Migrate config deprecations and ShieldUser functionality to the New Platform
#53768
Conversation
azasypkin
added
chore
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
azasypkin
added
release_note:skip
| }); | ||
|
|
||
| return { | ||
| anonymousPaths, |
There was a problem hiding this comment.
note: I can't think of any reason why we'd want to re-expose part of the core's own contract.
There was a problem hiding this comment.
I also took a look and I agree, seems unnecessary
| @@ -11,6 +11,8 @@ import * as React from 'react'; | |||
| import * as ReactDOM from 'react-dom'; | |||
| import { UIRoutes } from 'ui/routes'; | |||
| import { isLeft } from 'fp-ts/lib/Either'; | |||
| import { npSetup } from 'ui/new_platform'; | |||
There was a problem hiding this comment.
@mattapperson, I'm not sure why Beats team wasn't pinged by the GitHub automatically, but I see you were editing this file before, would you mind reviewing this single change in beats_management plugin?
There was a problem hiding this comment.
Pulling and checking now
There was a problem hiding this comment.
Hey @mattapperson, did you have chance to take a look at this change?
💔 Build Failed
To update your PR or re-run it, just comment with: |
💚 Build Succeeded
To update your PR or re-run it, just comment with: |
azasypkin
force-pushed
the
issue-xxx-np-security
branch
from
ec92eca
to
2dbccd1
Compare
azasypkin
force-pushed
the
issue-xxx-np-security
branch
from
2dbccd1
to
9e225ef
Compare
|
Reviewing now! |
| session: Joi.object({ | ||
| idleTimeout: HANDLED_IN_NEW_PLATFORM, | ||
| lifespan: HANDLED_IN_NEW_PLATFORM, | ||
| }).default(), | ||
| session: HANDLED_IN_NEW_PLATFORM, |
| legacyFallback: Joi.object({ | ||
| enabled: Joi.boolean().default(true), // deprecated | ||
| }).default(), | ||
| }).default(), | ||
| audit: Joi.object({ |
There was a problem hiding this comment.
| audit: Joi.object({ | |
| authorization: HANDLED_IN_NEW_PLATFORM, | |
| audit: Joi.object({ |
Need to specify this in the legacy plugin config, otherwise Kibana will crash if you have specified xpack.security.authorization.legacyFallback.enabled:
server log [12:52:10.787] [fatal][root] { ValidationError: child "xpack" fails because [child "security" fails because ["authorization" is not allowed]]
at Object.exports.process (/Users/joe/GitHub/kibana/node_modules/joi/lib/errors.js:196:19)
at internals.Object._validateWithOptions (/Users/joe/GitHub/kibana/node_modules/joi/lib/types/any/index.js:675:31)
at module.exports.internals.Any.validate (/Users/joe/GitHub/kibana/node_modules/joi/lib/index.js:146:23)
at Config._commit (/Users/joe/GitHub/kibana/src/legacy/server/config/config.js:124:25)
at Config.set (/Users/joe/GitHub/kibana/src/legacy/server/config/config.js:89:10)
at Config.extendSchema (/Users/joe/GitHub/kibana/src/legacy/server/config/config.js:62:10)
at extendConfigService (/Users/joe/GitHub/kibana/src/legacy/plugin_discovery/plugin_config/extend_config_service.js:36:10) name: 'ValidationError' }
FATAL ValidationError: child "xpack" fails because [child "security" fails because ["authorization" is not allowed]]
There was a problem hiding this comment.
Wow, good catch, I could swear it worked when I tested it at the early stages of this PR 🙈 There is a chance I'm making this up though, let me check.
There was a problem hiding this comment.
I wanted to check if it's indented behavior (that NP passes non-transformed config to the LP), but Platform team is out this week. Will just use your suggestion to not be blocked!
| await Promise.resolve(); | ||
| await Promise.resolve(); | ||
| await Promise.resolve(); | ||
| await Promise.resolve(); |
| }); | ||
|
|
||
| return { | ||
| anonymousPaths, |
There was a problem hiding this comment.
