[Bug] [Search Homepage] Disable API keys on insufficient permissions#248072
Merged
efegurkan merged 4 commits intoelastic:mainfrom Jan 8, 2026
Merged
[Bug] [Search Homepage] Disable API keys on insufficient permissions#248072efegurkan merged 4 commits intoelastic:mainfrom
efegurkan merged 4 commits intoelastic:mainfrom
Conversation
API keys tab in the connection details flyout is hidden when user does not have permissions to manage API keys including personal. This commit adds same check through the useSearchApiKey hooks status field and disables the button to open the flyout with API keys tab. Added tests to check the conditional disabling.
efegurkan
added
the
bug
efegurkan
added
release_note:fix
Team:Search
backport:version
Member
Author
|
@elasticmachine merge upstream |
mdefazio
reviewed
Jan 7, 2026
Contributor
mdefazio
left a comment
mdefazio
left a comment
There was a problem hiding this comment.
Reviewed screen recordings (ty!!) LGTM.
Just commenting to avoid approving for code review.
Contributor
|
Perhaps we should consider a follow-up that removes the badge for "You don't have access to manage API keys". Or is it worth removing with this one? Curious to get your take on if we need it. |
Member
Author
|
@mdefazio better as a follow up, as I would like to have the opportunity to do more tests in there. If I include it here, this will slow this one up considering deadlines. |
saikatsarkar056
approved these changes
Jan 7, 2026
Member
Author
|
@elasticmachine merge upstream |
Contributor
|
Starting backport for target branches: 9.3 |
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Page load bundle
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 8, 2026
…lastic#248072) ## Summary API keys tab in the connection details flyout is hidden when user does not have permissions to manage API keys including personal. This commit adds same check through the useSearchApiKey hooks status field and disables the button to open the flyout with API keys tab. Added tests to check the conditional disabling. With permissions: https://github.com/user-attachments/assets/73777f5c-f69c-48f1-b16f-20a592a0a8a2 without: https://github.com/user-attachments/assets/be78cd72-179a-4bd9-99d5-8042aac49b12 To test locally: - Run in self managed or hosted - Create a new user with `viewer` builtin role - Login in a new browser or private window with newly created user - Check API Keys button in homepage. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ## Release Note Disabled 'API keys' button on Elasticsearch homepage when logged in user have insufficient permissions. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 5af94d0)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 8, 2026
…sions (#248072) (#248272) # Backport This will backport the following commits from `main` to `9.3`: - [[Bug] [Search Homepage] Disable API keys on insufficient permissions (#248072)](#248072) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Efe Gürkan YALAMAN","email":"efeguerkan.yalaman@elastic.co"},"sourceCommit":{"committedDate":"2026-01-08T13:34:04Z","message":"[Bug] [Search Homepage] Disable API keys on insufficient permissions (#248072)\n\n## Summary\n\nAPI keys tab in the connection details flyout is hidden when user does\nnot have permissions to manage API keys including personal. This commit\nadds same check through the useSearchApiKey hooks status field and\ndisables the button to open the flyout with API keys tab.\n\nAdded tests to check the conditional disabling.\n\nWith permissions:\n\n\nhttps://github.com/user-attachments/assets/73777f5c-f69c-48f1-b16f-20a592a0a8a2\n\nwithout:\n\n\n\nhttps://github.com/user-attachments/assets/be78cd72-179a-4bd9-99d5-8042aac49b12\n\n\nTo test locally: \n- Run in self managed or hosted\n- Create a new user with `viewer` builtin role\n- Login in a new browser or private window with newly created user\n- Check API Keys button in homepage.\n\n\n### Checklist\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n## Release Note\n\nDisabled 'API keys' button on Elasticsearch homepage when logged in user\nhave insufficient permissions.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"5af94d06dc580058e0f66075410448b7cea329e1","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","Team:Search","backport:version","v9.3.0","v9.4.0"],"title":"[Bug] [Search Homepage] Disable API keys on insufficient permissions","number":248072,"url":"https://github.com/elastic/kibana/pull/248072","mergeCommit":{"message":"[Bug] [Search Homepage] Disable API keys on insufficient permissions (#248072)\n\n## Summary\n\nAPI keys tab in the connection details flyout is hidden when user does\nnot have permissions to manage API keys including personal. This commit\nadds same check through the useSearchApiKey hooks status field and\ndisables the button to open the flyout with API keys tab.\n\nAdded tests to check the conditional disabling.\n\nWith permissions:\n\n\nhttps://github.com/user-attachments/assets/73777f5c-f69c-48f1-b16f-20a592a0a8a2\n\nwithout:\n\n\n\nhttps://github.com/user-attachments/assets/be78cd72-179a-4bd9-99d5-8042aac49b12\n\n\nTo test locally: \n- Run in self managed or hosted\n- Create a new user with `viewer` builtin role\n- Login in a new browser or private window with newly created user\n- Check API Keys button in homepage.\n\n\n### Checklist\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n## Release Note\n\nDisabled 'API keys' button on Elasticsearch homepage when logged in user\nhave insufficient permissions.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"5af94d06dc580058e0f66075410448b7cea329e1"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/248072","number":248072,"mergeCommit":{"message":"[Bug] [Search Homepage] Disable API keys on insufficient permissions (#248072)\n\n## Summary\n\nAPI keys tab in the connection details flyout is hidden when user does\nnot have permissions to manage API keys including personal. This commit\nadds same check through the useSearchApiKey hooks status field and\ndisables the button to open the flyout with API keys tab.\n\nAdded tests to check the conditional disabling.\n\nWith permissions:\n\n\nhttps://github.com/user-attachments/assets/73777f5c-f69c-48f1-b16f-20a592a0a8a2\n\nwithout:\n\n\n\nhttps://github.com/user-attachments/assets/be78cd72-179a-4bd9-99d5-8042aac49b12\n\n\nTo test locally: \n- Run in self managed or hosted\n- Create a new user with `viewer` builtin role\n- Login in a new browser or private window with newly created user\n- Check API Keys button in homepage.\n\n\n### Checklist\n\n- [x] [Unit or functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere updated or added to match the most common scenarios\n- [x] This was checked for breaking HTTP API changes, and any breaking\nchanges have been approved by the breaking-change committee. The\n`release_note:breaking` label should be applied in these situations.\n- [ ] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n## Release Note\n\nDisabled 'API keys' button on Elasticsearch homepage when logged in user\nhave insufficient permissions.\n\n---------\n\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"5af94d06dc580058e0f66075410448b7cea329e1"}}]}] BACKPORT--> Co-authored-by: Efe Gürkan YALAMAN <efeguerkan.yalaman@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
devamanv
pushed a commit
to devamanv/kibana
that referenced
this pull request
Jan 12, 2026
…lastic#248072) ## Summary API keys tab in the connection details flyout is hidden when user does not have permissions to manage API keys including personal. This commit adds same check through the useSearchApiKey hooks status field and disables the button to open the flyout with API keys tab. Added tests to check the conditional disabling. With permissions: https://github.com/user-attachments/assets/73777f5c-f69c-48f1-b16f-20a592a0a8a2 without: https://github.com/user-attachments/assets/be78cd72-179a-4bd9-99d5-8042aac49b12 To test locally: - Run in self managed or hosted - Create a new user with `viewer` builtin role - Login in a new browser or private window with newly created user - Check API Keys button in homepage. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations. - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) - [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels. ## Release Note Disabled 'API keys' button on Elasticsearch homepage when logged in user have insufficient permissions. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
API keys tab in the connection details flyout is hidden when user does not have permissions to manage API keys including personal. This commit adds same check through the useSearchApiKey hooks status field and disables the button to open the flyout with API keys tab.
Added tests to check the conditional disabling.
With permissions:
Screen.Recording.2026-01-07.at.13.34.12.mov
without:
Screen.Recording.2026-01-07.at.13.34.51.mov
To test locally:
viewerbuiltin roleChecklist
release_note:breakinglabel should be applied in these situations.release_note:*label is applied per the guidelinesbackport:*labels.Release Note
Disabled 'API keys' button on Elasticsearch homepage when logged in user have insufficient permissions.