Support for saved objects name attribute in audit log#206644
Merged
elena-shostak merged 35 commits intoelastic:mainfrom Jan 29, 2025
Merged
Support for saved objects name attribute in audit log#206644elena-shostak merged 35 commits intoelastic:mainfrom
elena-shostak merged 35 commits intoelastic:mainfrom
Conversation
341fee8 to
883fafd
Compare
Contributor
Author
|
/ci |
Dosant
approved these changes
Jan 20, 2025
Contributor
Dosant
left a comment
There was a problem hiding this comment.
src/platform/plugins/shared/files/server/integration_tests/file_service.test.ts lgtm
SiddharthMantri
approved these changes
Jan 22, 2025
Contributor
SiddharthMantri
left a comment
There was a problem hiding this comment.
Really cool! 🎉 I've left one nit below.
| namespaces = await getAvailableSpaces(); | ||
| } | ||
|
|
||
| const getFields = () => { |
Contributor
There was a problem hiding this comment.
Nit: Can this function change to a pure function so that it doesn't mutate the external variable fields? fields being an argument to the getFields function instead of maybe depending on it from the external context?
Contributor
Author
|
@elasticmachine merge upstream |
| return this.types.get(type)?.management?.importableAndExportable ?? false; | ||
| } | ||
|
|
||
| public getNameAttribute(type: string) { |
Contributor
There was a problem hiding this comment.
Having defaults as undefined isn't ideal because it leads to messy code where we're always having to safeguard against undefined properties.
WDYT about using a default such as "anonymous" or even "unnamed"? That way we could search for those more easily.
Contributor
Author
There was a problem hiding this comment.
Made it unknown since we mostly use it for audit (unknown outcome etc). Pushed in c3071cc
| title?: string; | ||
| }; | ||
|
|
||
| const fallbackTitle = attributes?.name ?? attributes?.title ?? ''; |
Contributor
There was a problem hiding this comment.
prefer explicit (if somewhat verbose) code that's easier to read for all developers.
for example:
Suggested change
| const fallbackTitle = attributes?.name ?? attributes?.title ?? ''; | |
| const fallbackTitle = attributes?.name || attributes?.title || ''; |
|
|
||
| if (nameAttribute) { | ||
| return ( | ||
| (attributes?.[nameAttribute as keyof (typeof savedObject)['attributes']] as string) ?? |
Contributor
There was a problem hiding this comment.
Isn't nameAttribute one of name, title or ''? We may need to make this clearer for non-typescript buffs. I, for one, find it hard to wrap my head around 😵💫
Contributor
Author
|
@elasticmachine merge upstream |
TinaHeiligers
approved these changes
Jan 28, 2025
Contributor
TinaHeiligers
left a comment
There was a problem hiding this comment.
Nicely done, LGTM on CI green
| */ | ||
| name: string; | ||
| /** | ||
| * The attribute path to the saved object's name |
Contributor
There was a problem hiding this comment.
Adding a bit more detail about where the nameAttribute is used and its behavior will prevent unintended use down the road. nameAttribute and name could get confusing to new consumers.
Suggested change
| * The attribute path to the saved object's name | |
| * The path to the attribute to be used as a human-readable name for audit logging. Defaults to the path to the name or title when not defined. |
Or something along those lines.
Contributor
|
The failing test was skipped in main. I'm pulling in the changes and re-running CI. |
Contributor
|
@elasticmachine merge upstream |
Contributor
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Public APIs missing exports
Unknown metric groupsAPI count
History
|
Contributor
|
Starting backport for target branches: 8.x |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 29, 2025
## Summary
Added support for human readable `name` attribute for saved objects
audit.
