Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Reporting] Kibana Application Privileges for Reporting #94966

Merged
merged 43 commits into from
Apr 21, 2021

Conversation

tsullivan
Copy link
Member

@tsullivan tsullivan commented Mar 18, 2021

Release note: added an option to have Reporting features controlled by Kibana application privileges instead of by the reporting_user role.

Depends on #96097
Closes #19914
Closes #76210

Before, any user with the reporting_user role could use any Reporting feature. This PR allows Reporting be turned on and off by Kibana application privileges. A new configuration setting for kibana.yml toggles Reporting access privilege control between using security roles (deprecated) and UI Feature Controls (new platform).

The new setting is xpack.reporting.roles.enabled. It allows the Kibana admins to migrate Reporting from the deprecated scheme to the Kibana Platform scheme. The default value is true. This enables the legacy behavior of using xpack.reporting.roles.allowed as Elasticsearch security roles which identify the user as being granted Reporting privilege everywhere in Kibana. When the value is true, a warning is logged at startup that users should be migrated from the deprecated scheme to the new platform scheme. The warning will continue to be logged until the user migration is done. When the value is false, Reporting does not register itself as an Elasticsearch feature. Instead, applications take over and register Reporting as a sub-privilege. Administrators will give Reporting feature privileges through the Roles UI the Stack Management Security app.

Screenshot of the changes that this PR makes to the Edit role > Kibana privileges screen:
image

When xpack.reporting.roles.enabled is false and users have been granted privilege using feature controls, the migration from Reporting's legacy scheme to the new platform is done.

In 8.0, the only allowed value will be false.

Changes to plugins: Reporting, Features and Canvas

  1. A method had to be added to the FeaturesSetup contract to allow Reporting to update internal state that triggers Reporting to be included when privileges are registered for the OSS applications. This is featuresSetup.enableReportingUiCapabilities() It is meant to only be called by Reporting.

  2. A method had to be added to the ReportingSetup contract to allow Reporting-enabled applications to check if Reporting is configured for the New Platform behavior. If so, the application should register Reporting subfeature privileges. This is reportingSetup.usesUiCapabilities. Canvas was updated to call this method it its setup() phase before registering itself as a Kibana feature.

The following diagram shows the behavioral connections between the affected plugins. The parts added in this PR are highlighted in green.

FeaturesPlugin

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@tsullivan tsullivan changed the title Implement Reporting access control as subfeature privileges of multip… WIP [Reporting] Implement Reporting access control as subfeature privileges of multip… Mar 18, 2021
@tsullivan tsullivan changed the title WIP [Reporting] Implement Reporting access control as subfeature privileges of multip… WIP [Reporting] Implement Reporting access control as subfeature privileges Mar 18, 2021
@tsullivan tsullivan force-pushed the reporting/feature-controls-support branch 4 times, most recently from 4269cf8 to d756567 Compare March 25, 2021 19:41
@tsullivan tsullivan changed the title WIP [Reporting] Implement Reporting access control as subfeature privileges [WIP] Implement Reporting subfeature privileges for Canvas Mar 25, 2021
@tsullivan tsullivan force-pushed the reporting/feature-controls-support branch from d756567 to ad7f7a3 Compare March 30, 2021 23:50
@tsullivan tsullivan changed the title [WIP] Implement Reporting subfeature privileges for Canvas [WIP] Implement Reporting subfeature privileges for applications Mar 30, 2021
@tsullivan tsullivan force-pushed the reporting/feature-controls-support branch from ad7f7a3 to 3d6609c Compare March 31, 2021 00:04
@tsullivan tsullivan force-pushed the reporting/feature-controls-support branch 17 times, most recently from 52f7b11 to c061a0e Compare April 8, 2021 00:50
@tsullivan
Copy link
Member Author

@elasticmachine merge upstream

@tsullivan tsullivan force-pushed the reporting/feature-controls-support branch from 79f0501 to c2b50ac Compare April 9, 2021 04:02
@tsullivan
Copy link
Member Author

@elasticmachine merge upstream

@tsullivan
Copy link
Member Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
canvas 1085 1086 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
canvas 1.2MB 1.2MB +1.1KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
reporting 81.4KB 84.3KB +2.9KB
Unknown metric groups

API count

id before after diff
features 199 200 +1
reporting 126 131 +5
total +6

API count missing comments

id before after diff
features 89 90 +1
reporting 125 130 +5
total +6

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@tsullivan tsullivan merged commit 5a6eda2 into elastic:master Apr 21, 2021
@tsullivan tsullivan deleted the reporting/feature-controls-support branch April 21, 2021 03:44
tsullivan added a commit to tsullivan/kibana that referenced this pull request Apr 21, 2021
* Implement Reporting features as subfeatures of applications

* add setting to the docker list

* update doc images

* finish docs

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* typo fix

* "PDF / PNG Reports" => "Reporting"

* Update x-pack/plugins/reporting/server/config/index.ts

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Update x-pack/test/functional/apps/security/secure_roles_perm.js

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* update ids of report privileges

* combine dashboard privileges into 1 group

* update jest snapshot

* fix tests

* fix tests

* updates from feedback

* add note

* update screenshot

* fix grammer

* fix bad link breaks in doc

* update doc heading

* Apply suggestions documentation feedback

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* simplify

* use const assertions

* Apply text change suggestion from code review

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* more test for oss_features and reporting subFeatures

