elastic · yctercero · Mar 31, 2021 · Mar 31, 2021 · Apr 1, 2021 · Apr 2, 2021
diff --git a/x-pack/plugins/apm/common/alert_types.ts b/x-pack/plugins/apm/common/alert_types.ts
@@ -10,6 +10,8 @@ import type { ValuesType } from 'utility-types';
 import type { ActionGroup } from '../../alerting/common';
 import { ANOMALY_SEVERITY, ANOMALY_THRESHOLD } from './ml_constants';
 
+export const APM_SERVER_FEATURE_ID = 'apm';
+
 export enum AlertType {
   ErrorCount = 'apm.error_rate', // ErrorRate was renamed to ErrorCount but the key is kept as `error_rate` for backwards-compat.
   TransactionErrorRate = 'apm.transaction_error_rate',
@@ -43,7 +45,7 @@ export const ALERT_TYPES_CONFIG: Record<
     actionGroups: [THRESHOLD_MET_GROUP],
     defaultActionGroupId: THRESHOLD_MET_GROUP_ID,
     minimumLicenseRequired: 'basic',
-    producer: 'apm',
+    producer: APM_SERVER_FEATURE_ID,
   },
   [AlertType.TransactionDuration]: {
     name: i18n.translate('xpack.apm.transactionDurationAlert.name', {
@@ -52,7 +54,7 @@ export const ALERT_TYPES_CONFIG: Record<
     actionGroups: [THRESHOLD_MET_GROUP],
     defaultActionGroupId: THRESHOLD_MET_GROUP_ID,
     minimumLicenseRequired: 'basic',
-    producer: 'apm',
+    producer: APM_SERVER_FEATURE_ID,
   },
   [AlertType.TransactionDurationAnomaly]: {
     name: i18n.translate('xpack.apm.transactionDurationAnomalyAlert.name', {
@@ -61,7 +63,7 @@ export const ALERT_TYPES_CONFIG: Record<
     actionGroups: [THRESHOLD_MET_GROUP],
     defaultActionGroupId: THRESHOLD_MET_GROUP_ID,
     minimumLicenseRequired: 'basic',
-    producer: 'apm',
+    producer: APM_SERVER_FEATURE_ID,
   },
   [AlertType.TransactionErrorRate]: {
     name: i18n.translate('xpack.apm.transactionErrorRateAlert.name', {
@@ -70,7 +72,7 @@ export const ALERT_TYPES_CONFIG: Record<
     actionGroups: [THRESHOLD_MET_GROUP],
     defaultActionGroupId: THRESHOLD_MET_GROUP_ID,
     minimumLicenseRequired: 'basic',
-    producer: 'apm',
+    producer: APM_SERVER_FEATURE_ID,
   },
 };
 

diff --git a/x-pack/plugins/apm/public/components/alerting/alerting_flyout/index.tsx b/x-pack/plugins/apm/public/components/alerting/alerting_flyout/index.tsx
@@ -8,7 +8,10 @@
 import React, { useCallback, useMemo } from 'react';
 import { useParams } from 'react-router-dom';
 import { useKibana } from '../../../../../../../src/plugins/kibana_react/public';
-import { AlertType } from '../../../../common/alert_types';
+import {
+  AlertType,
+  APM_SERVER_FEATURE_ID,
+} from '../../../../common/alert_types';
 import { getInitialAlertValues } from '../get_initial_alert_values';
 import { TriggersAndActionsUIPublicPluginStart } from '../../../../../triggers_actions_ui/public';
 interface Props {
@@ -38,7 +41,7 @@ export function AlertingFlyout(props: Props) {
     () =>
       alertType &&
       triggersActionsUi.getAddAlertFlyout({
-        consumer: 'apm',
+        consumer: APM_SERVER_FEATURE_ID,
         onClose: onCloseAddFlyout,
         alertTypeId: alertType,
         canChangeTrigger: false,

diff --git a/x-pack/plugins/apm/server/feature.ts b/x-pack/plugins/apm/server/feature.ts
@@ -7,15 +7,15 @@
 
