[Saved Queries] Rework saved query privileges #202863
Merged
+8,644
−1,497
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
davismcphee
added
release_note:breaking
backport:skip
viduni94
pushed a commit
to viduni94/kibana
that referenced
this pull request
Jan 23, 2025
…re replacements (elastic#206660) ## Summary Today, when a developer deprecates a feature and replaces its privileges with those of another feature, we reasonably assume that the new feature fully replaces the old one in all possible contexts - whether in role management UIs or in the Spaces feature toggles visibility UI. However, when deprecated privileges are replaced by the privileges of multiple features, such as in [this case](elastic#202863 (comment)) where the Discover/Dashboard/Maps feature privileges are replaced by the privileges of Discover_v2/Dashboard_v2/Maps_v2, respectively, **and** the privileges of the Saved Query Management feature, the choice is ambiguous. Which of these features should be treated as the replacement for the deprecated feature in contexts that deal with entire features (like the Spaces feature toggles visibility UI) rather than individual privileges (like in role management UIs)? Should all referenced features be considered replacements? Or just a subset - or even a single feature? If so, which one? Currently, we treat all referenced features as replacements for the deprecated feature, which creates problems, as described in detail in [this discussion](elastic#202863 (comment)). This PR allows developers to customize this behavior by specifying which features Kibana should treat as direct successors to deprecated features in contexts that deal with whole features rather than individual privileges: ```ts deps.features.registerKibanaFeature({ deprecated: { notice: 'The feature is deprecated because … well, there’s a reason.', --> replacedBy: ['feature_id_v2'], <-- }, id: 'feature_id' name: `Case elastic#4 feature ${suffix} (DEPRECATED)`, … }); ``` ## How to test 1. Run test server ```bash node scripts/functional_tests_server.js --config x-pack/test/security_api_integration/features.config.ts ``` 2. Execute the following request from the Dev Tools (`case_4_feature_a` is a deprecated feature that is replaced by multiple features and **doesn't use** `deprecated.replacedBy`) ```http PUT kbn:/api/spaces/space/default?overwrite=true { "id":"default", "name":"Default", "description":"This is your default space!", "color":"#00bfb3", "disabledFeatures":["case_4_feature_a"], "_reserved":true, "imageUrl":"", "initials":"D" } ``` 3. Observe that in response deprecated `case_4_feature_a` is replaced by two features (you can also check http://localhost:5620/app/management/kibana/spaces/edit/default to see how it's reflected in UI) ```http { "id": "default", "name": "Default", "description": "This is your default space!", "color": "#00bfb3", "initials": "D", "imageUrl": "", "disabledFeatures": [ "case_4_feature_a_v2", "case_4_feature_c" ], "_reserved": true } ``` 4. Execute the following request from the Dev Tools (`case_4_feature_b` is a deprecated feature that is replaced by multiple features, but **uses** `deprecated.replacedBy` to set the conceptual feature-successor) ```http PUT kbn:/api/spaces/space/default?overwrite=true { "id":"default", "name":"Default", "description":"This is your default space!", "color":"#00bfb3", "disabledFeatures":["case_4_feature_b"], "_reserved":true, "imageUrl":"", "initials":"D" } ``` 5. Observe that in response deprecated `case_4_feature_b` is replaced by a single feature (you can also check http://localhost:5620/app/management/kibana/spaces/edit/default to see how it's reflected in UI) ```http { "id": "default", "name": "Default", "description": "This is your default space!", "color": "#00bfb3", "initials": "D", "imageUrl": "", "disabledFeatures": [ "case_4_feature_b_v2" ], "_reserved": true } ``` __Required by:__ elastic#202863 (comment) //cc @davismcphee
|
Thanks for the heads up @rylnd, and I left a comment on the issue with some details. I just want to confirm that the plan is to verify this soon, right (since these changes are targeting 9.00 FF)? |
rylnd
approved these changes
Jan 23, 2025
There was a problem hiding this comment.
Following up on my previous review: I just received a confirmation of the expected behavior, so this is good on our end.
thomheymann
approved these changes
Jan 23, 2025
semd
reviewed
Jan 24, 2025
semd
reviewed
Jan 24, 2025
semd
approved these changes
Jan 27, 2025
jughosta
approved these changes
Jan 28, 2025
x-pack/solutions/observability/plugins/inventory/public/hooks/use_discover_redirect.ts.orig
Outdated
Show resolved
Hide resolved
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Async chunks
Public APIs missing exports
Page load bundle
Unknown metric groupsAPI count
History
|
semd
added a commit
that referenced
this pull request
Jan 31, 2025
…verless (#208911) ## Summary Remove the implicit grant of the `savedQueryManagement` feature with the Security Solution basic feature (ID: `siemV2`) in Serverless. This is a follow-up of #202863 ### Feature `siemV2` This change only affects new roles created with the `siemV2` feature, introduced recently [here](#201780). This change will align the Roles UI in Serverless and ESS, both requiring the `savedQueryManagement` feature to be explicitly granted to be able to manage saved queries. ### Feature `siem` Roles using the deprecated `siem` feature will still implicitly receive the `savedQueryManagement` feature (via an implicit grant of `discover`, `dashboard`, `visualize`, and `maps`) + migration to their `*v2` features which include `savedQueryManagement`. So there's no behavior change for existing roles using the old `siem` feature (no breaking change). ## Screenshots The siem/siemV2 feature toggle: <img width="774" alt="siem feature" src="https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c" /> The savedQueryManagement feature toggle: <img width="774" alt="Saved query feature" src="https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b" />
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 31, 2025
…verless (elastic#208911) ## Summary Remove the implicit grant of the `savedQueryManagement` feature with the Security Solution basic feature (ID: `siemV2`) in Serverless. This is a follow-up of elastic#202863 ### Feature `siemV2` This change only affects new roles created with the `siemV2` feature, introduced recently [here](elastic#201780). This change will align the Roles UI in Serverless and ESS, both requiring the `savedQueryManagement` feature to be explicitly granted to be able to manage saved queries. ### Feature `siem` Roles using the deprecated `siem` feature will still implicitly receive the `savedQueryManagement` feature (via an implicit grant of `discover`, `dashboard`, `visualize`, and `maps`) + migration to their `*v2` features which include `savedQueryManagement`. So there's no behavior change for existing roles using the old `siem` feature (no breaking change). ## Screenshots The siem/siemV2 feature toggle: <img width="774" alt="siem feature" src="https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c" /> The savedQueryManagement feature toggle: <img width="774" alt="Saved query feature" src="https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b" /> (cherry picked from commit 3d5972a)
This was referenced Feb 4, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR reworks saved query privileges to rely solely on a single global
savedQueryManagementprivilege, and eliminates app-specific overrides. This change simplifies the security model for users, fixes bugginess in the saved query management UI, and reduces code complexity associated with maintaining two separate security mechanisms (app-specific overrides and global saved query management privileges).Background
Saved queries allow users to store a combination of KQL or Lucene queries, filters, and time filters to use across various applications in Kibana. Access to saved query saved objects are currently granted by the following feature privileges:
There is also a saved query management UI within the Unified Search bar shared by applications across Kibana:
The way access to this UI is managed in Kibana is currently confusing and buggy:
feature_discover.allandfeature_dashboard.allthey will be able to load and save queries in Discover and Dashboard.feature_discover.allandfeature_dashboard.readthey will be able to load queries in both Discover and Dashboard, but only save queries in Discover (even though they have write access to the SO, and API access). Instead they have to navigate to Discover to save a query before navigating back to Dashboard to load it, making for a confusing and frustrating UX.Existing improvements
In v8.11.0, we introduced a new "Saved Query Management" privilege, allowing users to access saved queries across all of Kibana with a single global privilege:
When this privilege is added to a role, it solves the
feature_discover.allandfeature_dashboard.readissue mentioned above. However, it does not fix any of the mentioned issues for roles without the new privilege. We have so far postponed further improvements to avoid a breaking change.Approach
To fully resolve these issues and migrate to a single global privilege, these changes have been made:
To implement this with minimal breaking changes, we've used the Kibana privilege migration framework. This allows us to seamlessly migrate existing roles containing feature privileges that currently provide access to saved queries, ensuring they are assigned the global saved query management privilege on upgrade.
As a result, we had to deprecate the following feature privileges, replacing them with V2 privileges without saved query SO access:
Each area of code that currently relies on any of these feature privileges had to be updated to instead access
feature_X_V2instead (as well as future code).This PR still introduces a minor breaking change, since users who have
feature_discover.allandfeature_dashboard.readare now able to save queries in Dashboard after upgrade, but we believe this is a better UX (and likely the expected one) and worth a small breaking change.Testing
feature.privilegetofeature_v2.privilege, which is backward compatible.savedQueryManagementfeature should now globally control access to saved query management in Unified Search for all new user roles. Regardless of privileges for Discover, Dashboard, Maps, or Visualize, new user roles should follow this behaviour:savedQueryManagementisnone, the user cannot see or access the saved query management UI or APIs.savedQueryManagementisread, the user can load queries from the UI and access read APIs, but cannot save queries from the UI or make changes to queries through APIs.savedQueryManagementisall, the user can both load and save queries from the UI and through APIs.Checklist
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesIdentify risks
This PR risks introducing unintended breaking changes to user privileges related to saved queries if the deprecated features have not been properly migrated, and users could gain or lose access to saved query management on upgrade. This would be bad if it happened, but not overly severe since it wouldn't grant them access to any ES data they couldn't previously access (only query saved objects). We have automated testing in place to help ensure features have been migrated correctly, but the scope of these changes are broad and touch many places in the codebase.
Additionally, the UI capabilities types are not very strict, and are referenced with string paths in many places, which makes changing them riskier than changing strictly typed code. A combination of regex searches and temporarily modifying the
Capabilitiestype to cause type errors for deprecated privileges was used to identify references in code. Reviewers should consider if there are any other ways that UI capabilities can be referenced which were not addressed in this PR.Our automated tests already help mitigate the risk, but it's important that code owners thoroughly review the changes in their area and consider if they could have unintended consequences. The Platform Security team should also review this PR thoroughly, especially since some changes were made to platform code around privilege handling. The Data Discovery team will also manually test the behaviour when upgrading existing user roles with deprecated feature privileges as part of 9.0 upgrade testing.