
Commit

Object Level Security, phase 1
legrego committed Jul 26, 2021
1 parent 2392b4f commit 30fbdaa
Showing 105 changed files with 5,282 additions and 269 deletions.
1 change: 1 addition & 0 deletions .github/CODEOWNERS
@@ -261,6 +261,7 @@
/x-pack/test/ui_capabilities/ @elastic/kibana-security
/x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security
/x-pack/test/functional/apps/security/ @elastic/kibana-security
/x-pack/test/saved_object_access_control/ @elastic/kibana-security
/x-pack/test/security_api_integration/ @elastic/kibana-security
/x-pack/test/security_functional/ @elastic/kibana-security
/x-pack/test/spaces_api_integration/ @elastic/kibana-security
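Review bot: the new `/x-pack/test/saved_object_access_control/ @elastic/kibana-security` rule only does anything if that directory is part of this commit; none of the files shown on this page live under it, so confirm the test suite is included rather than leaving a rule that matches nothing. Placement between `functional/apps/security/` and `security_api_integration/` keeps the block alphabetical, which is good.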
1 change: 1 addition & 0 deletions docs/development/core/public/kibana-plugin-core-public.md
@@ -103,6 +103,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [PluginInitializerContext](./kibana-plugin-core-public.plugininitializercontext.md) | The available core services passed to a <code>PluginInitializer</code> |
| [ResolvedSimpleSavedObject](./kibana-plugin-core-public.resolvedsimplesavedobject.md) | This interface is a very simple wrapper for SavedObjects resolved from the server with the [SavedObjectsClient](./kibana-plugin-core-public.savedobjectsclient.md)<!-- -->. |
| [SavedObject](./kibana-plugin-core-public.savedobject.md) | |
| [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md) | The "Access Control" describing which users should be authorized to access this SavedObject. |
| [SavedObjectAttributes](./kibana-plugin-core-public.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
| [SavedObjectError](./kibana-plugin-core-public.savedobjecterror.md) | |
| [SavedObjectReference](./kibana-plugin-core-public.savedobjectreference.md) | A reference to another saved object. |
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObject](./kibana-plugin-core-public.savedobject.md) &gt; [accessControl](./kibana-plugin-core-public.savedobject.accesscontrol.md)

## SavedObject.accessControl property

<b>Signature:</b>

```typescript
accessControl?: SavedObjectAccessControl;
```
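Review bot: the generated page for `SavedObject.accessControl` has no description because the property was added without a TSDoc comment; the interface table in the next file shows the same empty cell (`| [accessControl](...) | <code>SavedObjectAccessControl</code> | |`), and the server copy of the type has the same gap. `SavedObjectsBulkCreateObject.accessControl` in this commit already carries "The accessControl to associate with this saved object."; reuse that wording here and add one sentence on what an undefined value means for authorization, since the property is optional and readers will want to know how objects without an access control are treated.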
@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>

| Property | Type | Description |
| --- | --- | --- |
| [accessControl](./kibana-plugin-core-public.savedobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | |
| [attributes](./kibana-plugin-core-public.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
| [coreMigrationVersion](./kibana-plugin-core-public.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
| [error](./kibana-plugin-core-public.savedobject.error.md) | <code>SavedObjectError</code> | |
@@ -0,0 +1,20 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md)

## SavedObjectAccessControl interface

The "Access Control" describing which users should be authorized to access this SavedObject.

<b>Signature:</b>

```typescript
export interface SavedObjectAccessControl
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [owner](./kibana-plugin-core-public.savedobjectaccesscontrol.owner.md) | <code>string</code> | The owner of this SavedObject. |

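Review bot: `owner: string` is the only member of `SavedObjectAccessControl`, yet the interface description promises to describe "which users should be authorized to access this SavedObject"; state explicitly that phase 1 supports a single owner, and document what identifier `owner` holds (a plain username, a realm-qualified principal, or a profile uid) and how it is compared, since ownership checks will be decided by equality on this value and usernames are not unique across Elasticsearch realms. The server copy of the interface needs the same text.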
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md) &gt; [owner](./kibana-plugin-core-public.savedobjectaccesscontrol.owner.md)

## SavedObjectAccessControl.owner property

The owner of this SavedObject.

<b>Signature:</b>

```typescript
owner: string;
```
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectReferenceWithContext](./kibana-plugin-core-public.savedobjectreferencewithcontext.md) &gt; [accessControl](./kibana-plugin-core-public.savedobjectreferencewithcontext.accesscontrol.md)

## SavedObjectReferenceWithContext.accessControl property

The access control of the referenced object

<b>Signature:</b>

```typescript
accessControl?: SavedObjectAccessControl;
```
@@ -12,6 +12,7 @@ References to this object; note that this does not contain \_all inbound referen
inboundReferences: Array<{
type: string;
id: string;
accessControl?: SavedObjectAccessControl;
name: string;
}>;
```
@@ -16,8 +16,9 @@ export interface SavedObjectReferenceWithContext

| Property | Type | Description |
| --- | --- | --- |
| [accessControl](./kibana-plugin-core-public.savedobjectreferencewithcontext.accesscontrol.md) | <code>SavedObjectAccessControl</code> | The access control of the referenced object |
| [id](./kibana-plugin-core-public.savedobjectreferencewithcontext.id.md) | <code>string</code> | The ID of the referenced object |
| [inboundReferences](./kibana-plugin-core-public.savedobjectreferencewithcontext.inboundreferences.md) | <code>Array&lt;{</code><br/><code> type: string;</code><br/><code> id: string;</code><br/><code> name: string;</code><br/><code> }&gt;</code> | References to this object; note that this does not contain \_all inbound references everywhere for this object\_, it only contains inbound references for the scope of this operation |
| [inboundReferences](./kibana-plugin-core-public.savedobjectreferencewithcontext.inboundreferences.md) | <code>Array&lt;{</code><br/><code> type: string;</code><br/><code> id: string;</code><br/><code> accessControl?: SavedObjectAccessControl;</code><br/><code> name: string;</code><br/><code> }&gt;</code> | References to this object; note that this does not contain \_all inbound references everywhere for this object\_, it only contains inbound references for the scope of this operation |
| [isMissing](./kibana-plugin-core-public.savedobjectreferencewithcontext.ismissing.md) | <code>boolean</code> | Whether or not this object or reference is missing |
| [spaces](./kibana-plugin-core-public.savedobjectreferencewithcontext.spaces.md) | <code>string[]</code> | The space(s) that the referenced object exists in |
| [spacesWithMatchingAliases](./kibana-plugin-core-public.savedobjectreferencewithcontext.spaceswithmatchingaliases.md) | <code>string[]</code> | The space(s) that legacy URL aliases matching this type/id exist in |
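Review bot: adding `accessControl` to `SavedObjectReferenceWithContext` and to every `inboundReferences` entry returns the owner of each referenced object to whoever can run the reference-collection operation. If that operation can return references to objects the caller is not authorized to read, the owner's identity leaks through this field; confirm that is intended, or omit `accessControl` from entries the caller cannot access, and say which it is in the description ("The access control of the referenced object").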
3 changes: 3 additions & 0 deletions docs/development/core/server/kibana-plugin-core-server.md
@@ -149,6 +149,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [RouteValidatorConfig](./kibana-plugin-core-server.routevalidatorconfig.md) | The configuration object to the RouteValidator class. Set <code>params</code>, <code>query</code> and/or <code>body</code> to specify the validation logic to follow for that property. |
| [RouteValidatorOptions](./kibana-plugin-core-server.routevalidatoroptions.md) | Additional options for the RouteValidator class to modify its default behaviour. |
| [SavedObject](./kibana-plugin-core-server.savedobject.md) | |
| [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) | The "Access Control" describing which users should be authorized to access this SavedObject. |
| [SavedObjectAttributes](./kibana-plugin-core-server.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
| [SavedObjectExportBaseOptions](./kibana-plugin-core-server.savedobjectexportbaseoptions.md) | |
| [SavedObjectMigrationContext](./kibana-plugin-core-server.savedobjectmigrationcontext.md) | Migration context provided when invoking a [migration handler](./kibana-plugin-core-server.savedobjectmigrationfn.md) |
@@ -163,6 +164,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [SavedObjectsBulkUpdateOptions](./kibana-plugin-core-server.savedobjectsbulkupdateoptions.md) | |
| [SavedObjectsBulkUpdateResponse](./kibana-plugin-core-server.savedobjectsbulkupdateresponse.md) | |
| [SavedObjectsCheckConflictsObject](./kibana-plugin-core-server.savedobjectscheckconflictsobject.md) | |
| [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md) | |
| [SavedObjectsCheckConflictsResponse](./kibana-plugin-core-server.savedobjectscheckconflictsresponse.md) | |
| [SavedObjectsClientProviderOptions](./kibana-plugin-core-server.savedobjectsclientprovideroptions.md) | Options to control the creation of the Saved Objects Client. |
| [SavedObjectsClientWrapperOptions](./kibana-plugin-core-server.savedobjectsclientwrapperoptions.md) | Options passed to each SavedObjectsClientWrapperFactory to aid in creating the wrapper instance. |
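Review bot: `SavedObjectsCheckConflictsOptions` lands in the index with an empty description cell, and `SavedObjectsBulkCreateOptions` in the next hunk of this file has the same problem; the neighbouring `SavedObjectsClientProviderOptions` row shows the expected one-liner. Add TSDoc to both interfaces, and in particular say whether either carries anything access-control related, because options types are the surface that client wrappers inspect and pass through.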
@@ -318,6 +320,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
| [SavedObjectAttributeSingle](./kibana-plugin-core-server.savedobjectattributesingle.md) | Don't use this type, it's simply a helper type for [SavedObjectAttribute](./kibana-plugin-core-server.savedobjectattribute.md) |
| [SavedObjectMigrationFn](./kibana-plugin-core-server.savedobjectmigrationfn.md) | A migration function for a [saved object type](./kibana-plugin-core-server.savedobjectstype.md) used to migrate it to a given version |
| [SavedObjectSanitizedDoc](./kibana-plugin-core-server.savedobjectsanitizeddoc.md) | Describes Saved Object documents that have passed through the migration framework and are guaranteed to have a <code>references</code> root property. |
| [SavedObjectsBulkCreateOptions](./kibana-plugin-core-server.savedobjectsbulkcreateoptions.md) | |
| [SavedObjectsClientContract](./kibana-plugin-core-server.savedobjectsclientcontract.md) | Saved Objects is Kibana's data persisentence mechanism allowing plugins to use Elasticsearch for storing plugin state.<!-- -->\#\# SavedObjectsClient errors<!-- -->Since the SavedObjectsClient has its hands in everything we are a little paranoid about the way we present errors back to to application code. Ideally, all errors will be either:<!-- -->1. Caused by bad implementation (ie. undefined is not a function) and as such unpredictable 2. An error that has been classified and decorated appropriately by the decorators in [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md)<!-- -->Type 1 errors are inevitable, but since all expected/handle-able errors should be Type 2 the <code>isXYZError()</code> helpers exposed at <code>SavedObjectsErrorHelpers</code> should be used to understand and manage error responses from the <code>SavedObjectsClient</code>.<!-- -->Type 2 errors are decorated versions of the source error, so if the elasticsearch client threw an error it will be decorated based on its type. That means that rather than looking for <code>error.body.error.type</code> or doing substring checks on <code>error.body.error.reason</code>, just use the helpers to understand the meaning of the error:<!-- -->\`\`\`<!-- -->js if (SavedObjectsErrorHelpers.isNotFoundError(error)) { // handle 404 }<!-- -->if (SavedObjectsErrorHelpers.isNotAuthorizedError(error)) { // 401 handling should be automatic, but in case you wanted to know }<!-- -->// always rethrow the error unless you handle it throw error; \`\`\`<!-- -->\#\#\# 404s from missing index<!-- -->From the perspective of application code and APIs the SavedObjectsClient is a black box that persists objects. 
One of the internal details that users have no control over is that we use an elasticsearch index for persistance and that index might be missing.<!-- -->At the time of writing we are in the process of transitioning away from the operating assumption that the SavedObjects index is always available. Part of this transition is handling errors resulting from an index missing. These used to trigger a 500 error in most cases, and in others cause 404s with different error messages.<!-- -->From my (Spencer) perspective, a 404 from the SavedObjectsApi is a 404; The object the request/call was targeting could not be found. This is why \#14141 takes special care to ensure that 404 errors are generic and don't distinguish between index missing or document missing.<!-- -->See [SavedObjectsClient](./kibana-plugin-core-server.savedobjectsclient.md) See [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md) |
| [SavedObjectsClientFactory](./kibana-plugin-core-server.savedobjectsclientfactory.md) | Describes the factory used to create instances of the Saved Objects Client. |
| [SavedObjectsClientFactoryProvider](./kibana-plugin-core-server.savedobjectsclientfactoryprovider.md) | Provider to invoke to retrieve a [SavedObjectsClientFactory](./kibana-plugin-core-server.savedobjectsclientfactory.md)<!-- -->. |
@@ -0,0 +1,11 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObject](./kibana-plugin-core-server.savedobject.md) &gt; [accessControl](./kibana-plugin-core-server.savedobject.accesscontrol.md)

## SavedObject.accessControl property

<b>Signature:</b>

```typescript
accessControl?: SavedObjectAccessControl;
```
@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>

| Property | Type | Description |
| --- | --- | --- |
| [accessControl](./kibana-plugin-core-server.savedobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | |
| [attributes](./kibana-plugin-core-server.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
| [coreMigrationVersion](./kibana-plugin-core-server.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
| [error](./kibana-plugin-core-server.savedobject.error.md) | <code>SavedObjectError</code> | |
@@ -0,0 +1,20 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md)

## SavedObjectAccessControl interface

The "Access Control" describing which users should be authorized to access this SavedObject.

<b>Signature:</b>

```typescript
export interface SavedObjectAccessControl
```

## Properties

| Property | Type | Description |
| --- | --- | --- |
| [owner](./kibana-plugin-core-server.savedobjectaccesscontrol.owner.md) | <code>string</code> | The owner of this SavedObject. |

@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) &gt; [owner](./kibana-plugin-core-server.savedobjectaccesscontrol.owner.md)

## SavedObjectAccessControl.owner property

The owner of this SavedObject.

<b>Signature:</b>

```typescript
owner: string;
```
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectReferenceWithContext](./kibana-plugin-core-server.savedobjectreferencewithcontext.md) &gt; [accessControl](./kibana-plugin-core-server.savedobjectreferencewithcontext.accesscontrol.md)

## SavedObjectReferenceWithContext.accessControl property

The access control of the referenced object

<b>Signature:</b>

```typescript
accessControl?: SavedObjectAccessControl;
```
@@ -12,6 +12,7 @@ References to this object; note that this does not contain \_all inbound referen
inboundReferences: Array<{
type: string;
id: string;
accessControl?: SavedObjectAccessControl;
name: string;
}>;
```
@@ -16,8 +16,9 @@ export interface SavedObjectReferenceWithContext

| Property | Type | Description |
| --- | --- | --- |
| [accessControl](./kibana-plugin-core-server.savedobjectreferencewithcontext.accesscontrol.md) | <code>SavedObjectAccessControl</code> | The access control of the referenced object |
| [id](./kibana-plugin-core-server.savedobjectreferencewithcontext.id.md) | <code>string</code> | The ID of the referenced object |
| [inboundReferences](./kibana-plugin-core-server.savedobjectreferencewithcontext.inboundreferences.md) | <code>Array&lt;{</code><br/><code> type: string;</code><br/><code> id: string;</code><br/><code> name: string;</code><br/><code> }&gt;</code> | References to this object; note that this does not contain \_all inbound references everywhere for this object\_, it only contains inbound references for the scope of this operation |
| [inboundReferences](./kibana-plugin-core-server.savedobjectreferencewithcontext.inboundreferences.md) | <code>Array&lt;{</code><br/><code> type: string;</code><br/><code> id: string;</code><br/><code> accessControl?: SavedObjectAccessControl;</code><br/><code> name: string;</code><br/><code> }&gt;</code> | References to this object; note that this does not contain \_all inbound references everywhere for this object\_, it only contains inbound references for the scope of this operation |
| [isMissing](./kibana-plugin-core-server.savedobjectreferencewithcontext.ismissing.md) | <code>boolean</code> | Whether or not this object or reference is missing |
| [spaces](./kibana-plugin-core-server.savedobjectreferencewithcontext.spaces.md) | <code>string[]</code> | The space(s) that the referenced object exists in |
| [spacesWithMatchingAliases](./kibana-plugin-core-server.savedobjectreferencewithcontext.spaceswithmatchingaliases.md) | <code>string[]</code> | The space(s) that legacy URL aliases matching this type/id exist in |
@@ -0,0 +1,13 @@
<!-- Do not edit this file. It is automatically generated by API Documenter. -->

[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsBulkCreateObject](./kibana-plugin-core-server.savedobjectsbulkcreateobject.md) &gt; [accessControl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.accesscontrol.md)

## SavedObjectsBulkCreateObject.accessControl property

The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object.

<b>Signature:</b>

```typescript
accessControl?: SavedObjectAccessControl;
```
@@ -15,6 +15,7 @@ export interface SavedObjectsBulkCreateObject<T = unknown>

| Property | Type | Description |
| --- | --- | --- |
| [accessControl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object. |
| [attributes](./kibana-plugin-core-server.savedobjectsbulkcreateobject.attributes.md) | <code>T</code> | |
| [coreMigrationVersion](./kibana-plugin-core-server.savedobjectsbulkcreateobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. If undefined, this will be automatically set to the current Kibana version when the object is created. If this is set to a non-semver value, or it is set to a semver value greater than the current Kibana version, it will result in an error. |
| [id](./kibana-plugin-core-server.savedobjectsbulkcreateobject.id.md) | <code>string</code> | |
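Review bot: `SavedObjectsBulkCreateObject.accessControl` lets the caller supply the `owner` of a new object, and the description ("The accessControl to associate with this saved object.") does not say whether the server verifies that the supplied owner is the authenticated user or overwrites it. Without such a check, anyone permitted to create objects of a type could assign ownership to another user; document the enforced behaviour here so wrapper and route authors know what they can rely on.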