- Updated the saved object type/registration with `nameAttribute` option
- Updated the Saved Objects Security Extension to support passing object
names to the audit functions
- Updated the audit logger with a configuration option to opt out of
including saved object names (the SOR and SSC should be aware of this to
avoid operations when they are not necessary)
- Updated Saved Object Repository functions
- [x] `bulkCreate`
- [x] `bulkGet`
- [x] `bulkResolve`
- [x] `bulkUpdate`
- [x] `collectMultiNamespaceReferences`
- [x] `get`
- [x] `updateObjectsSpaces`
- [x] `bulkDelete`
- [x] `delete`
- [x] `removeReferencesTo`
- [x] Updated Secure Spaces Client functions
- [x] `auditObjectsForSpaceDeletion`
Functions that were not updated:
- `authorizeFind` - now we log audit before the actual find with only
types. Find is complex one, that can return a lot of saved objects. The
benefit of adding a separate audit event vs potential performance cost
can be considered negligible.
https://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/src/core/packages/saved-objects/api-server-internal/src/lib/apis/find.ts#L166
- `deleteByNamespace` - doesn't have an audit log itself, however is
used only along with the `delete` which adds audit log with SO name
https://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L223-L225
- `checkConflicts` - audit was intensionally bypassed
https://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/security/server/saved_objects/saved_objects_security_extension.ts#L945-L948
- `disableLegacyUrlAliases` - function calls `bulkUpdate` in the end
(which adds audit log with SO name already). Adding name to the
`disableLegacyUrlAliases` audit log, will result in double saved objects
get operation which is not feasible.
https://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L228-L234
## How to test
Best way to test it is from the `Manage Saved Objects` page with audit
enabled.
- Import some test data set from the main page.
- Go to the `Manage Saved Objects`:
- Update single SO
- Delete singe SO
- Bulk update SOs
- Bulk delete SOs
- Import/export SOs
### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
### Release note
Added support for human readable name attribute for saved objects audit
events.
__Closes: https://github.com/elastic/kibana/issues/200538__
---------
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit 7b26912)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 29, 2025
…#208680) # Backport This will backport the following commits from `main` to `8.x`: - [Support for saved objects name attribute in audit log (#206644)](#206644) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Elena Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-01-29T08:03:26Z","message":"Support for saved objects name attribute in audit log (#206644)\n\n## Summary\r\n\r\nAdded support for human readable `name` attribute for saved objects\r\naudit.\r\n- Updated the saved object type/registration with `nameAttribute` option\r\n- Updated the Saved Objects Security Extension to support passing object\r\nnames to the audit functions\r\n- Updated the audit logger with a configuration option to opt out of\r\nincluding saved object names (the SOR and SSC should be aware of this to\r\navoid operations when they are not necessary)\r\n- Updated Saved Object Repository functions\r\n - [x] `bulkCreate`\r\n - [x] `bulkGet`\r\n - [x] `bulkResolve`\r\n - [x] `bulkUpdate`\r\n - [x] `collectMultiNamespaceReferences`\r\n - [x] `get`\r\n - [x] `updateObjectsSpaces`\r\n - [x] `bulkDelete`\r\n - [x] `delete`\r\n - [x] `removeReferencesTo`\r\n- [x] Updated Secure Spaces Client functions\r\n - [x] `auditObjectsForSpaceDeletion`\r\n \r\nFunctions that were not updated:\r\n\r\n- `authorizeFind` - now we log audit before the actual find with only\r\ntypes. Find is complex one, that can return a lot of saved objects. The\r\nbenefit of adding a separate audit event vs potential performance cost\r\ncan be considered negligible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/src/core/packages/saved-objects/api-server-internal/src/lib/apis/find.ts#L166\r\n- `deleteByNamespace` - doesn't have an audit log itself, however is\r\nused only along with the `delete` which adds audit log with SO name\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L223-L225\r\n- `checkConflicts` - audit was intensionally bypassed\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/security/server/saved_objects/saved_objects_security_extension.ts#L945-L948\r\n- `disableLegacyUrlAliases` - function calls `bulkUpdate` in the end\r\n(which adds audit log with SO name already). Adding name to the\r\n`disableLegacyUrlAliases` audit log, will result in double saved objects\r\nget operation which is not feasible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L228-L234\r\n\r\n## How to test\r\n\r\nBest way to test it is from the `Manage Saved Objects` page with audit\r\nenabled.