Make alerting properly space aware #42081
Pinging @elastic/kibana-stack-services
Pending on #42133.
09f5f51 to d3040ba
looking good to me so far, made a few comments
💔 Build Failed
💚 Build Succeeded
lgtm
Code LGTM, just some minor comments.
x-pack/legacy/plugins/actions/server/lib/get_create_task_runner_function.ts
@@ -75,6 +81,9 @@ export function init(server: Legacy.Server) { | |||
const fireFn = createFireFunction({ |
`fireFn`, which we expose via `server.expose`, allows consumers to specify their own space id. Do we know of any scenarios where consumers will need this capability? If not, we could potentially create a "scoped" fire function, where the space id is derived from the current request, or similar.
If we do need to allow consumers to specify their own space id, then you'll likely want to update this so that it can handle spaces being disabled, and handle cases where a space id is required, but missing. Currently, `spaceIdToNamespace` will throw an error if a space id is not provided.
Also, the underlying `fireFn` uses `callWithInternalUser` in an unguarded fashion, so there isn't any authorization being applied there. This would be less of a concern if it wasn't exposed to consumers, but since this is a consumer-facing function, we should have protections in place there. (perhaps out of scope for this PR?)
From what I can tell, consumers will need to specify their own space id. The example I can think of is task manager wants to fire action `a` in space `b` and uses this function to indicate that. We should be ok when spaces is disabled due to `spaceIdToNamespace` being passed as https://github.com/elastic/kibana/pull/42081/files#diff-c2af122155b3536ee79e8b5384fdaa6eR94.
In regards to `callWithInternalUser` being unguarded, we'll have this fixed when API keys are implemented. We will do the `callWithInternalUser` first, set up a connection with the keys and re-load the same object via the saved objects client.
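The two designs weighed in the review thread above, as an added sketch that is not code from this PR or from Kibana: a fire function that takes a caller-supplied space id and rejects a missing one when spaces is enabled, and a request-scoped wrapper that derives the space from the request and checks access before firing. Every type and name here is a hypothetical stand-in, including `allowedSpaces` and both converters; the spaces-disabled converter returning `undefined` is an assumption.

```typescript
// Added illustration: all names are hypothetical stand-ins, not Kibana's API.
type SpaceIdToNamespace = (spaceId?: string) => string | undefined;
interface FireOptions { id: string; params: Record<string, unknown>; spaceId?: string }
interface FiredTask { actionId: string; namespace?: string; params: Record<string, unknown> }
interface RequestLike { spaceId: string; allowedSpaces: string[] }

// Stand-in for the spaces-enabled converter: throws when no space id is given,
// as the review comment describes. Mapping "default" to no namespace is assumed.
const spacesEnabled: SpaceIdToNamespace = (spaceId) => {
  if (!spaceId) throw new Error('spaceId is required');
  return spaceId === 'default' ? undefined : spaceId;
};

// Assumed behaviour with spaces disabled: every object is un-namespaced.
const spacesDisabled: SpaceIdToNamespace = () => undefined;

// Consumer-facing variant: the caller names the space. A missing id is rejected
// here, with the action id in the message, instead of deep inside the converter.
function createFireFunction(toNamespace: SpaceIdToNamespace, spacesOn: boolean) {
  return (opts: FireOptions): FiredTask => {
    if (spacesOn && !opts.spaceId) {
      throw new Error(`fire(${opts.id}): spaceId is required when spaces is enabled`);
    }
    return { actionId: opts.id, namespace: toNamespace(opts.spaceId), params: opts.params };
  };
}

// Request-scoped variant: the space comes from the request, never from the
// caller, and access to that space is checked before anything is fired.
function createScopedFireFunction(fire: (o: FireOptions) => FiredTask, request: RequestLike) {
  return (opts: Omit<FireOptions, 'spaceId'>): FiredTask => {
    if (!request.allowedSpaces.includes(request.spaceId)) {
      throw new Error(`access to space ${request.spaceId} denied`);
    }
    return fire({ ...opts, spaceId: request.spaceId });
  };
}
```
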
💚 Build Succeeded
retest
LGTM - thanks for the changes, Mike!
As discussed with @kobelb, it would be great to have high-level tests to ensure denied access to spaces when users don't have access. But since this requires API keys to work, we will defer the tests for the PR implementing API keys. Right now alerting doesn't support security enabled in Kibana and is pending API keys to support it.
💚 Build Succeeded
* Make alerting properly space aware
* Fix broken jest tests
* Fix broken integration test
* Cleanup pt1
* Add spaces integration tests
* Fix type check failure
* Apply PR feedback pt1
* Use TS types from spaces plugin
* Fix broken tests
* Apply PR feedback pt1
* Fix getBasePath to return server.basePath when spaces is disabled
* Apply new API changes to tests
Hi @mikecote I see that there were updates to the README for Actions in this PR and those make perfect sense but it's a little unclear to me after reading this whether there are also changes to the security model for the Alerting plugin. Could you help me understand if that plugin is also Spaces-aware and if so, whether there are changes needed for a user of the Alerting plugin?
Hi @cachedout, tl;dr: no changes required. Yes, both plugins, alerting and actions, are space aware end to end with this PR. There aren't any changes required from your end. It's a bit hidden to the consumer just like regular saved objects in the system. One thing you may notice between alerts and actions is we currently don't validate the
Extracted from #41389. This PR makes alerting properly space aware by capturing `spaceId` and passing it along anywhere that is needed.