Stack Management / Kibana / Search Sessions menu entry not controlled by privileges

[pheyos]

Found in version

• 7.x / 7.12

Browser

• Chrome

Steps to reproduce

• Enable search sessions in the Kibana settings yml: xpack.data_enhanced.search.sessions.enabled: true
• Create a spaces role without stack management privileges, e.g. only read access to Discover in the Default space:
  
• Create a user and assign the before created role only
• Log in with that user

Expected result

• The user doesn't see the Stack Management menu entry.

Actual result

• The user sees the Stack Management menu entry, which contains the Kibana / Search Sessions entry.

Additional information

• This makes UI feature_controls tests on cloud fail, because the above mentioned setting is active there for API and UI tests. In CI tests the setting is only used for API tests, so the menu entry is never shown during UI tests and feature controls tests are passing fine.
• We probably need privileges to control the presence of this menu entry.
• Do we still need the feature flag in the Kibana settings to enabled/disable this menu entry? If so, we might want to enable it for UI tests as well to make sure everything is working ok? Ideally, we would have some UI tests for it as well.

[elasticmachine]

Pinging @elastic/kibana-app-services (Team:AppServices)

[azasypkin]

/cc @liza-mae @lukasolson

[Dosant]

Need to fix this to enable xpack.data_enhanced.search.sessions.enabled: true in master,

As a recap:
Currently, there is no global feature control for search sessions. Only Discover and Dashboard are using search sessions and they both have it as a sub-feature privilege. pr that introduced it. By default, it is on in all and off in read.

There is currently no condition that prevents search sessions to appear in mgmt app.

We thought of three options, but in my current understanding, only one is doable now:

Option 1 (the simplest one)

Do not register search_sessions management app if user doesn't have got discover/dashboard search sessions capabilities.

After a quick look, looks like it isn't possible because capabilities are available in the start phase, and registering an mgmt app has to be done in the setup phase.
We would prefer that as a quick fix until Option 3 is possible, but looks like Option 1 also isn't possible.

Option 2 (the only feasible today)

As @pheyos suggested:

create a new privilege to control the presence of this menu entry.

Our concern with this option is that it adds more burden for a user who manages roles and in-general complicates access control of search-sessions

Q: can we cascade the state of this global feature to discover's and dashboard's sub-feature?

Option 3 (the best one but needs core/security work)

If we could cascade the management app visibility depending on other apps sub-feature, we would go with that.
But as I understand, it isn't possible today.

---

Looks like Option 2 is our only option for now unless I am missing something and if there other options.
@azasypkin, could you please review and advise 🙏 ?

cc @lizozom

[azasypkin]

Option 3 (the best one but needs core/security work)
If we could cascade the management app visibility depending on other apps sub-feature, we would go with that.
But as I understand, it isn't possible today.

Hmm, I believe it should be possible today, did something not work for you?

I've just modified discover feature to something like this and it seems it did the job (left only relevant pieces):

{
  id: 'discover',
  ....
  management: {
    kibana: ['search_sessions'],
  },
  .....
  subFeatures: [
    {
      name: i18n.translate('xpack.features.ossFeatures.discoverShortUrlSubFeatureName', {
        defaultMessage: 'Short URLs',
      }),
      ......
    },
    {
      name: i18n.translate('xpack.features.ossFeatures.discoverSearchSessionsFeatureName', {
        defaultMessage: 'Store Search Sessions',
      }),
      privilegeGroups: [
        {
          groupType: 'independent',
          privileges: [
            {
              id: 'store_search_session',
              ......
              includeIn: 'all',
              ......
              management: {
                kibana: ['search_sessions'],
              },
            },
          ],
        },
      ],
    },
  ],
},

[Dosant]

Thanks, @azasypkin, that worked 👍
Not sure why I was under the impression that it wouldn't.

---

I started working on Option 2 before @azasypkin clarified Option 3 (suggested options are here: #89833 (comment))
So I have two prs:

1. Option 2 - where we introduce separate root search_sessions privilege
2. Option 3 - where we infer mgmt visibility from if search_sessions are enabled by sub-privilege in at least one of the apps

I'd prefer to go with Option 3 since it is a simpler change as it is closer to what we currently have. We can always extend and have something similar to Option 2 in the future.

@lizozom, @lukasolson, @elastic-jb, Let me know in case we want to go with Option 2 instead of Option 3, otherwise I am going forward with Option 3