Kibana Spaces

[elasticmachine]

Original comment by @spalger:

When a user logs into Kibana, they will be presented with a spaces chooser that allows them to choose a space. From this point forward, all saved objects will be filtered and saved within that space. Spaces will be available in x-pack basic as an organization feature, and will be securable once Security is enabled.

An indicator of the selected workspace and a switcher will be displayed via the Kibana navigation bar.

Saved objects exist within a single space, and they cannot be shared between multiple workspaces. A systems administrator will be able to manage the spaces, via a UI similar to the following:

When a space is deleted, it will cascade the delete to all saved objects within the workspace. Additionally, Kibana UI Settings will be space specific, and the settings from the default workspace will be copied to the new space when it’s created.

Roles will grant read-only/write access to different spaces. This will utilize the custom privileges support that Elasticsearch is implementing in LINK REDACTED

There will always be a “default” space in Kibana. This is where saved objects that were created before spaces are enabled will go; and where dashboards, visualizations, etc. that are imported via Beats will be created, until their workflows are augmented to allow the user to choose a space.

Kibana’s URL routing will be modified to include the optional /space/{spaceId} path, and if one is not present we will assume the default space. URLs for saved objects that were created before spaces is enabled will work as long as saved object continues to exist within the default space. If it’s moved to another workspace, the previous URLs (including short URLs) will no longer work and the user will get the equivalent of a 404.

ML, APM, Monitoring and Reporting will exist outside of the context of spaces, and continue to use cluster-wide settings and indices. These applications should include some type of indicator that they aren’t within a space, so the user is aware that they are cluster-wide.

When saved objects are exported, we will omit the space in which they currently belong; and when they are imported they will be assigned to the currently selected space.

Tasks

• Separate base path and root base path
• Ensure Reporting works with the new Spaces
• Space chooser on login
• Spaces management screens
  • Delete cascade
  • Copy Advanced Settings from default space
  • Enforce unique space URL
• Default Space
  • Created on startup
  • Only created once after the elasticsearch plugin goes green
• Saved Object Client becomes space aware
  • Space ID stored on objects
  • SpaceID added to the mappings
  • Timing issue with the mappings being added is resolved
• SecureSavedObjectsClient
  • Secured with spaces
  • API integration tests against spaces
• Import and Export
• Expose the space on the request so ML can read it from there
• Role management screens
  • Reactify/EUIfy
  • Space based permissions

---

Updated March 31 with decision to move forward with Index/X-Pack Security based approach to permissions.

Previous iterations backed up in a google doc LINK REDACTED for posterity sake.

---

Kibana Workspaces create "silos" in Kibana for different groups of people to work together. Saved Objects and configuration will be unique to each workspace.

Original breakdown

User Experience

• OSS Kibana Install
  • There shouldn't be any perceivable difference in OSS Kibana
• X-Pack Installation
  • A new "workspaces" section is added to Management
  • A "default" workspace is created that uses the kibana index configured in kibana.yml
• Create a new Workspace
  • Create workspaces from the "workspaces" section of management
  • Choose workspace title
  • Choose if Kibana should automatically create read-only/full-access roles for this workspace (on by default)
  • Click create
  • Workspace editor is shown
• Give access to a workspace
  • If Kibana created a role for this workspace specifically, add that role to users who should have access
  • Follow the instructions in the workspace editor to give custom roles access to this workspace:

  • For a role to provide **read-only access** to the {title} workspace it must:
      - have the `read` index privilege for the `.xpack-ws-{id}*` pattern
    For a role to provide **full access** to the {title} workspace it must:
      - have the `manage` cluster privilege
      - have the `read`, `index`, `manage`, and `delete` index privilege for
        the `.xpack-ws-{id}*` pattern
    

