[Response Ops][RAM] Add RBAC Support for Multi-Consumer Rule Creation in O11Y and Stack Management #162605

Merged
merged 33 commits into from
Aug 16, 2023

Contributor

@JiaweiWu JiaweiWu commented Jul 27, 2023

Summary

Resolves:

This PR adds the ability for logs and/or infrastructure only users to create and modify ES Query and new Generic Threshold rules. The ensureAuthorized function is modified and simplified to support this use case, by skipping producer authorization and only authorizing for consumers. When the consumer is alerts, we will consider this legacy and replace it with the rule’s producer (consumer = ruleType.producer).

There is now a dropdown in the rule form to prompt the user when creating ES Query/Generic threshold rules to select the consumer based on their authorized consumers (we can no longer use alerts for these). If there is only 1 option, then the dropdown will not be shown and the option will be chosen automatically.

Generic threshold rules will have the following possible consumers:

  • slo
  • infrastructure
  • logs
  • apm
  • uptime

ES query rules will have the following possible consumers:

  • slo
  • infrastructure
  • logs
  • apm
  • uptime
  • stackAlerts

To Test:

Single Consumer:

  1. Create a user with only logs feature enabled (ensuring stackAlerts is not enabled).
  2. Navigate to the O11Y rule management page
  3. Click the create rule button
  4. Assert that both ES query and generic threshold rules are available
  5. Click ES query and fill out the relevant information and create the rule
  6. Assert that the rule created has logs set in the consumer field
  7. Repeat 5-6 for the generic threshold rule
  8. Repeat 2-7 but on the Stack Management rules page
  9. Repeat 1-8 for the infrastructure feature.

Multiple Consumers:

  1. Create a user with logs, infrastructure and apm features enabled (ensuring stackAlerts is not enabled).
  2. Navigate to the O11Y rule management page
  3. Click the create rule button
  4. Assert that both ES query and generic threshold rules are available
  5. Click ES query and fill out the relevant information and create the rule
  6. A dropdown should prompt the user to select between 1 of the 3 consumers, select 1
  7. Assert that the rule was created with the selected consumer
  8. Repeat 5-7 for the generic threshold rule
  9. Repeat 2-8 but on the Stack Management rules page

Screenshot from 2023-08-08 16-45-43
consumer_dropdown_open

Checklist
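
The consumer resolution described in the summary above, as an added example that is not part of the PR or of Kibana's code base. Function and type names are hypothetical, the consumer lists are the ones given in the description, and the producer value in the sample is an assumption.

```typescript
// Added illustration, not Kibana's code. Function and type names are
// hypothetical; rule type ids and consumer names are quoted from this PR.
type Consumer = string;
interface RuleType { id: string; producer: Consumer }

const VALID_CONSUMERS: Record<string, Consumer[]> = {
  'observability.rules.threshold': ['slo', 'infrastructure', 'logs', 'apm', 'uptime'],
  '.es-query': ['slo', 'infrastructure', 'logs', 'apm', 'uptime', 'stackAlerts'],
};

// Legacy rules carry consumer "alerts"; authorize those against the producer.
function effectiveConsumer(ruleType: RuleType, consumer: Consumer): Consumer {
  return consumer === 'alerts' ? ruleType.producer : consumer;
}

// Options for the rule form: valid for the rule type AND granted to the user.
function selectableConsumers(ruleType: RuleType, granted: Consumer[]): Consumer[] {
  const valid = VALID_CONSUMERS[ruleType.id] || [];
  return valid.filter((c) => granted.indexOf(c) !== -1);
}

// A single option is chosen automatically; several need an explicit choice.
function formChoice(options: Consumer[]): { showDropdown: boolean; preselected?: Consumer } {
  return options.length === 1
    ? { showDropdown: false, preselected: options[0] }
    : { showDropdown: options.length > 1 };
}

// Server-side check: the dropdown is only UI, so the submitted consumer is
// re-checked against the caller's privileges before the rule is created.
function ensureConsumerAuthorized(
  ruleType: RuleType,
  consumer: Consumer,
  granted: Consumer[]
): Consumer {
  const resolved = effectiveConsumer(ruleType, consumer);
  if (granted.indexOf(resolved) === -1) {
    throw new Error(`Unauthorized to create a "${ruleType.id}" rule for consumer "${resolved}"`);
  }
  return resolved;
}

// Constructed sample: the producer value is an assumption for this demo.
const sampleEsQuery: RuleType = { id: '.es-query', producer: 'stackAlerts' };
console.log(formChoice(selectableConsumers(sampleEsQuery, ['logs'])));
console.log(formChoice(selectableConsumers(sampleEsQuery, ['logs', 'infrastructure', 'apm'])));
```
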

@mdefazio
Contributor

Nice one! Some thoughts on the modal copy:

Select rule association
This rule needs to be associated with a particular application for proper role access visibility.
[ Save ]

throw Boom.forbidden(
getUnauthorizedMessage(ruleTypeId, ScopeType.Consumer, consumer, operation, entity)
);
throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
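
Review bot: in the Boom.forbidden call, dropping the ScopeType.Consumer argument means the 403 text is now built from consumer alone, and per the PR description a consumer of alerts is swapped for ruleType.producer before authorization, so the message can name a value the caller never sent. Pass the value the request actually carried into getUnauthorizedMessage (or state the substitution in the message), and confirm no remaining call site still passes a scope type in what is now the consumer position.
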
Contributor

@mikecote mikecote Jul 27, 2023

By looking at the test failures, if you feel the error messages are now misleading, you could change all the getUnauthorizedMessage calls to something like this (use legacyConsumer):

Suggested change
throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, consumer, operation, entity));
throw Boom.forbidden(getUnauthorizedMessage(ruleTypeId, legacyConsumer, operation, entity));

@JiaweiWu JiaweiWu changed the title [RAM] O11y RBAC consumer selection modal and auth changes [RAM] Add RBAC Support for Multi-Consumer Rules in O11Y and Stack Management Aug 3, 2023
@JiaweiWu JiaweiWu changed the title [RAM] Add RBAC Support for Multi-Consumer Rules in O11Y and Stack Management [RAM] Add RBAC Support for Multi-Consumer Rule Creation in O11Y and Stack Management Aug 3, 2023
@JiaweiWu JiaweiWu marked this pull request as ready for review August 3, 2023 20:02
@JiaweiWu JiaweiWu requested review from a team as code owners August 3, 2023 20:02
@JiaweiWu JiaweiWu added release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.10.0 labels Aug 3, 2023
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@JiaweiWu JiaweiWu requested a review from a team as a code owner August 9, 2023 00:06
@@ -30,8 +30,8 @@ export default function ({ getService }: FtrProviderContext) {
return fieldStat.name === 'geo_point';
}
);
expect(geoPointFieldStats.count).to.be(31);
expect(geoPointFieldStats.index_count).to.be(9);
expect(geoPointFieldStats.count).to.be(39);
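
Review bot: the expected geoPointFieldStats.count moves from 31 to 39 with no comment saying which newly indexed fields account for the extra 8, so the next change to what is registered by default will break this assertion with no hint why. Add a one-line comment naming the source of the additional geo_point fields, and confirm whether the index_count expectation of 9 changes along with it.
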
Contributor

@nreese nreese left a comment

kibana-gis changes LGTM
code review only

@JiaweiWu JiaweiWu requested review from a team as code owners August 9, 2023 21:02
@botelastic botelastic bot added Team:APM All issues that need APM UI Team support Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability labels Aug 9, 2023
@elasticmachine
Contributor

Pinging @elastic/apm-ui (Team:APM)

@elasticmachine
Contributor

Pinging @elastic/uptime (Team:uptime)

Contributor

@mikecote mikecote left a comment

Changes LGTM! I left a few nitpicks but overall the changes are looking great!

enabled: schema.boolean({ defaultValue: false }),
enabled: schema.boolean({ defaultValue: true }),
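
Review bot: changing defaultValue from false to true on enabled turns the feature on for every deployment that does not set the key, and the hunk carries no comment or linked task explaining why the default moved. If the only reason is to avoid setting kibana.yml in tests, keep defaultValue: false here and enable the flag in the test server configuration, so the shipped default stays a separate, deliberate decision.
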
Contributor

Unless O11y is ready, we may want to reverse this change in the PR and let O11y change the default when they are ready (unless we can add it to a todo list on the feature branch PR).

If we revert this, the following changes will have to be undone as well:

  • x-pack/test/plugin_api_integration/test_suites/task_manager/check_registered_task_types.ts
  • x-pack/test/api_integration/apis/maps/maps_telemetry.ts

I had this code in my POC to bypass having to set the kibana.yml settings for testing.

Contributor Author

@JiaweiWu JiaweiWu Aug 16, 2023

Let's add it to a to-do list, since we have tests other than maps_telemetry that depend on this change. Also, this is merging to a feature branch so won't merge to main presumably until ES types are enabled in o11y (correct me if I'm wrong).

Contributor

@maryam-saeidi or @fkanout are best positioned to say whether this can be set to true already or not.

Member

We decided to not enable it for v8.10 and aim to either enable this in v8.11 or remove it and release the feature in beta.

| typeof AlertConsumers.UPTIME
| typeof AlertConsumers.SLO
| 'stackAlerts'
| 'discover';
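
Review bot: 'stackAlerts' and 'discover' are bare string literals at the end of a union whose other members are typeof AlertConsumers.*, so a rename or removal in AlertConsumers is type-checked for UPTIME and SLO but not for these two. If this union is the set of accepted consumers, define constants for the two literals and add a short comment on why each value from outside AlertConsumers is allowed.
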
Contributor

From an offline discussion last week, we'll be moving away from discover as a consumer, in favour of stackAlerts.

We'll need to do one of two things:

  1. Remove this usage if no underlying issues exist
  2. Add it to a list of tasks to complete before the feature branch is merged (if we have a draft PR on the feature branch, we can create a checklist in the description)

@@ -15,6 +15,9 @@ export { BASE_ACTION_API_PATH, INTERNAL_BASE_ACTION_API_PATH } from '@kbn/action

export type Section = 'connectors' | 'rules' | 'alerts' | 'logs';

export const OBSERVABILITY_THRESHOLD_RULE_TYPE_ID = 'observability.rules.threshold';
export const ES_QUERY_RULE_TYPE_ID = '.es-query';
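
Review bot: OBSERVABILITY_THRESHOLD_RULE_TYPE_ID and ES_QUERY_RULE_TYPE_ID are declared as fresh string literals with no comment pointing at where each id is registered, so a change to either rule type's id would leave these copies stale without a compile error. Add a comment naming the defining module for each, and a test asserting that these constants equal the registered rule type ids.
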
Contributor

nit: can we re-use ES_QUERY_ID from x-pack/plugins/stack_alerts/server/rule_types/es_query/constants.ts? We'll have to move it into a common folder.

Contributor Author

@JiaweiWu JiaweiWu Aug 16, 2023

Just tried to do this, unfortunately, stack alerts has triggers actions UI as a dependency. If I import from stack alerts in triggers actions UI we get a circular dependency.

If we want to share this constant then we probably move it to a package.

@@ -123,7 +126,7 @@ function InternalAlertsPage() {
try {
const response = await loadRuleAggregations({
http,
typesFilter: observabilityRuleTypeRegistry.list(),
typesFilter: filteredRuleTypes,
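
Review bot: typesFilter now takes filteredRuleTypes, but nothing in the visible lines shows where it is computed or what it contains before the user's authorized rule types have loaded. Confirm how loadRuleAggregations treats an empty typesFilter; if empty means no filter, the aggregation would cover rule types outside the intended set, so guard the call or skip it until the list is populated.
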
Contributor

Thank you, way nicer.

@JiaweiWu JiaweiWu merged commit 47ea286 into elastic:o11y-rbac-rule-feature-branch Aug 16, 2023
@kibana-ci
Collaborator

kibana-ci commented Aug 16, 2023

💔 Build Failed

Failed CI Steps

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
triggersActionsUi 576 577 +1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
stackAlerts 14 15 +1
triggersActionsUi 545 546 +1
total +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
observability 1023.8KB 1023.8KB +16.0B
stackAlerts 77.2KB 76.0KB -1.1KB
triggersActionsUi 1.4MB 1.5MB +2.8KB
total +1.7KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
observability 99.3KB 99.6KB +273.0B
stackAlerts 19.4KB 21.0KB +1.6KB
triggersActionsUi 89.0KB 89.1KB +82.0B
total +2.0KB
Unknown metric groups

API count

id before after diff
stackAlerts 14 15 +1
triggersActionsUi 571 572 +1
total +2

ESLint disabled line counts

id before after diff
triggersActionsUi 120 122 +2

Total ESLint disabled count

id before after diff
triggersActionsUi 126 128 +2

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@mdefazio
Contributor

A small request on this (I know this is merged and we are close to FF—sorry).

Can we set the defaults of the dropdown to the following?:
If from Stack rule management --> dropdown defaults to Stack alerts
If from O11y rule management --> dropdown defaults to Logs

Rationale:
There are scenarios where customers are creating rules in Stack management vs Observability for purposes of locking down the rule from those without access to Stack Management / only access to O11y. Our concern is if this defaults to an Observability scope, then there's a chance the user may not notice that the current behavior has changed. (Creating a rule in stack and having it scoped to stack).

And, our expectation is that Logs will be the most common use case for this, so it makes sense to default to that.

@katrin-freihofner Can you confirm this request please?

Curious if there are any differing arguments to this as well.

cc/ @JiaweiWu @XavierM @katrin-freihofner

Labels
ci:cloud-deploy Create or update a Cloud deployment Feature:Alerting/RulesManagement Issues related to the Rules Management UX release_note:skip Skip the PR/issue when compiling release notes Team:APM All issues that need APM UI Team support Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability v8.10.0