[Infra][ECO] Fix RBAC issue in hosts view

[crespocarlos]

closes #200151

Summary

This PR change the getApmIndices function from apm_data_access to fetch the information using Kibana's internal user. This was done for 2 reasons:

1 - Plugins using savedObjects.client might face a situation where the logged in user doesn't have permission to read saved objects, causing the retrieval of apm indices to fail, which could lead to unexpected exceptions
2 - Elasticsearch is able to determine whether the user has permission to view docs in the index patterns, therefore, it's ok to retrieve the index pattern with Kibana's internal user because ultimately elasticsearch will only return the data the user has access to.

Infra app permission

Role config:

Without access to APM indices

With access to APM indices

Admin

How to test

• Follow the steps above
• Other areas affected: assistant and profiling

[crespocarlos]

/ci

[crespocarlos]

/ci

[crespocarlos]

/ci

[crespocarlos]

/ci

[crespocarlos]

/ci

[elasticmachine]

Pinging @elastic/obs-ux-infra_services-team (Team:obs-ux-infra_services)

[crespocarlos]

@elasticmachine merge upstream

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[jennypavlova]

The code LGTM 🚀
One security concern: I am not sure if that's related to the change but if the user is restricted to read everything in observability except APM and has restricted indices he is still able to see the services in the details view (the link won't navigate to APM because the user doesn't have the permission - it will be Application not found) but should we still show the services section/name in the host view if we set that restriction (no APM UI/Indecies access)?
The role I created to test this case:

no_apm_permission.mov

This could be something to address separately from this PR

[crespocarlos]

The code LGTM 🚀 One security concern: I am not sure if that's related to the change but if the user is restricted to read everything in observability except APM and has restricted indices he is still able to see the services in the details view (the link won't navigate to APM because the user doesn't have the permission - it will be Application not found) but should we still show the services section/name in the host view if we set that restriction (no APM UI/Indecies access)?

This could be something to address separately from this PR

Hey @jennypavlova, great finding. In such cases we should IMO show the services but not link to APM. Users can still query for APM data in Discover, so the data is not restricted. What is restricted in your scenario is the access to APM app.

edit: let's open a new ticket for this problem

[crespocarlos]

@elasticmachine merge upstream

[crespocarlos]

@elasticmachine merge upstream

[rudolf]

Changes to x-pack/plugins/observability_solution/apm_data_access/kibana.jsonc lgtm

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: e8903b2
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-199841-e8903b2b3be2

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
apmDataAccess	93	86	-7

Unknown metric groups

API count

id	before	after	diff
apmDataAccess	93	86	-7

ESLint disabled line counts

id	before	after	diff
apmDataAccess	0	1	+1

Total ESLint disabled count

id	before	after	diff
apmDataAccess	1	2	+1

History

• 💛 Build #252690 was flaky 3fa96de
• 💔 Build #252628 failed aa12aa5
• 💚 Build #251787 succeeded 9db942b
• 💛 Build #251306 was flaky 45414dd
• 💔 Build #251245 failed 914bff5

[kibanamachine]

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11952856046

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.x	Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 199841

Questions ?

Please refer to the Backport tool documentation

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 199841 locally