mirror of https://github.com/elastic/kibana.git synced 2025-04-24 17:59:23 -04:00

Your window into the Elastic Stack

dashboards elasticsearch hacktoberfest kibana metrics observability visualizations

Find a file

Elena Shostak 6be0e84cb1 [8.x] [Hardening] Kibana Feature API Privileges Names (#208067 ) (#209321 ) # Backport This will backport the following commits from `main` to `8.x`: - [[Hardening] Kibana Feature API Privileges Names (#208067)](https://github.com/elastic/kibana/pull/208067) <!--- Backport version: 9.6.4 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Elena Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-02-03T14:22:29Z","message":"[Hardening] Kibana Feature API Privileges Names (#208067)\n\n## Summary\r\n\r\nAs part of our effort to harden API action definitions and enforce\r\nstandards this PR adds an utility `ApiPrivileges` class.\r\nIt is supposed to be used for both feature registration and API route\r\ndefinition to construct the privilege name.\r\n```ts\r\nplugins.features.registerKibanaFeature({\r\n privileges: {\r\n all: {\r\n app: [...],\r\n catalogue: [...],\r\n api: [ApiPrivileges.manage('subject_name')],\r\n ...\r\n },\r\n read: {\r\n ...\r\n api: [ApiPrivileges.read('subject_name')],\r\n ...\r\n },\r\n },\r\n})\r\n....\r\n\r\n// route definition\r\nrouter.get(\r\n {\r\n path: 'api_path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: [ApiPrivileges.manage('subject_name')],\r\n },\r\n },\r\n },\r\n async (ctx, req, res) => {}\r\n);\r\n```\r\n\r\n`require_kibana_feature_privileges_naming` eslint rule has been added to\r\nshow warning if the API privilege name doesn't satisfy the naming\r\nconvention.\r\n\r\n### Naming convention\r\n\r\n- API privilege should start with valid `ApiOperation`: `manage`,\r\n`read`, `update`, `delete`, `create`\r\n- API privilege should use `_` as separator\r\n\r\n❌ `read-entity-a`\r\n❌ `delete_entity-a`\r\n❌ `entity_manage`\r\n✅ `read_entity_a`\r\n✅ `delete_entity_a`\r\n✅ `manage_entity`\r\n\r\n> [!IMPORTANT] \r\n> Serverless ZDT update scenario:\r\n>\r\n> - version N has an endpoint protected with the `old_privilege_read`.\r\n> - version N+1 has the same endpoint protected with a new\r\n`read_privilege`.\r\n> \r\n> There might be a short period between the time the UI pod N+1 passes\r\nSO migrations and updates privileges and the time it's marked as\r\nready-to-handle-requests by k8s, and when UI pod N is terminated.\r\n>\r\n> After discussion with @legrego and @azasypkin we decided to ignore it\r\ndue to the perceived risk-to-cost ratio:\r\n> 1. The time window users might be affected is very narrow because we\r\nregister privileges late in the Kibana startup flow (e.g., after SO\r\nmigrations).\r\n> 2. The transient 403 errors users might get won't result in session\r\ntermination and shouldn't lead to data loss.\r\n> 3. The roll-out will be performed in batches over the course of\r\nmultiple weeks and implemented by different teams. This means the impact\r\nper release shouldn't be significant.\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n__Relates: https://github.com/elastic/kibana/issues/198716__\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"504510b92b0e92cbc173f0de517c506d2f54d536","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Hardening","backport:prev-minor","Team:Obs AI Assistant","backport:version","v9.1.0","v8.19.0"],"title":"[Hardening] Kibana Feature API Privileges Names","number":208067,"url":"https://github.com/elastic/kibana/pull/208067","mergeCommit":{"message":"[Hardening] Kibana Feature API Privileges Names (#208067)\n\n## Summary\r\n\r\nAs part of our effort to harden API action definitions and enforce\r\nstandards this PR adds an utility `ApiPrivileges` class.\r\nIt is supposed to be used for both feature registration and API route\r\ndefinition to construct the privilege name.\r\n```ts\r\nplugins.features.registerKibanaFeature({\r\n privileges: {\r\n all: {\r\n app: [...],\r\n catalogue: [...],\r\n api: [ApiPrivileges.manage('subject_name')],\r\n ...\r\n },\r\n read: {\r\n ...\r\n api: [ApiPrivileges.read('subject_name')],\r\n ...\r\n },\r\n },\r\n})\r\n....\r\n\r\n// route definition\r\nrouter.get(\r\n {\r\n path: 'api_path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: [ApiPrivileges.manage('subject_name')],\r\n },\r\n },\r\n },\r\n async (ctx, req, res) => {}\r\n);\r\n```\r\n\r\n`require_kibana_feature_privileges_naming` eslint rule has been added to\r\nshow warning if the API privilege name doesn't satisfy the naming\r\nconvention.\r\n\r\n### Naming convention\r\n\r\n- API privilege should start with valid `ApiOperation`: `manage`,\r\n`read`, `update`, `delete`, `create`\r\n- API privilege should use `_` as separator\r\n\r\n❌ `read-entity-a`\r\n❌ `delete_entity-a`\r\n❌ `entity_manage`\r\n✅ `read_entity_a`\r\n✅ `delete_entity_a`\r\n✅ `manage_entity`\r\n\r\n> [!IMPORTANT] \r\n> Serverless ZDT update scenario:\r\n>\r\n> - version N has an endpoint protected with the `old_privilege_read`.\r\n> - version N+1 has the same endpoint protected with a new\r\n`read_privilege`.\r\n> \r\n> There might be a short period between the time the UI pod N+1 passes\r\nSO migrations and updates privileges and the time it's marked as\r\nready-to-handle-requests by k8s, and when UI pod N is terminated.\r\n>\r\n> After discussion with @legrego and @azasypkin we decided to ignore it\r\ndue to the perceived risk-to-cost ratio:\r\n> 1. The time window users might be affected is very narrow because we\r\nregister privileges late in the Kibana startup flow (e.g., after SO\r\nmigrations).\r\n> 2. The transient 403 errors users might get won't result in session\r\ntermination and shouldn't lead to data loss.\r\n> 3. The roll-out will be performed in batches over the course of\r\nmultiple weeks and implemented by different teams. This means the impact\r\nper release shouldn't be significant.\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n__Relates: https://github.com/elastic/kibana/issues/198716__\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"504510b92b0e92cbc173f0de517c506d2f54d536"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/208067","number":208067,"mergeCommit":{"message":"[Hardening] Kibana Feature API Privileges Names (#208067)\n\n## Summary\r\n\r\nAs part of our effort to harden API action definitions and enforce\r\nstandards this PR adds an utility `ApiPrivileges` class.\r\nIt is supposed to be used for both feature registration and API route\r\ndefinition to construct the privilege name.\r\n```ts\r\nplugins.features.registerKibanaFeature({\r\n privileges: {\r\n all: {\r\n app: [...],\r\n catalogue: [...],\r\n api: [ApiPrivileges.manage('subject_name')],\r\n ...\r\n },\r\n read: {\r\n ...\r\n api: [ApiPrivileges.read('subject_name')],\r\n ...\r\n },\r\n },\r\n})\r\n....\r\n\r\n// route definition\r\nrouter.get(\r\n {\r\n path: 'api_path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: [ApiPrivileges.manage('subject_name')],\r\n },\r\n },\r\n },\r\n async (ctx, req, res) => {}\r\n);\r\n```\r\n\r\n`require_kibana_feature_privileges_naming` eslint rule has been added to\r\nshow warning if the API privilege name doesn't satisfy the naming\r\nconvention.\r\n\r\n### Naming convention\r\n\r\n- API privilege should start with valid `ApiOperation`: `manage`,\r\n`read`, `update`, `delete`, `create`\r\n- API privilege should use `_` as separator\r\n\r\n❌ `read-entity-a`\r\n❌ `delete_entity-a`\r\n❌ `entity_manage`\r\n✅ `read_entity_a`\r\n✅ `delete_entity_a`\r\n✅ `manage_entity`\r\n\r\n> [!IMPORTANT] \r\n> Serverless ZDT update scenario:\r\n>\r\n> - version N has an endpoint protected with the `old_privilege_read`.\r\n> - version N+1 has the same endpoint protected with a new\r\n`read_privilege`.\r\n> \r\n> There might be a short period between the time the UI pod N+1 passes\r\nSO migrations and updates privileges and the time it's marked as\r\nready-to-handle-requests by k8s, and when UI pod N is terminated.