[Alerts][Actions] Removed isESOUsingEphemeralEncryptionKey determination. Set ESO plugin as a required dependency for Actions and Alerts plugins. Changed UI to show the proper info for disabled ESO plugin. #87936
Conversation
…ion. Set ESO plugin as an optional dependancy for actions and alerts plugins.
YulNaumenko
added
Feature:Alerting
v8.0.0
release_note:skip
|
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
|
Suggested text: Encrypted saved objects are not available Set a value for |
x-pack/plugins/actions/kibana.json
Outdated
| "requiredPlugins": ["licensing", "taskManager", "encryptedSavedObjects", "eventLog", "features"], | ||
| "optionalPlugins": ["usageCollection", "spaces", "security"], | ||
| "requiredPlugins": ["licensing", "taskManager", "eventLog", "features"], | ||
| "optionalPlugins": ["usageCollection", "spaces", "security", "encryptedSavedObjects"], |
There was a problem hiding this comment.
What's the expected behaviour when ESO is disabled?
Should Actions and Alerts still works without encryption?
If not, seems like this should still be in requiredPlugins.
If so, then seems like we're missing a whole test suite of e2e tests where Alerting & Actions run without ESOs
There was a problem hiding this comment.
What's the expected behaviour when ESO is disabled?
In the alerting management and in the API responses we show the message that the user should configure ESO (like it was done for ephemeral encryption key). So I kept the same behavior.
There was a problem hiding this comment.
Should Actions and Alerts still works without encryption?
Actions and Alerts won't normally work without the encryption. For the existing alerts and actions executions user will get the error messages, where we are proposing to the user to enable the ESO plugin by the link Learn how in the UI message and configuration link in the API message.
There was a problem hiding this comment.
If so, then seems like we're missing a whole test suite of e2e tests where Alerting & Actions run without ESOs
Alerts and actions cannot run without ESO.
ESO is in the optional plugins list, because the users should be able to get the info about possible missing configuration, I think..
Do you think we should disable it at all?
To clarify: this PR changes is needed because there won't be support for ephemeral encryption key any more. But currently, with this key our framework is also not working properly for create and execute and we are not disabling plugins and just saying to the user that he should be able to change the configuration to make it works normal.
There was a problem hiding this comment.
I suspect that if we leave it as a required plugin, we'll end up with no alert/action UI at all, and the only diagnostic would be the list of plugins listed at Kibana startup, where alerts/actions wouldn't be listed. Perhaps some messaging that the plugins were disabled because a required plugin wasn't available? Or would Kibana just not start up at that point?
So seems odd, but the only reason to keep the alerts/actions plugins loadable is to display the message. Which is probably important enough that we'd want to make this optional instead of required. Presumably some read-only activities could still work (maybe not now, but could be made to work?)? Eg, listing alerts, alert instances?
There was a problem hiding this comment.
@elastic/apm-ui, @elastic/siem, @elastic/uptime please let us know here if you have any objections about disabling alerts and actions plugins if encrypted_saved_objects is disabled.
There was a problem hiding this comment.
Will this impact if/when we move the alerting UI code to the alerts plugin?
There was a problem hiding this comment.
Good point. Yes, it will be disabled as well..
There was a problem hiding this comment.
I don't see how we have much of a choice here, this is required for things to be secure right? Is there any action we need to take on Uptime? If not, of course I support keeping things secure.
There was a problem hiding this comment.
@andrewvc just want to let you know that if we decide to make ESO as a required dependency for alerts and actions and uptime app will keep the alerts as required plugin it will be disabled as well on Kibana start.
|
I'm a little concerned on the timing of #81511 - which is the PR which changes the ESO plugin behavior. I believe that all the plugins depending on ESO will need to switch within the same Kibana release, so we should double check that all the other plugins are ready for 7.12, before merging. Even when we do switch, there will be some span between when the ESO-using plugins land and #81511 lands, in which the |
There are only our plugins and |
YulNaumenko
changed the title
| describe('routeHandlerContext.getActionsClient()', () => { | ||
| it('should not throw error when ESO plugin not using a generated key', async () => { |
There was a problem hiding this comment.
Now that actions is dependent on ESO I think we can remove this all together, no?
It should never be possible for getActionsClient to be available when ESO is not... right? 🤔
| @@ -227,34 +191,19 @@ describe('Actions Plugin', () => { | |||
| expect(pluginStart.isActionExecutable('preconfiguredServerLog', '.server-log')).toBe(true); | |||
| }); | |||
|
|
|||
| it('should not throw error when ESO plugin not using a generated key', async () => { | |||
| it('should not throw error when ESO plugin is available', async () => { | |||
There was a problem hiding this comment.
Same with this test... I think we can remove it altogether now, no?
| const encryptedSavedObjectsClient = plugins.encryptedSavedObjects.getClient({ | ||
| includedHiddenTypes, | ||
| }); | ||
|
|
There was a problem hiding this comment.
This code used to reside outside of getActionsClientWithRequest to prevent us from creating a new encryptedSavedObjectsClient every time an ActionsClient is created.
Is there a reason why this has been moved in now? 🤔
| if (!encryptedSavedObjects) { | ||
| throw new Error( | ||
| `Unable to run task because the Encrypted Saved Objects plugin is not available. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.` | ||
| ); | ||
| } |
There was a problem hiding this comment.
This shouldn't happen, right? Now that it's a required plugin it should always be there, so this is redundant code (unless I'm missing something)
| if (!internalSavedObjectsRepository) { | ||
| healthStatuses.decryptionHealth = { | ||
| status: HealthStatus.Warning, | ||
| timestamp: new Date().toISOString(), | ||
| }; | ||
| return healthStatuses; | ||
| } |
There was a problem hiding this comment.
Why have we made internalSavedObjectsRepository optional here? Am I missing something?
It doesn't look like we've changed the call to getHealth so this looks like it might be leftovers from the original approach?
There was a problem hiding this comment.
Thank you for catching this leftovers!
💚 Build SucceededMetrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
Removed usingEphemeralEncryptionKey check for alerts and actions plugins.
This is needed due to the upcoming changes in the ESO plugin, where the plugin won't be enabled if encryptionKey was not set: '
enabledcannot be set totrueuntilencryptionKeyis specified.'Extended
triggers_actions_uiplugin to have an own health api, which return the current state based on the different factors like availability of the related plugins.Used this health API to replace the obsolete alerting framework health option
hasPermanentEncryptionKey.Modified UI warning message from:
to:Resolves #80678