• Access a Workspace
  • All requests to / will determine which workspaces a user can access
  • If they only have access to one, they will be redirected to it
  • If they have access to none, they will receive an error page
  • If they have access to multiple, a workspace selector page will be shown
  • Working in a workspace is exactly the same as working in Kibana today
• Switch Workspace
  • A workspace selector will be accessible somewhere
• Editing a Workspace
  • Select workspace from the "workspaces" section of management
  • Change the properties of the workspace
  • Save
• Delete a Workspace
  • Delete from the "workspaces" section of management
  • Make it very clear that deleting a workspace destroys all objects/reports/etc. in that workspace, and that none of the objects can be restored.
  • Deletes all traces of the workspace and it's indices

How/Implementation/Integration

• Workspace access is determined by index access
  • A workspace does not track which users/roles can access it
  • The list of workspaces a user can access is derived from the list of ES indexes they can access
  • Users/Admins must define who can access a workspace by adding permissions to Security roles for the indexes backing a workspace
• Indexes
  • Each workspace maps to a set of indexes with the .xpack-ws-{id}-{domain} format:
    • .xpack-ws-{id}-kibana for kibana saved objects
    • .xpack-ws-{id}-reporting for reporting jobs
  • Workspace metadata is stored in .xpack-workspaces
    • May move this into the default kibana index if a separate index is too costly
• Creating a workspace
  • workspace doc is created in .xpack-workspaces
  • workspace indexes are created at .xpack-ws-{id}-kibana and .xpack-ws-{id}-reporting
• Deleting a workspace
  • workspace doc, index, and reporting index are deleted
  • future updates could enable archiving a workspace, which closes it's indices and enables restoration
• Plugin startup
  • Ensure index templates exist for .xpack-workspaces, .xpack-ws-*-reporting, and .xpack-ws-*-kibana patterns
  • Ensure .xpack-workspaces index exists
  • Ensure the "default" workspace is defined in .xpack-workspaces index
• Health Checks/Kibana Index Setup
  • The health check will continue to be responsible for auto-creating the "default" kibana index
  • Workspaces health check will ensure that all other workspace indexes exist
• UI Integration
  • Default workspace will be served from /app/:appname (just like today)
  • New Workspaces will be served from /ws/:id/app/:appname
  • kbnIndex and basePath UI vars will be injected based on the current workspace
• API Integration
  • APIs will be served from both /api/:plugin and /ws/:id/api/:plugin
  • Requests without a prefix get routed to the "default" workspace
    • External integrations (like beats) will just use the default workspace

Undecided

• Should the workspace selector be visible even if a user only has access to a single workspace?
• Should we have an inline workspace selector or always go to a workspace selector "page"
• Do we like the name "Workspaces"?
• How involved should the workspace editor be in helping users manage permissions for the workspaces?
  • Shortcut for creating new role with correct privileges?
  • Add necessary privileges to a roles?
  • Remove privileges from a role?
  • Listing of all roles with access?
• What allows people to manage workspaces?
  • Same criteria that allows users to manage roles? (this level of access will be neceesary anyway)
  • Only people with the superuser role?
• How do we ensure that endpoints use the correct config?
  • Option 1 Multiple KbnServer instances
    • each workspace would map to a unique KbnServer instance that has modified configuration
    • plugins would not need to be adapted unless they maintain state outside of the server instance
    • Reroute request from initial server to child KbnServer instances as necessary
    • Shutdown KbnServer instances when not used for some time
    • Spin up instances as needed
    • POC in progress to determine what impact this has on system resources
  • Option 2 Request time config:
    • Endpoint will need to fetch configuration at request time instead of reading it from the config service.
    • Breaking change for plugins
    • Unknown amount of work making this possible

[elasticmachine]

Original comment by @cjcenizal:

Kibana Workspaces create "silos" in Kibana for different groups of people to work together. Saved Objects and configuration will be unique to each workspace.

Does anyone else find "Workspace" to be a confusing term? Are there examples of "Workspace" used by other products and services for this purpose? I'd find "Organization" or "Work group" to be clearer.

For context, both LINK REDACTED and LINK REDACTED use the term "Organization" for this type of feature.

[elasticmachine]

Original comment by @spalger:

I think we could use "Organization" or something similar, but I don't like the artificial limitation it implies.