* reduce loc diff

* fix snapshot

* fix flakiness in licensing plugin public functional tests

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
# Conflicts:
#	x-pack/plugins/reporting/server/core.ts
#	x-pack/plugins/reporting/server/lib/enqueue_job.test.ts
#	x-pack/plugins/reporting/server/lib/store/store.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/execute_report.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/monitor_report.test.ts
#	x-pack/plugins/reporting/server/plugin.ts
#	x-pack/plugins/reporting/server/test_helpers/create_mock_reportingplugin.ts
@spalger
Copy link
Contributor

spalger commented Apr 21, 2021

FYI, this backport to 7.x is going to go into 7.14, not 7.13, unless an backport is opened to the 7.13 branch.

node scripts/backport --pr 94966 --branch 7.13

tsullivan added a commit that referenced this pull request Apr 22, 2021
#97777)

* [Reporting] Kibana Application Privileges for Reporting (#94966)

* Implement Reporting features as subfeatures of applications

* add setting to the docker list

* update doc images

* finish docs

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* typo fix

* "PDF / PNG Reports" => "Reporting"

* Update x-pack/plugins/reporting/server/config/index.ts

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Update x-pack/test/functional/apps/security/secure_roles_perm.js

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* update ids of report privileges

* combine dashboard privileges into 1 group

* update jest snapshot

* fix tests

* fix tests

* updates from feedback

* add note

* update screenshot

* fix grammer

* fix bad link breaks in doc

* update doc heading

* Apply suggestions documentation feedback

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* simplify

* use const assertions

* Apply text change suggestion from code review

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* more test for oss_features and reporting subFeatures

* reduce loc diff

* fix snapshot

* fix flakiness in licensing plugin public functional tests

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
# Conflicts:
#	x-pack/plugins/reporting/server/core.ts
#	x-pack/plugins/reporting/server/lib/enqueue_job.test.ts
#	x-pack/plugins/reporting/server/lib/store/store.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/execute_report.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/monitor_report.test.ts
#	x-pack/plugins/reporting/server/plugin.ts
#	x-pack/plugins/reporting/server/test_helpers/create_mock_reportingplugin.ts

* fix ci

* fix eslint

* skip flaky suite (#53575)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tiago Costa <tiagoffcc@hotmail.com>
@bhavyarm
Copy link
Contributor

This didn't make 7.13 BCs because of the missing backport. Zoomed with @tsullivan and @LeeDr and this is what we get for setting the key in kibana.yml - xpack.reporting.roles.enabled: true

 [18:07:11.840] [fatal][root] ValidationError: [config validation of [xpack.reporting].roles.enabled]: definition for this key is missing
    at ObjectType.validate (/Users/bhavyarajumandya/Desktop/snapshot_7.13.0/kibana-7.13.0-SNAPSHOT-darwin-x86_64/node_modules/@kbn/config-schema/target/types/type.js:51:19)
    at ConfigService.validateAtPath (/Users/bhavyarajumandya/Desktop/snapshot_7.13.0/kibana-7.13.0-SNAPSHOT-darwin-x86_64/node_modules/@kbn/config/target/config_service.js:170:23)

Removing 7.13.0 label from this. Thanks!

@bhavyarm bhavyarm removed the v7.13.0 label Apr 29, 2021
tsullivan added a commit to tsullivan/kibana that referenced this pull request Apr 29, 2021
…c#94966) (elastic#97777)

* [Reporting] Kibana Application Privileges for Reporting (elastic#94966)

* Implement Reporting features as subfeatures of applications

* add setting to the docker list

* update doc images

* finish docs

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* Apply suggestions from code review

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>

* typo fix

* "PDF / PNG Reports" => "Reporting"

* Update x-pack/plugins/reporting/server/config/index.ts

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* Update x-pack/test/functional/apps/security/secure_roles_perm.js

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>

* update ids of report privileges

* combine dashboard privileges into 1 group

* update jest snapshot

* fix tests

* fix tests

* updates from feedback

* add note

* update screenshot

* fix grammer

* fix bad link breaks in doc

* update doc heading

* Apply suggestions documentation feedback

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* simplify

* use const assertions

* Apply text change suggestion from code review

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>

* more test for oss_features and reporting subFeatures

* reduce loc diff

* fix snapshot

* fix flakiness in licensing plugin public functional tests

Co-authored-by: Kaarina Tungseth <kaarina.tungseth@elastic.co>
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
# Conflicts:
#	x-pack/plugins/reporting/server/core.ts
#	x-pack/plugins/reporting/server/lib/enqueue_job.test.ts
#	x-pack/plugins/reporting/server/lib/store/store.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/execute_report.test.ts
#	x-pack/plugins/reporting/server/lib/tasks/monitor_report.test.ts
#	x-pack/plugins/reporting/server/plugin.ts
#	x-pack/plugins/reporting/server/test_helpers/create_mock_reportingplugin.ts

* fix ci

* fix eslint

* skip flaky suite (elastic#53575)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tiago Costa <tiagoffcc@hotmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
(Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead release_note:enhancement v7.14.0 v8.0.0
Projects
None yet