Sessionless user profile retrieval#249839
Merged
jeramysoucy merged 36 commits intoelastic:mainfrom Feb 20, 2026
Merged
Conversation
Contributor
Author
|
/ci |
jeramysoucy
commented
Jan 21, 2026
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Outdated
Show resolved
Hide resolved
jeramysoucy
commented
Jan 21, 2026
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
jeramysoucy
commented
Jan 22, 2026
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
jeramysoucy
commented
Jan 22, 2026
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
jeramysoucy
commented
Jan 22, 2026
Comment on lines
+273
to
+277
| const activatedProfile = await this.activate(clusterClient, { | ||
| type: 'password', | ||
| username, | ||
| password, | ||
| }); // ToDo: should we instead catch and wrap the error, or return gracefully with null?ß |
Contributor
Author
There was a problem hiding this comment.
I wonder if it makes more sense to catch and gracefully return null here.
jeramysoucy
commented
Jan 22, 2026
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
Contributor
|
Pinging @elastic/kibana-security (Team:Security) |
Contributor
rgodfrey-elastic
left a comment
There was a problem hiding this comment.
Everything looks good and seems to work well! I left a couple comments/questions. Let me know what you think
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Outdated
Show resolved
Hide resolved
x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts
Show resolved
Hide resolved
Contributor
Author
|
@rgodfrey-elastic Thanks for the thorough review! I believe I addressed all of your concerns in a3af1ad |
rgodfrey-elastic
approved these changes
Feb 13, 2026
Contributor
rgodfrey-elastic
left a comment
There was a problem hiding this comment.
LGTM. Thanks for making those changes
| describe('no profiles', () => { | ||
| it('returns the users correctly without profile ids', async () => { | ||
| const postedCase = await createCase(supertest, getPostCaseRequest()); | ||
| // We need an API key without security or API privileges to ensure that requests |
Contributor
There was a problem hiding this comment.
Thanks for this comment
jeramysoucy
commented
Feb 19, 2026
| privileges: ['*'], // 'feature_securitySolutionCases.all', <- not sure why this was not enough | ||
| privileges: [ | ||
| 'feature_securitySolutionCasesV2.all', | ||
| 'feature_securitySolutionFixture.all', |
Contributor
Author
There was a problem hiding this comment.
This feature privilege appears to be needed to create the test Case as it is defined.
Contributor
There was a problem hiding this comment.
Most likely due to the configuration here:https://github.com/elastic/kibana/blob/main/x-pack/platform/test/cases_api_integration/common/plugins/security_solution/kibana.jsonc meaning you need access to security solution via this fixture to be able to create a case in security
Contributor
💚 Build Succeeded
Metrics [docs]
History
|
michaelolo24
approved these changes
Feb 19, 2026
Contributor
michaelolo24
left a comment
There was a problem hiding this comment.
Thanks for making these changes!
Contributor
|
Starting backport for target branches: 9.3 |
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 20, 2026
Closes elastic#245091 ## Summary This PR enhances the user profile [getCurrent function](https://github.com/elastic/kibana/blob/a7aca33f10bc8ccf0c4c71c458ffdc06e1e5124a/x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.ts#L191-L242) API, and subsequently the `/internal/security/user_profile` endpoint, to retrieve the user profile for requests authenticated via `basic` and `apikey` authorization headers. No breaking changes or release notes - only internal APIs are enhanced and retain original behavior. ### Telemetry This PR adds an OTel counter for invocations of the getCurrent function, with optional attributes for when profile activation or API key retrieval is required. Note: The counter is not increased if authorization is not via session, basic, or API key. However, in this case nothing happens and `null` is returned. ### Tests - x-pack/platform/plugins/shared/security/server/user_profile/user_profile_service.test.ts - x-pack/platform/test/security_api_integration/tests/user_profiles/get_current.ts - x-pack/platform/test/cases_api_integration/security_and_spaces/config_basic.ts - x-pack/platform/test/cases_api_integration/security_and_spaces/config_trial.ts The cases tests had to be updated to account for the additionally activated user profiles. Note: I have temporarily skipped some tests which aimed to confirm when no profile is available. I am currently evaluating whether these tests should remain and how to implement them given the changes. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 6447a06)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
Contributor
|
Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync. |
Merged
10 tasks
jeramysoucy
added a commit
that referenced
this pull request
Mar 11, 2026
…ouldAddAccessControl (#255065) ## Summary This PR changes how the dashboard save modal determines if access control metadata should be added to a dashboard. Previously it used the user profile service, however, since #249839, the getCurrent function now attempts to retrieve the user profile when the incoming request is authenticated via Basic or API key. This resulted in adding the access control metadata when authenticated to the UI via a proxy or the anonymous authc provider. The Saved Object Repository does not use the user profiles service to determine the current user, but rather the authentication service, which does not retrieve the user profile when authenticated via API key. This caused errors when creating dashboards in the UI when authenticated via a proxy or the anonymous authc provider - the UI would add the access control meta data and the SO repository would reject the operation due to lacking a profile ID for the owner field. This PR implements a short term solution by switching to the authentication service in the dashboard save modal - matching the mechanism of checking for an active profile ID in the SO repository. A longer-term solution might be different, should we want to support creating dashboards with access control via API key. In this case, we would need to modify the SO repository code (actually, the security extension), if feasible, to use the user profile service. However, his may introduce too much overhead. ### Testing The easiest way to test this fix is to configure the anonymous authentication provider. When users are authenticated anonymously they do not activate a user profile. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... ## Release note Fixes an issue where saving a dashboard included access control features when a user profile, which is required for access control, was not available. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 11, 2026
…ouldAddAccessControl (elastic#255065) ## Summary This PR changes how the dashboard save modal determines if access control metadata should be added to a dashboard. Previously it used the user profile service, however, since elastic#249839, the getCurrent function now attempts to retrieve the user profile when the incoming request is authenticated via Basic or API key. This resulted in adding the access control metadata when authenticated to the UI via a proxy or the anonymous authc provider. The Saved Object Repository does not use the user profiles service to determine the current user, but rather the authentication service, which does not retrieve the user profile when authenticated via API key. This caused errors when creating dashboards in the UI when authenticated via a proxy or the anonymous authc provider - the UI would add the access control meta data and the SO repository would reject the operation due to lacking a profile ID for the owner field. This PR implements a short term solution by switching to the authentication service in the dashboard save modal - matching the mechanism of checking for an active profile ID in the SO repository. A longer-term solution might be different, should we want to support creating dashboards with access control via API key. In this case, we would need to modify the SO repository code (actually, the security extension), if feasible, to use the user profile service. However, his may introduce too much overhead. ### Testing The easiest way to test this fix is to configure the anonymous authentication provider. When users are authenticated anonymously they do not activate a user profile. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... ## Release note Fixes an issue where saving a dashboard included access control features when a user profile, which is required for access control, was not available. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 009aea1)
kibanamachine
added a commit
that referenced
this pull request
Mar 11, 2026
