-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add bulk assign to saved object tagging #81970
Comments
Pinging @elastic/kibana-platform (Team:Platform) |
Pinging @elastic/kibana-core-ui (Team:Core UI) |
This is definitely something we want. Still waiting on elastic/eui#4095 to be integrated to Kibana to be able to implement the design-compliant bulk action menu. @chandlerprall, can you tell us when the next EUI update is planned for Kibana? Just a technical remark:
The dashboard panel selector (that used the Also, The second, (complementary) option to this proposal would be to have a new
@MichaelMarcialis I think we do, but could you confirm we got mockups for both worflows (and share them here to continue the discussion?) |
@pgayvallet: We do have mockups and prototypes for assigning one or more tags to multiple saved objects on the saved objects page, as shown here: https://www.figma.com/proto/kh7Gm1iM0zJPj504BeDQC4/Mockups-Version-3-Awaiting-Dev?node-id=445%3A0&viewport=13425%2C-7073%2C0.5&scaling=min-zoom I would like to expand this further by also providing a row-level action on the saved objects page table that allows users to assign one or more tags to a single saved object. After that is implemented, I feel the next highest priority should be to incorporate those flows for assigning one or more tags to saved objects and apply the same interface to the Kibana applications' main pages. I think asking users to manage the meta details of their saved objects from the saved objects page makes sense in the short term, but longer term I believe users will wish to make such bulk tag assignments directly from the Kibana applications they are working within. @alexfrancoeur, regarding your thoughts on having users go to the tag management page instead (to pick a tag they would like to assign to one or more saved objects), I agree that this could be a viable use case. However, I do worry that may end up being more of an edge case that comes secondary to users wishing to make such tag changes directly from the applications they're using. Thoughts? |
++ and that's what was originally proposed in the mocks I believe. This is probably more of an edge case, but I could see potentially having write permissions for tag management and none for saved objects. That is why I was leaning to having one option for bulk tag assignment to be done through the tag management UI.
I agree that most users would prefer to assign from the application themselves. That was where my head was at with this comment #79096 (comment). I also think we probably want a more administrative way to do this as well. Both use cases seem valid to me. At this point, I'd lean towards whatever can ship with the first release if it's possible. My concern is that adoption (#81847) may not be as impactful with clusters that need this functionality most. I'm happy to iterate, but whatever can get us this type of functionality in MVP would be my preferred approach 😉 If that's from the SO management UI, that works for me. In which case, we simply lean into the app first route. |
Yeah, good point. Once we know which direction we'd be able to implement first, let me know and I'll be happy to mock it up. |
You're right, this is probably an edge case, but I guess if we were to only have one initial way to assign tags, it probably makes more sense to do so from the tags management instead of SO management, so it is probably better to start with that. (even if we should be able to implement both for 7.11) @MichaelMarcialis could you start working on mockups for this workflow then? Bonus question to @alexfrancoeur: Do we want a bulk |
Yeah, I'll plan to work up some mockups for this. |
(extracted from #81980 (comment)) Regarding the A user can have (depending on previous point) the 'assign tag' permission is available for users having Note that this permission issue is only present for the |
We don't have precedent for this for "normal" saved objects. The
Something like this might work. The downside is that it would require two API calls to fulfill the request: a pre-flight check to get the authorized types, and another to actually retrieve the saved objects. It would be great if X-Pack plugins could augment the SO APIs, but we don't have the infrastructure in place to support that. With this, we could add a similar
When we first designed UI Capabilities, we intentionally omitted such implementation details like: "Can I create a saved object of type
I agree. This is arguably the easiest approach, but the SO Management privileges are rather powerful, so it would prevent a good number of users from taking advantage of this feature. |
Following our discussion from yesterday, we will soon have similar needs for OLS. For OLS, we will need to have the 'read/write' permission info on each individual object returned from the SO api. Note that this would work for tagging too: If the
Do we really need to perform an ES call to get the
That would leaks (again) licensed features into oss, but at this point, I don't really mind anymore until the big However, I wonder if we shouldn't wait for more similar needs to arise before even thinking about doing that. The 'tagging' references and their technical implications here are quite special, so maybe we shouldn't do this just for tagging's specific requirements. If manually accessing the list of types the user has write permission to is an option, it would be good enough for us to manually implement this logic.
Yea, this would be our last resort if we can't have anything else working for 7.11 (cc @alexfrancoeur) |
Great discussion! Responding to a few direct pings
++ If we can't do anything else for 7.11, I think this would be the last resort so that the capability itself is available.
I think this request will naturally come up. If it's fairly trivial to add to the MVP along with bulk assign, let's do it. If not, we can push to a subsequent release. More generally, if it impacts the the amount of time needed to build the better user experience for the next release, I would aim to support this type of functionality for tags first and defer decisions to support OLS or other SO's that may need this requirement in the future if we can. That being said, I'm not sure how feasible that is or what amount of tech debt we'd incur, but OLS feels further out |
Kibana knows about all of the registered capabilities, but only Elasticsearch knows which of those the user is authorized for based on their assigned roles. The security plugin has the knowledge to ask the question, but it needs Elasticsearch to provide the answer.
