elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.68k stars 8.23k forks source link

[newsfeed] Requests to feeds.elastic.co should be disabled when `newsfeed.enabled: false` #158101

Open lukeelmers opened 1 year ago

lukeelmers commented 1 year ago

The newsfeed plugin is in charge of making requests to feeds.elastic.co and loading the latest content in the global top nav. Setting newsfeed.enabled: false will disable this behavior. The observability and security solution overview pages both call feeds.elastic.co as well to retrieve o11y & security-specific feeds.

In the security plugin, there is logic to make sure that the newsfeed.enabled setting is still respected:

https://github.com/elastic/kibana/blob/c94c6a4f252d7b4aa1e70c8b275b632c129aac00/x-pack/plugins/security_solution/public/common/components/news_feed/index.tsx#L24-L25

However, it appears observability does not have similar logic in place, so setting newsfeed.enabled: false has no effect:

https://github.com/elastic/kibana/blob/c94c6a4f252d7b4aa1e70c8b275b632c129aac00/x-pack/plugins/observability/public/pages/overview/components/news_feed/helpers/get_news_feed.ts#L37-L40

Making these calls configurable is desirable for users who are sensitive to Kibana making calls to external services, or who are operating in airgapped environments.

Two potential options:

  1. Update the observability plugin to respect the newsfeed.enabled setting, similar to what security does.
  2. Make the newsfeed plugin the source of truth for any calls to feeds.elastic.co. That means newsfeed would need to expose APIs to retrieve feeds by ID from the feeds.elastic.co service. Plugins would then include newsfeed as an optional dependency, and whenever newsfeed.enabled: false is set, all feeds would automatically be turned off.

Option (2) would mean involving the security solution team as well, and would carry some additional complexity because of how security solution is currently using uiSettings to control the feed:

https://github.com/elastic/kibana/blob/c94c6a4f252d7b4aa1e70c8b275b632c129aac00/x-pack/plugins/security_solution/server/ui_settings.ts#L205-L217

--

cc @simianhacker as the o11y newsfeed appears to be owned by actionable observability

elasticmachine commented 1 year ago

Pinging @elastic/kibana-core (Team:Core)

elasticmachine commented 1 year ago

Pinging @elastic/actionable-observability (Team: Actionable Observability)