Disable UI of security apps for serverless

elastic · May 22, 2023 · 9633c22 · 9633c22
1 parent adcede2
commit 9633c22
Show file tree

Hide file tree

Showing 10 changed files with 95 additions and 13 deletions.
diff --git a/config/serverless.yml b/config/serverless.yml
@@ -19,6 +19,11 @@ xpack.license_management.enabled: false
 xpack.reporting.enabled: false
 xpack.cloud_integrations.data_migration.enabled: false
 
+# Disabled plugin UIs
+xpack.security.ui.usersEnabled: false
+xpack.security.ui.rolesEnabled: false
+xpack.security.ui.roleMappingsEnabled: false
+
 # Enforce restring access to internal APIs see https://github.com/elastic/kibana/issues/151940
 # server.restrictInternalApis: true
 # Telemetry enabled by default and not disableable via UI

diff --git a/src/plugins/management/public/index.ts b/src/plugins/management/public/index.ts
@@ -21,6 +21,7 @@ export type {
   ManagementSetup,
   ManagementStart,
   DefinedSections,
+  ClientConfigType,
 } from './types';
 
 export { MANAGEMENT_APP_ID } from '../common/contants';
diff --git a/src/plugins/management/public/types.ts b/src/plugins/management/public/types.ts
@@ -78,3 +78,9 @@ export interface CreateManagementItemArgs {
   capabilitiesId?: string; // overrides app id
   redirectFrom?: string; // redirects from an old app id to the current app id
 }
+
+export interface ClientConfigType {
+  usersEnabled: boolean;
+  rolesEnabled: boolean;
+  roleMappingsEnabled: boolean;
+}
diff --git a/x-pack/plugins/security/public/config.ts b/x-pack/plugins/security/public/config.ts
@@ -10,4 +10,9 @@ export interface ConfigType {
   showInsecureClusterWarning: boolean;
   sameSiteCookies: 'Strict' | 'Lax' | 'None' | undefined;
   showNavLinks: boolean;
+  ui: {
+    usersEnabled: boolean;
+    rolesEnabled: boolean;
+    roleMappingsEnabled: boolean;
+  };
 }
diff --git a/x-pack/plugins/security/public/management/management_service.test.ts b/x-pack/plugins/security/public/management/management_service.test.ts
@@ -9,6 +9,7 @@ import { BehaviorSubject } from 'rxjs';
 
 import { coreMock } from '@kbn/core/public/mocks';
 import type {
+  ClientConfigType,
   DefinedSections,
   ManagementApp,
   ManagementSetup,
@@ -43,13 +44,20 @@ describe('ManagementService', () => {
         locator: {} as any,
       };
 
+      const uiConfig: ClientConfigType = {
+        usersEnabled: true,
+        rolesEnabled: true,
+        roleMappingsEnabled: true,
+      };
+
       const service = new ManagementService();
       service.setup({
         getStartServices: getStartServices as any,
         license,
         fatalErrors,
         authc,
         management: managementSetup,
+        uiConfig,
       });
 
       expect(mockSection.registerApp).toHaveBeenCalledTimes(4);
@@ -105,12 +113,19 @@ describe('ManagementService', () => {
         locator: {} as any,
       };
 
+      const uiConfig: ClientConfigType = {
+        usersEnabled: true,
+        rolesEnabled: true,
+        roleMappingsEnabled: true,
+      };
+
       service.setup({
         getStartServices: getStartServices as any,
         license,
         fatalErrors,
         authc: securityMock.createSetup().authc,
         management: managementSetup,
+        uiConfig,
       });
 
       const getMockedApp = (id: string) => {
@@ -150,6 +165,7 @@ describe('ManagementService', () => {
           navLinks: {},
           catalogue: {},
         },
+        uiConfig,
       });
 
       return {

diff --git a/x-pack/plugins/security/public/management/management_service.ts b/x-pack/plugins/security/public/management/management_service.ts
@@ -9,6 +9,7 @@ import type { Subscription } from 'rxjs';
 
 import type { Capabilities, FatalErrorsSetup, StartServicesAccessor } from '@kbn/core/public';
 import type {
+  ClientConfigType,
   ManagementApp,
   ManagementSection,
   ManagementSetup,
@@ -28,42 +29,65 @@ interface SetupParams {
   authc: AuthenticationServiceSetup;
   fatalErrors: FatalErrorsSetup;
   getStartServices: StartServicesAccessor<PluginStartDependencies>;
+  uiConfig: ClientConfigType;
 }
 
 interface StartParams {
   capabilities: Capabilities;
+  uiConfig: ClientConfigType;
 }
 
 export class ManagementService {
   private license!: SecurityLicense;
   private licenseFeaturesSubscription?: Subscription;
   private securitySection?: ManagementSection;
 
-  setup({ getStartServices, management, authc, license, fatalErrors }: SetupParams) {
+  setup({ getStartServices, management, authc, license, fatalErrors, uiConfig }: SetupParams) {
     this.license = license;
     this.securitySection = management.sections.section.security;
 
