elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[SLO][Fleet] Reauthorize SLO transforms #189756

Open mgiota opened 3 months ago

mgiota commented 3 months ago

Summary

As part of this PR, a secondary authorization header was added to Transforms in Fleet, making the permissions/privileges dependent on the logged-in user. Previously everything was installed as the kibana_system user, which has limited permissions to a specific set of indices defined internally.

When SLO assets are installed, transforms get installed as well. The secondary authorization header that was added to Transforms in Fleet didn't automatically get applied to SLO transforms, since SLO assets are installed as kibana assets and the secondary authorization header is currently applied only to ES assets.

Thus, in this PR, which handles the installation of SLO assets in Fleet, we hit the following permission error:

[Screenshots: Screenshot 2024-08-01 at 22 58 59, Screenshot 2024-08-01 at 22 56 21]

✅ Acceptance criteria

Adapt the SLO installation process to incorporate the Transform reauthorization process

[Screenshots: Screenshot 2024-08-01 at 23 24 23, Screenshot 2024-08-01 at 23 25 30, Screenshot 2024-08-01 at 23 26 47, Screenshot 2024-08-01 at 23 27 00]

mgiota commented 3 months ago

I created a temp commit branched from this PR. I adapted the existing Transforms Reauthorization process to take SLO transforms into consideration as well. Here's what the Reauthorization workflow looks like so far:

https://github.com/user-attachments/assets/a4e00769-8a0b-4091-9efc-ec8147e6da85

This is still WIP, since I am clarifying the workflow with the Fleet team in this thread.

cc @qn895

elasticmachine commented 3 months ago

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)