\r\n>\r\n> After discussion with @legrego and @azasypkin we decided to ignore it\r\ndue to the perceived risk-to-cost ratio:\r\n> 1. The time window users might be affected is very narrow because we\r\nregister privileges late in the Kibana startup flow (e.g., after SO\r\nmigrations).\r\n> 2. The transient 403 errors users might get won't result in session\r\ntermination and shouldn't lead to data loss.\r\n> 3. The roll-out will be performed in batches over the course of\r\nmultiple weeks and implemented by different teams. This means the impact\r\nper release shouldn't be significant.\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n__Relates: https://github.com/elastic/kibana/issues/198716__\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"504510b92b0e92cbc173f0de517c506d2f54d536"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"},{"url":"https://github.com/elastic/kibana/pull/209315","number":209315,"branch":"9.0","state":"OPEN"}]}] BACKPORT-->		2025-02-03 11:51:36 -05:00
.buildkite	[8.x] [ci] Increase Checks disk size (#209198 ) (#209202 )	2025-01-31 20:10:44 -06:00
.devcontainer	[8.x] Sync devcontainer with main (#202854 )	2024-12-03 17:10:40 -08:00
.github	[8.x] Introduce the `InferenceChatModel` for langchain (#206429 ) (#209277 )	2025-02-03 16:32:00 +01:00
api_docs	[8.x] [AVC Banner] Updates the AVC Banner for 2025 (#205467 ) (#205820 )	2025-01-08 11:11:46 -05:00
config	[8.x] [FTR][Synonyms UI] Add Synonyms overview FTRs (#208723 ) (#208925 )	2025-01-30 15:12:45 +01:00
dev_docs	[8.x] [Hardening] Kibana Feature API Privileges Names (#208067 ) (#209321 )	2025-02-03 11:51:36 -05:00
docs	[8.x] [Synthetics] Clarify private location api docs !! (#208504 ) (#209005 )	2025-01-30 18:16:42 +00:00
examples	[8.x] [Embeddable] EUI Visual Refresh Integration (#204452 ) (#208565 )	2025-01-29 14:47:30 -05:00
kbn_pm	[8.x] Sustainable Kibana Architecture: Move `CodeEditor` related packages #205587 (#205738 ) (#205919 )	2025-01-10 11:20:26 +00:00
legacy_rfcs	[8.x] SKA: Update broken references and URLs (#206836 ) (#208479 )	2025-01-28 10:09:09 +01:00
licenses	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
oas_docs	[8.x] [Detection Engine] [Alerting] [Response Ops] Rule gaps (#206313 ) (#208971 )	2025-01-30 17:49:06 +01:00
packages	[8.x] [Hardening] Kibana Feature API Privileges Names (#208067 ) (#209321 )	2025-02-03 11:51:36 -05:00
plugins
scripts	[8.x] SKA: Update broken references and URLs (#206836 ) (#208479 )	2025-01-28 10:09:09 +01:00
src	[8.x] [Hardening] Kibana Feature API Privileges Names (#208067 ) (#209321 )	2025-02-03 11:51:36 -05:00
test	[8.x] [Vega] Fix highlight for HJSON (#208858 ) (#209292 )	2025-02-03 16:43:26 +01:00
typings	[8.x] make emotion typing global (#200958 ) (#203162 )	2024-12-05 14:10:16 -06:00
x-pack	[8.x] [Hardening] Kibana Feature API Privileges Names (#208067 ) (#209321 )	2025-02-03 11:51:36 -05:00
.backportrc.json	chore(NA): adds 8.16 into backportrc (#187530 )	2024-07-04 19:09:25 +01:00
.bazelignore	Remove references to deleted .ci folder (#177168 )	2024-02-20 19:54:21 +01:00
.bazeliskversion	chore(NA): upgrade bazelisk into v1.11.0 (#125070 )	2022-02-09 20:43:57 +00:00
.bazelrc	chore(NA): use new and more performant BuildBuddy servers (#130350 )	2022-04-18 02:01:38 +01:00
.bazelrc.common	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
.bazelversion	chore(NA): revert bazel upgrade for v5.2.0 (#135096 )	2022-06-24 03:57:21 +01:00
.browserslistrc	Add Firefox ESR to browserlistrc (#184462 )	2024-05-29 17:53:18 -05:00
.editorconfig
.eslintignore	[8.x] SKA: Fix outdated eslint rules (#206961 ) (#208486 )	2025-01-28 14:46:39 +01:00
.eslintrc.js	[8.x] SKA: Update repository structure documentation (#208691 ) (#208831 )	2025-01-30 12:40:53 +03:00
.gitattributes
.gitignore	[8.x] Sustainable Kibana Architecture: Move modules owned by `@elastic/kibana-operations` (#202739 ) (#205320 )	2024-12-31 19:01:38 +01:00
.i18nrc.json	[8.x] [Discover] In-table search (#206454 ) (#208868 )	2025-01-30 09:16:33 +01:00
