[Saved Objects] Adds config flag to toggle hiddenFromHttpApis SO types conditionally

[TinaHeiligers]

Fix #150471
Part of #149287

This PR adds a config option to set if the Saved Objects HTTP APIs should be accessible to types registered with hiddenFromHttpApis: true.

allowHttpApiAccess: true --------> grants access
allowHttpApiAccess: false --------> throws in Saved Objects HTTP APIs

allowHttpApiAccess can be configured in kibana.yml but we don't plan to document the option as it is not intended for public use.

The configuration prevents immediate breaking changes caused by saved objects adopting the option to be hidden from the HTTP APIs and is a stepping stone toward removing the Saved Objects HTTP APIs.

The option is only applicable to saved objects registered as hiddenFromHttpApis:true.

Checklist

• Documentation was added for features that require explanation or tutorials. Code comments should be sufficient to describe the internal behavior.
• Unit or functional tests were updated or added to match the most common scenarios
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list Docker list updated, we don't intend to add user settings in cloud.

Risk Matrix

Risk	Probability	Severity	Mitigation/Notes
Code should gracefully handle cases when the HTTP APIs are disabled.	Medium	High	Unit tests will verify that any feature flag or plugin combination still results in our service behaving the way intended.

For maintainers

• This was checked for breaking API changes and was labeled appropriately

How to test this

Ensure that allowHttpApiAccess can be set in kibana.yml to override the default:

Add the following debug log line to the SavedObjectsService setup contract after the config is set:

log config value

public async setup(setupDeps: SavedObjectsSetupDeps): Promise<InternalSavedObjectsServiceSetup> {
    this.logger.debug('Setting up SavedObjects service');

    this.setupDeps = setupDeps;
    const { http, elasticsearch, coreUsageData, deprecations } = setupDeps;

    const savedObjectsConfig = await firstValueFrom(
      this.coreContext.configService.atPath<SavedObjectsConfigType>('savedObjects')
    );
    const savedObjectsMigrationConfig = await firstValueFrom(
      this.coreContext.configService.atPath<SavedObjectsMigrationConfigType>('migrations')
    );
    this.config = new SavedObjectConfig(savedObjectsConfig, savedObjectsMigrationConfig);
   // add the debug log:
    this.logger.debug(
      `SavedObjects default allowHttpApiAccess configuration: ${this.config.allowHttpApiAccess}`
    );
    deprecations.getRegistry('savedObjects').registerDeprecations(
     <...rest>

Configure logging to include the saved objects service logs:
For example:

kibana.yml

logging:
  appenders:
    so-console:
      type: console
      layout:
        type: pattern
        highlight: true
        pattern: "SAVED_OBJECTS_SERVICE--[%date][%level][%logger]---%message"
  loggers:
    - name: savedobjects-service
      level: debug
      appenders: [so-console]

Start kibana (any version of es is fine) and ensure that allowHttpApiAccess is set. For example, when run from dev the log should read something like:
SAVED_OBJECTS_SERVICE--[2023-02-21T12:06:28.561-07:00][DEBUG][savedobjects-service]---SavedObjects default allowHttpApiAccess configuration: false

In kibana.yml, specifically set savedObjects.allowHttpApiAccess: true and recheck the logs. Using the same logging config as above, the log line should now read:
SAVED_OBJECTS_SERVICE--[2023-02-21T12:06:28.561-07:00][DEBUG][savedobjects-service]---SavedObjects default allowHttpApiAccess configuration: true

[TinaHeiligers]

Self review on draft

[TinaHeiligers]

I've gone with defaulting to the "old" behavior where all visible types (those not hidden) use the HTTP APIs. We also need to allow access for self-managed & current cloud offering & cloud tests

[Bamieh]

Is there a specific reason to depend on the environment and not distribution?

Instead of doing the override logic between the config and the env inside the code and having to inject the env into the classes, why not just do it from the config defaults here (like the example below). This makes the logic a lot more resilient and easier to understand. wdyt?

schema.conditional(
      schema.contextRef('dist'),
      true,
      schema.boolean({ defaultValue: false }),
      schema.boolean({ defaultValue: true })
)

[TinaHeiligers]

Is there a specific reason to depend on the environment and not distribution?

I didn't think to use the distro rather, great idea thanks!
I'll change it and see how it improves the logic.

[TinaHeiligers]

@Bamieh I've made the change you requested in 96bb95a (#151512).
Could you take another look, please?

[TinaHeiligers]

Naming is hard and hideFromHttpApis or denyHttpApiAccess sound rather negative, hence the more "positive" choice.

[TinaHeiligers]

I need to inject if Kibana's running in dev or prod mode from env and set the new config options from within the SO service to avoid instantiating SavedObjectConfig with:

new SavedObjectConfig(savedObjectsConfig, savedObjectsMigrationConfig, coreContext.env.mode.prod)

[TinaHeiligers]

This test and the others in the same folder test the route behavior in a "dev" environment, were we enforce API blocking.

They're verbose to setup (copies of the main route api_integration tests) and ideally should be condensed. I tried but haven't been able to just yet.

[TinaHeiligers]

Strictly not necessary but I'm reusing the util in almost all the route's tests

[TinaHeiligers]

New SO config option

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[jbudz]

kibana-docker

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

@rudolf I added you as a reviewer since Pierre is out. Could you 👁️ when you get a chance? cc @jloleysens

[Bamieh]

i have a couple of comments/questions

[rudolf]

Suggested change

	it('returns with status 400 when a type is hidden from the HTTP APIs', async () => {
	it('returns with status 200 when a type is hidden from the HTTP APIs', async () => {

[rudolf]

nit: these tests have inconsistent names across the different methods
uses config option allowHttpApiAccess to grant hiddenFromHttpApis types access
vs returns with status 200 when a type is hidden from the HTTP APIs

I prefer the latter

[TinaHeiligers]

@rudolf change is made: 75e11c7 (#151512)

[TinaHeiligers]

@elasticmachine merge upstream

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 75e11c7

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/core-saved-objects-base-server-internal	35	36	+1

Unknown metric groups

API count

id	before	after	diff
@kbn/core-saved-objects-base-server-internal	46	47	+1

History

• 💚 Build #109298 succeeded b61d065
• 💚 Build #109068 succeeded 879d33b
• 💚 Build #108873 succeeded 497ec8a
• 💚 Build #108749 succeeded 99b4dcf

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[Bamieh]

LGTM