[elasticmachine]

Original comment by @alexfrancoeur:

I agree - when I think of a workspace I feel as if it's my own and is user specific. We don't want users creating workspaces for each user. "Groups", "Organization" or something similar might be better. We want the naming to hint that it's meant for a group of people.

[elasticmachine]

Original comment by @cjcenizal:

I don't want to restrict how people choose to create/use workspaces either, but we should use a term that communicates meaning as clearly as possible. Personally, I think of a workspace as my desk surface. It's where I go to arrange my pens, notebooks, laptop, etc in a usable way. I think this term would map well to a feature that allows you to configure and save your Kibana UI, but it doesn't map well to a feature that lets you define "groups of people".

[elasticmachine]

Original comment by @alexfrancoeur:

I wanted to link #11632 to this issue as I believe the new saved object API is a prerequisite for workspaces

[elasticmachine]

Original comment by @epixa:

@alexfrancoeur It is not a technically a prerequisite, though it will probably make things at least easier to test if not easier to implement.

[elasticmachine]

Original comment by @snide:

Notes for myself / design after talking with @epixa :

• Kibana workspaces are tied to roles.
• When creating a workspace they will have a name and an attachment to roles.
• On the roles form, we should also now allow attachment to existing workspaces.
• There will be two UI elements for switching your workspace:
  • A global switcher tied to the account.
  • If the user is attached to many workspaces, then on login, they should be prompted to select a workspace.
    • Within the user profile, the user should be able to define their "default" workspace to bypass this initial action.

[elasticmachine]

Original comment by @skearns64:

Kibana workspaces are tied to roles.

Are we planning to tie workspace access to specific roles, like we do with Dashboard-only mode (which isn't a security feature), or based on privileges to the underlying index used by the workspace (which would be a security feature)?
I think there was discussion about this long ago where I and others expressed a preference for the later, and the main issue description implies the later, but it's worth making sure we're all on the same page.

[elasticmachine]

Original comment by @epixa:

From a UI interaction standpoint, people can think of workspaces as being associated with roles. This way you can create a workspace and assign roles at the same time, and see whether a given role has access to a workspace alongside things like dashboard only mode. Behind the scenes, I think the source of truth on this should be the underlying permissions, so it isn't possible to have workspaces/roles/permissions get out of sync and the same underlying security model that is used for kibana now can be used for workspaces tomorrow.

[elasticmachine]

Original comment by @joshbressers:

We will have to be mindful of what happens when a role and a user's permissions don't agree. For example what would these two situations result in?

1. A user has a workspace role assigned but lacks permissions to see certain indices
2. A users has certain permissions but lacks the assigned workspace role

[elasticmachine]

Original comment by @epixa:

@joshbressers If we we rely on the resulting permissions behind the scenes rather than creating a separate explicit relationship between roles and workspaces, then we don't need to be mindful of this, as it is just using Elasticsearch's existing security model, which also happens to be Kibana's existing security model. In other words, how we handle permissions wouldn't change with the addition of workspaces, only the index in which a workspace's data is stored. You'd still need to manually grant access to non-kibana indices and the like.

[elasticmachine]

Original comment by @joshbressers:

OK, good. I misunderstood your last comment. This makes more sense now. This is the right way to deal with this.

[elasticmachine]

Original comment by @snide:

Some workspace spec designs, mostly in K7, but also did some concepts for how we could deal with selection in K6.

Notes

1. Added a launcher on login. This might be unnecessary, but figured I'd make an explicit welcome screen if we're worried about people forgetting where they are (think this is more a concern for K6). Think @epixa originally mentioned this as an option.
2. The K6 stuff is something I threw together in 15 minutes. I'll mess with it more once people are clear on the functionality. One option might be to not allow selection of workspaces only when the navigation is not collapsed. Figure it can just be a stylized dropdown when in expanded mode.
3. If we're anticipating more than a dozen of these we'll probably want to think up something more clever for K6 as we could eventually run out of space.
4. I think we should call these things "Projects" rather than "Workspaces". In almost all the language, it makes things a bit more clear. These are things that store content, not permissions or configurations (at least to a user).
5. The starring concept in K6 could be replaced with a simple dropdown in the user/profile area where they select "Use this workspace on login"...etc.