I also took a look and I agree, seems unnecessary
| interface SetupDeps { | ||
| securityLicense: SecurityLicense; | ||
| getCurrentUser: AuthenticationServiceSetup['getCurrentUser']; | ||
| } |
There was a problem hiding this comment.
I'm just curious, is there any particular reason you decided to use such a specific contract?
My 2 cents is that it would have sufficed to just use AuthenticationServiceSetup as a parameter -- less verbose that way, and less TypeScript jargon / easier to understand for new developers.
I noticed that SecurityLicense is also more generic (e.g., we don't specify SecurityLicense['feature$'] here, even though we could).
There was a problem hiding this comment.
I'm asking myself the same question in my next PR that is based on this one - and I totally agree that it looks weird and unnecessary. Can't recall why I did this, must be I'll think about it later, but never get back to it.... kind of thing 🙈 I'll fix it, thanks!
| export class SessionTimeout { | ||
| export class SessionTimeout implements ISessionTimeout { |
There was a problem hiding this comment.
Haha, not a big deal though - I've heard platform will be abandoning I{interface_name} convention soon (with TS 3.8 upgrade) since we used it mostly to workaround the absence of proper "private fields" support and with TS 3.8 it'd not make too much sense to create a dedicated interface if it completely replicates public part of the class definition.
… keep `authorization` in the legacy config schema.
|
@jportner thanks for review, PR is ready for another pass! |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
|
@mattapperson I'm going to move forward and merge this PR now to unblock other migration work we have. I've tested affected pieces in Beats CM and Logstash Pipelines and everything seems to be in order, but feel free to reach out to me if you have any concerns! |
* master: adds strict types to Alerting Client (elastic#53821) [Dashboard] Empty screen redesign (elastic#53681) Migrate config deprecations and `ShieldUser` functionality to the New Platform (elastic#53768)
…nsole-dependencies * 'master' of github.com:elastic/kibana: (33 commits) adds strict types to Alerting Client (elastic#53821) [Dashboard] Empty screen redesign (elastic#53681) Migrate config deprecations and `ShieldUser` functionality to the New Platform (elastic#53768) increase delay to make sure license refetched (elastic#53882) Allow custom NP plugin paths in production (elastic#53562) [Maps] show custom color ramps in legend (elastic#53780) [Lens] Expression type on document can be null (elastic#53883) [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778) Update dependency @elastic/charts to v16.0.2 (elastic#52619) Set consistent EOL symbol in core API docs (elastic#53815) [Logs UI] Refactor query bar state to hooks (elastic#52656) [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937) Invalidate alert API Key when generating a new one (elastic#53732) [Logs UI] HTTP API for log entries (elastic#53798) [kbn/pm] add caching to bootstrap (elastic#53622) adds createdAt and updatedAt fields to alerting (elastic#53793) [SR] Enable component integration tests (elastic#53893) Move index patterns: src/legacy/core_plugins/data 👉 src/plugins/data (elastic#53794) moved Task Manager server code under "server" directory (elastic#53777) Rename `/api/security/oidc` to `/api/security/oidc/callback`. (elastic#53886) ... # Conflicts: # yarn.lock
|
7.x/7.6.0: 12f4761 |
* master: allows Alerts to recover gracefully from Executor errors (elastic#53688) [Console] Fix OSS build (elastic#53885) migrate xsrf / version-check / custom-headers handlers to NP (elastic#53684) use NP deprecations in uiSettings (elastic#53755) adds strict types to Alerting Client (elastic#53821) [Dashboard] Empty screen redesign (elastic#53681) Migrate config deprecations and `ShieldUser` functionality to the New Platform (elastic#53768)
There are two changes in this PR (better to review commit by commit):
ShieldUseris removed and replaced withgetCurrentUserexposed by the New Platform plugin setup contract (unified with the same API on server side).Dev Docs [Security Plugin]
Legacy
ShieldUserangular service has been removed and replaced with the dedicated method on the Kibana platform pluginsetupcontract:Before:
Now:
Legacy plugin:
Kibana platform plugin: