[UIAM] Investigate the usage of fake request in Streams

[kc13greiner]

When running Kibana with UIAM, an error for Streams is showing up in the logs.

Source: #239713 (review)

Testing locally, authentication errors consistently log from the Streams feature. After a bit of digging, I believe it's related to their use of a fake request. Without context, this pattern looks suspicious at best. We need to understand their use case to see if their implementation is valid, or if changes need to be made to accommodate UIAM. Plugins should not be trying to access the authorization header directly:

https://github.com/kc13greiner/kibana/blob/d8fd317c4166c99b3da0e679ca2cc360ec60ea97/x-pack/platform/plugins/shared/streams/server/lib/streams/helpers/fake_request_factory.ts#L11-L22

[2025-10-21T09:43:48.607-04:00][DEBUG][plugins.security.authentication] Re-authenticating request due to error: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [<unauthenticated-cloud-access-token>] for REST request [/_security/user/_has_privileges]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\", charset=\"UTF-8\""]}}],"type":"security_exception","reason":"unable to authenticate user [<unauthenticated-cloud-access-token>] for REST request [/_security/user/_has_privileges]","header":{"WWW-Authenticate":["Bearer realm=\"security\"","ApiKey","Basic realm=\"security\", charset=\"UTF-8\""]}},"status":401}

[2025-10-21T09:43:48.609-04:00][ERROR][plugins.streams] Error: Failed to create AlertingAuthorization class: ResponseError: security_exception
        Root causes:
                security_exception: unable to authenticate user [<unauthenticated-cloud-access-token>] for REST request [/_security/user/_has_privileges]
    at Function.create (alerting_authorization.ts:155:13)
    at processTicksAndRejections (node:internal/process/task_queues:105:5)
    at RulesClientFactory.create (rules_client_factory.ts:127:27)
    at QueryService.getClientWithRequest (query_service.ts:36:25)
    at async Promise.all (index 0)
    at getScopedClients (plugin.ts:186:51)
    at handler (route.ts:97:31)
    at wrappedHandler (register_routes.ts:75:37)
    at handle (route.ts:161:26)
    at handler (route.ts:78:14)
    at Router.handle (router.ts:218:30)
    at router.ts:199:23
    at exports.Manager.execute (/Users/larry/repos/kibana/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at Object.internals.handler (/Users/larry/repos/kibana/node_modules/@hapi/hapi/lib/handler.js:46:20)
    at exports.execute (/Users/larry/repos/kibana/node_modules/@hapi/hapi/lib/handler.js:31:20)
    at Request._lifecycle (/Users/larry/repos/kibana/node_modules/@hapi/hapi/lib/request.js:370:32)
    at Request._execute (/Users/larry/repos/kibana/node_modules/@hapi/hapi/lib/request.js:280:9)

We should follow up with the Streams team as part of UIAM next steps.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[legrego]

@kdelemme tagging you here based on git blame. Can you help us understand the use of fake requests in the Streams / significant events feature? Plugins generally should not access the authorization header, and our testing has revealed the above issue when running with UIAM enabled (upcoming configuration that will be enabled for all Serverless projects).

I suspect this will also cause sporadic session-related issues even in non-serverless environments.

1. What is the fake request used for specifically?
2. Why is it required in lieu of a real request?

[kdelemme]

@legrego we fake the request used by the rule client in order to manage the rules associated to the significant event queries regardless of which space the user is using, since streams is space agnostic. If we were not binding the rule client to the default space, we would have issues when user creates a sign event query from a space and another attempt to delete or update it from another space.
@dgieselaar @shahzad31 to comment further

[legrego]

Ok, it seems like we have to rework that binding then.

Also, what happens to this feature for users who aren't authorized to access the default space? Would you expect these operations to fail?

[dgieselaar]

Also, what happens to this feature for users who aren't authorized to access the default space? Would you expect these operations to fail?

@legrego yes, I think it should break over a potential security leak. Is the latter the case with the current implementation? I would say errors are somewhat acceptable given this is tech preview and falls into the bucket of "we either make it work well with Elasticsearch or with Spaces" (regarding Streams as a whole) and we've opted for the former.

[flash1293]

@legrego do we have an ETA on input from the security team on this?

[legrego]

@azasypkin should be picking this up within our current iteration. I expect he will follow up soon.

[flash1293]

@legrego @azasypkin just mentioning that this keeps causing errors, see #245940

[azasypkin]

@legrego @azasypkin just mentioning that this keeps causing errors, see #245940

Yeah, as Larry mentioned in #239968 (comment), using the authorization header directly would lead to sporadic issues here and there, even in non-UIAM world, because whatever we have in authorization might expire at any moment. Putting it into FakeRequest breaks the link between these credentials and the user session that would have allowed us to refresh the token under the hood and retry the request invisibly to the consumer.

I've just started looking into this to see what options we have.