[APM] Fix indefinite loading state in agent settings for unauthorized user roles #44970
Conversation
ogupte
changed the title
💚 Build Succeeded |
| @@ -7,7 +7,7 @@ import React from 'react'; | |||
| import { APMLink, APMLinkExtendProps } from './APMLink'; | |||
|
|
|||
| const SettingsLink = (props: APMLinkExtendProps) => { | |||
| return <APMLink path="/" {...props} />; | |||
| return <APMLink path="/settings" {...props} />; | |||
There was a problem hiding this comment.
woops 😅 thanks for catching this.
| {status === 'success' && !hasConfigurations ? ( | ||
| emptyStatePrompt | ||
| ) : ( | ||
| {status === 'failure' ? ( |
There was a problem hiding this comment.
Not a super big fan of nested ternaries in terms of readability, might be just me though.
There was a problem hiding this comment.
I agree. I just didn't have any better suggestions :)
| @@ -20,13 +20,19 @@ import { transactionSampleRateRt } from '../../common/runtime_types/transaction_ | |||
| // get list of configurations | |||
| export const agentConfigurationRoute = createRoute(core => ({ | |||
| path: '/api/apm/settings/agent-configuration', | |||
| handler: async req => { | |||
| await createApmAgentConfigurationIndex(core.http.server); | |||
| handler: async (req, _, h) => { | |||
There was a problem hiding this comment.
are we using h? can't see it being used below.
There was a problem hiding this comment.
my mistake for leaving this in
| const setup = await setupRequest(req); | ||
| return await listConfigurations({ setup }); | ||
| } catch (error) { | ||
| if (error.statusCode === 403) { |
There was a problem hiding this comment.
If we catch 403 authorization errors, how does the user ever see failurePrompt? What other status codes should we expect here? just 500?
There was a problem hiding this comment.
failurePrompt is now make more generic and the statusCode check was removed
| 'xpack.apm.settings.agentConf.configTable.failurePromptText', | ||
| { | ||
| defaultMessage: | ||
| 'Whoops! The settings management failed to initialize. This might be because the user that is logged in does not have permission to read or write the APM agent configuration index. The next time a user with adequate privileges loads this screen, Kibana will complete this step.' |
There was a problem hiding this comment.
This text is still confusing. Our implementation details wrt creating the index lazily should not shine through to the end-user.
If we assume the apm_user has read/write access to the agent configuration index we have a couple of use cases:
- An unknown backend error occurred (network glitch, database corruption, anything). We do not handle this in the rest of APM UI except for showing the automatic toast that the request failed. Feel free to explicitly handle the failure state. In that text the text needs to be something vague like "The list of agent configurations could not be fetched".
- The user has neither read or write permission: they'd get the above error. That's better than most other places in APM UI.
- The user has read permission but not write permission: the user should be able to see the list (and shouldn't see errors regardless if the index could not be created)
- The user has read and write permissions: the user should be able to see the list
| return await listConfigurations({ setup }); | ||
| } catch (error) { | ||
| if (error.statusCode === 403) { | ||
| // return an empty list if user is not authorized |
There was a problem hiding this comment.
I think you should only do this for createApmAgentConfigurationIndex. I don't think we should swallow errors for listConfigurations this way.
There was a problem hiding this comment.
This assumes that the apm_user as a minimum has read access to the index.
There was a problem hiding this comment.
The latest commit removed all the assumptions and displays a message to the user that a failure occurred when loading settings.
Index creation uses callWithInternalUser during plugin setup, so any index creation failures should not occur when a user loads the settings screen. but it will error if the user does not have permission to read from the .apm-agent-configuration index. as per your list of use cases above.
When testing with a user with the role apm_user, i discovered that it does not have read permissions on this index. Since it's not appropriate to call callWithInternalUser for querying this index, it will show the failure message. The alternative is to give the apm_user role the permission to read the agent config index. I created a PR to update the role, however it looks like it will not get approval (elastic/elasticsearch#46423).
- display to user when a failure occurred in settings initialization - fix incorrect settings link path
- make failure text reflect a general failure to load settings
ogupte
force-pushed
the
apm-43326-handle-settings-init-failure
branch
from
c369642 to
4b2303b
Compare
| ) : ( | ||
| emptyStatePrompt | ||
| ) | ||
| ) : null} |
There was a problem hiding this comment.
The previous status === 'success' && !hasConfigurations logic was rending emptyStatePrompt when status was loading so the new nested logic makes sure that nothing is rendered at that time. This is especially jarring if there's a failure message since it used to flash the emptyStatePrompt immediately prior to the failure message.
I'm open to alternatives for the nested ternary. :)
There was a problem hiding this comment.
What about a new component:
function Foo(status) {
if (status === 'failure') {
return failurePrompt;
}
if (status === 'success') {
if (!hasConfigurations) {
return emptyStatePrompt;
}
return (
<ManagedTable
noItemsMessage={<LoadingStatePrompt />}
columns={COLUMNS}
items={data}
initialSortField="service.name"
initialSortDirection="asc"
initialPageSize={50}
/>
);
}
}There was a problem hiding this comment.
created a new component for this called SettingsList (the old SettingsList is now just Settings/index since it renders the settings page.
💚 Build Succeeded |
| 'xpack.apm.settings.agentConf.configTable.failurePromptText', | ||
| { | ||
| defaultMessage: | ||
| 'The list of agent configurations could not be fetched' |
There was a problem hiding this comment.
I know I'm going back and forth on this but my assumptions have changed a little.
If we do not expect the apm_user to have read access, and we therefore expect many users to see this issue because of permission problems, it might make sense to hint about that.
Eg. "The list of agent configurations could not be fetched. Your user may not have the sufficient permissions."
To be clear, I was more against the fact that the user was seeing an error for something they shouldn't be concerned about (they were seeing an issue if they didn't have write access, even if they just wanted to view/read the list).
- Add Settings/SettingsList to render only the list/messaging - Mention permissions issue in failure message
💚 Build Succeeded |
… user roles (elastic#44970) * - handle unauthorized error to return empty list of agent settings - display to user when a failure occurred in settings initialization - fix incorrect settings link path * - moved agent config index creation to the plugin setup step - make failure text reflect a general failure to load settings * - Rename Settings/SettingsList -> Settings/index - Add Settings/SettingsList to render only the list/messaging - Mention permissions issue in failure message
…-to-np-ready * 'master' of github.com:elastic/kibana: (138 commits) [Canvas] i18n work on workpad header (and a few header CTAs) and convert to typescript (elastic#44943) update close/delete system index modals (elastic#45037) TS return type of createIndexPatternSelect (elastic#45107) [ML] Fix focus chart updating. (elastic#45146) [ML] Data frame transform: Fix progress in wizard create step. (elastic#45116) [Graph] Re-enable functional test (elastic#44683) [SIEM] unique table id for each top talkers table (elastic#45014) [SIEM] ip details heading draggable (elastic#45179) [Maps][File upload] Set complete on index pattern creation (elastic#44423) [Maps] unmount map embeddable component on destroy (elastic#45183) [SIEM] Adds error toasts to MapEmbeddable component (elastic#45088) fix redirect to maintain search query string (elastic#45184) [APM] One-line trace summary (elastic#44842) [Infra UI] Display non-metric details on Node Detail page (elastic#43551) [Maps][File upload] Removing bbox from parsed file pending upstream lib fix (elastic#45194) [Logs UI] Improve live streaming behavior when scrolling (elastic#44923) [APM] Fix indefinite loading state in agent settings for unauthorized user roles (elastic#44970) [Reporting] Rewrite addForceNowQuerystring to getFullUrls (elastic#44851) [Reporting/ESQueue] Improve logging of doc-update events (elastic#45077) [Reporting] Make screenshot capture less noisy by default (elastic#45185) ...
… user roles (#44970) (#45206) * - handle unauthorized error to return empty list of agent settings - display to user when a failure occurred in settings initialization - fix incorrect settings link path * - moved agent config index creation to the plugin setup step - make failure text reflect a general failure to load settings * - Rename Settings/SettingsList -> Settings/index - Add Settings/SettingsList to render only the list/messaging - Mention permissions issue in failure message
… user roles (elastic#44970) * - handle unauthorized error to return empty list of agent settings - display to user when a failure occurred in settings initialization - fix incorrect settings link path * - moved agent config index creation to the plugin setup step - make failure text reflect a general failure to load settings * - Rename Settings/SettingsList -> Settings/index - Add Settings/SettingsList to render only the list/messaging - Mention permissions issue in failure message
… user roles (#44970) (#45207) * - handle unauthorized error to return empty list of agent settings - display to user when a failure occurred in settings initialization - fix incorrect settings link path * - moved agent config index creation to the plugin setup step - make failure text reflect a general failure to load settings * - Rename Settings/SettingsList -> Settings/index - Add Settings/SettingsList to render only the list/messaging - Mention permissions issue in failure message
|
@ogupte fyi: added the |
|
This works as expected. However a new issue has been opened related to this: #45610 |
Addresses #43326 (in conjunction with elastic/elasticsearch#46423)