Skip to content

[Observability serverless] turn on custom roles by default#227878

Merged
pheyos merged 17 commits intoelastic:mainfrom
dominiqueclarke:feature/observability-custom-roles-on-by-default
Jul 18, 2025
Merged

[Observability serverless] turn on custom roles by default#227878
pheyos merged 17 commits intoelastic:mainfrom
dominiqueclarke:feature/observability-custom-roles-on-by-default

Conversation

@dominiqueclarke
Copy link
Copy Markdown
Contributor

@dominiqueclarke dominiqueclarke commented Jul 14, 2025
edited
Loading

Summary

Relates to #219861
Relates to https://github.com/elastic/observability-dev/issues/4539

Turns on Custom roles by default in serverless by turning on the feature flag

Original implementation found here.

Moves tests from the feature flag specific files to the standard files.

@github-actions github-actions bot added the author:obs-ux-management PRs authored by the obs ux management team label Jul 14, 2025
@dominiqueclarke dominiqueclarke force-pushed the feature/observability-custom-roles-on-by-default branch from cebc101 to 5970f48 Compare July 14, 2025 16:43
@dominiqueclarke dominiqueclarke changed the title observability serverless - turn on custom roles by default [Observability serverless] turn on custom roles by default Jul 14, 2025
@dominiqueclarke dominiqueclarke marked this pull request as ready for review July 14, 2025 16:45
@dominiqueclarke dominiqueclarke requested review from a team as code owners July 14, 2025 16:45
@dominiqueclarke dominiqueclarke requested review from a team as code owners July 14, 2025 16:53
@dominiqueclarke dominiqueclarke requested a review from a team as a code owner July 15, 2025 14:00
jeramysoucy
jeramysoucy requested changes Jul 15, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that we still have some tests that are specifically skipped for OBLT that can be unskipped now that we're enabling custom roles. Can we audit the code for instances like this and evaluate?

// custom roles are not enabled for observability projects
this.tags(['skipSvlOblt']);

config/serverless.oblt.yml Outdated

# Disable role management (custom roles)
xpack.security.roleManagementEnabled: false
xpack.security.roleManagementEnabled: true
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: as this defaults to true, I think we can just remove it, along with the comment.

mgiota
mgiota approved these changes Jul 16, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@mgiota mgiota left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code review, LGTM!

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
x-pack/test_serverless/api_integration/config.base.ts
...(options.serverlessProject !== 'oblt'
? ['xpack.security.authc.native_roles.enabled=true']
: []),
'xpack.security.authc.native_roles.enabled=true',
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to set the ES flag for all project types

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated this file to remove the skipSvlOblt tags that were preciously in place because custom roles was not yet supported on OBLT.

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
...test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the roles tests here, which are now run for OBLT from the common config/index.

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
x-pack/test_serverless/functional/config.base.ts
...(options.serverlessProject !== 'oblt'
? ['xpack.security.authc.native_roles.enabled=true']
: []),
'xpack.security.authc.native_roles.enabled=true',
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to set the ES flag to enable native roles for all project types now.

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
...erverless/functional/test_suites/common/platform_security/navigation/management_nav_cards.ts
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the skipSvlOblt tags that were here to handle when custom roles was not yet supported.

jeramysoucy
jeramysoucy reviewed Jul 16, 2025
View reviewed changes
x-pack/test_serverless/functional/test_suites/common/platform_security/roles.ts
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Jul 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I removed the skipSvlOblt tags that were here to handle when custom roles was not yet supported.

@botelastic botelastic bot added the ci:project-deploy-observability Create an Observability project label Jul 16, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Jul 16, 2025

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@jeramysoucy jeramysoucy requested a review from a team as a code owner July 17, 2025 07:40
csr
csr approved these changes Jul 17, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@csr csr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, left a few comments.

x-pack/test_serverless/functional/test_suites/common/platform_security/roles.ts
const platformSecurityUtils = getService('platformSecurityUtils');

describe('Roles', function () {
// custom roles are not enabled for observability projects
Copy link
Copy Markdown
Member

@csr csr Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jeramysoucy is the comment at the top still relevant?

