Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ML] Adds secondary authorization header to Transforms in Fleet (#154665
) ## Summary The PR updates how credentials are created and managed for packages including Transforms. Previously, everything will be installed as `kibana_system` user, which has limited permissions to a specific set of indices defined internally. This PR changes so that a secondary authorization is passed to the creation of Transforms, making the permissions/privileges dependent on the logged-in user. ### Installing a package containing transforms - If the package has transforms assets to be installed, it will show warning/info call out message indicating that the transforms will be created and started with the current user's credentials/roles. <img width="1226" alt="Screen Shot 2023-04-11 at 17 45 58" src="https://user-images.githubusercontent.com/43350163/231305549-ad4c981c-e186-4431-8229-5083e9ed6fc3.png"> <img width="1226" alt="Screen Shot 2023-04-11 at 17 46 03" src="https://user-images.githubusercontent.com/43350163/231305550-7b47e95d-f876-456a-beb4-d71336a3f2cf.png"> -It will parse the authorization header (schema and credentials) from the Kibana request to the package handlers. - If the package contains transforms, and if **run_as_kibana_system: false in the any of the transform yml config** , then generate an API key from the above credential (as that Kibana user with the roles and permissions at the time of generation), and use it in `transform/_put` requests. - If user has **sufficient permissions**: - Transforms will be successfully created and started. They will be marked in the saved object reference with `deferred: false` - Transform `_meta` will have `installed_by: {username}` <img width="582" alt="Screen Shot 2023-04-11 at 14 11 43" src="https://user-images.githubusercontent.com/43350163/231305101-20a63860-6d0c-4324-ba49-bea116de1f96.png"> - Package will be successfully installed - If user has **insufficient permissions**: - Transforms will be successfully created, but fail to start. They will be marked in the saved object reference with `deferred: true` - Package will still be successfully installed. It will show warning that the package has some deferred installations. ### Deferred installations If a package has deferred installations (a.k.a assets that were included in the package, but require additional permissions to operate correctly), it will: - Show a warning on the `Installed integrations` page: <img width="1216" alt="Screen Shot 2023-04-06 at 15 59 46" src="https://user-images.githubusercontent.com/43350163/230955445-fcb575af-d02b-4b0f-96f7-7506fa4a8f02.png"> - Show a warning badge with explanation on the tab: <img width="750" alt="Screen Shot 2023-04-10 at 12 17 26" src="https://user-images.githubusercontent.com/43350163/230955055-2fa85f1f-b7f8-4473-997a-1e4fec5453b9.png"> - Show a new `Deferred installations` section as well as call out message to prompt user to re-authorize inside the `Assets` tab: <img width="1216" alt="Screen Shot 2023-04-06 at 15 59 09" src="https://user-images.githubusercontent.com/43350163/230955326-457074da-9f04-4aa6-aa15-f2c7ff14c6f1.png"> If the currently logged-in user has sufficient permissions (`manage_transform` ES cluster privilege/`transform_admin` Kibana role), the Reauthorize buttons will be enabled: <img width="1054" alt="Screen Shot 2023-04-10 at 12 24 18" src="https://user-images.githubusercontent.com/43350163/230960881-aa122119-c408-41c9-ab0c-90c18f65205e.png"> ### Reauthorizing installations - For transforms: - Clicking the `Reauthorize` button will send an `_transform/_update` API request with a `headers: {es-secondary-authorization: 'ApiKey {encoded_api}'` and then a `_transform/_start` to start operations. - Transform `_meta` will be updated with addition of `last_authorized_by: {username}` <img width="593" alt="Screen Shot 2023-04-11 at 14 12 38" src="https://user-images.githubusercontent.com/43350163/231305257-eb79cf47-dbc1-4d93-b47f-0ff698ba8e6d.png"> - If `order` is specified in `_meta` of the transform, they will be updated and started sequentially. Else, they will be executed concurrently. ## Reviewers note: -For **kibana-core**: saved object for Fleet's EsAsset was extended with `deferred: boolean`, thus changing the hash. ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
- Loading branch information