[elasticmachine]

Original comment by @alexfrancoeur:

@snide if a user did not have any workspaces configured, would we show the current kibana server name or would this just be blank?

[elasticmachine]

Original comment by @snide:

@alexfrancoeur CJ suggested "Default workspace" as the name, rather than "Kibana". I think we need to show it, even if only one exists. Again, this is another spot where calling these things "projects" makes more sense.

[elasticmachine]

Original comment by @cjcenizal:

I agree that renaming this feature "Projects" will help. In terms of the default name, I think it might send a confusing message to name one "Kibana", because it sounds special/important, especially considering the app is called Kibana, we have a .kibana index, and if you go into Management there is a "Kibana" section. So calling it something dumb and obvious like "Default project", "Demo project", or "Your first project" will make it clearer that it's just there to give you momentum and ease you into a more advanced workflow.

[elasticmachine]

Original comment by @alexfrancoeur:

@snide @cjcenizal If customized, the default workspace / project could take on the name of the kibana server name as well. Is that still confusing? For instance if users have kibana-prod, kibana-qa or kibana-dev - we could show that server name and provide the user with a reminder as to what environment they are in. This may be a separate issue but it seemed to gel with the proposed design.

In regards to projects vs. workspaces, every customer I've spoken to thinks of using this concept for specific internal teams or external customers. To me, "workspace" sounds more in line with having a private area for that group or customer to work in. I see the benefits of "project" as it alludes to multiple projects within a group but I personally think workspaces makes more sense in context of how our users are thinking about the concept already.

[elasticmachine]

Original comment by @epixa:

@alexfrancoeur We should treat server-side configurations such as server.name as sensitive information that shouldn't be exposed to end-users. That value could very well be a good name for the default workspace on one install, but it could be a sensitive internal network id or something like that in another.

+1 to what @alexfrancoeur said about projects not feeling like the right name for this based on how customers plan to use it.

I think we need to show it, even if only one exists.

Why do you think that? Since users themselves will not be able to create workspaces, it seemed convenient that the whole concept of workspaces essentially just melted away if the user has no means to do anything with it.

[elasticmachine]

Original comment by @snide:

@epixa None of these are great reasons, but I'll bring them up. It's obviously easier to design not showing it.

1. The admin can look over their shoulder and know where they are.
2. Without it being prominent for the admin, they likely won't know it's a thing. Having it there, even if it's... hmm, what's this (and that will happen because of it's prominence in the global header), will lead to people setting them up properly as early as possible. I'm worried that without easily portable objects between workspaces people will have to do a lot of copy/cut/pasting of objects to set them up properly. May as well introduce them to it as early as possible.

[elasticmachine]

Original comment by @alexfrancoeur:

In the latest Platform meeting we discussed dropping the "Work" from "Workspaces" and would like to call this feature Kibana Spaces. Everyone generally liked it, any thoughts from the group?

[elasticmachine]

Original comment by @cjcenizal:

@alexfrancoeur My immediate impression is that it's too vague -- vaguer than Workspaces. 😄 Could you explain the thought process and why people liked this more?

[elasticmachine]

Original comment by @alexfrancoeur:

@cjcenizal it was just a suggestion from @jimgoodwin and in the very brief discussion we had, the group seemed to like it. From my perspective it seems to be fairly common terminology for defining an area that a single person or group of people can work / collaborate in.

LINK REDACTED)
LINK REDACTED
Google had LINK REDACTED - I'm sure they didn't discontinue the product because of it's name 😄, these guys just can't figure out messaging for the life of them.

I feel like we're going to have to get a vote going soon

[elasticmachine]

Original comment by @alexfrancoeur:

Latest spec doc from Spencer is in a google doc LINK REDACTED

[elasticmachine]

Original comment by @spalger:

Sorry this issue has gotten stale. Many discussions happened in berlin/slack/zoom without any record or sharing and it has left people out of the loop. We still plan to have these discussions but I will post here every time things change to help keep everyone updated.

