[config] mechanism to prevent internal configs from leaking to self-managed users #152395
Comments
lukeelmers
added
Team:Core
|
Pinging @elastic/kibana-core (Team:Core) |
|
Concretely what we want here is a mechanism to disable/enable some plugins based on the project type without exposing said mechanism as a public API (such as kibana.yml). The solution that seems like it would require the least amount of work in Core to achieve this would be to create a
This is somewhat of an aside... While this mechanism allows any per project configs, in general I'd prefer if we don't introduce any new config flags just for the ability to specify them in these per project config files. Rather the config files should use existing config properties or only enabling/disabling plugins. Further customisation would then be powered through plugin JS APIs If observability wants to add a new embeddable type to their project type, we could add a config flag like |
Are we certain this is all this issue is about (I would be very glad if it was, but still asking)? From @lukeelmers's initial discussion, it felt like it could be more than just having a 'serverless only' way to control plugin enablement, and could be the need to have specific config properties (either Core's or Plugins') having the same need? |
Yeah I think that's very much still in the air. But once we have a serverless build we can use the same mechanism to only expose some config flags to serverless if we want these serverless-specific configs to be a private API. So if we want to customize the help button link with I think we should be careful because of the maintenance burden, but other than that this seems sufficient at the technical level. |
|
After looking through the code I realise I misunderstood the |
|
FWIW, this is where we're adding the context usable by references when validating the config: kibana/packages/kbn-config/src/config_service.ts Lines 239 to 247 in 1cbf83f The CLI command reading the Line 262 in 065dbe7 However, atm this flag is is not injected into |
## Summary Related to #152395. Closes #154394. This restores the `enabled` config setting for the Canvas plugin (in development only for now until #152395 is addressed). Restoring the `xpack.canvas.enabled` setting will allow Canvas to be disabled in future offerings. ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
|
This issue might be related: #155912 |
We plan to use serverless config files to manage static settings for each project type we want to support in our serverless offering. However, the nature of our existing yml config options are that they're essentially a public API. There is no way to differentiate between settings that are meant to be adjusted by users, vs ones that are not. A good example here are our various
cloudsettings that are used in ESS: technically these could be set by self-managed users. In the case ofcloud, these are pretty useless/harmless settings outside of ESS, but there are more serious quality/testing concerns when we think of the types of config options we'll likely be adding for serverless.We will ultimately have tests running against each project type for the given combination of configs representing that type. However, there is a risk in some of these configs being picked up by self-managed users as it would be possible to run Kibana in unsupported/untested configurations. This is particularly a concern with the special behavior of
${plugin}.enabledsettings; we do not plan to have tests for every possible combination of plugins.The best way to minimize risk of these added configurations is to design a mechanism where we can identify specific configs as
internal, and then somehow exclude them if Kibana is not running in serverless. Potentially this solution could also be used for ESS-only settings, though that isn't a hard requirement at this time.One idea that was floated was investigating whether we could introduce another build specifically for serverless, and then conditionally include these settings there so that they would otherwise be excluded in the public distributable (cc @elastic/kibana-operations). This may be something we want to consider regardless as there are plans to build some serverless-only plugins.
If we don't introduce a safety measure like this, we would need to explicitly document these settings as not supported... as we have seen in the past, simply leaving them undocumented doesn't mean they won't be used. 🙂
The text was updated successfully, but these errors were encountered: