[RAC] Disable RAC multi-tenancy #108506
Merged
[RAC] Disable RAC multi-tenancy #108506
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Kerry350
added
Feature:Observability RAC
Feature:RAC
Kerry350
added
release_note:skip
Yeah, I think this is absolutely acceptable and let's prioritize other work over figuring that out. Thanks! |
jasonrhodes
approved these changes
Aug 13, 2021
banderror
approved these changes
Aug 13, 2021
| @@ -13,8 +13,14 @@ export const config = { | |||
| write: schema.object({ | |||
| enabled: schema.boolean({ defaultValue: false }), | |||
There was a problem hiding this comment.
Shall we change xpack.ruleRegistry.write.enabled to true by default now?
There was a problem hiding this comment.
It'll happen as part of #105237 and the "final wrap up" 👍
Comment on lines
+94
to
+101
| if (!hasEnabledWrite) return false; | ||
|
|
||
| // Not using legacy multi-tenancy | ||
| if (!hasSetCustomKibanaIndex) { | ||
| return hasEnabledWrite; | ||
| } else { | ||
| return hasSetUnsafeAccess; | ||
| } |
There was a problem hiding this comment.
Nit: maybe this could be easier to grasp (totally subjective)
if (hasEnabledWrite) {
return hasSetCustomKibanaIndex ? hasSetUnsafeAccess : true;
}
return false;
Merged
17 tasks
41 tasks
💚 Build SucceededMetrics [docs]Unknown metric groupsAPI count
API count missing comments
History
To update your PR or re-run it, just comment with: cc @Kerry350 |
Kerry350
added
the
auto-backport
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 16, 2021
* Disable RAC multi-tenancy
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
kibanamachine
added a commit
that referenced
this pull request
Aug 16, 2021
* Disable RAC multi-tenancy Co-authored-by: Kerry Gallagher <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implements #108393.
Customisation of the index used by the rule registry is no longer allowed. User's with
kibana.indexset will, by default, have no rule data written. They can however opt into an unsafe experience usingxpack.ruleRegistry.unsafe.legacyMultiTenancy.enabled.(Please see the ticket for more details).
Testing
Make sure you have a user with the ability to create indices for the later steps, when you set a custom kibana.index
The expectation is still that
xpack.ruleRegistry.write.enabledhas been set totrueFlows
Flow: User without a custom
kibana.indexExpectation: Data is written and viewable as normal
Flow: User has a custom
kibana.indexsetExpectation: Data isn't written
Flow: User has a custom
kibana.indexset andxpack.ruleRegistry.unsafe.legacyMultiTenancy.enabledset totrueExpectation: Data is written and viewable
UI disabling
Right now the
alertsUI and table isn't disabled (this won't break anything as there will be no data to query). We don't have access tokibana.indexeasily on the client side as we do on the server side. So we need to share information from the server side of the rule registry plugin, with the client side of the observability plugin. As it's server -> client we can't do a simple contract access. We could setup an API route. (Maybe I've missed an option 🤔). Jason and I discussed this, and it might be okay that the table displays, but just doesn't contain any data.