Outer Space

We generally agree that space-limited apps like Dashboard need to be visually distinct from stack-limited apps like ML and Monitoring. We hope this will help the user understand that they are operating in a different context.

See "Not every app is space-specific" in the google doc LINK REDACTED for more information about the distinction between space and stack limited apps.

When a user who is used to their changes only affecting other users of the XYZ Space gets access to Outer Space, they will hopefully be able to tell when they are in which scope.

See POC (below) for a visual example

Routing/Default space

We plan to use a url prefix to designate which space a user is in; /space/123/app/kibana loads the Kibana app in space 123. In order to prevent all stored and documentation links from breaking we plan to move all Saved Objects into a "default space" when Spaces is first enabled, and use that default space when a URL doesn't have space information.

We think this will be a bigger issue than expected for a couple reasons:

1. We expect that most users will want to segregate their existing dashboards into any number of different spaces, meaning BWC will likely be broken shortly after moving to Spaces because the links will try to load all existing dashboards from the default space instead of space the user just created for the dashboard.
2. For several reasons, the default space will have to be a single shared space for all users, which works against what we are trying to build with spaces
3. The links that Kibana publishes in its docs, or that blog authors write into their posts, will need to instruct users how to adapt the URL if they are using X-Pack and Spaces (note: this is already the case when users use Kibana's basePath feature)

To mitigate the BWC and saved link issues we are thinking that we might not include space information in the URL, but would try to infer it from the primary Saved Object loaded by the application. This would theoretically allow saved objects to move between spaces without their URL changing. This would have a pretty severe impact on how Kibana handles routing, increases the complexity of implementation significantly, and would require some other method to specify the space in API requests, but is possible.

To mitigate the documentation and blog post URL issues, we're thinking that personal spaces could be used for requests that don't specify a specific space, rather than requiring a shared default space.

Open Source

We have discussed the possibility of implementing the core of Spaces in Kibana OSS and the security components in X-Pack. Doing this would make implementation much simpler across the board (especially if we decide that URLs can not include space specific information), would add a pretty nice feature to OSS Kibana assuming users didn't need access control, and diminishes the differences between the OSS and X-Pack UX by bringing Outer Space to open source.

No authorization in Kibana

In order to prevent Kibana from being a threat to the security of the whole stack we are reevaluating the option of using elasticsearch for all authorization. This was the original approach we took, and we decided against it because:

• it makes granting access to a space more complicated for the user
• it theoretically limits the number of spaces you can create, conflicts with the idea of automatically creating per-user personal spaces
• it creates additional work for the user at upgrade time, since users would have many kibana indexes (hundreds?) to upgrade

Our current thinking is that:

• we need to explore how the interaction between space-indices and roles could be tweaked to enable a better UX, possibly by adding features to X-Pack Security in Elasticsearch
• we'll probably punt on personal spaces until we have OLS in Elasticsearch, which we think we'll use to provide a personalized view on a shared index used for all personal spaces
  • notice how this conflicts with how we want to handle "default" spaces
• we're investigating how much of the upgrade process Kibana could do automatically
• when Kibana indexes can not be upgraded automatically, we plan to bundle them together in the upgrade assistant to that they are presented as a single step, rather than needing to be upgraded independently

The user without a space

It would be ideal if a user never successfully logged into Kibana and saw a message telling them they couldn't do anything, but this is currently the case until a user is given access to their first Space.

Personal spaces would solve this, but requires one of:

• An index per user
• OLS in Elasticsearch
• Authorization in Kibana

POC

LINK REDACTED
(there is also an alias to the LINK REDACTED if you like)

In order to better understand how navigation/login/Outer Space will work I built a POC (major thanks to the folks working on LINK REDACTED!) that implements the following:

• auto select a space if user only has access to one
• visually distinguish between spaces and Outer Space
• segregate space-specific and Outer Space management tasks

[elasticmachine]

Original comment by @cjcenizal:

@spalger Great job building out this POC! I love the attention to detail. So is Outer Space going to become a real thing????

[elasticmachine]

Original comment by @spalger:

Just met with @AlonaNadler, @skearns64, @tbragin, and @epixa. We ran way over, and @skearns64 and @tbragin had to leave on time but I think we made good progress

recording: LINK REDACTED

Discussion

• Navigating between a space and Outer Space is confusing, takes too many steps
• Different management apps for space and outer space is way confusing
• Segregating apps into Outer Space makes them harder to find
• Users with multi-tenant deployments will probably disable the plugins that would normally fill out Outer Space and give all of the tenants a mostly unified experience
• API permissions in ES still ensure that only trusted users can use Outer Space apps like ML and APM, so even if it was visible with the other apps it won't be functional unless the user is trusted enough to have permission
• Limiting access to Outer Space is basically a sub-par implementation of customized apps/plugins per user
  • everyone wants to limit access to certain apps
  • including a sub-par implementation in Spaces is not what we want
  • enabling/disabling entire plugins at the user+space level is what people really want and is making its way to the road map

Decisions

• present global apps along with the space-limited apps in navigation (goodbye Outer Space)
• Dashboard only mode will be per-space, and will present the same as it does in Kibana today (global apps will be hidden in that space)
• Spaces won't implement per-space or per-user application visibility
• Global apps won't leave the space, but should use visual indicators (need to try out a couple things) to label operations that are not actually limited by the current space
• Global apps should use the current space as the default when doing space-related operations (like which space to create a dashboard in using ML)

[elasticmachine]

Original comment by @tbragin:

Thanks for the notes, @spalger! I'm curious whether the decisions that were made on Tuesday affect our plans with the open-sourcing of the Spaces feature (aside from securing the Spaces). I think that's a big change from what we originally discussed, and would love to understand that further. I'll throw another chat on the calendar for Friday to hopefully dig into the reasoning behind that more.

[elasticmachine]

Original comment by @epixa:

The rationale for putting the insecure notion of spaces in OSS and then having xpack secure it is simply that it dramatically simplifies things from a technical standpoint.

More notes on this in a gist LINK REDACTED

[elasticmachine]

Original comment by @spalger:

Chatted with Alona and we both worry that spaces will cause more confusion when people are trying to find a specific dashboard (especially when they aren't using Kibana very often). To address that I want to mockup two things:

• LINK REDACTED
• LINK REDACTED

[elasticmachine]

Original comment by @snide:

@spalger @AlonaNadler If you go in this direction please consider just wrapping this into global search, which we need anyway and can superset that issue.

We need to have ONE search across Kibana, not many. No reason spaces / recently visited stuff can't appear in the global set. cc @timroes

[elasticmachine]

Original comment by @epixa:

Chatted with Alona and we both worry that spaces will cause more confusion when people are trying to find a specific dashboard (especially when they aren't using Kibana very often).

I think this is a real possibility, but it's not necessarily set in stone. A lot of it depends on how the feature evolves from a usage standpoint. For example, if the vast majority of organizations only have a couple spaces and the vast majority of users only belong to a single space, then the confusion will be much less than if spaces are widely used and many people belong to multiple spaces.

And beyond sheer usage numbers, what people are actually creating spaces for will impact this a lot as well. For example, if it's common to set up spaces for teams within your company, "losing" a dashboard may not be very common.

If you belong to a sales space and an engineering space, then you're probably not going to be confused about where to find the "ci failures dashboard", you know?

[elasticmachine]

Original comment by @epixa:

So in other words, I think we should keep an eye on this, but we shouldn't jump to any conclusions without seeing usage.

[elasticmachine]

Original comment by @kobelb:

Based on our discussions the previous weeks, work on Spaces will begin again with the @elastic/kibana-security owning it. I've updated the description of this issue with the current approach.

[kobelb]

Closing this out in favor of #18948 which has more up to date information