\r\n\r\n- Import some test data set from the main page.\r\n- Go to the `Manage Saved Objects`: \r\n - Update single SO\r\n - Delete singe SO\r\n - Bulk update SOs\r\n - Bulk delete SOs\r\n - Import/export SOs\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n### Release note\r\n\r\nAdded support for human readable name attribute for saved objects audit\r\nevents.\r\n\r\n\r\n__Closes: https://github.com/elastic/kibana/issues/200538__\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"7b269123857e9c40e3db6844e43cc9644724f2be","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Team:Security","v9.0.0","Feature:Security/Audit","backport:prev-minor"],"title":"Support for saved objects name attribute in audit log","number":206644,"url":"https://github.com/elastic/kibana/pull/206644","mergeCommit":{"message":"Support for saved objects name attribute in audit log (#206644)\n\n## Summary\r\n\r\nAdded support for human readable `name` attribute for saved objects\r\naudit.\r\n- Updated the saved object type/registration with `nameAttribute` option\r\n- Updated the Saved Objects Security Extension to support passing object\r\nnames to the audit functions\r\n- Updated the audit logger with a configuration option to opt out of\r\nincluding saved object names (the SOR and SSC should be aware of this to\r\navoid operations when they are not necessary)\r\n- Updated Saved Object Repository functions\r\n - [x] `bulkCreate`\r\n - [x] `bulkGet`\r\n - [x] `bulkResolve`\r\n - [x] `bulkUpdate`\r\n - [x] `collectMultiNamespaceReferences`\r\n - [x] `get`\r\n - [x] `updateObjectsSpaces`\r\n - [x] `bulkDelete`\r\n - [x] `delete`\r\n - [x] `removeReferencesTo`\r\n- [x] Updated Secure Spaces Client functions\r\n - [x] `auditObjectsForSpaceDeletion`\r\n \r\nFunctions that were not updated:\r\n\r\n- `authorizeFind` - now we log audit before the actual find with only\r\ntypes. Find is complex one, that can return a lot of saved objects. The\r\nbenefit of adding a separate audit event vs potential performance cost\r\ncan be considered negligible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/src/core/packages/saved-objects/api-server-internal/src/lib/apis/find.ts#L166\r\n- `deleteByNamespace` - doesn't have an audit log itself, however is\r\nused only along with the `delete` which adds audit log with SO name\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L223-L225\r\n- `checkConflicts` - audit was intensionally bypassed\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/security/server/saved_objects/saved_objects_security_extension.ts#L945-L948\r\n- `disableLegacyUrlAliases` - function calls `bulkUpdate` in the end\r\n(which adds audit log with SO name already). Adding name to the\r\n`disableLegacyUrlAliases` audit log, will result in double saved objects\r\nget operation which is not feasible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L228-L234\r\n\r\n## How to test\r\n\r\nBest way to test it is from the `Manage Saved Objects` page with audit\r\nenabled.\r\n\r\n- Import some test data set from the main page.\r\n- Go to the `Manage Saved Objects`: \r\n - Update single SO\r\n - Delete singe SO\r\n - Bulk update SOs\r\n - Bulk delete SOs\r\n - Import/export SOs\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n### Release note\r\n\r\nAdded support for human readable name attribute for saved objects audit\r\nevents.\r\n\r\n\r\n__Closes: https://github.com/elastic/kibana/issues/200538__\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"7b269123857e9c40e3db6844e43cc9644724f2be"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/206644","number":206644,"mergeCommit":{"message":"Support for saved objects name attribute in audit log (#206644)\n\n## Summary\r\n\r\nAdded support for human readable `name` attribute for saved objects\r\naudit.