kibana/config/serverless.oblt.yml
Dominique Clarke f15d325e3c
[Observability] [Serverless] Introduce custom roles (#219861)
## Summary

Closes https://github.com/elastic/observability-dev/issues/4539
Fixes https://github.com/elastic/kibana/issues/221035

Enables custom roles for Observability projects in serverless.

The following is a summary of the changes:

## Feature renaming

1. Renamed `Uptime and Synthetics` to `Synthetics`
2. Renamed `APM and User Experience` to `Applications`
3. Renamed `Metrics` to `Infrastructure`

## Category reassignment

1. Changed `Dashboard` category from `Analytics` to `Observability`
2. Changed `Discover` category from `Analytics` to `Observability`
3. Changed `ML` category from `Analytics` to `Observability`

## Feature hiding

1. Hides the `Stack Alerts` feature.
2. Provides backwards compatibility for alerts created via Stack Alerts.
This enables our users to import rules created within Stack Alerts and
expect to see them in the Observability rules table.

## Navigation updates

1. Adds a `Custom Roles` link under the `Access` section in the
management navigation
2. Adds a `Manage Organization Members` link under the `Access` section
in the management navigation
3. Removes the `Users and Roles` link from the navigation footer (in
favor of the `Manage Organization Members` link)

## Bug fixes

1. Fixes a bug where the `Alerts` link was not shown for a Synthetics-only
user (in stateful and serverless)
2. Fixes a bug where the `Alerts` link was not shown for a Logs-only user
(in stateful and serverless)

## Alert Override Removal

In the alerting framework, each rule is assigned a `consumer` value.
This `consumer` value changes depending on where the rule is created in
Kibana. However, in serverless we introduced an override that caused the
`consumer` value to be `Observability` in nearly every case. This logic
branched from stateful, causing complexity and a large mental burden for
our engineers. Ultimately, this override became the source of bugs,
uncertainty, and unintended user experiences. Because of this, we've
removed this override.

If we kept this override, it would have the unfortunate side effect of
making all rules created in serverless visible from all custom roles (an
APM-only user would have been able to see Synthetics rules, and vice
versa). To make things more unpredictable, when users import their
rules from stateful the behavior would be different (access would be
properly mapped to the specific feature).

To address these specific user experience issues, and remove the source
of complexity, branching logic, and bugs, we removed this override logic
and restored the rule access behavior to match with stateful.

We did this while introducing backwards compatibility logic, ensuring
rules created in earlier versions of an oblt stateful cluster continue
to work and are accessible by a user with the right role access.
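The following is an added illustration, not Kibana code: a toy model of how a rule's `consumer` gates visibility for a custom role. It exists to show the two behaviours the section above describes: with the serverless override every new rule is stamped with a shared `observability` consumer, so an APM-only role sees Synthetics rules created in serverless but not the same rule imported from stateful; with the override removed, access follows the feature the rule was created under. The feature ids (`apm`, `uptime`), the shared-consumer rule (any role with at least one Observability feature can read it) and the `stackAlerts` compatibility mapping are all constructed assumptions for the model, not Kibana's actual authorization logic.

```typescript
// Added illustration, not Kibana code: a toy model of consumer-based rule
// visibility. Feature ids, the shared-consumer rule and the legacy
// Stack Alerts mapping are constructed assumptions.

interface Rule {
  id: string;
  consumer: string;            // feature id the rule belongs to
  importedFromStateful: boolean;
}

interface CustomRole {
  name: string;
  features: string[];          // feature ids the role has privileges for
}

// Assumption: the shared consumer the serverless override stamped on every rule.
const SHARED_CONSUMER = 'observability';

// Assumption: consumers written by the (now hidden) Stack Alerts feature are
// treated as Observability rules so imported rules stay accessible.
const LEGACY_CONSUMER_MAP: { [consumer: string]: string } = {
  stackAlerts: SHARED_CONSUMER,
};

// Creating a rule from a feature's UI. With the override enabled every
// serverless rule gets the shared consumer regardless of where it was created.
function createRule(id: string, feature: string, overrideEnabled: boolean): Rule {
  return {
    id,
    consumer: overrideEnabled ? SHARED_CONSUMER : feature,
    importedFromStateful: false,
  };
}

// Rules imported from stateful keep the consumer they were created with.
function importRule(id: string, consumer: string): Rule {
  return { id, consumer, importedFromStateful: true };
}

// A role may read a rule when the rule's (normalised) consumer is one of its
// features. Assumption: the shared consumer is readable by any role that
// holds at least one Observability feature.
function canRead(role: CustomRole, rule: Rule): boolean {
  const consumer = LEGACY_CONSUMER_MAP[rule.consumer] || rule.consumer;
  if (consumer === SHARED_CONSUMER) {
    return role.features.length > 0;
  }
  return role.features.indexOf(consumer) !== -1;
}

function visibleRuleIds(role: CustomRole, rules: Rule[]): string[] {
  return rules.filter((r) => canRead(role, r)).map((r) => r.id);
}

// Constructed scenario: an APM-only custom role; two rules created in
// serverless (APM and Synthetics), one Synthetics rule imported from
// stateful, and one legacy Stack Alerts rule.
function scenario(overrideEnabled: boolean): string[] {
  const apmOnly: CustomRole = { name: 'apm_only', features: ['apm'] };
  const rules: Rule[] = [
    createRule('apm-latency', 'apm', overrideEnabled),
    createRule('synthetics-monitor-down', 'uptime', overrideEnabled),
    importRule('imported-synthetics', 'uptime'),
    importRule('legacy-stack-alert', 'stackAlerts'),
  ];
  return visibleRuleIds(apmOnly, rules);
}

// With the override, the APM-only role sees the Synthetics rule created in
// serverless but not the identical one imported from stateful:
//   scenario(true)  -> ['apm-latency', 'synthetics-monitor-down', 'legacy-stack-alert']
// With the override removed, access follows the feature:
//   scenario(false) -> ['apm-latency', 'legacy-stack-alert']
```

The inconsistency the commit message calls out is visible in the first result: `synthetics-monitor-down` and `imported-synthetics` are the same kind of rule, yet one is readable by the APM-only role and the other is not, purely because of where it was created. Removing the override makes both follow the `uptime` feature privilege, while the legacy mapping keeps old Stack Alerts rules reachable.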

# Testing

1. Run local ES
```
yarn es serverless --projectType=oblt -E xpack.security.authc.native_roles.enabled=true
```

2. Run local Kibana
```
yarn start --serverless=oblt --xpack.security.roleManagementEnabled=true --xpack.cloud.users_and_roles_url="https://test_users_and_roles_url"
```
3. Log in to Kibana with the admin role. Navigate to the Custom Roles
page via the management navigation.
4. Create a custom role
5. Log out of Kibana
6. Log back in with your custom role. You can do so by typing the custom
role name into the mock SAML auth

![Screenshot 2025-05-22 at 9 23 13 PM](https://github.com/user-attachments/assets/8e7f659b-5fe9-4e74-8c57-b420467d309e)

---------

Co-authored-by: Jason Rhodes <jason.rhodes@elastic.co>
Co-authored-by: Faisal Kanout <faisal.kanout@elastic.co>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
2025-06-13 22:03:49 -04:00

```yaml
# Observability Project config

## Core pricing tier for observability project
pricing.tiers.enabled: true
pricing.tiers.products:
  - name: observability
    tier: complete # Accepted values for this tier are: complete, logs_essentials

# Make sure the plugins belonging to this project type are loaded
plugins.allowlistPluginGroups: ['platform', 'observability']

# Disabled Observability plugins
xpack.ux.enabled: false
xpack.legacy_uptime.enabled: false

xpack.features.overrides:
  ### By default this feature is named `APM and User Experience`, but it should be renamed to `Applications`.
  apm.name: 'Applications'
  ### Dashboards feature should be moved from Analytics category to the Observability one.
  dashboard_v2.category: 'observability'
  ### Discover feature should be moved from Analytics category to the Observability one and its privileges are
  ### fine-tuned to grant access to Observability app.
  discover_v2.category: 'observability'
  ### Machine Learning feature should be moved from Analytics category to the Observability one and renamed to `AI Ops`.
  ml:
    category: 'observability'
    order: 1200
  ### Stack alerts is hidden in Role management since it's not needed.
  stackAlerts.hidden: true
  ### By default this feature is named `Synthetics and Uptime`, but it should be renamed to `Synthetics` since `Uptime` is not available.
  uptime.name: 'Synthetics'

## Cloud settings
xpack.cloud.serverless.project_type: observability

## Enable the Serverless Observability plugin
xpack.serverless.observability.enabled: true

## Set the home route
uiSettings.overrides.defaultRoute: /app/observability/landing

# Customize empty page state for analytics apps
no_data_page.analyticsNoDataPageFlavor: 'serverless_observability'

## Disable adding the component template `.fleet_agent_id_verification-1` to every index template for each datastream for each integration
xpack.fleet.agentIdVerificationEnabled: false
## Enable event.ingested separately because agentIdVerification is disabled
xpack.fleet.eventIngestedEnabled: true

## APM Serverless Onboarding flow
xpack.apm.serverlessOnboarding: true

# Synthetics mTLS cert locations
xpack.uptime.service.tls.certificate: /mnt/elastic-internal/http-certs/tls.crt
xpack.uptime.service.tls.key: /mnt/elastic-internal/http-certs/tls.key

# Fleet specific configuration
xpack.fleet.internal.registry.capabilities: ['apm', 'observability', 'uptime']
xpack.fleet.internal.registry.excludePackages: [
  # Security integrations
  'endpoint',
  'beaconing',
  'cloud_security_posture',
  'cloud_defend',
  'security_detection_engine',

  # Deprecated security integrations
  'bluecoat',
  'cisco',
  'cyberark',
  'cylance',
  'f5',
  'fortinet_forticlient',
  'juniper_junos',
  'juniper_netscreen',
  'microsoft',
  'netscout',
  'radware',
  'symantec',
  'tomcat',

  # ML integrations
  'dga',

  # Profiling integrations
  'profiler_agent',
]

## Required for force installation of integration packages
xpack.fleet.packages:
  # fleet_server package installed to publish agent metrics
  - name: fleet_server
    version: latest

## Disable APM UI components and API calls
xpack.apm.featureFlags.agentConfigurationAvailable: false
xpack.apm.featureFlags.configurableIndicesAvailable: false
xpack.apm.featureFlags.infrastructureTabAvailable: true
xpack.apm.featureFlags.infraUiAvailable: true
xpack.apm.featureFlags.migrationToFleetAvailable: false
xpack.apm.featureFlags.sourcemapApiAvailable: false
xpack.apm.featureFlags.storageExplorerAvailable: false

## Set the AI Assistant type
aiAssistantManagementSelection.preferredAIAssistantType: 'observability'
xpack.observabilityAIAssistant.scope: 'observability'

# Specify in telemetry the project type
telemetry.labels.serverless: observability

xpack.ml.ad.enabled: true
xpack.ml.dfa.enabled: true
xpack.ml.nlp:
  enabled: true
  modelDeployment:
    allowStaticAllocations: false
    vCPURange:
      low:
        min: 0
        max: 2
      medium:
        min: 1
        max: 32
      high:
        min: 1
        max: 128
xpack.ml.compatibleModuleType: 'observability'

# Disable the embedded Dev Console
console.ui.embeddedEnabled: false

# Disable role management (custom roles)
xpack.security.roleManagementEnabled: false
```