Skip to content

Commit

Permalink
Revert "[Infra][ECO] Fix RBAC issue in hosts view" (elastic#202418)
Browse files Browse the repository at this point in the history
  • Loading branch information
cauemarcondes authored and CAWilson94 committed Dec 9, 2024
1 parent 72e9d43 commit 3eb2a09
Show file tree
Hide file tree
Showing 19 changed files with 158 additions and 49 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,10 @@ export function registerAssistantFunctions({
ruleDataClient,
plugins,
getApmIndices: async () => {
const apmIndices = await plugins.apmDataAccess.setup.getApmIndices();
const coreContext = await resources.context.core;
const apmIndices = await plugins.apmDataAccess.setup.getApmIndices(
coreContext.savedObjects.client
);
return apmIndices;
},
};
Expand Down
11 changes: 9 additions & 2 deletions x-pack/plugins/observability_solution/apm/server/plugin.ts
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import { registerAssistantFunctions } from './assistant_functions';
import { registerDeprecations } from './deprecations';
import { APM_FEATURE, registerFeaturesUsage } from './feature';
import { createApmTelemetry } from './lib/apm_telemetry';
import { getInternalSavedObjectsClient } from './lib/helpers/get_internal_saved_objects_client';
import {
APM_RULE_TYPE_ALERT_CONTEXT,
apmRuleTypeAlertFieldMap,
Expand Down Expand Up @@ -114,15 +115,21 @@ export class APMPlugin
};
}) as APMRouteHandlerResources['plugins'];

const apmIndicesPromise = (async () => {
const coreStart = await getCoreStart();
const soClient = await getInternalSavedObjectsClient(coreStart);
const { getApmIndices } = plugins.apmDataAccess;
return getApmIndices(soClient);
})();

// This if else block will go away in favour of removing Home Tutorial Integration
// Ideally we will directly register a custom integration and pass the configs
// for cloud, onPrem and Serverless so that the actual component can take
// care of rendering
if (currentConfig.serverlessOnboarding && plugins.customIntegrations) {
plugins.customIntegrations?.registerCustomIntegration(apmTutorialCustomIntegration);
} else {
plugins.apmDataAccess
.getApmIndices()
apmIndicesPromise
.then((apmIndices) => {
plugins.home?.tutorials.registerTutorial(
tutorialProvider({
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,10 @@ export function registerRoutes({
);

const getApmIndices = async () => {
const apmIndices = await plugins.apmDataAccess.setup.getApmIndices();
const coreContext = await context.core;
const apmIndices = await plugins.apmDataAccess.setup.getApmIndices(
coreContext.savedObjects.client
);
return apmIndices;
};

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,8 @@ export const getAlertDetailsContextHandler = (
return async (requestContext, query) => {
const resources = {
getApmIndices: async () => {
return resourcePlugins.apmDataAccess.setup.getApmIndices();
const coreContext = await requestContext.core;
return resourcePlugins.apmDataAccess.setup.getApmIndices(coreContext.savedObjects.client);
},
request: requestContext.request,
params: { query: { _inspect: false } },
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* 2.0.
*/

import { Logger, CoreStart } from '@kbn/core/server';
import { Logger, CoreStart, SavedObjectsClientContract } from '@kbn/core/server';
import {
FleetStartContract,
PostPackagePolicyCreateCallback,
Expand All @@ -22,6 +22,7 @@ import {
SOURCE_MAP_API_KEY_PATH,
} from './get_package_policy_decorators';
import { createInternalESClient } from '../../lib/helpers/create_es_client/create_internal_es_client';
import { getInternalSavedObjectsClient } from '../../lib/helpers/get_internal_saved_objects_client';
import { APMRouteHandlerResources } from '../apm_routes/register_apm_server_routes';

export async function registerFleetPolicyCallbacks({
Expand Down Expand Up @@ -148,7 +149,7 @@ function onPackagePolicyCreateOrUpdate({
coreStart,
}: {
fleetPluginStart: FleetStartContract;
getApmIndices: () => Promise<APMIndices>;
getApmIndices: (soClient: SavedObjectsClientContract) => Promise<APMIndices>;
coreStart: CoreStart;
}): PutPackagePolicyUpdateCallback & PostPackagePolicyCreateCallback {
return async (packagePolicy) => {
Expand All @@ -157,7 +158,8 @@ function onPackagePolicyCreateOrUpdate({
}

const { asInternalUser } = coreStart.elasticsearch.client;
const apmIndices = await getApmIndices();
const savedObjectsClient = await getInternalSavedObjectsClient(coreStart);
const apmIndices = await getApmIndices(savedObjectsClient);