++ agree with all of this. Another short-term alternative is to have the tagging plugin expose its own API to retrieve these objects. If the tagging plugin added an optional dependency on the security plugin, then tagging could perform its unique authorization check up front to get the list of "updatable" types, and then pass that list of types through to the normal SO |
That's what I was planning to do anyway to be honest. The
That would be fine to me, and is probably the most pragmatic approach for the short term. Would you mind giving me some pointers on how to use the security plugin to perform such check / retrieve the list of 'updatable'/'writable' types using its API? |
Here's a code sample that I briefly tested. I used all visible types here, but feel free to adjust that as needed: public async getUpdatableSavedObjectTypes(
request: KibanaRequest,
typeRegistry: Pick<SavedObjectTypeRegistry, 'getVisibleTypes'>,
authorization?: SecurityPluginSetup['authz']
) {
const visibleTypes = typeRegistry.getVisibleTypes();
// Don't bother authorizing if the security plugin is disabled, or if security is disabled in ES
const shouldAuthorize = authorization?.mode.useRbacForRequest(request) ?? false;
if (!shouldAuthorize) {
return visibleTypes;
}
// Each Saved Object type has a distinct privilege/action that we need to check
const typeActionMap = visibleTypes.reduce((acc, type) => {
return {
...acc,
[type.name]: authorization!.actions.savedObject.get(type.name, 'update'),
};
}, {} as Record<string, string>);
// Perform the privilege check
const checkPrivileges = authorization!.checkPrivilegesDynamicallyWithRequest(request);
const { privileges } = await checkPrivileges({ kibana: Object.values(typeActionMap) });
// Filter results to only include the types that passed the authorization check above.
return visibleTypes.filter((type) => {
const requiredPrivilege = typeActionMap[type.name];
const hasRequiredPrivilege = privileges.kibana.some(
(kibanaPrivilege) =>
kibanaPrivilege.privilege === requiredPrivilege && kibanaPrivilege.authorized === true
);
return hasRequiredPrivilege;
});
} |
Hey, gang. Per our previous conversations, I've updated the saved object tagging design mockups and prototype to account for bulk tag assignment to saved objects via the tag management page. I've put together a quick design update video that runs through these changes. We can discuss further in today's meeting, but feel free to let me know if you have any feedback in the mean time. Thanks. CCing @alexfrancoeur, @pgayvallet, @ryankeairns. |
After our sync discussion from yesterday, I think we got all we need to start working on this issue once #82816 is merged |
I think it might be helpful to sync live. I was under the impression that
we want both. The design for tag assignment in a tag management UI makes
more sense on multiple levels.
…On Fri, Nov 20, 2020, 9:07 AM Ryan Keairns ***@***.***> wrote:
See related discussion in #83590
<#83590> where we seem to be
arriving at keeping tags in SO management.
cc:/ @kobelb <https://github.com/kobelb>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#81970 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGAD477XQX766JLP6V4MR5DSQZZZPANCNFSM4TDC5JUQ>
.
|
Ah yes, I can see how the wording of my comment was unclear. What I meant was, tags are already in SO management, so we should keep them there along with the bulk editing (in addition to having this feature in the Tags UI). |
++ thanks for clarifying Ryan. I think we can continue with this work as is then @pgayvallet |
@MichaelMarcialis @ryankeairns @alexfrancoeur I'm currently working on the UI implementation of the flyout, and I found something that we may want to change regarding the user experience. It is about the It actually doesn't reflect the actions that will be performed when clicking the CTA ( A quick example:
I think a wording stating the real actions that will be performed would be really better, something like Also, overall, I think in term of UX, it would be great if the user would have a way to see which results are going to be updated / are modified directly from the search results. For instance, in the following screenshot, I selected and unselected some tag assignments. But I have no way to see which line/result I performed that on / which ones I will update when clicking on WDYT? |
I agree that more explicit text would be helpful here
++ I agree this would be helpful as well. @MichaelMarcialis @ryankeairns is there UX we can "borrow" from the saved object management copy to space conflict resolution experience? (wow, that was a mouthful 😄 ) |
Michael is out, so I'll take a look a the conflict resolution stuff. There may also be a way to separate the two actions (assign vs unassign) within the flyout and avoid this matrix of possible combinations. |
As long as this is compatible with |
So, very quick thoughts:
For the 'new' bulk assign:
For the 'new' bulk unassign:
|
Thanks for the quick feedback. I'm out of meetings and will continue iterating as quickly as possible. |
Ok, I'm backtracking here a bit, but I think this gets us to a better spot and does not deviate materially from the original design. Proposed changes (as seen below)
Let me know what questions you have. I'm feeling much better about this set of changes.
|
@ryankeairns I really like it. It addresses the changes/status visibility while staying closer to the original design. These seem all minor changes, will try adding them asap. |
I think we can close this out now, ya? |
Would be happy to. Just want to be sure we are alright closing it, even if all subtasks listed on the initial description are not completed:
I guess we can close this one and reopen another issue if we want to continue later, wdty @alexfrancoeur? |
👍 let's close this out. I've opened #88204 for application specific bulk assignment. |
Building off of #74571 and #79096, we'd like to add bulk actions for adding tags to existing saved objects. Members of our community can have hundreds if not thousands of visualizations and dashboards. Having a quick easy way to apply a tag to all saved objects will make this transition significantly easier.
There are some early flows from @MichaelMarcialis here:
https://www.figma.com/proto/kh7Gm1iM0zJPj504BeDQC4/Mockups-Version-3-Awaiting-Dev?node-id=445%3A0&viewport=13425%2C-7073%2C0.5&scaling=min-zoom
I'm thinking we may want this experience in the tag manager, but would like to open up the discussion. Here's the flow I'm envisioning:
This flow would of course adhere to RBAC permissions.
What do you think @MichaelMarcialis @ryankeairns @pgayvallet ? This would be really nice to augment the MVP PR for our initial release.
Tasks
bulk assign
action to tag management #84177The text was updated successfully, but these errors were encountered: