Update api keys to include acl filter index #159840
Conversation
seanstory
added
release_note:skip
| @@ -17,14 +17,22 @@ export const createApiKey = async ( | |||
| indexName: string, | |||
| keyName: string | |||
| ) => { | |||
| let aclIndexName: string; | |||
| if (indexName.startsWith('search-')) { | |||
| const suffix = indexName.replace('search-', ''); | |||
There was a problem hiding this comment.
why do we have to replace the prefix?
There was a problem hiding this comment.
I'm wondering the same thing. Seems to me that this could create conflicting index names.
There was a problem hiding this comment.
The index name isn't getting modified, we're just figuring out the suffix.
If the user uses our UI to create an index:
- they type
test - the index name is
search-test - the permissions index name is
.search-acl-filter-test
I don't want the permissions index name to be .search-acl-filter-search-test, so I have to strip off the search- from the index name to determine the suffix.
There was a problem hiding this comment.
Right, my question is really: why don't we want it to be .search-acl-filter-search-test?
There was a problem hiding this comment.
because then you have search in the prefix twice and it's redundant
There was a problem hiding this comment.
Not really? The second search isn't part of the prefix, it's the actual index name that just happens to start with search. What happens when people want to use their own indices that don't start with search (which we don't really support, but people can easily do)? We may accidentally create conflicting ACL index names (eg: search-test and test would have the same ACL name).
There was a problem hiding this comment.
++ @sphilipse - I am not too worried about the redundancy, more about consistency in the future where we don't require the search- prefix.
There was a problem hiding this comment.
🤦 totally missed that I had replies on here when I asked again for an approve and then merged. Sorry both, did not mean to ignore this concern.
I do think that we're in an OK place right now. If we get rid of using search-*, we could switch to using .acl-filter as our prefix anyway.
| @@ -17,14 +17,22 @@ export const createApiKey = async ( | |||
| indexName: string, | |||
| keyName: string | |||
| ) => { | |||
| let aclIndexName: string; | |||
| if (indexName.startsWith('search-')) { | |||
| const suffix = indexName.replace('search-', ''); | |||
There was a problem hiding this comment.
I'm wondering the same thing. Seems to me that this could create conflicting index names.
| @@ -17,14 +17,22 @@ export const createApiKey = async ( | |||
| indexName: string, | |||
| keyName: string | |||
| ) => { | |||
| let aclIndexName: string; | |||
There was a problem hiding this comment.
nitpick: more idiomatic for our codebase would be
const aclIndexName = indexName.startsWith('search-') ? `.search-acl-filter-${indexName.slice(7)}` : `.search-acl-filter-${indexName}`;
There was a problem hiding this comment.
I can make that change. I hadn't considered using a substring method so I could inline the suffix extraction with the prefix concatenation.
If I had to have a block of logic, what's the idiomatic way to do this to avoid the let? (I assume that's what you're trying to avoid?)
There was a problem hiding this comment.
maybe the closest thing you can get to a block/scope that returns a value for assignment is an IIFE.
with this code it would look something like this:
const aclIndexName: string = (() => {
if (indexName.startsWith('search-')) {
const suffix = indexName.replace('search-', '');
return `.search-acl-filter-${suffix}`;
} else {
return `.search-acl-filter-${indexName}`;
}
})()There was a problem hiding this comment.
An IIFE is possible but isn't really idiomatic, we're more likely to extract it to a function elsewhere in the file and call it here (or to a shared utility function that's used in multiple places, which might be useful here).
|
@elasticmachine merge upstream |
| const aclIndexName = indexName.startsWith('search-') | ||
| ? `.search-acl-filter-${indexName.slice(7)}` | ||
| : `.search-acl-filter-${indexName}`; |
There was a problem hiding this comment.
okay i know this code has been rewritten for you already but i got a bit nerdsniped and thought "could we do this with a regular expression?
| const aclIndexName = indexName.startsWith('search-') | |
| ? `.search-acl-filter-${indexName.slice(7)}` | |
| : `.search-acl-filter-${indexName}`; | |
| const aclIndexName = indexName.replace(/^(?:search-)?(.*)$/, '.search-acl-filter-$1') |
this regexp matches a string with an optional search- prefix and adds it to the end of the desired .search-acl-filter- without any search- prefix.
again, this is so minor, please feel free to disregard.
There was a problem hiding this comment.
TIL "Nerd Sniping" 😂
I actually like this better, because the slice(7) didn't seem explicitly clear, but this regex isn't too hard to follow.
seanstory
force-pushed
the
seanstory/4304-update-api-key-to-include-acl-filter-index
branch
from
c0072a6 to
44fefbc
Compare
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
seanstory
deleted the
seanstory/4304-update-api-key-to-include-acl-filter-index
branch
…unction (#160457) ## Summary I'd added this logic in #159840 and turns out that was the wrong place to influence connector api keys. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
…unction (elastic#160457) ## Summary I'd added this logic in elastic#159840 and turns out that was the wrong place to influence connector api keys. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) (cherry picked from commit 8251481)
…tion function (#160457) (#160465) # Backport This will backport the following commits from `main` to `8.9`: - [move .search-acl-filter-* permissions to the right api key creation function (#160457)](#160457) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Sean Story","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-06-23T21:35:26Z","message":"move .search-acl-filter-* permissions to the right api key creation function (#160457)\n\n## Summary\r\nI'd added this logic in https://github.com/elastic/kibana/pull/159840\r\nand turns out that was the wrong place to influence connector api keys.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"8251481340c8125e450ef1386cbd73209de882ff","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:EnterpriseSearch","v8.9.0","v8.10.0"],"number":160457,"url":"https://github.com/elastic/kibana/pull/160457","mergeCommit":{"message":"move .search-acl-filter-* permissions to the right api key creation function (#160457)\n\n## Summary\r\nI'd added this logic in https://github.com/elastic/kibana/pull/159840\r\nand turns out that was the wrong place to influence connector api keys.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"8251481340c8125e450ef1386cbd73209de882ff"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/160457","number":160457,"mergeCommit":{"message":"move .search-acl-filter-* permissions to the right api key creation function (#160457)\n\n## Summary\r\nI'd added this logic in https://github.com/elastic/kibana/pull/159840\r\nand turns out that was the wrong place to influence connector api keys.\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)","sha":"8251481340c8125e450ef1386cbd73209de882ff"}}]}] BACKPORT--> Co-authored-by: Sean Story <[email protected]>
Summary
Part of https://github.com/elastic/enterprise-search-team/issues/4304
Ensures that new API keys generated from our application include permissions not only to the document index but also to the
.search-acl-filter-*index that corresponds to it.For maintainers