New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow integration developers to edit managed content #170517
Comments
Pinging @elastic/kibana-presentation (Team:Presentation) |
@P1llus @drewdaemon, I assume the usual workflow is to:
Just a guess, but I wonder if a workaround could be:
This wouldn't be ideal long term, but it would at least be a workaround for 8.11 if any changes need to be made. Additionally, I don't really think this workaround should be built on the Dashboard side. Maybe we could add a |
@ThomThomson thats correct, its fine for 8.11.0, its not blocking us yet, but would be good to have a fix for the next patch release. The implementation I do not have much comments on, whichever is fine by us 😀 |
Tagging the @elastic/kibana-core team here as well for ideas on the implementation. |
@ThomThomson I tagged your team because this needs a team and Dashboards are the only content that is currently read-only. I agree that the solution needs to fit all content types.
I don't think this needs to be a user-facing feature. Integration developers make changes to these dashboards using a local stack that gets created by https://github.com/elastic/elastic-package. That tool could flip a Kibana configuration switch. I defer to Core on the specifics of how best to make this happen! |
@drewdaemon yes the Presentation team can certainly drive this.
Great news! This opens up many more avenues to tackle this problem. |
@ThomThomson this is never a good idea! Manually editing a saved object is prone to errors. We've seen many a kibana migration fail from corrupt documents, often the case when objects are manually edited.
++ |
I agree with @drewdaemon that this sounds more like a internal elastic developer focussed request than something we expect users would ever want/need to use. I don't have strong opinions about the implementation, but my suggestion would be to push these kinds of development-focussed hacks as close as possible to the team that depends on them. I would only change this in the dashboard plugin if there's no other way. In my opinion this is hack that's only relevant to fleet package / integration developers. So I wonder if fleet shouldn't add a development only configuration option that would set cc @elastic/fleet |
I think this is a good solution, but I don't know that we even need to track the Fleet already sets |
I really like where this is going. I feel that this is making the change in the right place and prevents us from complicating the logic around how we treat managed content in Kibana 👍 |
We'll want to make sure we don't box ourselves into a corner with this behavior. Using the kibana setting is fine for now, and will allow us to move quickly. However, we may want to consider making this a runtime settings configurable somewhere in Kibana for the future. Changing this behavior in serverless, for example, won't be possible if the setting is exposed only through I think in the interest of moving quickly, we should seek to solve this problem for today's ecosystem of integration development by using the |
That's a very good point that we have tp be proactive on and open an issue now for it. |
Makes sense.
A bit of context on this request (correct me if wrong @ruflin ): There's an idea that, in the future, we may give users the capabilities to build their own integrations directly in Kibana. The proposed runtime flag could be part of that. However, giving users these capabilities feels like a project in and of itself. Until we have someone defining and driving it, I'm not sure we need to go further than making sure we haven't ruled it out technically. |
I only recently discovered this discussion, the proposed approach looks generally good to me, at least by now, but I have some concerns:
So I think it is still worth considering to add some way to make dashboards editable.
Would it be an option to add the runtime toggle only in the EPM UI? So for example in the assets view, an "Edit", or "Make editable", button is added, and the Fleet plugin, that is the one that manages these assets, removes |
@jsoriano thanks for the comments. We know this isn't a perfect solution but we're aiming to unblock the integration developers quickly. Our tactical plan doesn't rule out future enhancements to the process of integration development. A few questions for you:
Could I hear more details on this? The only difference I know of is that we will keep users from editing or deleting managed content. Does this difference introduce risk into integration development?
Are users able to contribute changes today without using |
+1 to unblock this at least for local development environments.
Would it be an option to turn off the We could add something like an
Yes, there is an only difference now, but it is a difference, and I guess there can be more in the future. There is also a risk that we may have code that rely on these properties (now or in the future), and the only place where we won't have them is in packages development environments. For example I had to double-check if we use Maybe it is too nitpicky 🙂 but I see certain risk on removing something that uses to be there.
To work on packages you need |
I'm definitely okay with just unblocking the most common use case to make sure package developers can move forward with updating dashboards ASAP. I think we can confidently say that iterating on integration assets by using We haven't taken a stance one way or the other, but based on how the majority integration developers work and how this issue was raised by folks who work off of So, I think we should move forward with the implementation proposed here even if it is only limited to our officially support package development environment. This doesn't preclude us from improving support here in the future. For example, @jsoriano - I really like the idea of having a button + API call somewhere in Kibana to "unlock" a given asset for editing. But then we run into a similar problem set as we've discussed in this issue: in what environments/contexts do we allow users to actually take that action? Should we show the button and make the API accessible such that any user on any cluster could "unmanage" an asset at any time? That's probably not a great idea as it defeats the purpose of |
Is
Jill and I have discussed about this approach, and we think that it would be worth to explore this option. It adds an additional step when editing dashboard, but it would fit well with current development workflow, and we can deliver it faster as it would be a change only in We would add something like a new
@drewdaemon @kpollich do we expect to have something preventing to delete managed saved objects? I tried with the Delete saved objects API and it worked, but this API is deprecated. Is there going to be another API replacing this one? To confirm, these are the API operations we would need for this approach:
|
@jsoriano @rudolf would need to confirm but AFAIK, we don't have plans to delete these deprecated SO API's any time soon. We're' well aware that they're used extensively! |
@jsoriano I am currently driving the Kibana discussion on managed content. I have seen managed content as a UX, not a security feature. In other words, I have understood the request to be "stop users from accidentally getting into bad states" as opposed to "securely prevent motivated actors from circumventing controls." In that spirit, we are planning to have the UI prevent deleting and editing managed content. However, there are no current plans to lock edits or deletions to this content at the API level. I haven't yet been told that this is a problem, but feel free to chime in @kpollich . FWIW, there is an open discussion about possibly
I do not personally see a conflict between those decisions and your idea for |
Hi all, v0.94.0 of elastic-package has been released and includes the new Thank you everyone for your contributions! |
In #70461 Fleet asked for managed content to be readonly to stop users from losing changes on package upgrades.
In #166204 dashboards were made read-only. However, this prevents integration authors from making any changes to managed dashboards in 8.11. This prevents them from adopting any features introduced from 8.11 on.
We must provide integration developers with the ability to edit these assets.
Tasks
The text was updated successfully, but these errors were encountered: