Prior to the availability of the ML plugin contract, we were unable to perform these checks.
This causes the following errant behaviors:
- API users can create/update ML Rules regardless of their ML permissions.
- UI users can create an enabled ML Rule by importing it
NB that in both of the above situations, the user must have a valid ML license (platinum/trial).
This might merit a separate PR, but rule execution is going to be even trickier: since the rule executes with the permissions of the last person who modified it, ML services will need to be refactored to accept a non-extended cluster client (currently they expect paths like ml.jobs which do not exist on the scoped alerting client). Even then, a user could lose their ML permissions and the job will happily continue to execute with its own (now outdated) copy of that user's permissions.
Prior to the availability of the ML plugin contract, we were unable to perform these checks.
This causes the following errant behaviors:
NB that in both of the above situations, the user must have a valid ML license (platinum/trial).
This might merit a separate PR, but rule execution is going to be even trickier: since the rule executes with the permissions of the last person who modified it, ML services will need to be refactored to accept a non-extended cluster client (currently they expect paths like
ml.jobswhich do not exist on the scoped alerting client). Even then, a user could lose their ML permissions and the job will happily continue to execute with its own (now outdated) copy of that user's permissions.