-    this.securitySection.registerApp(usersManagementApp.create({ authc, getStartServices }));
-    this.securitySection.registerApp(
-      rolesManagementApp.create({ fatalErrors, license, getStartServices })
-    );
+    if (uiConfig.usersEnabled) {
+      this.securitySection.registerApp(usersManagementApp.create({ authc, getStartServices }));
+    }
+    if (uiConfig.rolesEnabled) {
+      this.securitySection.registerApp(
+        rolesManagementApp.create({ fatalErrors, license, getStartServices })
+      );
+    }
     this.securitySection.registerApp(apiKeysManagementApp.create({ authc, getStartServices }));
-    this.securitySection.registerApp(roleMappingsManagementApp.create({ getStartServices }));
+    if (uiConfig.roleMappingsEnabled) {
+      this.securitySection.registerApp(roleMappingsManagementApp.create({ getStartServices }));
+    }
   }
 
-  start({ capabilities }: StartParams) {
+  start({ capabilities, uiConfig }: StartParams) {
     this.licenseFeaturesSubscription = this.license.features$.subscribe(async (features) => {
       const securitySection = this.securitySection!;
 
       const securityManagementAppsStatuses: Array<[ManagementApp, boolean]> = [
-        [securitySection.getApp(usersManagementApp.id)!, features.showLinks],
-        [securitySection.getApp(rolesManagementApp.id)!, features.showLinks],
         [securitySection.getApp(apiKeysManagementApp.id)!, features.showLinks],
-        [
+      ];
+
+      if (uiConfig.usersEnabled) {
+        securityManagementAppsStatuses.push([
+          securitySection.getApp(usersManagementApp.id)!,
+          features.showLinks,
+        ]);
+      }
+
+      if (uiConfig.rolesEnabled) {
+        securityManagementAppsStatuses.push([
+          securitySection.getApp(rolesManagementApp.id)!,
+          features.showLinks,
+        ]);
+      }
+
+      if (uiConfig.roleMappingsEnabled) {
+        securityManagementAppsStatuses.push([
           securitySection.getApp(roleMappingsManagementApp.id)!,
           features.showLinks && features.showRoleMappingsManagement,
-        ],
-      ];
+        ]);
+      }
 
       // Iterate over all registered apps and update their enable status depending on the available
       // license features.

diff --git a/x-pack/plugins/security/public/plugin.tsx b/x-pack/plugins/security/public/plugin.tsx
@@ -132,6 +132,7 @@ export class SecurityPlugin
         authc: this.authc,
         fatalErrors: core.fatalErrors,
         getStartServices: core.getStartServices,
+        uiConfig: this.config.ui,
       });
     }
 
@@ -180,7 +181,10 @@ export class SecurityPlugin
     this.securityCheckupService.start({ http, notifications, docLinks });
 
     if (management) {
-      this.managementService.start({ capabilities: application.capabilities });
+      this.managementService.start({
+        capabilities: application.capabilities,
+        uiConfig: this.config.ui,
+      });
     }
 
     if (share) {

diff --git a/x-pack/plugins/security/server/config.test.ts b/x-pack/plugins/security/server/config.test.ts
@@ -72,6 +72,11 @@ describe('config schema', () => {
         },
         "showInsecureClusterWarning": true,
         "showNavLinks": true,
+        "ui": Object {
+          "roleMappingsEnabled": true,
+          "rolesEnabled": true,
+          "usersEnabled": true,
+        },
       }
     `);
 
@@ -127,6 +132,11 @@ describe('config schema', () => {
         },
         "showInsecureClusterWarning": true,
         "showNavLinks": true,
+        "ui": Object {
+          "roleMappingsEnabled": true,
+          "rolesEnabled": true,
+          "usersEnabled": true,
+        },
       }
     `);
 
@@ -181,6 +191,11 @@ describe('config schema', () => {
         },
         "showInsecureClusterWarning": true,
         "showNavLinks": true,
+        "ui": Object {
+          "roleMappingsEnabled": true,
+          "rolesEnabled": true,
+          "usersEnabled": true,
+        },
       }
     `);
   });

diff --git a/x-pack/plugins/security/server/config.ts b/x-pack/plugins/security/server/config.ts
@@ -297,6 +297,11 @@ export const ConfigSchema = schema.object({
     ),
   }),
   enabled: schema.boolean({ defaultValue: true }),
+  ui: schema.object({
+    usersEnabled: schema.boolean({ defaultValue: true }),
+    rolesEnabled: schema.boolean({ defaultValue: true }),
+    roleMappingsEnabled: schema.boolean({ defaultValue: true }),
+  }),
 });
 
 export function createConfig(

diff --git a/x-pack/plugins/security/server/index.ts b/x-pack/plugins/security/server/index.ts
@@ -53,6 +53,7 @@ export const config: PluginConfigDescriptor<TypeOf<typeof ConfigSchema>> = {
     showInsecureClusterWarning: true,
     sameSiteCookies: true,
     showNavLinks: true,
+    ui: true,
   },
 };
 export const plugin: PluginInitializer<