[Read only dashboards] Store Saved object access control information#221916
Merged
SiddharthMantri merged 19 commits intoelastic:security/read-only-dashboardsfrom Jun 19, 2025
Conversation
jeramysoucy
reviewed
Jun 3, 2025
src/platform/plugins/shared/dashboard/server/dashboard_saved_object/dashboard_saved_object.ts
Outdated
Show resolved
Hide resolved
Contributor
Author
|
/ci |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
/ci |
Contributor
Author
|
/ci |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for storing access control information into saved object metadata, allowing the system to track ownership and read-only restrictions on dashboards. Key changes include:
- Adding a new SavedObjectAccessControl interface to define ownership and access mode.
- Propagating the accessControl property in serializers and saved object service logic.
- Extending configuration and type registry to support access control processing and testing.
Reviewed Changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/platform/plugins/shared/dashboard/server/plugin.ts | Minor formatting clean-up. |
| src/core/server/index.ts | Re-export of SavedObjectAccessControl. |
| src/core/packages/saved-objects/server/tsconfig.json | Updated dependency list to include @kbn/core. |
| src/core/packages/saved-objects/server/src/serialization.ts | Inclusion of accessControl in raw doc and doc interfaces. |
| src/core/packages/saved-objects/server/src/saved_objects_type.ts | Added supportsAccessControl property in saved object type. |
| src/core/packages/saved-objects/server/index.ts | Export update for the new access control interface. |
| src/core/packages/saved-objects/server-internal/src/saved_objects_service.ts | Updated type registry initialization with accessControlTypes from config. |
| src/core/packages/saved-objects/common/src/server_types.ts | Added the SavedObjectAccessControl definition and updated SavedObject type. |
| src/core/packages/saved-objects/base-server-internal/src/serialization/serializer.ts | Updated serialization logic to support accessControl. |
| src/core/packages/saved-objects/base-server-internal/src/serialization/serializer.test.ts | Added tests to verify accessControl propagation. |
| src/core/packages/saved-objects/base-server-internal/src/saved_objects_type_registry.ts | Introduced accessControlTypes mapping and supportsAccessControl method. |
| src/core/packages/saved-objects/base-server-internal/src/saved_objects_config.ts | Extended configuration to include accessControlTypes. |
| src/core/packages/saved-objects/api-server/index.ts | Re-export of SavedObjectAccessControl for API usage. |
src/core/packages/saved-objects/base-server-internal/src/saved_objects_type_registry.ts
Outdated
Show resolved
Hide resolved
…_objects_type_registry.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
SiddharthMantri
commented
Jun 11, 2025
| } | ||
|
|
||
| public supportsAccessControl(type: string): boolean { | ||
| return this.accessControlTypesMap.has(type); |
Contributor
Author
There was a problem hiding this comment.
Question for core - using config flags to allow specific SO types to have this ownership information. Instead of exposing this to the consumers, we start off with an internal config. What do you think?
Contributor
There was a problem hiding this comment.
Pierre left a similar comment on the RFC, but if types are already having to opt in, I don't think we should have another config option.
If we want to merge this PR and avoid anyone using this before it's fully ready, we could rather comment out the accessControl from the saved object type interface.
Contributor
Author
There was a problem hiding this comment.
We are planning to merge this into a feature branch security/read-only-dashboards for now. What do you think?
SiddharthMantri
changed the base branch from
main
to
security/read-only-dashboards
jeramysoucy
requested changes
Jun 11, 2025
Contributor
jeramysoucy
left a comment
jeramysoucy
left a comment
There was a problem hiding this comment.
Looks good, Sid! Just requesting one change, but I think we can open the PR for review from Core if you're ready. 👍
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
jeramysoucy
approved these changes
Jun 12, 2025
rudolf
requested changes
Jun 16, 2025
| }); | ||
| }); | ||
|
|
||
| test('it copies accessControl to _source.accessControl', () => { |
Contributor
There was a problem hiding this comment.
for both these tests we also need to test when accesscontrol isn't defined
| } | ||
|
|
||
| public supportsAccessControl(type: string): boolean { | ||
| return this.accessControlTypesMap.has(type); |
Contributor
There was a problem hiding this comment.
Pierre left a similar comment on the RFC, but if types are already having to opt in, I don't think we should have another config option.
