
[Dataset quality] States for missing permissions #179638

Closed
1 of 4 tasks
yngrdyn opened this issue Mar 28, 2024 · 12 comments · Fixed by #183947
Labels
Feature:Dataset Health Team:obs-ux-logs Observability Logs User Experience Team Team:Observability Team label for Observability Team (for things that are handled across all of observability)

Comments

@yngrdyn
Contributor

yngrdyn commented Mar 28, 2024

📓 Summary

When users have the viewer role, they are able to see only the Datasets Quality summary

image

If they use a direct url for accessing dataset details (flyout opened), this is what they see

image
Errors

Error from the endpoint dataset_quality/data_streams/stats?type=logs

security_exception
  Root causes:
    security_exception: action [indices:monitor/data_stream/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*], this action is granted by the index privileges [monitor,manage,all]

Error from endpoint dataset_quality/data_streams/estimated_data?type=logs&start=2024-03-27T14%3A51%3A17.556Z&end=2024-03-28T14%3A51%3A17.556Z

security_exception
  Root causes:
    security_exception: action [indices:monitor/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*-*], this action is granted by the index privileges [monitor,cross_cluster_replication,manage,all]

Error from endpoint ``

security_exception
  Root causes:
    security_exception: action [indices:monitor/data_stream/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*system.syslog-default*], this action is granted by the index privileges [monitor,manage,all]

Adding a role with index monitor privileges over logs-*-* fixes the failures in the aforementioned endpoints and the user is able to see all the information

image

Since we can still fetch information about degraded Docs, we should present the users with this information and point them to documentation on how to fix their permissions problems, instead of just failing the page when the requests have failed because of permissions problems. For doing that, Isa has proposed the following mock-up:

image

For achieving this new state I propose the following tasks

Tasks

  1. backport:skip release_note:skip v8.14.0
    yngrdyn

✔️ Acceptance criteria

When users don't have the required privileges to have all the information we show in dataset quality, they should be able to see a reduced version of the page:

  • Table with Dataset name with integration information related (icon), Namespace, Degraded Docs, Actions.
  • Content inside Active datasets and Estimated data replaced by You don't have the necessary privileges to see this information. Learn more. and a link to the dataset quality page documentation where they can check the required permission for the full version of the page.
  • Flyout should be accessible presenting the information we can show. Consider replacing Dataset details information with the message about the missing privileges as well
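
The reduced page described above depends on telling a permission failure apart from any other failed request. As an added example (not Kibana's code; all type and function names are hypothetical, and it assumes the `security_exception` reason keeps the format quoted in this issue), the following parses the three reported errors, maps each to a renderable panel state, and computes which index privileges would satisfy all of them:

```typescript
// Added example, not Kibana code: all type and function names are hypothetical.
interface MissingPrivilege {
  action: string;
  user: string;
  indices: string[];
  grantedBy: string[]; // index privileges Elasticsearch says would allow the action
}

// Assumes the reason string keeps the format of the errors quoted in the issue.
const REASON_RE =
  /action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\].*? on indices \[([^\]]+)\], this action is granted by the index privileges \[([^\]]+)\]/;

const splitList = (s: string): string[] => s.split(',').map((p) => p.trim());

function parseSecurityException(reason: string): MissingPrivilege | null {
  const m = REASON_RE.exec(reason);
  if (!m) return null;
  const [, action = '', user = '', indices = '', grantedBy = ''] = m;
  return { action, user, indices: splitList(indices), grantedBy: splitList(grantedBy) };
}

type PanelState =
  | { kind: 'ok' }
  | { kind: 'missing_privileges'; detail: MissingPrivilege }
  | { kind: 'error'; message: string };

// A permission failure becomes a renderable state; anything else stays an error.
function panelState(reason: string | null): PanelState {
  if (reason === null) return { kind: 'ok' };
  const detail = parseSecurityException(reason);
  return detail ? { kind: 'missing_privileges', detail } : { kind: 'error', message: reason };
}

// Privileges that would satisfy every failed request, in the order Elasticsearch lists them.
function commonPrivileges(failures: MissingPrivilege[]): string[] {
  const [first, ...rest] = failures;
  if (!first) return [];
  return first.grantedBy.filter((p) => rest.every((f) => f.grantedBy.indexOf(p) !== -1));
}

// The three reason strings from the issue, copied verbatim.
const ISSUE_ERRORS: string[] = [
  'action [indices:monitor/data_stream/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*], this action is granted by the index privileges [monitor,manage,all]',
  'action [indices:monitor/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*-*], this action is granted by the index privileges [monitor,cross_cluster_replication,manage,all]',
  'action [indices:monitor/data_stream/stats] is unauthorized for user [viewer] with effective roles [viewer] on indices [logs-*system.syslog-default*], this action is granted by the index privileges [monitor,manage,all]',
];
```

For the three errors in this issue the common set starts with `monitor`, which matches the role change reported above as fixing the failures.
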
@botelastic botelastic bot added the needs-team Issues missing a team label label Mar 28, 2024
@yngrdyn
Contributor Author

yngrdyn commented Mar 28, 2024

@mdbirnstiehl, additionally we should document the permission model needed to access the dataset quality feature. I was thinking of something similar to how it's done for the security Data quality dashboard, wdyt?

@mohamedhamed-ahmed
Contributor

Let's also keep in mind, when deciding on the acceptance criteria, to handle pasting URLs where the flyout state is set to open, for example.

@dej611 dej611 added the Team:Observability Team label for Observability Team (for things that are handled across all of observability) label Mar 28, 2024
@elasticmachine
Contributor

Pinging @elastic/unified-observability (Team:Observability)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Mar 28, 2024
@yngrdyn yngrdyn added the Team:obs-ux-logs Observability Logs User Experience Team label Mar 28, 2024
@elasticmachine
Contributor

Pinging @elastic/obs-ux-logs-team (Team:obs-ux-logs)

@ruflin
Contributor

ruflin commented Apr 2, 2024

What part of the table needs the stats call? As we are able to show a summary, I assume we could also show some info for each dataset, just not all columns?

@yngrdyn
Contributor Author

yngrdyn commented Apr 2, 2024

As of now we are relying on the dataStreamStats API for most of the table columns. Without that call we might be able to show, with some changes, rawName of the dataset (no integration information or human-readable name), namespace and degraded Docs column.

@flash1293
Contributor

@yngrdyn will the metering API for serverless provide all the information we need eventually? Or are there gaps we won't be able to close this way?

@yngrdyn
Contributor Author

yngrdyn commented Apr 2, 2024

We'll miss information to correlate to an integration. I think we could flip it around eventually and get the correlation from fleet, where we could know which datasets should belong to a certain integration, but in any case we would need a certain level of permissions to get that information.

@gbamparop
Contributor

As of now we are relying on the dataStreamStats API for most of the table columns. Without that call we might be able to show, with some changes, rawName of the dataset (no integration information or human-readable name), namespace and degraded Docs column.

The list of integrations and datasets in the data source selector can be displayed with the viewer role, so I guess it's possible to correlate datasets with integrations in the table as well?

@isaclfreire

isaclfreire commented Apr 2, 2024

@ruflin has a point. If there's already something we could show, then we shouldn't preclude it to the user. We could also dedicate a column to quality (now it's just communicated as part of the degraded docs column), so it will remain in the version with less privileges as well. This column could also be filterable if users only want to see poor quality datasets, for example. See below the full access example:
image

Another thing to consider is: should we completely remove the "active datasets" and "estimated data" box from the summary, or should we invest in an empty state? Can users eventually request access? Should we propose them with any available documentation? See below a very quick mock
image

I wonder in the case of restricted permissions, if it still makes sense to keep the flyout...

@gbamparop
Contributor

Another thing to consider is: should we completely remove the "active datasets" and "estimated data" box from the summary, or should we invest in an empty state? Can users eventually request access? Should we propose them with any available documentation? See below a very quick mock

+1 for empty states where it makes sense, to make it easier for users to see what's missing and request the necessary permissions from their admins, we could display the missing privileges in the tooltip.

@yngrdyn
Contributor Author

yngrdyn commented Apr 2, 2024

The list of integrations and datasets in the data source selector can be displayed with the viewer role, so I guess it's possible to correlate datasets with integrations in the table as well?

Will have a closer look at how we can get this information; we might be getting this info using an internal user rather than the current user (?)

I wonder in the case of restricted permissions, if it still makes sense to keep the flyout...

They will be able to see, for example, the evolution of the degradation, but without permissions they probably wouldn't be able to act on any future recommendation/action proposed by us. If we can get Integration info they could also be able to navigate to them from there

yngrdyn added a commit that referenced this issue Apr 17, 2024
…0560)

Relates to #179638.

## 📝 Summary

This PR is all about decoupling `integrations` from `DataStreamStats`
request.
This change is needed in order to render dataset quality table from only
`DegradedDocsStats` or `DataStreamStats`, this will allow us to show the
users the information as soon as it arrives, also will help us to
introduce soonish states according to user privileges.

### Changes

- New internal endpoint `GET /internal/dataset_quality/integrations`
that will return all the installed integrations that are of a specific
type, e.g. `logs`.
- Generating datasets when integrations request has finished, so we
render the integration information correctly and show the information
available: dataStreamStats and/or degradedDocs.

### App statechart

<img width="949" alt="image"
src="https://github.com/elastic/kibana/assets/1313018/3548d3e8-f99c-4d79-86af-4926dfec7b5e">

### Demos
#### dataStreamStats taking longer to resolve


https://github.com/elastic/kibana/assets/1313018/c1127ec2-2cfe-4796-a331-47a3ef718e98

#### degradedDocs taking longer to resolve


https://github.com/elastic/kibana/assets/1313018/b6f9954f-8e2b-445f-89a5-b6d213abe4b1

#### dataStreamStats and degradedDocs loading


https://github.com/elastic/kibana/assets/1313018/e7987657-41cd-4cfc-b24e-6ad47aed0df1

#### Integration request failed but we still show information related to datasets


https://github.com/elastic/kibana/assets/1313018/965558f3-4660-47e9-a7a1-068491e08a8a