… getShouldAddAccessControl (#255065) (#257050) # Backport This will backport the following commits from `main` to `9.3`: - [[Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl (#255065)](#255065) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Jeramy Soucy","email":"jeramy.soucy@elastic.co"},"sourceCommit":{"committedDate":"2026-03-11T08:37:12Z","message":"[Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl (#255065)\n\n## Summary\n\nThis PR changes how the dashboard save modal determines if access\ncontrol metadata should be added to a dashboard. Previously it used the\nuser profile service, however, since\nhttps://github.com//pull/249839, the getCurrent function\nnow attempts to retrieve the user profile when the incoming request is\nauthenticated via Basic or API key. This resulted in adding the access\ncontrol metadata when authenticated to the UI via a proxy or the\nanonymous authc provider.\n\nThe Saved Object Repository does not use the user profiles service to\ndetermine the current user, but rather the authentication service, which\ndoes not retrieve the user profile when authenticated via API key. This\ncaused errors when creating dashboards in the UI when authenticated via\na proxy or the anonymous authc provider - the UI would add the access\ncontrol meta data and the SO repository would reject the operation due\nto lacking a profile ID for the owner field.\n\nThis PR implements a short term solution by switching to the\nauthentication service in the dashboard save modal - matching the\nmechanism of checking for an active profile ID in the SO repository.\n\nA longer-term solution might be different, should we want to support\ncreating dashboards with access control via API key. In this case, we\nwould need to modify the SO repository code (actually, the security\nextension), if feasible, to use the user profile service. However, his\nmay introduce too much overhead.\n\n### Testing\n\nThe easiest way to test this fix is to configure the anonymous\nauthentication provider. When users are authenticated anonymously they\ndo not activate a user profile.\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [X] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...\n\n## Release note\nFixes an issue where saving a dashboard included access control features\nwhen a user profile, which is required for access control, was not\navailable.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"009aea16e601c1dad4a3f1b55754bd239fb4b65d","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Dashboard","release_note:fix","Team:Security","Team:Presentation","loe:small","impact:low","backport:version","v9.4.0","v9.3.2"],"title":"[Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl","number":255065,"url":"https://github.com/elastic/kibana/pull/255065","mergeCommit":{"message":"[Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl (#255065)\n\n## Summary\n\nThis PR changes how the dashboard save modal determines if access\ncontrol metadata should be added to a dashboard. Previously it used the\nuser profile service, however, since\nhttps://github.com//pull/249839, the getCurrent function\nnow attempts to retrieve the user profile when the incoming request is\nauthenticated via Basic or API key. This resulted in adding the access\ncontrol metadata when authenticated to the UI via a proxy or the\nanonymous authc provider.\n\nThe Saved Object Repository does not use the user profiles service to\ndetermine the current user, but rather the authentication service, which\ndoes not retrieve the user profile when authenticated via API key. This\ncaused errors when creating dashboards in the UI when authenticated via\na proxy or the anonymous authc provider - the UI would add the access\ncontrol meta data and the SO repository would reject the operation due\nto lacking a profile ID for the owner field.\n\nThis PR implements a short term solution by switching to the\nauthentication service in the dashboard save modal - matching the\nmechanism of checking for an active profile ID in the SO repository.\n\nA longer-term solution might be different, should we want to support\ncreating dashboards with access control via API key. In this case, we\nwould need to modify the SO repository code (actually, the security\nextension), if feasible, to use the user profile service. However, his\nmay introduce too much overhead.\n\n### Testing\n\nThe easiest way to test this fix is to configure the anonymous\nauthentication provider. When users are authenticated anonymously they\ndo not activate a user profile.\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [X] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...\n\n## Release note\nFixes an issue where saving a dashboard included access control features\nwhen a user profile, which is required for access control, was not\navailable.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"009aea16e601c1dad4a3f1b55754bd239fb4b65d"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/255065","number":255065,"mergeCommit":{"message":"[Write-restricted dashboards] Update user profile retrieval for getShouldAddAccessControl (#255065)\n\n## Summary\n\nThis PR changes how the dashboard save modal determines if access\ncontrol metadata should be added to a dashboard. Previously it used the\nuser profile service, however, since\nhttps://github.com//pull/249839, the getCurrent function\nnow attempts to retrieve the user profile when the incoming request is\nauthenticated via Basic or API key. This resulted in adding the access\ncontrol metadata when authenticated to the UI via a proxy or the\nanonymous authc provider.