If we want to merge this PR and avoid anyone using this before it's fully ready, we could rather comment out the accessControl from the saved object type interface.
rudolf
approved these changes
Jun 19, 2025
SiddharthMantri
merged commit 5487e4c
into
elastic:security/read-only-dashboards
8 of 10 checks passed
Contributor
💚 Build Succeeded
Metrics [docs]Public APIs missing comments
Public APIs missing exports
Unknown metric groupsAPI count
History
|
4 tasks
kowalczyk-krzysztof
pushed a commit
to kowalczyk-krzysztof/kibana
that referenced
this pull request
Aug 30, 2025
…lastic#221916) Closes elastic#221752 PR introduces support for storing access control information into saved object metadata. By itself this won't do anything in this PR but we'll use it for the next phase implementing the various APIs for dashboard specific operations. Note: Merging into a feature branch before merging into main. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
SiddharthMantri
added a commit
that referenced
this pull request
Dec 12, 2025
Closes elastic/kibana-team#808 The respective teams have been raising PRs against this feature branch. Approved PRs merged so far: - #221916 - #224411 - #239973 - #241101 - #238468 - #233552 - #228416 - #241168 - #244746 - #244830 ## Summary This pull request overhauls the saved object management workflow by introducing the concept of ownership for SOs - specifically enabled for dashboards only at the moment. Owners and administrators can now control a new write-restricted flag on their objects, allowing them to keep work draft/uneditable state before publishing. This change enables users to define who can modify shared objects, providing a crucial capability to manage and share dashboards. ## Release note Kibana Dashboards now support ownership and "write_restricted" mode. Users can now keep dashboards publicly editable or in a write-restricted state until they are ready to publish, giving them more control over who can edit their dashboards, regardless of broader space permissions. ## How to test ### Serverless Please reach out to me via slack or in the project channel (#read-only-dashboards) to be invited to the serverless environment where this feature has been enabled. ### Local - Clone this PR - Enable the feature by editing kibana.yml to include ``` savedObjects.enableAccessControl: true ``` - Start ES and Kibana as you would - Once started, seed Kibana with sample data. This should create a few dashboards. - Navigate to dashboards and create a new one. - In the share modal, change the view mode `Everybody in the space Can View`, <img width="500" height="410" alt="image" src="https://github.com/user-attachments/assets/b895442f-cce3-41a6-8b47-d206a9afbf43" /> - Now create a new role which grants access to indices and dashboards all. Create a new user and then assign that role to the newly created user. <img width="500" height="410" alt="image" src="https://github.com/user-attachments/assets/dd5251e1-a3b5-41a8-abc1-7e67399d65d2" /> - Login as the new user and navigate to the dashboard you had initially set as `Can view`. You'll see that you're not able to edit the dashboard and a warning like <img width="500" height="410" alt="Screenshot 2025-11-28 at 12 30 50" src="https://github.com/user-attachments/assets/1f71ccc7-9dc6-4a68-9a2c-540aa74e4f03" /> ### Local (2nd option) You can also follow the instructions in #224411 that detail how to use the funtional test runner to test this using the test plugin created for this feature. ### Risk matrix - What happens when your feature is used in a non-default space or a custom space? Works as expected - What happens when there are multiple Kibana nodes using the same Elasticsearch cluster? Does not depend on functionality of kibana nodes - What happens when a plugin you depend on is disabled? Changes are in core and security - both are always available - What happens when a feature you depend on is disabled? No dependency - What happens when a third party integration you depend on is not responding? No third party inregration - Does the feature work in Elastic Cloud? Yes - Does the feature create a setting that needs to be exposed, or configured differently than the default, on the Elastic Cloud? No - Is there a significant performance impact that may affect Cloud Kibana instances? No - Does your feature need to be aware of running in a container? No - Does the feature Work with security disabled, or fails gracefully? If disabled, fails gracefully. - Are there performance risks associated with your feature? No - Could this cause memory to leak in either the browser or server? No - Will your feature still work if Kibana is run behind a reverse proxy? Yes - Does your feature affect other plugins? No, other plugins could choose to use it if registering a SO with ownable types - Are migrations handled gracefully? Does the feature affect old indices or saved objects? Yes, migrations taken care of. - Are you using any technologies, protocols, techniques, conventions, libraries, NPM modules, etc. that may be new or unprecedented in Kibana? No --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co> Co-authored-by: Krzysztof Kowalczyk <krzysztof.kowalczyk@elastic.co> Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co>
