2. Adds a `Manage Organization Members` link under the `Access` section
in the management navigation
3. Removes the `Users and Roles` link from the navigation footer (in
favor of the `Manage Organization Members link)

## Bug fixes

1. Fixes a bug where the `Alerts` link was not shown for Synthetics only
user (in stateful and serverless)
2. Fixes a bug where the `Alerts` link was not shown for Logs only user
(in stateful and serverless)

## Alert Override Removal

In the alerting framework, each rule is assigned a `consumer` value.
This `consumer` value changes depending on where the rule is created in
Kibana. However, in serverless we introduced an override that caused the
`consumer` value to be `Observability` in nearly every case. This logic
branched from stateful causing complexity and a large mental burden for
our engineers. Ultimately, this override became the source of bugs,
uncertainty, and unintended user experiences. Because of this, we've
removed this overrides.

If we kept this override, it would have the unfortunate side effect of
making all rules created in serverless visible from all custom roles (an
APM only user would have been can see Synthetics rules, and vice
versus). To make things more unpredictable, when users import their
rules from stateful the behavior would be different (access would be
properly mapped to the specific feature).

To address these specific user experience issues, and remove the source
of complexity, branching logic, and bugs, we removed this override logic
and restored the rule access behavior to match with stateful.

We did this while introducing backwards compatibility logic, ensuring
rules created in earlier versions of an oblt stateful cluster continue
to work and are accessible by a user with the right role access.

# Testing

1. Run local ES
```
yarn es serverless --projectType=oblt -E xpack.security.authc.native_roles.enabled=true    
```

2. Run local Kibana
```
yarn start --serverless=oblt --xpack.security.roleManagementEnabled=true --xpack.cloud.users_and_roles_url="https://test_users_and_roles_url"
```
3. Login to Kibana with the admin role. Navigate to the Custom Roles
page via the management navigation.
4. Create a custom role 
5. Log out of Kibana
6. Log back in with your custom role. You can do so by typing the custom
role name into the mock saml auth
<img width="460" alt="Screenshot 2025-05-22 at 9 23 13 PM"
src="https://github.com/user-attachments/assets/8e7f659b-5fe9-4e74-8c57-b420467d309e"
/>

---------

Co-authored-by: Jason Rhodes <jason.rhodes@elastic.co>
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
2025-06-13 22:03:49 -04:00
..
build_chromium [On-Week] Automate chromium linux builds for reporting in Kibana (#212674) 2025-05-06 22:04:08 +02:00
dev-tools
examples [SharedUX] Replace KibanaRenderContextProvider usage (#220170) 2025-06-12 08:39:59 -07:00
packages Upgrade ES client to 9.0.0-alpha.3 (#208776) 2025-02-25 14:37:23 +00:00
performance SKA: Relocate /test to /src/platform/test (#210956) 2025-03-14 16:57:23 +00:00
platform [Observability] [Serverless] Introduce custom roles (#219861) 2025-06-13 22:03:49 -04:00
scripts [Streams] Replay loghub data with synthtrace (#212120) 2025-03-11 13:30:06 +01:00
solutions [Observability] [Serverless] Introduce custom roles (#219861) 2025-06-13 22:03:49 -04:00
test [Observability] [Serverless] Introduce custom roles (#219861) 2025-06-13 22:03:49 -04:00
test_serverless [Observability] [Serverless] Introduce custom roles (#219861) 2025-06-13 22:03:49 -04:00
.gitignore SKA: Update and breakdown x-pack/.gitignore (#212341) 2025-02-25 11:34:42 +01:00
.i18nrc.json [upgrade assistant] Create upgrade-assistant package, stub out storybook usage (#218705) 2025-04-28 20:45:43 +02:00
.telemetryrc.json SKA: Extract list of Kibana solutions into a dedicated package (#213353) 2025-03-20 10:20:07 +01:00
package.json chore(NA): bump version to 9.1.0 (#208990) 2025-01-31 06:05:13 +00:00
README.md SKA: Relocate "platform" packages that remain on /packages (#208704) 2025-02-24 11:03:30 +00:00

README.md

Elastic License Functionality

This directory tree contains files subject to the Elastic License 2.0. The files subject to the Elastic License 2.0 are grouped in this directory to clearly separate them from files licensed otherwise.

Alert Details page feature flags (feature-flag-per-App)

If you have:

xpack.observability.unsafe.alertDetails.uptime.enabled: true

[For Uptime rule type] In Kibana configuration, will allow the user to navigate to the new Alert Details page, instead of the Alert Flyout when clicking on View alert details in the Alert table

Development

By default, Kibana will run with X-Pack installed as mentioned in the contributing guide.

Elasticsearch will run with a basic license. To run with a trial license, including security, you can specifying that with the yarn es command.

Example: yarn es snapshot --license trial --password changeme

By default, this will also set the password for native realm accounts to the password provided (changeme by default). This includes that of the kibana_system user which elasticsearch.username defaults to in development. If you wish to specify a password for a given native realm account, you can do that like so: --password.kibana_system=notsecure

Testing

For information on testing, see the Elastic functional test development guide.

Running functional tests

The functional UI tests, the API integration tests, and the SAML API integration tests are all run against a live browser, Kibana, and Elasticsearch install. Each set of tests is specified with a unique config that describes how to start the Elasticsearch server, the Kibana server, and what tests to run against them. The sets of tests that exist today are functional UI tests (specified by this config), API integration tests (specified by this config), and SAML API integration tests (specified by this config).

The script runs all sets of tests sequentially like so:

  • builds Elasticsearch and X-Pack
  • runs Elasticsearch with X-Pack
  • starts up the Kibana server with X-Pack
  • runs the functional UI tests against those servers
  • tears down the servers
  • repeats the same process for the API and SAML API integration test configs.

To do all of this in a single command run:

node scripts/functional_tests

Developing functional UI tests

If you are developing functional tests then you probably don't want to rebuild Elasticsearch and wait for all that setup on every test run, so instead use this command to build and start just the Elasticsearch and Kibana servers:

node scripts/functional_tests_server

After the servers are started, open a new terminal and run this command to run just the tests (without tearing down Elasticsearch or Kibana):

node scripts/functional_test_runner

For both of the above commands, it's crucial that you pass in --config to specify the same config file to both commands. This makes sure that the right tests will run against the right servers. Typically a set of tests and server configuration go together.

Read more about how the scripts work here.

For a deeper dive, read more about the way functional tests and servers work here.

Running API integration tests

API integration tests are run with a unique setup usually without UI assets built for the Kibana server.

API integration tests are intended to test only programmatic API exposed by Kibana. There is no need to run browser and simulate user actions, which significantly reduces execution time. In addition, the configuration for API integration tests typically sets optimize.enabled=false for Kibana because UI assets are usually not needed for these tests.

To run only the API integration tests:

node scripts/functional_tests --config test/api_integration/config

Running SAML API integration tests

We also have SAML API integration tests which set up Elasticsearch and Kibana with SAML support. Run only API integration tests with SAML enabled like so:

node scripts/functional_tests --config test/security_api_integration/saml.config

Running Jest integration tests

Jest integration tests can be used to test behavior with Elasticsearch and the Kibana server.

yarn test:jest_integration

Running Reporting functional tests

See here for more information on running reporting tests.

Running Security Solution Cypress E2E/integration tests

See here for information on running this test suite.