-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the SavedObjectsClient to work outside of a space #131254
Comments
Pinging @elastic/kibana-security (Team:Security) |
Pinging @elastic/kibana-core (Team:Core) |
I encountered the same problem in #109196 for the SO management section. I needed to list/search for objects in all spaces (doable), but then there wasn't a way to properly I want to start by expressing a concern here. If your linked issue (ML management) and my use case (SO management) are prime and valid reasons to find a way to expose a 'non-spaced' client, I'm a bit scare of it being used outside of management features, where it, ihmo, shouldn't. Now, regarding our options. Even if I really hate it, our current SOR architecture doesn't really support such high level behavior modification as option 1) and 2) propose, which means that the 'space-agnostic' mode will have to be directly implemented in the (already too complex) SOR code. Also, atm we don't provide options (from the SOR) to the SO wrapper when instantiating them, so it would be an additional structural change to implement if we wanted to try to handle that at a wrapper's level. Overall, option 1) and 2) would require to take the time to tackle #102957 (and update the issue to support what would be required for the current issue). If you think this will be required anyway for #82725, then I'd say we should probably focus on the changes required for OLS first, and, once implemented, potentially perform the additional changes required for this issue. In the meantime, if this is really blocker for some management feature, I'd say we should implement option 3) in the meantime to provide a temporary solution/workaround to have all SOR APIs accept a WDYT? EDIT: Also, note that for SOM, only option 3) would really work, as we will be listing objects from all spaces of all namespaceType, meaning we'll need to manipulate isolated objects from another space, which is not supported with your suggested option 1) or 2) ( |
I'm not mad about changing the base SOR either and forsee forcing consumers to change their implementations will be met with heavy resistance if it's not going to benefit a wider audience. To echo #131254 (comment), since we need to do work for OLS anyway, I'm +1 with seeing how far option 2 gets us before making other large-scale changes and with option 3 as a shorter-term solution. |
@pgayvallet I agree, I think that largely, other potential future use cases we're talking about would be management-oriented (Alerting, for example).
Yes, I should have stated explicitly, but I was thinking the same thing!
Yeah, I am pretty certain at this point it will be required for OLS anyway, and I agree we should focus on that first before tackling approach 1/2 in this issue.
We discussed it with the ML team and we think we might be able to put in the groundwork for option 2 (changes to optimize preflight checks) in the next few months. So they are OK with waiting for now, and we'll avoid making any short-term changes (option 3).
Hm, that's a good point. I guess if we implemented option 2, we could still change the SOM page to take advantage of it, but it would have to have some additional logic (on the client side and server side) to apply the correct space ID for single-namespace objects.
|
There are two questions I'd like to be able to answer via data view management.
#132385 adds saved object relationships to data view management. It would be nice to add cross space support to this. We're not able to answer the first one without having some sort of visibility into all spaces. Seems this might be worth its own api endpoint since its really a boolean result. |
For SOR to only work in a given space makes sense for the mental model where spaces are a kind of multi-tenant solution with strict isolation. Sharing to multiple spaces is stretching that mental model, and from my understanding ML's use case is starting to completely break away from that mental model into a new world where a user sees all objects from all their spaces. These are all "management" use cases, but I wonder if it's more than just isolated use cases. I could also imagine us allowing users to see all saved objects across all the spaces they have access to (or only the ones they wish to see). If I want to see a marketing dashboard and then a sales dashboard why do I have to switch spaces and break my work flow. I feel like we lack a strong product vision for how we see spaces being used and the kind of user experiences we want to build off of it. If ML is just the first adopter but other plugins will follow we would need built-in support rather than a workaround. |
We will lay the groundwork for Approach 2 in #133835 by getting rid of the SOC wrappers in favor of bespoke extensions. The PR to resolve that issue isn't ready to merge yet, but our team will pick it up soon. |
Background
The SavedObjectsClient (SOC) was designed to work in the current space (aka "active space") by default. Consumers didn't need to specify what space they were in, it is determined by the HTTP request context which they use to obtain an instance of the SOC. The spaces SOC wrapper determines the active space, and sets the
namespace
option accordingly.Over time we've had the need to change some SOC functions so they can work in multiple spaces. This includes:
find
across multiple spaces using thenamespaces
option (Search across spaces #67644)openPointInTimeForType
/createPointInTimeFinder
across multiple spaces using thenamespaces
option (Add multiple namespaces support to PIT search and finder #109062)create
an object in multiple spaces (or simply a different space) using theinitialNamespaces
option (Add support for sharing saved objects to all spaces #76132)bulkCreate
objects in multiple spaces (or simply a different space) using theinitialNamespaces
field in the object args (Add support for sharing saved objects to all spaces #76132)bulkGet
objects across multiple spaces using thenamespaces
field in the object args (bulkGet saved objects across spaces #109967)bulkUpdate
objects in different spaces using thenamespace
field in the object args (Change saved object bulkUpdate to work across multiple namespaces #75478)With the exception of
find
/openPointInTimeForType
/createPointInTimeFinder
, the SavedObjectsClient always operates within the active space. Even for those other functions that can work in multiple spaces, the authorization layer still ensures that the user is authorized in the current space.The remaining SOC functions only operate in the current space:
checkConflicts
get
resolve
bulkResolve
update
delete
collectMultiNamespaceReferences
updateObjectsSpaces
removeReferencesTo
incrementCounter
Feature
It would be useful to have the option to use the SavedObjectsClient in a space-agnostic manner. For example, this could be used to drive the ML Job Management page so you can manage jobs across all spaces that you have access to (#131134).
Unfortunately it's not trivial to change the entire SOC to behave in this manner, because some saved object types are still isolated to an individual space (
namespaceType: 'single'
) and they do not have globally unique IDs.I can think of three approaches to solve the ML Job Management use case.
Approach 1
ML jobs use
namespaceType: 'multiple'
and they do have globally unique IDs. We could potentially allow consumers to instantiate a SOC that works in a space-agnostic manner, but only for object types that have globally unique IDs. If a SOC was instantiated in this way, it would need to throw an error if a consumer attempted to use it for an isolated object type.This would entail:
Since the security SOC wrapper doesn't have access to the preflight check results that the SOR makes, it would have to check that the user is authorized to take that action in all spaces. This limitation would mean that users who are not "global admins" (e.g., they only have access to Kibana features in specific spaces) would never be authorized to make requests using this SOC.
Approach 2
This is a variation of Approach 1. If the security SOC wrapper had access to preflight check results, it could check authorization after the preflight check but before calling the base SOC function. We don't have the capability to do this today, but we'll likely need it anyway to implement #82725.
Approach 3
Alternatively, to support use cases like this one in the short term, the consumer could (1) create a SOC without the Spaces wrapper, (2) find objects across
'*'
spaces, and (3) take any subsequent update/delete actions in the context of a space where that object actually exists by specifying thenamespace
option.One upside of this approach is that it only requires minimal changes to the SOC. Specifically the security SOC wrapper's
find
function would need to be tweaked to expand'*'
to the list of actual spaces that exist, so that it can subsequently check authorization.The ShareToSpaceFlyout logic would also need to be tweaked to allow the consumer to specify a custom API endpoint for
collectMultiNamespaceReferences
(AKAgetShareableReferences
).A downside of this approach is that it's susceptible to race conditions. For example:
The text was updated successfully, but these errors were encountered: