Set spaces and roles CRUD APIs to public #193534
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jeramysoucy
added
Team:Security
jeramysoucy
changed the title
jeramysoucy
changed the title
|
Pinging @elastic/kibana-security (Team:Security) |
sabarasaba
approved these changes
Sep 24, 2024
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#7002[✅] x-pack/test_serverless/api_integration/test_suites/search/config.feature_flags.ts: 50/50 tests passed. |
jeramysoucy
commented
Oct 3, 2024
| @@ -5,7 +5,7 @@ set -euo pipefail | |||
| source .buildkite/scripts/common/util.sh | |||
|
|
|||
| echo --- Capture OAS snapshot | |||
| cmd="node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions" | |||
| cmd="node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces" | |||
There was a problem hiding this comment.
cc @elastic/kibana-core for awareness
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
tiansivive
pushed a commit
to tiansivive/kibana
that referenced
this pull request
Oct 7, 2024
Closes elastic#192153 ## Summary This PR sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints. Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces. ### Note - Currently, roles APIs are only available in serverless via a feature flag (`xpack.security.roleManagementEnabled`) - Spaces APIs are already registered in serverless, however, the maximum number of spaces is by default 1, rendering create and delete operations unusable. By overriding `xpack.spaces.maxSpaces` to a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless. ## Tests - x-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts - x-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts - Unit tests for each endpoint (to account for versioned router) - Flaky Test Runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002 ## Manual Testing 1. Start ES & Kibana in serverless mode with config options to enable role management and multiple spaces Elasticsearch: ``` xpack.security.authc.native_roles.enabled: true ``` KIbana: ``` xpack.security.roleManagementEnabled: true xpack.spaces.maxSpaces: 100 ``` 3. Issue each CRUD HTTP API without including the internal origin header ('x-elastic-internal-origin') and verify you do not receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" 4. Repeat steps 1 & 2 from the current head of main and verify that you DO receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly - Spaces management - Space navigation - Roles management --------- Co-authored-by: kibanamachine <[email protected]>
|
@jeramysoucy Should this be backported to 8.x? I see both |
|
@jen-huang Sorry about that. This doesn't need to be backported. I removed the v8.16 tag. |
45 tasks
|
@jen-huang Sorry to change this now, but after a good point from a team member, we will backport to prev-minor. |
jeramysoucy
added
backport:prev-major
|
Starting backport for target branches: 8.15, 8.x https://github.com/elastic/kibana/actions/runs/11341061398 |
|
Starting backport for target branches: 8.15, 8.x https://github.com/elastic/kibana/actions/runs/11341061349 |
jeramysoucy
added
backport:prev-minor
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11341066309 |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
jeramysoucy
added a commit
to jeramysoucy/kibana
that referenced
this pull request
Oct 15, 2024
Closes elastic#192153 ## Summary This PR sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints. Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces. ### Note - Currently, roles APIs are only available in serverless via a feature flag (`xpack.security.roleManagementEnabled`) - Spaces APIs are already registered in serverless, however, the maximum number of spaces is by default 1, rendering create and delete operations unusable. By overriding `xpack.spaces.maxSpaces` to a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless. ## Tests - x-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts - x-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts - Unit tests for each endpoint (to account for versioned router) - Flaky Test Runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002 ## Manual Testing 1. Start ES & Kibana in serverless mode with config options to enable role management and multiple spaces Elasticsearch: ``` xpack.security.authc.native_roles.enabled: true ``` KIbana: ``` xpack.security.roleManagementEnabled: true xpack.spaces.maxSpaces: 100 ``` 3. Issue each CRUD HTTP API without including the internal origin header ('x-elastic-internal-origin') and verify you do not receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" 4. Repeat steps 1 & 2 from the current head of main and verify that you DO receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly - Spaces management - Space navigation - Roles management --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 26f2928) # Conflicts: # oas_docs/output/kibana.serverless.yaml # oas_docs/output/kibana.yaml
jeramysoucy
added a commit
that referenced
this pull request
Oct 16, 2024
# Backport This will backport the following commits from `main` to `8.x`: - [Set spaces and roles CRUD APIs to public (#193534)](#193534) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jeramy Soucy","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-03T14:28:54Z","message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","Feature:Security/Spaces","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","Project:Serverless"],"number":193534,"url":"https://github.com/elastic/kibana/pull/193534","mergeCommit":{"message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193534","number":193534,"mergeCommit":{"message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a"}}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes #192153
Summary
This PR explicitly sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints.
Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces.
Note
xpack.security.roleManagementEnabled)xpack.spaces.maxSpacesto a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless.Tests
Manual Testing
Elasticsearch:
KIbana:
Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly