Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Discover] Do not update defaultIndex in case of insufficient permissions #134202

Merged
merged 13 commits into from
Jun 24, 2022
Merged

[Discover] Do not update defaultIndex in case of insufficient permissions #134202

merged 13 commits into from
Jun 24, 2022

Conversation

kertal
Copy link
Member

@kertal kertal commented Jun 13, 2022
edited
Loading

Summary

This PR prevents Discover from updating the defaultIndex uiSettings which can lead to a 403 error message when the user doesn't have permissions. getDefaultDataView of DataViewsService returns the needed defaultIndex also without updating, when the user has insufficient permissions. Works also in Dashboard, Visualizations ...

Testing

  • Add demo date e.g. Kibana eCommerce orders
  • Create a user having a role that has only readonly permissions to Discover.
  • Remove the defaultIndex value in Advanced settings.
  • Login with the new user
  • When navigating to Discover, there should be no error toast

Fixes #46124

Checklist

@kertal kertal self-assigned this Jun 13, 2022
@kertal kertal added Feature:Discover Discover Application Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. labels Jun 13, 2022
@kertal kertal changed the title [Discover] Do not update defaultIndex when not set [Discover] Do not update defaultIndex when not set or invalid Jun 14, 2022
@kertal kertal marked this pull request as ready for review June 14, 2022 06:23
@kertal kertal requested review from a team as code owners June 14, 2022 06:23
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

jughosta
jughosta reviewed Jun 14, 2022
View reviewed changes
Copy link
Contributor

@jughosta jughosta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue is still present for Dashboard and Visualize apps.

src/plugins/data_views/common/data_views/data_views.ts Outdated
const patterns = await this.getIdsWithTitle();
let defaultId: string | undefined = await this.config.get('defaultIndex');
const exists = defaultId ? patterns.some((pattern) => pattern.id === defaultId) : false;

if (defaultId && !exists) {
await this.config.remove('defaultIndex');
if (update) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It could be better here to check user's write-rights before trying to modify the settings. Do we have such API?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's a good question, @mattkime, can we? of course this would be a better pattern. What we did currently in Discover is, preventing to set the value in config, because it's not necessary in our domain.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use capabilities.advangedSettings.save?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jughosta yes, thx, we should! I've refactored it to check for permissions, instead of adding another param to the function. This way, it also should work for other consumers of this functionality (Dashboard ...) ... let's see, if CI agrees

@kertal
Copy link
Member Author

kertal commented Jun 14, 2022

The issue is still present for Dashboard and Visualize apps.

Yes, we can be sure that it works in Discover, but e.g in has to be set defaultIndex has to be set, because it's requested in TSVB .. however it shouldn't be a big thing to remove it, so I would suggest opening 2 separate issues so the teams can check.

@kertal kertal requested a review from mattkime June 14, 2022 08:41
@kertal
Copy link
Member Author

kertal commented Jun 17, 2022

@elasticmachine merge upstream

@kertal
Copy link
Member Author

kertal commented Jun 20, 2022

@elasticmachine merge upstream

@kertal
Copy link
Member Author

kertal commented Jun 21, 2022

@elasticmachine merge upstream

jughosta
jughosta approved these changes Jun 21, 2022
View reviewed changes
Copy link
Contributor

@jughosta jughosta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the changes! LGTM 👍

We should probably also update the copy for settings with "data view"
Screenshot 2022-06-21 at 10 39 27

@kertal kertal requested a review from mattkime June 21, 2022 15:59
@kertal kertal changed the title [Discover] Do not update defaultIndex when not set or invalid [Discover] Do not update defaultIndex when insufficient permissions Jun 22, 2022
mattkime
mattkime approved these changes Jun 22, 2022
View reviewed changes
Copy link
Contributor

@mattkime mattkime left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather see the defaultIndex value updated with a system level privileged but I'm not sure thats possible right now so 🚢 it!

Oh, I'd like to see getCanSaveAdvancedSettings marked private before this is merged

mattkime
mattkime reviewed Jun 22, 2022
View reviewed changes
src/plugins/data_views/common/data_views/data_views.ts Outdated
/**
* Can the user save advanced settings?
*/
public getCanSaveAdvancedSettings: () => Promise<boolean>;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be private, as its only use is internal to getDefaultDataView

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mattkime I did but now TypeScript is complaining, can you help

property 'getCanSaveAdvancedSettings' is private in type 'DataViewsServicePublic' but not in type 'DataViewsServicePublic'.

@kertal kertal force-pushed the discover-omit-update-defaultIndex branch from 85042cf to cab0d7f Compare June 22, 2022 14:03
@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
dataViews 40.5KB 40.8KB +281.0B
Unknown metric groups

API count

id before after diff
dataViews 927 928 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @kertal

@kertal
Copy link
Member Author

kertal commented Jun 24, 2022

@mattkime :) so simple! Thx!

@kertal kertal changed the title [Discover] Do not update defaultIndex when insufficient permissions [Discover] Do not update defaultIndex in case of insufficient permissions Jun 24, 2022
@kertal kertal merged commit b475ed6 into elastic:main Jun 24, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Jun 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mattkime mattkime mattkime approved these changes

@jughosta jughosta jughosta approved these changes

Assignees

@kertal kertal

Labels
backport:skip This commit does not require backporting :DataDiscovery/fix-it-week Feature:Discover Discover Application release_note:fix Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. v8.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Error when accessing Discover as a read only user without index patterns / default index pattern
7 participants
@kertal @elasticmachine @kibana-ci @mattkime @jughosta @kibanamachine @mistic