const internalESClient = await createInternalESClient({
debug: false,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,9 @@
"requiredPlugins": [
"data"
],
"optionalPlugins": [],
"optionalPlugins": [
"security"
],
"requiredBundles": []
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -91,6 +91,7 @@ export type {
APMEventESSearchRequest,
APMLogEventESSearchRequest,
DocumentSourcesRequest,
ApmDataAccessPrivilegesCheck,
HostNamesRequest,
GetDocumentTypeParams,
} from './types';
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { KibanaRequest } from '@kbn/core-http-server';
import { SecurityPluginStart } from '@kbn/security-plugin-types-server';
import { mapValues } from 'lodash';
import { APMIndices } from '..';

export interface ApmDataAccessPrivilegesCheck {
request: KibanaRequest;
security?: SecurityPluginStart;
getApmIndices: () => Promise<APMIndices>;
}

export async function checkPrivileges({
request,
getApmIndices,
security,
}: ApmDataAccessPrivilegesCheck) {
const authorization = security?.authz;
if (!authorization) {
return true;
}

const [apmIndices, checkPrivilegesFn] = await Promise.all([
getApmIndices(),
authorization.checkPrivilegesDynamicallyWithRequest(request),
]);

const { hasAllRequested } = await checkPrivilegesFn({
elasticsearch: {
cluster: [],
index: mapValues(apmIndices, () => ['read']),
},
});

return hasAllRequested;
}
Original file line number Diff line number Diff line change
Expand Up @@ -5,19 +5,32 @@
* 2.0.
*/

import { PluginInitializerContext, CoreSetup, CoreStart, Plugin, Logger } from '@kbn/core/server';
import {
PluginInitializerContext,
CoreSetup,
CoreStart,
Plugin,
SavedObjectsClientContract,
Logger,
} from '@kbn/core/server';
import { APMDataAccessConfig } from '.';
import { ApmDataAccessPluginSetup, ApmDataAccessPluginStart } from './types';
import {
ApmDataAccessPluginSetup,
ApmDataAccessPluginStart,
ApmDataAccessServerDependencies,
} from './types';
import { migrateLegacyAPMIndicesToSpaceAware } from './saved_objects/migrations/migrate_legacy_apm_indices_to_space_aware';
import {
apmIndicesSavedObjectDefinition,
getApmIndicesSavedObject,
} from './saved_objects/apm_indices';
import { getServices } from './services/get_services';
import { ApmDataAccessPrivilegesCheck, checkPrivileges } from './lib/check_privileges';

export class ApmDataAccessPlugin
implements Plugin<ApmDataAccessPluginSetup, ApmDataAccessPluginStart>
{
public server?: ApmDataAccessServerDependencies;
public config: APMDataAccessConfig;
public logger: Logger;

Expand All @@ -26,34 +39,45 @@ export class ApmDataAccessPlugin
this.logger = initContext.logger.get();
}

getApmIndices = async (savedObjectsClient: SavedObjectsClientContract) => {
const apmIndicesFromSavedObject = await getApmIndicesSavedObject(savedObjectsClient);
return { ...this.config.indices, ...apmIndicesFromSavedObject };
};

public setup(core: CoreSetup): ApmDataAccessPluginSetup {
// register saved object
core.savedObjects.registerType(apmIndicesSavedObjectDefinition);

const getApmIndices = async () => {
const [coreStart] = await core.getStartServices();
const soClient = await coreStart.savedObjects.createInternalRepository();

const apmIndicesFromSavedObject = await getApmIndicesSavedObject(soClient);
return { ...this.config.indices, ...apmIndicesFromSavedObject };
};

// expose
return {
apmIndicesFromConfigFile: this.config.indices,
getApmIndices,
getApmIndices: this.getApmIndices,
getServices,
};
}

public start(core: CoreStart) {
public start(core: CoreStart, plugins: ApmDataAccessServerDependencies) {
// TODO: remove in 9.0
migrateLegacyAPMIndicesToSpaceAware({ coreStart: core, logger: this.logger }).catch((e) => {
this.logger.error('Failed to run migration making APM indices space aware');
this.logger.error(e);
});

return {};
const getApmIndicesWithInternalUserFn = async () => {
const soClient = core.savedObjects.createInternalRepository();
return this.getApmIndices(soClient);
};

const startServices = {
hasPrivileges: ({ request }: Pick<ApmDataAccessPrivilegesCheck, 'request'>) =>
checkPrivileges({
request,
getApmIndices: getApmIndicesWithInternalUserFn,
security: plugins.security,
}),
};

return { ...startServices };
}

public stop() {}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,28 @@
* 2.0.
*/

import { SavedObjectsClientContract } from '@kbn/core-saved-objects-api-server';
import type { SecurityPluginStart } from '@kbn/security-plugin-types-server';
import type { APMIndices } from '.';
import { getServices } from './services/get_services';
import type { ApmDataAccessPrivilegesCheck } from './lib/check_privileges';

export interface ApmDataAccessPluginSetup {
apmIndicesFromConfigFile: APMIndices;
getApmIndices: () => Promise<APMIndices>;
getApmIndices: (soClient: SavedObjectsClientContract) => Promise<APMIndices>;
getServices: typeof getServices;
}

