Open neptunian opened 1 month ago
Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services)
After creating a new service in apm_data_access
to retrieve APM hosts, I had the same problem. Luckily a test caught it. The problem, as you said, is that infra's SO client passed when calling getApmIndices
lacks permission to retrieve apm-indices
object type.
@roshan-elastic we need to prioritize this
Cheers both - it's nearly top of the maintenance backlog so it'll flow in once a slot frees up
Summary
If a user does not have
apm
privilege or elasticsearch privilege for related indices they cannot access services which calls to those indices. There should be a check and improved error messaging.Steps to reproduce
Possible solution
We could show the Services section only if
application.uiCapabilities.apm.show
istrue
.Because roles could also be configured such that users could have permission to APM but not to read APM indices, we also need to check on the server side, before running the query, whether the current user has permission to read from APM indices (see an example here)
The endpoint should've returned 403 too.