seanrathier
pushed a commit
to seanrathier/kibana
that referenced
this pull request
Dec 15, 2025
Closes elastic/kibana-team#808 The respective teams have been raising PRs against this feature branch. Approved PRs merged so far: - elastic#221916 - elastic#224411 - elastic#239973 - elastic#241101 - elastic#238468 - elastic#233552 - elastic#228416 - elastic#241168 - elastic#244746 - elastic#244830 ## Summary This pull request overhauls the saved object management workflow by introducing the concept of ownership for SOs - specifically enabled for dashboards only at the moment. Owners and administrators can now control a new write-restricted flag on their objects, allowing them to keep work draft/uneditable state before publishing. This change enables users to define who can modify shared objects, providing a crucial capability to manage and share dashboards. ## Release note Kibana Dashboards now support ownership and "write_restricted" mode. Users can now keep dashboards publicly editable or in a write-restricted state until they are ready to publish, giving them more control over who can edit their dashboards, regardless of broader space permissions. ## How to test ### Serverless Please reach out to me via slack or in the project channel (#read-only-dashboards) to be invited to the serverless environment where this feature has been enabled. ### Local - Clone this PR - Enable the feature by editing kibana.yml to include ``` savedObjects.enableAccessControl: true ``` - Start ES and Kibana as you would - Once started, seed Kibana with sample data. This should create a few dashboards. - Navigate to dashboards and create a new one. - In the share modal, change the view mode `Everybody in the space Can View`, <img width="500" height="410" alt="image" src="https://github.com/user-attachments/assets/b895442f-cce3-41a6-8b47-d206a9afbf43" /> - Now create a new role which grants access to indices and dashboards all. Create a new user and then assign that role to the newly created user. <img width="500" height="410" alt="image" src="https://github.com/user-attachments/assets/dd5251e1-a3b5-41a8-abc1-7e67399d65d2" /> - Login as the new user and navigate to the dashboard you had initially set as `Can view`. You'll see that you're not able to edit the dashboard and a warning like <img width="500" height="410" alt="Screenshot 2025-11-28 at 12 30 50" src="https://github.com/user-attachments/assets/1f71ccc7-9dc6-4a68-9a2c-540aa74e4f03" /> ### Local (2nd option) You can also follow the instructions in elastic#224411 that detail how to use the funtional test runner to test this using the test plugin created for this feature. ### Risk matrix - What happens when your feature is used in a non-default space or a custom space? Works as expected - What happens when there are multiple Kibana nodes using the same Elasticsearch cluster? Does not depend on functionality of kibana nodes - What happens when a plugin you depend on is disabled? Changes are in core and security - both are always available - What happens when a feature you depend on is disabled? No dependency - What happens when a third party integration you depend on is not responding? No third party inregration - Does the feature work in Elastic Cloud? Yes - Does the feature create a setting that needs to be exposed, or configured differently than the default, on the Elastic Cloud? No - Is there a significant performance impact that may affect Cloud Kibana instances? No - Does your feature need to be aware of running in a container? No - Does the feature Work with security disabled, or fails gracefully? If disabled, fails gracefully. - Are there performance risks associated with your feature? No - Could this cause memory to leak in either the browser or server? No - Will your feature still work if Kibana is run behind a reverse proxy? Yes - Does your feature affect other plugins? No, other plugins could choose to use it if registering a SO with ownable types - Are migrations handled gracefully? Does the feature affect old indices or saved objects? Yes, migrations taken care of. - Are you using any technologies, protocols, techniques, conventions, libraries, NPM modules, etc. that may be new or unprecedented in Kibana? No --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> Co-authored-by: Christiane (Tina) Heiligers <christiane.heiligers@elastic.co> Co-authored-by: Krzysztof Kowalczyk <krzysztof.kowalczyk@elastic.co> Co-authored-by: Gerard Soldevila <gerard.soldevila@elastic.co>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #221752
PR introduces support for storing access control information into saved object metadata.
By itself this won't do anything in this PR but we'll use it for the next phase implementing the various APIs for dashboard specific operations.
Note: Merging into a feature branch before merging into main.