[Infra UI] Error trying to fetch services without apm privilege

neptunian commented 1 month ago

Summary

If a user does not have apm privilege or elasticsearch privilege for related indices they cannot access services which calls to those indices. There should be a check and improved error messaging.

Steps to reproduce

Create a user with elasticsearch index privileges:
- indices: metrics-, metricbeat-
- privileges: 'read', 'view_index_metadata'
- and kibana privileges: Infrastructure
Navigate to Hosts View, click on a host to navigate to the Asset Details page

Possible solution

We could show the Services section only if application.uiCapabilities.apm.show is true.

Because roles could also be configured such that users could have permission to APM but not to read APM indices, we also need to check on the server side, before running the query, whether the current user has permission to read from APM indices (see an example here)

The endpoint should've returned 403 too.

elasticmachine commented 1 month ago

Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services)

crespocarlos commented 1 month ago

After creating a new service in apm_data_access to retrieve APM hosts, I had the same problem. Luckily a test caught it. The problem, as you said, is that infra's SO client passed when calling getApmIndices lacks permission to retrieve apm-indices object type.

crespocarlos commented 1 month ago

@roshan-elastic we need to prioritize this

roshan-elastic commented 1 month ago

Cheers both - it's nearly top of the maintenance backlog so it'll flow in once a slot frees up

elastic / kibana