Allow user to search saved objects across Spaces

[jinmu03]

Search across spaces

Scope

MVP is only concerned with the _find operation for saved objects. All other APIs and operations will continue to be scoped to the user's current space.

Approach 1: Expose namespaces as a query parameter

• /api/saved_objects/_find?type=index-pattern&namespaces=*

/_find	OSS	Spaces	Security	Spaces + Security
No namespaces specified	no changes (search within default namespace)	search within user's active space	no changes (authorize operation globally: * resource)	no changes: Spaces: search within user's active space Security: authorize operation against user's active space
namespaces=foo	search within foo namespace. This isn't something we should normally do, however.	search within foo space, instead of user's active space.	Authorize operation against foo resource	Spaces: search within foo space Security: authorize operation against foo resource
namespaces=foo,bar	search within both foo and bar namespaces.	search within foo and bar spaces, instead of user's active space	Authorize operation against both foo and bar resources	Spaces: search within foo and bar spaces Security: authorize operation against both foo and bar resources
namespaces=*	Options: reject operation ignore parameter, search as if it wasn't specified search across all namespaces	Steps: query for all spaces search within all available spaces instead of user's active space.	Authorize operation globally: * resource	1) query for all spaces where authorized to find the requested types 2) search within all authorized spaces instead of user's active space

Approach 2: Denote which APIs can support a multi-space operation:

• /s/*/api/saved_objects/_find?foo=bar

Not currently exploring this option. We would require a way for routes to opt-into this behavior in a way that makes sense for OSS too. The only current mechanism is the tags route option, which isn't ideal.

Complications

• Different saved objects can share an ID across spaces. How to resolve this?
  • If we can wait for Phase 3? of sharing saved objects between spaces, then this problem goes away
  • If not, then we can return these "duplicate" objects, but denote which namespaces they exist in.

[elasticmachine]

Pinging @elastic/kibana-security

[AlonaNadler]

@bmcconaghy I believe it falls under the global search initiative

[bmcconaghy]

Do you mean Global UI (or Core UI, we need to settle on a name). If so, then yes I think that saved objects will be on that team. We will need to coordinate any efforts with security as we will want to make sure that we enforce correct permissions. I guess I am wondering how exactly this will work, though. Will you be able to search any space you have permissions for from any other space?

[jinmu03]

I'd say only allow users to search Spaces they have access to.

[AlonaNadler]

@Bill I can't find the issue, we also have the design mockups for that for a while, the idea is similar to mac spotlight where you can search for objects, applications or sub menus (index pattern) and navigate quickly. The objects will be based on the spaces the users have access to

@snide any recollection where is this issue?

[bmcconaghy]

This seems like it will be confusing to users. If they can search for objects across spaces but only use objects in the space they are defined in, it will be a weird experience I think.

[AlonaNadler]

Currently if users have more than 1 space and they need to go to a specific dashboard in another space they need to:

• switch to space A
• go to dashboard application
• search for dashboard B
• open dashboard B

We can make it better for them, by providing quick navigation across all their applications and objects in Kibana. The right UI should show the relevant objects based on the term the users searched and explicitly call when these objects are in a different space.

[elasticmachine]

Pinging @elastic/kibana-core-ui (Team:Core UI)

[ryankeairns]

Related to #15019