Add multiple namespaces support to PIT search and finder

[pgayvallet]

Summary

Fix #99044

Add multi-namespaces support to openPointInTimeForType and createPointInTimeFinder

Checklist

• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

[pgayvallet]

This is a rough draft of what I think the implementation should look like given the info provided in #99044.

A question I have regarding the issue's description is regarding this point:

• soClient.createPointInTimeFinder will need to ensure the typeToNamespacesMap is handed off when calling openPointInTimeForType

from my current understanding, createPointInTimeFinder would remain unchanged, as the logic change would be handled in the internal calls of PointInTimeFinder to client.openPointInTimeForType which would leverage the security wrapper's modifications? Could you confirm this?

@jportner @lukeelmers could you take a look and tell me if this seems like the correct approach?

[pgayvallet]

We no longer extend SavedObjectsBaseOptions to remove the namespace option, as this new namespaces option was added.

[jportner]

See my comment in #109062 (review), I think we should leave the SavedObjectsOpenPointInTimeOptions options as-is.

[pgayvallet]

I agree with your approach, so typeToNamespacesMap is no longer necessary here and I will remove it. However SavedObjectsOpenPointInTimeOptions had a namespace?: string option due to this extension, that needs to be changed to a namespaces?: string[], for the security wrapper to use it.

[jportner]

Oh, I was going too fast, yep agreed

[pgayvallet]

In the same scenario, the find wrapper returns SavedObjectsUtils.createEmptyFindResponse, however this is not possible for openPointInTimeForType, as the expected return type is a SavedObjectsOpenPointInTimeResponse. I'm throwing a forbidden error in that case, but really not sure this is the correct error type?

[lukeelmers]

FWIW this makes sense to me: If you are opening a PIT against a type & you don't have permissions to access that type's backing index, I'd expect a forbidden error. But let's see what @jportner thinks.

[jportner]

Yeah, the forbidden error seems like the best approach here. Note that if you are only authorized to access a type in space A, and you attempt to open a PIT for that type only in space B, you'll run into a forbidden error. But that seems acceptable.

[pgayvallet]

if you are only authorized to access a type in space A, and you attempt to open a PIT for that type only in space B, you'll run into a forbidden error. But that seems acceptable.

I would even think that this is expected and not just acceptable? OTOH that's right that it differs from the find behavior that just returns an empty find response without throwing in the same situation.

The alternative would be to call baseClient.openPointInTimeForType with an empty list of types, and have it return a stubbed PIT finder impl that returns no results in that case, but that feels a little over-complicated to me?

[pgayvallet]

Hum, actually we can't do that, as it would need to be done in createPointInTimeFinder, so it doesn't solve the issue when calling openPointInTimeForType directly. So throwing here seems the only viable option anyway

[lukeelmers]

Overall this makes sense to me, but will defer to @jportner to make sure the behavior is what we'd expect here.

from my current understanding, createPointInTimeFinder would remain unchanged, as the logic change would be handled in the internal calls of PointInTimeFinder to client.openPointInTimeForType which would leverage the security wrapper's modifications? Could you confirm this?

Yes, this sounds correct to me as the typeToNamespacesMap would be handled by the wrapper. That issue description was written without doing an actual POC, so most likely I had overlooked this consideration.

[lukeelmers]

FWIW this makes sense to me: If you are opening a PIT against a type & you don't have permissions to access that type's backing index, I'd expect a forbidden error. But let's see what @jportner thinks.

[jportner]

I agree with most of the approach, with one exception:

In the SSOCW, in the openPointInTimeForType function, I don't think we need to pass typeToNamespacesMap down to the base client at all. When the user is partially or fully authorized, we should just pass down the types that the user can access.

The repository just needs to know what types the user is authorized to access in some space so that it can open the PIT against the appropriate indices for those types.
Re-reading the issue, Luke suggested this as an option in #99044 (comment):

2. Don't implement typeToNamespaceMap in openPointInTimeForType, and simply open the PIT against the indices for all allowed types in the request. If permissions change later, the correct namespace filters should still be applied in find. The tradeoff is that you are allowing the PIT to be open against some types which could potentially not be allowed in any namespaces, however as you aren't able to query those with find, this may be fine.

I think this approach is simpler and doesn't compromise security. See my suggestion below: #109062 (comment)

[pgayvallet]

self-review (in addition to the previous, non-closed points)

[pgayvallet]

Not sure why this was there, there isn't a namespace property on SavedObjectsFindOptions

[jportner]

Dead code! thanks for removing it

[pgayvallet]

Previously, per-id unauthorized were returning a 403 (due to bulkGet returning an error) and per-type were returning an empty export instead.

This PR has the side effect to change that, to now returns a 403 for per-type export when the user don't have the permissions for any of the types.

Overall, I think this is an improvement in term of consistency.

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[rudolf]

Our separation between core / security makes documentation really hard here. But in the absence of another good place to write documentation it feels like we should maybe add some details about how this option behaves when the spaces plugin is enabled? Otherwise it's very difficult to figure out how to use this.

Suggested change

	* An optional list of namespaces to be used by the PIT.
	* An optional list of namespaces to be used by the PIT.
	*
	* When the spaces plugin is enabled:
	*. - this will default to the user's current space as determined by the URL
	* - if namespaces is specified the user's current space will be ignored
	* - `['*']` will search across all available spaces

[pgayvallet]

Yea, that's fair. I can't think of any better place...

[lukeelmers]

Changes here all LGTM, thanks for taking this one on 🚀

[jportner]

Minor nits below, otherwise LGTM, thanks for doing this!

[jportner]

You can get rid of this too

[jportner]

Nit

Suggested change

	test(`translates options.namespace: ['*']`, async () => {
	test(`translates options.namespaces: ['*']`, async () => {

[jportner]

Nit

Suggested change

	namespaces: [currentSpace.expectedNamespace ?? 'default'],
	namespaces: [currentSpace.expectedNamespace ?? DEFAULT_SPACE_ID],

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 9d5fb6f
• Storybooks Preview

Metrics [docs]

Unknown metric groups

API count

id	before	after	diff
core	2244	2245	+1

History

• 💚 Build #147416 succeeded 16c0b0a
• 💚 Build #147294 succeeded b9a1b38
• 💚 Build #147271 succeeded 3024a47
• 💚 Build #147234 succeeded 7f7d453
• 💔 Build #147227 failed 3c0e37c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[kibanamachine]

💚 Backport successful

Status	Branch	Result
✅	7.x

This backport PR will be merged automatically after passing CI.