.node-version	[8.x] Upgrade Node.js to 20.18.2 (#207431 ) (#207894 )	2025-01-22 19:37:48 +00:00
.npmrc	[npmrc] Fix puppeteer_skip_download configuration (#177673 )	2024-02-22 18:59:01 -07:00
.nvmrc	[8.x] Upgrade Node.js to 20.18.2 (#207431 ) (#207894 )	2025-01-22 19:37:48 +00:00
.prettierignore
.prettierrc
.puppeteerrc	Add .puppeteerrc (#179847 )	2024-04-03 09:14:39 -05:00
.stylelintignore
.stylelintrc	Bump stylelint to ^14 (#136693 )	2022-07-20 10:11:00 -05:00
.telemetryrc.json	[8.x] Sustainable Kibana Architecture: Move modules owned by `@elastic/kibana-core` (#201653 ) (#205563 )	2025-01-05 16:32:00 +01:00
.yarnrc
BUILD.bazel	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
catalog-info.yaml	[sonarqube] Disable cron (#190611 )	2024-08-15 09:19:09 -05:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md
FAQ.md	Fix small typos in the root md files (#134609 )	2022-06-23 09:36:11 -05:00
fleet_packages.json	[8.x] Sync bundled packages with Package Storage (#208241 )	2025-01-27 13:05:25 +01:00
github_checks_reporter.json
kibana.d.ts	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
LICENSE.txt	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
NOTICE.txt	[8.x] [ES\|QL] capitalize `FROM` in recommended queries (#205122 ) (#205352 )	2025-01-02 04:27:03 -06:00
package.json	[8.x] Introduce the `InferenceChatModel` for langchain (#206429 ) (#209277 )	2025-02-03 16:32:00 +01:00
preinstall_check.js	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
README.md
renovate.json	[8.x] [Renovate/Core] Use `prev-minor` backport strategy (#204709 ) (#204909 )	2024-12-19 11:00:04 +00:00
RISK_MATRIX.mdx
run_fleet_setup_parallel.sh	[8.x] Sustainable Kibana Architecture: Move modules owned by `@elastic/fleet` (#202422 ) (#205145 )	2024-12-24 15:17:23 -06:00
SECURITY.md
sonar-project.properties	[sonarqube] update memory, cpu (#190547 )	2024-09-09 16:16:30 -05:00
STYLEGUIDE.mdx	[styleguide] update path to scss theme (#140742 )	2022-09-15 10:41:14 -04:00
tsconfig.base.json	[8.x] Introduce the `InferenceChatModel` for langchain (#206429 ) (#209277 )	2025-02-03 16:32:00 +01:00
tsconfig.browser.json
tsconfig.browser_bazel.json
tsconfig.json	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
TYPESCRIPT.md	Fix small typos in the root md files (#134609 )	2022-06-23 09:36:11 -05:00
versions.json	[ci] Update version tracking for 7.17.25 (#192477 )	2024-09-10 20:54:04 -05:00
WORKSPACE.bazel	[8.x] Upgrade Node.js to 20.18.2 (#207431 ) (#207894 )	2025-01-22 19:37:48 +00:00
yarn.lock	[8.x] Introduce the `InferenceChatModel` for langchain (#206429 ) (#209277 )	2025-02-03 16:32:00 +01:00

README.md

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started
- Using a Kibana Release
- Building and Running Kibana, and/or Contributing Code
Documentation
Version Compatibility with Elasticsearch
Questions? Problems? Suggestions?

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Download the latest version on the Kibana Download Page.
Learn more about Kibana's features and capabilities on the Kibana Product Page.
We also offer a hosted version of Kibana on our Cloud Service.

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

CONTRIBUTING.md will help you get Kibana up and running.
If you would like to contribute code, please follow our STYLEGUIDE.mdx.
For all other questions, check out the FAQ.md and wiki.

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

Situation	Example Kibana version	Example ES version	Outcome
Versions are the same.	7.15.1	7.15.1	💚 OK
ES patch number is newer.	7.15.0	7.15.1	⚠️ Logged warning
ES minor number is newer.	7.14.2	7.15.0	⚠️ Logged warning
ES major number is newer.	7.15.1	8.0.0	🚫 Fatal error
ES patch number is older.	7.15.1	7.15.0	⚠️ Logged warning
ES minor number is older.	7.15.1	7.14.2	🚫 Fatal error
ES major number is older.	8.0.0	7.15.1	🚫 Fatal error

Questions? Problems? Suggestions?

If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.