[Alerting][Connectors] Export rules and connectors

[ymao1]

This issue covers the export portion of importing/exporting rules and connectors. We want to be able to export rules and connectors from the saved object management page.

1. Export rules

Set rules to exportable when registering the alert saved object type. Add an onExport hook that sets the rule to disabled and sensitive values within the rule to null before exporting.

The following fields should be modified on export:

• enabled: false
• apiKey: null
• apiKeyOwner: null
• scheduledTaskId: null

What should we do with the alert execution status? Would lastExecutionDate make sense on a new kibana instance? Should we clear it out and reset the execution status altogether?

2. Export connectors

Set connectors to exportable when registering the action saved object type. Add an onExport hook that sets the connector to disabled and secret values to null before exporting.

The following fields should be modified on export:

• isMissingSecrets: true
• secrets: null

There are some connectors (server log & es index, example) that have no secrets. It would be nice to not disable these so they can be ready to use right after import. There are also some connectors that have optional secrets (webhook & email, if hasAuth is enabled, for example). If the secret is not required, then the flag should not be set on export.

3. Audit log entry for exports

Based on this comment and the ensuring discussion, we should be generating alerting/action specific audit log entries on export so the exports don't just show up as generic saved object actions.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[ymao1]

Blocked by #94106

[ymao1]

Access to hidden saved object types is controlled by feature privileges for users with limited roles. Giving a user access to the "Actions and Connectors" privilege allows them to see connectors in the saved object management page. Since alerting doesn't have its own privilege, @legrego suggested adding alert to the Saved Objects Management privilege. This means a user with the ability to manage saved objects will be able to export all rules, even if they don't have specific privileges to create them.

The update would be done here by adding 'alert' to the [...savedObjectTypes] array

kibana/x-pack/plugins/features/server/oss_features.ts

Lines 398 to 441 in 2660362

	{
	id: 'savedObjectsManagement',
	name: i18n.translate('xpack.features.savedObjectsManagementFeatureName', {
	defaultMessage: 'Saved Objects Management',
	}),
	order: 1700,
	category: DEFAULT_APP_CATEGORIES.management,
	app: ['kibana'],
	catalogue: ['saved_objects'],
	management: {
	kibana: ['objects'],
	},
	privileges: {
	all: {
	app: ['kibana'],
	catalogue: ['saved_objects'],
	management: {
	kibana: ['objects'],
	},
	api: ['copySavedObjectsToSpaces'],
	savedObject: {
	all: [...savedObjectTypes],
	read: [],
	},
	ui: ['read', 'edit', 'delete', 'copyIntoSpace', 'shareIntoSpace'],
	},
	read: {
	app: ['kibana'],
	catalogue: ['saved_objects'],
	management: {
	kibana: ['objects'],
	},
	api: ['copySavedObjectsToSpaces'],
	savedObject: {
	all: [],
	read: [...savedObjectTypes],
	},
	ui: ['read'],
	},
	},
	},
	...(includeTimelion ? [timelionFeature] : []),
	] as KibanaFeatureConfig[];
	};

[mikecote]

Access to hidden saved object types is controlled by feature privileges for users with limited roles. Giving a user access to the "Actions and Connectors" privilege allows them to see connectors in the saved object management page.

This is interesting. Is this something specific to hidden types in saved objects management?

[ymao1]

Yes, right now the Saved Objects Management privilege explicitly gives access to "visible types", so if a user only had access to Saved Objects Management, they would not see rules or connectors or any other hidden types. Adding the Actions and Connectors privilege gives access to the action type but there's no privilege currently that gives access to the alert type. I think this is probably unique to the alert hidden type only because Alerting doesn't have an explicit privilege and we depend on the privileges of the alerting rule producers.

[mikecote]

I see now, thanks!

I wonder if the user will understand this limitation for alerts and connectors (mostly connectors) or if we should auto-grant access to both when a role has the SO management feature. That way if they don't have the connectors privilege, they would see those automatically.

[ymao1]

That's definitely an option! I think it's not as confusing for actions because if you don't have the connectors privilege you don't see the connectors tab at all and are unable to add any actions, whereas if you had the stack alerts privilege and were able to create rules and see the rule management page, it would be confusing why you can't see them in Saved Objects Management

[legrego]

Based on an earlier conversation, my understanding is that we would update the saved objects management privilege to grant access to all exportable types, even if they were hidden.

If that's still the path we plan on taking, then I think it addresses the inconsistency/potential confustion.

[ymao1]

@legrego I see that was added in the POC. It looks like this PR got merged recently to allow import/export of hidden types but it did not include updating the saved objects management privilege. Should I create an issue for this?

[legrego]

@legrego I see that was added in the POC. It looks like this PR got merged recently to allow import/export of hidden types but it did not include updating the saved objects management privilege. Should I create an issue for this?

Good question -- @Bamieh do you have any insight here?

[ymao1]

PR for #94106 is open so removing blocked label since you can branch off the PR