// eslint-disable-next-line @typescript-eslint/no-empty-interface
export interface ApmDataAccessPluginStart {}
export interface ApmDataAccessServerDependencies {
security?: SecurityPluginStart;
}

export interface ApmDataAccessPluginStart {
hasPrivileges: (params: Pick<ApmDataAccessPrivilegesCheck, 'request'>) => Promise<boolean>;
}
export interface ApmDataAccessServerDependencies {
security?: SecurityPluginStart;
}

export type ApmDataAccessServices = ReturnType<typeof getServices>;
export type { ApmDataAccessServicesParams } from './services/get_services';
Expand All @@ -27,3 +38,4 @@ export type {
APMEventESSearchRequest,
APMLogEventESSearchRequest,
} from './lib/helpers';
export type { ApmDataAccessPrivilegesCheck };
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
"@kbn/config-schema",
"@kbn/core",
"@kbn/i18n",
"@kbn/core-saved-objects-api-server",
"@kbn/data-plugin",
"@kbn/inspector-plugin",
"@kbn/observability-plugin",
Expand All @@ -17,6 +18,8 @@
"@kbn/apm-types",
"@kbn/core-http-server-mocks",
"@kbn/apm-utils",
"@kbn/core-http-server",
"@kbn/security-plugin-types-server",
"@kbn/utility-types",
"@kbn/elastic-agent-utils",
"@kbn/observability-utils-common"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,17 +27,23 @@ export const getApmDataAccessClient = ({
context: InfraPluginRequestHandlerContext;
request: KibanaRequest;
}) => {
const hasPrivileges = async () => {
const apmDataAccessStart = await libs.plugins.apmDataAccess.start();
return apmDataAccessStart.hasPrivileges({ request });
};

const getServices = async () => {
const apmDataAccess = libs.plugins.apmDataAccess.setup;

const coreContext = await context.core;

const { uiSettings, elasticsearch } = coreContext;
const { savedObjects, uiSettings, elasticsearch } = coreContext;
const savedObjectsClient = savedObjects.client;
const esClient = elasticsearch.client.asCurrentUser;
const uiSettingsClient = uiSettings.client;

const [apmIndices, includeFrozen] = await Promise.all([
apmDataAccess.getApmIndices(),
apmDataAccess.getApmIndices(savedObjectsClient),
uiSettingsClient.get<boolean>(UI_SETTINGS.SEARCH_INCLUDE_FROZEN),
]);

Expand Down Expand Up @@ -80,5 +86,5 @@ export const getApmDataAccessClient = ({
};
};

return { getServices };
return { hasPrivileges, getServices };
};
Original file line number Diff line number Diff line change
Expand Up @@ -41,11 +41,12 @@ export const initInfraAssetRoutes = (libs: InfraBackendLibs) => {

try {
const apmDataAccessClient = getApmDataAccessClient({ request, libs, context });
const hasApmPrivileges = await apmDataAccessClient.hasPrivileges();

const [infraMetricsClient, alertsClient, apmDataAccessServices] = await Promise.all([
getInfraMetricsClient({ request, libs, context }),
getInfraAlertsClient({ libs, request }),
apmDataAccessClient.getServices(),
hasApmPrivileges ? apmDataAccessClient.getServices() : undefined,
]);

const hosts = await getHosts({
Expand Down Expand Up @@ -96,10 +97,11 @@ export const initInfraAssetRoutes = (libs: InfraBackendLibs) => {

try {
const apmDataAccessClient = getApmDataAccessClient({ request, libs, context });
const hasApmPrivileges = await apmDataAccessClient.hasPrivileges();

const [infraMetricsClient, apmDataAccessServices] = await Promise.all([
getInfraMetricsClient({ request, libs, context }),
apmDataAccessClient.getServices(),
hasApmPrivileges ? apmDataAccessClient.getServices() : undefined,
]);

const count = await getHostsCount({
Expand Down
Loading

0 comments on commit 3eb2a09

Please sign in to comment.