Make TagClient available to other plugins on server side #130748

Closed
jen-huang opened this issue Apr 20, 2022 · 4 comments · Fixed by #130774
Labels
enhancement New value added to drive a business result Feature:Saved Object Tagging Saved Objects Tagging feature impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@jen-huang
Contributor

Describe the feature:
Expose savedObjectTagging client to other plugins for server-side consumption; currently it only exports a UI interface.

Describe a specific use case for the feature:
Fleet needs this in order to add tags to Kibana assets that are installed and managed by Fleet: #123904.

When Fleet installs these assets, there is already an internally-scoped saved object client set up that is used:

```typescript
await setupFleet(
  new SavedObjectsClient(core.savedObjects.createInternalRepository()),
  core.elasticsearch.client.asInternalUser
);
```

So it would be great to be able to pass the same client to instantiate a TagClient.

@jen-huang jen-huang added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc enhancement New value added to drive a business result Feature:Saved Object Tagging Saved Objects Tagging feature labels Apr 20, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@pgayvallet
Contributor

> currently it only exports a UI interface.

Not exactly. We're exposing the soTagging feature via a request handler context too, e.g. ctx.tags.tagsClient. But there's currently no way to access the feature from outside of a request handler on the server-side.

@pgayvallet
Contributor

Looking at the code, exposing the TagClient (which allows to create/delete/update tags) from outside of a request handler should not be an issue, as its only dependency is a SavedObjectsClientContract that could be provided by the API consumer.

However, the tagAssignmentService (which allows to assign/unassign tags to saved objects) is more problematic: as we need to make sure that the user performing the operation is allowed to update the target object(s), we are performing an authz check against the assigned types, using security.authorization.checkPrivilegesDynamicallyWithRequest, and this effectively requires to have a request object.

We could lift this authz check when creating the assignmentService from outside of a request handler, but tbh I don't really like this option very much...

@jen-huang what exactly do you need to perform via the SO tagging APIs? Are you only going to create tags, or do you also need to assign them to existing objects?
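
The two construction paths weighed in this comment, as an added example that is not part of the original thread and is not Kibana's code: a simplified model in which `AssignmentService`, `FakeRequest`, `GRANTS`, `checkPrivileges` and `tryAssign` are hypothetical stand-ins. With a request the per-type privilege check gates the update; without one nothing does, so the calling plugin becomes responsible for what it tags.

```typescript
// Added illustration: a simplified model, not Kibana's implementation.
// Every type, name and value here is a hypothetical stand-in.
type FakeRequest = { user: string };
type PrivilegeCheck = (req: FakeRequest, types: string[]) => string[]; // returns denied types
type AuthzContext = { request: FakeRequest; check: PrivilegeCheck };
type Target = { type: string; id: string };

// Constructed sample privileges: which saved object types each user may update.
const GRANTS: Record<string, string[]> = {
  alice: ['dashboard', 'visualization'],
  bob: ['dashboard'],
};

const checkPrivileges: PrivilegeCheck = (req, types) => {
  const allowed = GRANTS[req.user] || [];
  return types.filter((t) => allowed.indexOf(t) === -1);
};

class AssignmentService {
  readonly applied: string[] = [];
  private readonly authz: AuthzContext | undefined;

  // No AuthzContext models a service created outside a request handler
  // with the authz check lifted.
  constructor(authz?: AuthzContext) {
    this.authz = authz;
  }

  assign(tagId: string, targets: Target[]): void {
    if (this.authz) {
      const types = targets.map((t) => t.type).filter((t, i, all) => all.indexOf(t) === i);
      const denied = this.authz.check(this.authz.request, types);
      if (denied.length > 0) {
        throw new Error('Forbidden: cannot update types [' + denied.join(', ') + ']');
      }
    }
    for (const t of targets) this.applied.push(tagId + ' -> ' + t.type + ':' + t.id);
  }
}

function tryAssign(svc: AssignmentService, objType: string): string {
  try {
    svc.assign('tag-1', [{ type: objType, id: 'obj-1' }]);
    return 'ok';
  } catch (e) {
    return (e as Error).message;
  }
}
```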

@jen-huang
Contributor Author

> @jen-huang what exactly do you need to perform via the SO tagging APIs? Are you only going to create tags, or do you also need to assign them to existing objects?

We will need to create tags and assign them to objects immediately after the objects are created.

> However, the tagAssignmentService (which allows to assign/unassign tags to saved objects) is more problematic: as we need to make sure that the user performing the operation is allowed to update the target object(s), we are performing an authz check against the assigned types, using security.authorization.checkPrivilegesDynamicallyWithRequest, and this effectively requires to have a request object.

Is it possible to instantiate an internal/system user version of a request object that Fleet can pass to tagAssignmentService? Similar to core.elasticsearch.client.asInternalUser or core.savedObjects.createInternalRepository(), which is what Fleet uses as ES and SO clients for all package installations.

@exalate-issue-sync exalate-issue-sync bot reopened this Apr 29, 2022
@exalate-issue-sync exalate-issue-sync bot added the impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. label Apr 29, 2022