New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ResponseOps][Alerting] Hiding all features in a space causes rules to stop running #145372
[ResponseOps][Alerting] Hiding all features in a space causes rules to stop running #145372
Conversation
Pinging @elastic/response-ops (Team:ResponseOps) |
💚 Build Succeeded
Metrics [docs]Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Tested locally, works as expected.
This change also makes it so that a user with access to a space where all features are disabled can still use the alerting API to list all rules from this space that were created before the features were disabled. I'm assuming that's ok? cc @mikecote |
If ^^ is true, we can't have the alerting API leak rule information for users who don't have access to the feature.. We might have to revisit the approach and revert / fix the change. |
This is what I tested:
Would be great to verify that others see this behavior as well. |
TBH, I was kinda confused by this issue, because I thought - well, if they don't have access to the features, they probably shouldn't be able to run rules. Was the thinking here resilience? To make sure the rule would keep running if someone accidentally made a bunch of feature changes? Especially given the unintended consequences ^^^, I think we should revisit. To me, ideally the rule would error out when run, and surface an actionable message to the user in the UX on what happened. |
The way I see it with my thinking is; when rules are created, they take a snapshot of the user's privileges in time and will keep running using those. So if the privileges or user roles have changed, the rule shouldn't be impacted by them and still run as what the snapshot encapsulated when the rule was created / updated. |
Resolves #144638
Summary
Removes logic that prevents rules from running when all features in a space are disabled.
Checklist
To verify