// Note: this suite is currently only called from the feature flags test config:
// x-pack/test_serverless/functional/test_suites/search/config.feature_flags.ts
// This can be moved into the common config groups once custom roles are enabled
// permanently in serverless.

awahab07
awahab07 reviewed Jul 17, 2025
View reviewed changes
x-pack/test_serverless/functional/test_suites/observability/index.ts
// loadTestFile(require.resolve('./rules/es_query_consumer'));
loadTestFile(require.resolve('./rules/custom_threshold_consumer'));
loadTestFile(require.resolve('./rules/es_query_consumer'));
loadTestFile(require.resolve('./role_management'));
Copy link
Copy Markdown
Contributor

@awahab07 awahab07 Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kibana/x-pack/test_serverless/functional/test_suites/observability/role_management/custom_role_access.ts

Line 23 in 17c1381

this.tags(['skipMKI']);

The suite is skipped for MKI. Do we need to unskip it to be sure custom roles are working on MKI?

@dmlemeshko custom_role_access was added as an example, should it stay and be unkipped now that custom role management is enabled?

Copy link
Copy Markdown
Contributor Author

@dominiqueclarke dominiqueclarke Jul 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed here.

@dominiqueclarke
unskip tests in MKI
2e09361
@dominiqueclarke
Merge branch 'feature/observability-custom-roles-on-by-default' of gi…
7f8f6da 
…thub.com:dominiqueclarke/kibana into feature/observability-custom-roles-on-by-default
awahab07
awahab07 approved these changes Jul 17, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@awahab07 awahab07 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

obs-ux-logs changes LGTM

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jul 17, 2025
edited
Loading

💚 Build Succeeded

  • Buildkite Build
  • Commit: 7f8f6da
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-227878-7f8f6dad4c73

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
serverlessObservability 14.5KB 14.5KB +2.0B

History

@pheyos pheyos merged commit 9149e15 into elastic:main Jul 18, 2025
12 checks passed
Bluefinger pushed a commit to Bluefinger/kibana that referenced this pull request Jul 22, 2025
@dominiqueclarke @kibanamachine
@jeramysoucy @Bluefinger
[Observability serverless] turn on custom roles by default (elastic#2…
19e1301 
…27878)

## Summary

Relates to elastic#219861
Relates to elastic/observability-dev#4539

Turns on Custom roles by default in serverless by turning on the feature
flag

Original implementation found
[here](elastic#219861).

Moves tests from the feature flag specific files to the standard files.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
kertal pushed a commit to kertal/kibana that referenced this pull request Jul 25, 2025
@dominiqueclarke @kibanamachine
@jeramysoucy @kertal
[Observability serverless] turn on custom roles by default (elastic#2…
fdbf3c6 
…27878)

## Summary

Relates to elastic#219861
Relates to elastic/observability-dev#4539

Turns on Custom roles by default in serverless by turning on the feature
flag

Original implementation found
[here](elastic#219861).

Moves tests from the feature flag specific files to the standard files.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: “jeramysoucy” <jeramy.soucy@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@awahab07 awahab07 awahab07 approved these changes

@mgiota mgiota mgiota approved these changes

@csr csr csr approved these changes

@Ikuni17 Ikuni17 Ikuni17 approved these changes

@jeramysoucy jeramysoucy jeramysoucy approved these changes

Assignees

No one assigned

Labels

author:obs-ux-management PRs authored by the obs ux management team backport:skip This PR does not require backporting ci:project-deploy-observability Create an Observability project release_note:enhancement v9.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@dominiqueclarke @elasticmachine @awahab07 @mgiota @csr @Ikuni17 @jeramysoucy @pheyos @kibanamachine