\n\nThe Saved Object Repository does not use the user profiles service to\ndetermine the current user, but rather the authentication service, which\ndoes not retrieve the user profile when authenticated via API key. This\ncaused errors when creating dashboards in the UI when authenticated via\na proxy or the anonymous authc provider - the UI would add the access\ncontrol meta data and the SO repository would reject the operation due\nto lacking a profile ID for the owner field.\n\nThis PR implements a short term solution by switching to the\nauthentication service in the dashboard save modal - matching the\nmechanism of checking for an active profile ID in the SO repository.\n\nA longer-term solution might be different, should we want to support\ncreating dashboards with access control via API key. In this case, we\nwould need to modify the SO repository code (actually, the security\nextension), if feasible, to use the user profile service. However, his\nmay introduce too much overhead.\n\n### Testing\n\nThe easiest way to test this fix is to configure the anonymous\nauthentication provider. When users are authenticated anonymously they\ndo not activate a user profile.\n\n\n### Checklist\n\nCheck the PR satisfies following conditions. \n\nReviewers should verify this PR satisfies this list as well.\n\n- [ ] Any text added follows [EUI's writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\nsentence case text and includes [i18n\nsupport](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)\n- [ ]\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\nwas added for features that require explanation or tutorials\n- [X] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [ ] If a plugin configuration key changed, check if it needs to be\nallowlisted in the cloud and added to the [docker\nlist](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)\n- [ ] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [ ] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [ ] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\nDoes this PR introduce any risks? For example, consider risks like hard\nto test bugs, performance regression, potential of data loss.\n\nDescribe the risk, its severity, and mitigation for each identified\nrisk. Invite stakeholders and evaluate how to proceed before merging.\n\n- [ ] [See some risk\nexamples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)\n- [ ] ...\n\n## Release note\nFixes an issue where saving a dashboard included access control features\nwhen a user profile, which is required for access control, was not\navailable.\n\n---------\n\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"009aea16e601c1dad4a3f1b55754bd239fb4b65d"}},{"branch":"9.3","label":"v9.3.2","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> --------- Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
sorenlouv
pushed a commit
that referenced
this pull request
Mar 17, 2026
…ouldAddAccessControl (#255065) ## Summary This PR changes how the dashboard save modal determines if access control metadata should be added to a dashboard. Previously it used the user profile service, however, since #249839, the getCurrent function now attempts to retrieve the user profile when the incoming request is authenticated via Basic or API key. This resulted in adding the access control metadata when authenticated to the UI via a proxy or the anonymous authc provider. The Saved Object Repository does not use the user profiles service to determine the current user, but rather the authentication service, which does not retrieve the user profile when authenticated via API key. This caused errors when creating dashboards in the UI when authenticated via a proxy or the anonymous authc provider - the UI would add the access control meta data and the SO repository would reject the operation due to lacking a profile ID for the owner field. This PR implements a short term solution by switching to the authentication service in the dashboard save modal - matching the mechanism of checking for an active profile ID in the SO repository. A longer-term solution might be different, should we want to support creating dashboards with access control via API key. In this case, we would need to modify the SO repository code (actually, the security extension), if feasible, to use the user profile service. However, his may introduce too much overhead. ### Testing The easiest way to test this fix is to configure the anonymous authentication provider. When users are authenticated anonymously they do not activate a user profile. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ### Identify risks Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss. Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging. - [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) - [ ] ... ## Release note Fixes an issue where saving a dashboard included access control features when a user profile, which is required for access control, was not available. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #245091
Summary
This PR enhances the user profile getCurrent function API, and subsequently the
/internal/security/user_profileendpoint, to retrieve the user profile for requests authenticated viabasicandapikeyauthorization headers.No breaking changes or release notes - only internal APIs are enhanced and retain original behavior.
Telemetry
This PR adds an OTel counter for invocations of the getCurrent function, with optional attributes for when profile activation or API key retrieval is required.
Note: The counter is not increased if authorization is not via session, basic, or API key. However, in this case nothing happens and
nullis returned.Tests
The cases tests had to be updated to account for the additionally activated user profiles. Note: I have temporarily skipped some tests which aimed to confirm when no profile is available. I am currently evaluating whether these tests should remain and how to implement them given the changes.
Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.