\r\n- Updated the saved object type/registration with `nameAttribute` option\r\n- Updated the Saved Objects Security Extension to support passing object\r\nnames to the audit functions\r\n- Updated the audit logger with a configuration option to opt out of\r\nincluding saved object names (the SOR and SSC should be aware of this to\r\navoid operations when they are not necessary)\r\n- Updated Saved Object Repository functions\r\n - [x] `bulkCreate`\r\n - [x] `bulkGet`\r\n - [x] `bulkResolve`\r\n - [x] `bulkUpdate`\r\n - [x] `collectMultiNamespaceReferences`\r\n - [x] `get`\r\n - [x] `updateObjectsSpaces`\r\n - [x] `bulkDelete`\r\n - [x] `delete`\r\n - [x] `removeReferencesTo`\r\n- [x] Updated Secure Spaces Client functions\r\n - [x] `auditObjectsForSpaceDeletion`\r\n \r\nFunctions that were not updated:\r\n\r\n- `authorizeFind` - now we log audit before the actual find with only\r\ntypes. Find is complex one, that can return a lot of saved objects. The\r\nbenefit of adding a separate audit event vs potential performance cost\r\ncan be considered negligible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/src/core/packages/saved-objects/api-server-internal/src/lib/apis/find.ts#L166\r\n- `deleteByNamespace` - doesn't have an audit log itself, however is\r\nused only along with the `delete` which adds audit log with SO name\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L223-L225\r\n- `checkConflicts` - audit was intensionally bypassed\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/security/server/saved_objects/saved_objects_security_extension.ts#L945-L948\r\n- `disableLegacyUrlAliases` - function calls `bulkUpdate` in the end\r\n(which adds audit log with SO name already). Adding name to the\r\n`disableLegacyUrlAliases` audit log, will result in double saved objects\r\nget operation which is not feasible.\r\n\r\nhttps://github.com/elastic/kibana/blob/2f6b9f67d8351a5688e9c3753a4a7234e466dc6a/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts#L228-L234\r\n\r\n## How to test\r\n\r\nBest way to test it is from the `Manage Saved Objects` page with audit\r\nenabled.\r\n\r\n- Import some test data set from the main page.\r\n- Go to the `Manage Saved Objects`: \r\n - Update single SO\r\n - Delete singe SO\r\n - Bulk update SOs\r\n - Bulk delete SOs\r\n - Import/export SOs\r\n\r\n\r\n### Checklist\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n- [x] The PR description includes the appropriate Release Notes section,\r\nand the correct `release_note:*` label is applied per the\r\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n### Release note\r\n\r\nAdded support for human readable name attribute for saved objects audit\r\nevents.\r\n\r\n\r\n__Closes: https://github.com/elastic/kibana/issues/200538__\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"7b269123857e9c40e3db6844e43cc9644724f2be"}}]}] BACKPORT--> Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Added support for human readable
nameattribute for saved objects audit.nameAttributeoptionbulkCreatebulkGetbulkResolvebulkUpdatecollectMultiNamespaceReferencesgetupdateObjectsSpacesbulkDeletedeleteremoveReferencesToauditObjectsForSpaceDeletionFunctions that were not updated:
authorizeFind- now we log audit before the actual find with only types. Find is complex one, that can return a lot of saved objects. The benefit of adding a separate audit event vs potential performance cost can be considered negligible.kibana/src/core/packages/saved-objects/api-server-internal/src/lib/apis/find.ts
Line 166 in 2f6b9f6
deleteByNamespace- doesn't have an audit log itself, however is used only along with thedeletewhich adds audit log with SO namekibana/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts
Lines 223 to 225 in 2f6b9f6
checkConflicts- audit was intensionally bypassedkibana/x-pack/platform/plugins/shared/security/server/saved_objects/saved_objects_security_extension.ts
Lines 945 to 948 in 2f6b9f6
disableLegacyUrlAliases- function callsbulkUpdatein the end (which adds audit log with SO name already). Adding name to thedisableLegacyUrlAliasesaudit log, will result in double saved objects get operation which is not feasible.kibana/x-pack/platform/plugins/shared/spaces/server/spaces_client/spaces_client.ts
Lines 228 to 234 in 2f6b9f6
How to test
Best way to test it is from the
Manage Saved Objectspage with audit enabled.Manage Saved Objects:Checklist
release_note:*label is applied per the guidelinesRelease note
Added support for human readable name attribute for saved objects audit events.
Closes: #200538
Closes: #100523