Make alerting properly space aware #42081
Conversation
mikecote
added
Feature:Alerting
v8.0.0
release_note:skip
|
Pinging @elastic/kibana-stack-services |
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
Pending on #42133. |
mikecote
force-pushed
the
alerting/space-aware
branch
from
09f5f51 to
d3040ba
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
💔 Build Failed |
💚 Build Succeeded |
x-pack/legacy/plugins/actions/server/lib/get_create_task_runner_function.ts
Show resolved
Hide resolved
| @@ -75,6 +81,9 @@ export function init(server: Legacy.Server) { | |||
| const fireFn = createFireFunction({ | |||
There was a problem hiding this comment.
fireFn, which we expose via server.expose, allows consumers to specify their own space id. Do we know of any scenarios where consumers will need this capability? If not, we could potentially create a "scoped" fire function, where the space id is derived from the current request, or similar.
If we do need to allow consumers to specify their own space id, then you'll likely want to update this so that it can handle spaces being disabled, and handle cases where a space id is required, but missing. Currently, spaceIdToNamespace will throw an error if a space id is not provided.
Also, the underlying fireFn uses callWithInternalUser in an unguarded fashion, so there isn't any authorization being applied there. This would be less of a concern if it wasn't exposed to consumers, but since this is a consumer-facing function, we should have protections in place there. (perhaps out of scope for this PR?)
There was a problem hiding this comment.
From what I can tell, consumers will need to specify their own space id. The example I can think of is task manager wants to fire action a in space b and uses this function to indicate that. We should be ok when spaces is disabled due to spaceIdToNamespace being passed as https://github.com/elastic/kibana/pull/42081/files#diff-c2af122155b3536ee79e8b5384fdaa6eR94.
In regards to callWithInternalUser being unguarded, we'll have this fixed when API keys are implemented. We will do the callWithInternalUser first, setup a connection with the keys and re-load the same object via the saved objects client.
This comment has been minimized.
This comment has been minimized.
💚 Build Succeeded |
|
retest |
|
As discussed with @kobelb, it would be great to have high-level tests to ensure denied access to spaces when users don't have access. But since this requires API keys to work, we will defer the tests for the PR implementing API keys. Right now alerting doesn't support security enabled in kibana and is pending API keys to support it. |
💚 Build Succeeded |
* Make alerting properly space aware * Fix broken jest tests * Fix broken integration test * Cleanup pt1 * Add spaces integration tests * Fix type check failure * Apply PR feedback pt1 * Use TS types from spaces plugin * Fix broken tests * Apply PR feedback pt1 * Fix getBasePath to return server.basePath when spaces is disabled * Apply new API changes to tests
* Make alerting properly space aware * Fix broken jest tests * Fix broken integration test * Cleanup pt1 * Add spaces integration tests * Fix type check failure * Apply PR feedback pt1 * Use TS types from spaces plugin * Fix broken tests * Apply PR feedback pt1 * Fix getBasePath to return server.basePath when spaces is disabled * Apply new API changes to tests
…-or-edit-existing-rollup-job * 'master' of github.com:elastic/kibana: (67 commits) [TSVB] Shim new platform (elastic#39169) [Metric Vis] Shim new platform (elastic#42240) [Tag Cloud] Shim new platform (elastic#42348) Disable flaky request lib tests. Add es_ui_shared plugin to CODEOWNERS. Add disk space percentage to node listing (elastic#42145) [SIEM] Add chart interactions - update date picker after brush selection on charts (elastic#42440) Document HTTP service (elastic#42331) [Reporting] Sanitize 409 error log message (elastic#42495) [docs][skip ci] Maps read only access (elastic#35561) [x-pack/ftr] refactor types to be more accurate/consistent wit… (elastic#42407) [DOCS] Updates images and content in Dashboard docs (elastic#42500) Allow sorting on multiple columns in Discover (elastic#41918) [Infra UI][Logs UI] Fix autocomplete to use proper derived index pattern (elastic#42287) [ftr/cheerio] improve cheerio types to include test subject me… (elastic#42534) Upgraded EUI 13.0.0 -> 13.1.1 (elastic#42298) Increase max-old-space-size for builds (elastic#42218) [Infra UI] Add cloud metrics and cloud/host info to metadata endpoint (elastic#41836) [Logs UI][a11y] Announce name of column on remove column button (elastic#41695) Inspector 👉 New Platform (elastic#42164) Make alerting properly space aware (elastic#42081) ...
…s_autocomplete * 'master' of github.com:elastic/kibana: (189 commits) [TSVB] Shim new platform (elastic#39169) [Metric Vis] Shim new platform (elastic#42240) [Tag Cloud] Shim new platform (elastic#42348) Disable flaky request lib tests. Add es_ui_shared plugin to CODEOWNERS. Add disk space percentage to node listing (elastic#42145) [SIEM] Add chart interactions - update date picker after brush selection on charts (elastic#42440) Document HTTP service (elastic#42331) [Reporting] Sanitize 409 error log message (elastic#42495) [docs][skip ci] Maps read only access (elastic#35561) [x-pack/ftr] refactor types to be more accurate/consistent wit… (elastic#42407) [DOCS] Updates images and content in Dashboard docs (elastic#42500) Allow sorting on multiple columns in Discover (elastic#41918) [Infra UI][Logs UI] Fix autocomplete to use proper derived index pattern (elastic#42287) [ftr/cheerio] improve cheerio types to include test subject me… (elastic#42534) Upgraded EUI 13.0.0 -> 13.1.1 (elastic#42298) Increase max-old-space-size for builds (elastic#42218) [Infra UI] Add cloud metrics and cloud/host info to metadata endpoint (elastic#41836) [Logs UI][a11y] Announce name of column on remove column button (elastic#41695) Inspector 👉 New Platform (elastic#42164) Make alerting properly space aware (elastic#42081) ...
|
Hi @mikecote I see that there were updates to the README for Actions in this PR and those make perfect sense but it's a little unclear to me after reading this whether there are also changes to the security model for the Alerting plugin. Could you help me understand if that plugin is also Spaces-aware and if so, whether there are changes needed for a user of the Alerting plugin? |
|
Hi @cachedout, tl;dr: no changes required. Yes both plugins alerting and actions are space aware end to end with this PR. There isn't any changes required from your end. It's a bit hidden to the consumer just like regular saved objects in the system. One thing you may notice between alerts and actions is we currently don't validate the |
Extracted from #41389. This PR makes alerting properly space aware by capturing
spaceIdand passing it along anywhere that is needed.