Spaces - Hiding management link #38472
Changes from 7 commits
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,7 +18,7 @@ import routes from 'ui/routes'; | |
import { AdvancedSettingsSubtitle } from './components/advanced_settings_subtitle'; | ||
import { AdvancedSettingsTitle } from './components/advanced_settings_title'; | ||
|
||
const MANAGE_SPACES_KEY = 'manage_spaces'; | ||
const MANAGE_SPACES_KEY = 'spaces'; | ||
It felt weird to have the ui capability |
||
|
||
routes.defaults(/\/management/, { | ||
resolve: { | ||
|
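Review bot: MANAGE_SPACES_KEY changes value from 'manage_spaces' to 'spaces' with nothing in the hunk saying why the shorter id is needed. If the section id now has to line up with a capability name (the thread mentions a `management.kibana.spaces` flag), say so in a comment on the constant, and check that nothing else still looks the section up by 'manage_spaces', since a stale id would simply stop matching.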
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,6 +21,7 @@ const reactRootNodeId = 'manageSpacesReactRoot'; | |
routes.when('/management/spaces/list', { | ||
template, | ||
k7Breadcrumbs: getListBreadcrumbs, | ||
requireUICapability: 'spaces.manage', | ||
The other management routes use their |
Sure, I'll change this to be consistent. |
||
controller( | ||
$scope: any, | ||
$http: any, | ||
|
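Review bot: `requireUICapability: 'spaces.manage'` on the list route is a client-side routing guard, so on its own it hides the page rather than protecting the data behind it. Worth confirming, in the PR description or in a test, that the spaces HTTP API rejects the same users independently of this option, so that a user who is redirected away from `/management/spaces/list` cannot still reach the endpoints the controller calls through `$http`.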
@@ -53,6 +54,7 @@ routes.when('/management/spaces/list', { | |
routes.when('/management/spaces/create', { | ||
template, | ||
k7Breadcrumbs: getCreateBreadcrumbs, | ||
requireUICapability: 'spaces.manage', | ||
controller( | ||
$scope: any, | ||
$http: any, | ||
|
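Review bot: the literal 'spaces.manage' added to the create route is the same string added to the list and edit routes, and a typo in any one copy would make that route check a different capability from the other two. Pull it into a single constant next to `reactRootNodeId` and reference it from all three route definitions.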
@@ -89,6 +91,7 @@ routes.when('/management/spaces/edit', { | |
routes.when('/management/spaces/edit/:spaceId', { | ||
template, | ||
k7Breadcrumbs: () => getEditBreadcrumbs(), | ||
requireUICapability: 'spaces.manage', | ||
controller( | ||
$scope: any, | ||
$http: any, | ||
|
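Review bot: the hunk header shows a separate `routes.when('/management/spaces/edit', {` definition just above this one, and none of the hunks in this file adds `requireUICapability` to it. If that bare route renders anything, or redirects somewhere other than a guarded route, it needs the same option; if it is deliberately left alone, a comment there would save the next reader from wondering, and the functional test could cover `management/spaces/edit` without an id as well.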
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,175 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
import expect from '@kbn/expect'; | ||
import { KibanaFunctionalTestDefaultProviders } from '../../../../types/providers'; | ||
|
||
// eslint-disable-next-line import/no-default-export | ||
export default function({ getPageObjects, getService }: KibanaFunctionalTestDefaultProviders) { | ||
const esArchiver = getService('esArchiver'); | ||
const security = getService('security'); | ||
const PageObjects = getPageObjects(['common', 'settings', 'security']); | ||
const appsMenu = getService('appsMenu'); | ||
const testSubjects = getService('testSubjects'); | ||
|
||
describe('security feature controls', () => { | ||
before(async () => { | ||
await esArchiver.load('empty_kibana'); | ||
}); | ||
|
||
after(async () => { | ||
await esArchiver.unload('empty_kibana'); | ||
}); | ||
|
||
describe('global all base privilege', () => { | ||
before(async () => { | ||
await security.role.create('global_all_role', { | ||
kibana: [ | ||
{ | ||
base: ['all'], | ||
spaces: ['*'], | ||
}, | ||
], | ||
}); | ||
|
||
await security.user.create('global_all_user', { | ||
password: 'global_all_user-password', | ||
roles: ['global_all_role'], | ||
full_name: 'test user', | ||
}); | ||
|
||
await PageObjects.security.logout(); | ||
|
||
await PageObjects.security.login('global_all_user', 'global_all_user-password', { | ||
expectSpaceSelector: false, | ||
}); | ||
}); | ||
|
||
after(async () => { | ||
await Promise.all([ | ||
security.role.delete('global_all_role'), | ||
security.user.delete('global_all_user'), | ||
PageObjects.security.logout(), | ||
]); | ||
}); | ||
|
||
it('shows management navlink', async () => { | ||
const navLinks = (await appsMenu.readLinks()).map( | ||
(link: Record<string, string>) => link.text | ||
); | ||
expect(navLinks).to.contain('Management'); | ||
}); | ||
|
||
it(`displays Spaces management section`, async () => { | ||
await PageObjects.settings.navigateTo(); | ||
await testSubjects.existOrFail('spaces'); | ||
}); | ||
|
||
it(`can navigate to spaces grid page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/list', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('spaces-grid-page'); | ||
}); | ||
|
||
it(`can navigate to create new space page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/create', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('spaces-edit-page'); | ||
}); | ||
|
||
it(`can navigate to edit space page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/edit/default', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('spaces-edit-page'); | ||
}); | ||
}); | ||
|
||
describe('default space all base privilege', () => { | ||
before(async () => { | ||
await security.role.create('default_space_all_role', { | ||
kibana: [ | ||
{ | ||
base: ['all'], | ||
spaces: ['default'], | ||
}, | ||
], | ||
}); | ||
|
||
await security.user.create('default_space_all_user', { | ||
password: 'default_space_all_user-password', | ||
roles: ['default_space_all_role'], | ||
full_name: 'test user', | ||
}); | ||
|
||
await PageObjects.security.logout(); | ||
|
||
await PageObjects.security.login( | ||
'default_space_all_user', | ||
'default_space_all_user-password', | ||
{ | ||
expectSpaceSelector: false, | ||
} | ||
); | ||
}); | ||
|
||
after(async () => { | ||
await Promise.all([ | ||
security.role.delete('default_space_all_role'), | ||
security.user.delete('default_space_all_user'), | ||
PageObjects.security.logout(), | ||
]); | ||
}); | ||
|
||
it('shows management navlink', async () => { | ||
const navLinks = (await appsMenu.readLinks()).map( | ||
(link: Record<string, string>) => link.text | ||
); | ||
expect(navLinks).to.contain('Management'); | ||
}); | ||
|
||
it(`doesn't display Spaces management section`, async () => { | ||
await PageObjects.settings.navigateTo(); | ||
await testSubjects.existOrFail('objects'); // this ensures we've gotten to the management page | ||
await testSubjects.missingOrFail('spaces'); | ||
}); | ||
|
||
it(`can't navigate to spaces grid page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/list', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('homeApp'); | ||
}); | ||
|
||
it(`can't navigate to create new space page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/create', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('homeApp'); | ||
}); | ||
|
||
it(`can't navigate to edit space page`, async () => { | ||
await PageObjects.common.navigateToActualUrl('kibana', 'management/spaces/edit/default', { | ||
ensureCurrentUrl: false, | ||
shouldLoginIfPrompted: false, | ||
}); | ||
|
||
await testSubjects.existOrFail('homeApp'); | ||
}); | ||
}); | ||
}); | ||
} |
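Review bot: the negative cases only exercise `base: ['all']` scoped to `spaces: ['default']`; no role with a global read-only base privilege is tested, so the suite does not pin down whether such a user sees the Spaces section or can reach the three routes. A third `describe` for that role would close the gap. Separately, both `after` hooks run `security.user.delete(...)` and `PageObjects.security.logout()` inside one `Promise.all`, so the user can be deleted while its session is still logging out; awaiting the logout first removes that ordering dependency.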
We're changing from a shallow merge to a deep merge to support the new `management.kibana.spaces` flag. Originally, this was intentionally designed as a shallow merge so that plugins would not clobber capabilities which didn't belong to them. While it's true that `merge` won't allow a plugin to delete capabilities defined by other plugins, the addition of capabilities to other plugins' "buckets" is likely not something we want to encourage/support.

I know we've discussed letting plugins enhance the capabilities of other plugins, but I don't know if this is the way we want to do so. Since `management` is a defined key of the `Capabilities` interface, how do you feel about allowing the merge for this key, but not for the rest?

The previous implementation wasn't preventing duplicate definitions of the same first-level ui capability: https://codepen.io/kobelb/pen/MMWROw?editors=0012. We take advantage of this for building the `catalogue` ui capabilities: some of them are hard-coded here and we add to this list within the xpack_main plugin here.

I agree, but I don't believe those restrictions were previously enforced, at least not when using `injectDefaultVars` (when we first implemented FC) or the new `uiCapabilities`. We have some enforcement on this within `xpack_main` here, but this is only for merging the ui capabilities that we derive from the feature registration.

I can look at changing spaces to not use `uiCapabilities` to define the management section, and instead augment uiCapabilitiesForFeatures, but we'll still need the ability to merge all of these "deeply".

I think the proper solution to this problem is to follow through on #36221 and make it so that each of these "ui capability sections" is able to define its own rules and so we can enforce these restrictions throughout the system, I was trying to prevent making this a dependency for fixing this specific issue though.

I added tests with 4d21c34 to ensure we aren't clobbering anything, and added additional safeguards. Does this assuage any of your previous concerns?

So... we can't do this at the moment because we don't register a "Spaces" feature, and these actions are hard-coded here: https://github.com/elastic/kibana/pull/38472/files#diff-f5ed4149300a16c9d74494d7b470b450R68. I don't know what I was thinking previously.

Agreed, thanks for the thoughtful followup!
❤️
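The merge behaviours debated in the thread above, as an added example that is not Kibana's code and not part of the PR. A spread-based shallow merge stands in for the original behaviour; `shallowMerge`, `guardedMerge`, `sharedSections` and the sample capability objects are hypothetical and constructed for illustration, and only `management.kibana.spaces` comes from the page.

```javascript
// Added example: not Kibana's implementation; every name here is hypothetical.
// Capabilities are nested maps: { section: { ...: boolean } }.

// Stand-in for a shallow merge: reusing a top-level key replaces the whole section.
function shallowMerge(base, contribution) {
  return { ...base, ...contribution };
}

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Deep merge with two guards: nested keys may only be added under sections listed
// in sharedSections, and an existing leaf may not be redefined with another value.
function guardedMerge(base, contribution, sharedSections, path = []) {
  const out = { ...base };
  for (const [key, value] of Object.entries(contribution)) {
    const here = [...path, key];
    if (!(key in base)) {
      if (path.length > 0 && !sharedSections.includes(path[0])) {
        throw new Error(`"${here.join('.')}" adds to a section that is not shared`);
      }
      out[key] = value;
    } else if (isPlainObject(base[key]) && isPlainObject(value)) {
      out[key] = guardedMerge(base[key], value, sharedSections, here);
    } else if (base[key] !== value) {
      throw new Error(`"${here.join('.')}" is already defined`);
    }
  }
  return out;
}

// Constructed sample data (only management.kibana.spaces comes from the page).
const core = {
  management: { kibana: { index_patterns: true, objects: true } },
  discover: { show: true },
};
const spacesPlugin = { management: { kibana: { spaces: true } } };
const otherPlugin = { discover: { save: true } };

console.log(shallowMerge(core, spacesPlugin).management); // sibling entries lost
console.log(guardedMerge(core, spacesPlugin, ['management']).management); // kept, spaces added
try {
  guardedMerge(core, otherPlugin, ['management']);
} catch (e) {
  console.log(e.message); // rejected: discover is not a shared section
}
```

Passing `['management', 'catalogue']` as `sharedSections` would model the reply's point that `catalogue` is also assembled from more than one place.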