 import { i18n } from '@kbn/i18n';
 import { LicenseType } from '../../licensing/common/types';
-import { AlertType } from '../common/alert_types';
+import { AlertType, APM_SERVER_FEATURE_ID } from '../common/alert_types';
 import { DEFAULT_APP_CATEGORIES } from '../../../../src/core/server';
 import {
   LicensingPluginSetup,
   LicensingApiRequestHandlerContext,
 } from '../../licensing/server';
 
 export const APM_FEATURE = {
-  id: 'apm',
+  id: APM_SERVER_FEATURE_ID,
   name: i18n.translate('xpack.apm.featureRegistry.apmFeatureName', {
     defaultMessage: 'APM and User Experience',
   }),

diff --git a/x-pack/plugins/apm/server/index.ts b/x-pack/plugins/apm/server/index.ts
@@ -120,6 +120,7 @@ export function mergeConfigs(
 export const plugin = (initContext: PluginInitializerContext) =>
   new APMPlugin(initContext);
 
+export { APM_SERVER_FEATURE_ID } from '../common/alert_types';
 export { APMPlugin } from './plugin';
 export { APMPluginSetup } from './types';
 export { APMServerRouteRepository } from './routes/get_global_apm_server_route_repository';

diff --git a/x-pack/plugins/apm/server/lib/alerts/register_error_count_alert_type.ts b/x-pack/plugins/apm/server/lib/alerts/register_error_count_alert_type.ts
@@ -22,6 +22,7 @@ import { apmActionVariables } from './action_variables';
 import { alertingEsClient } from './alerting_es_client';
 import { RegisterRuleDependencies } from './register_apm_alerts';
 import { createAPMLifecycleRuleType } from './create_apm_lifecycle_rule_type';
+import { APM_SERVER_FEATURE_ID } from '../../../common/alert_types';
 
 const paramsSchema = schema.object({
   windowSize: schema.number(),
@@ -55,7 +56,7 @@ export function registerErrorCountAlertType({
           apmActionVariables.interval,
         ],
       },
-      producer: 'apm',
+      producer: APM_SERVER_FEATURE_ID,
       minimumLicenseRequired: 'basic',
       executor: async ({ services, params }) => {
         const config = await config$.pipe(take(1)).toPromise();

diff --git a/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_alert_type.ts b/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_alert_type.ts
@@ -9,7 +9,11 @@ import { schema } from '@kbn/config-schema';
 import { take } from 'rxjs/operators';
 import { QueryContainer } from '@elastic/elasticsearch/api/types';
 import { parseEnvironmentUrlParam } from '../../../common/environment_filter_values';
-import { AlertType, ALERT_TYPES_CONFIG } from '../../../common/alert_types';
+import {
+  AlertType,
+  ALERT_TYPES_CONFIG,
+  APM_SERVER_FEATURE_ID,
+} from '../../../common/alert_types';
 import {
   PROCESSOR_EVENT,
   SERVICE_ENVIRONMENT,
@@ -65,7 +69,7 @@ export function registerTransactionDurationAlertType({
           apmActionVariables.interval,
         ],
       },
-      producer: 'apm',
+      producer: APM_SERVER_FEATURE_ID,
       minimumLicenseRequired: 'basic',
       executor: async ({ services, params }) => {
         const config = await config$.pipe(take(1)).toPromise();

diff --git a/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_anomaly_alert_type.ts b/x-pack/plugins/apm/server/lib/alerts/register_transaction_duration_anomaly_alert_type.ts
@@ -24,6 +24,7 @@ import {
   AlertType,
   ALERT_TYPES_CONFIG,
   ANOMALY_ALERT_SEVERITY_TYPES,
+  APM_SERVER_FEATURE_ID,
 } from '../../../common/alert_types';
 import { getMLJobs } from '../service_map/get_service_anomalies';
 import { apmActionVariables } from './action_variables';
@@ -70,7 +71,7 @@ export function registerTransactionDurationAnomalyAlertType({
           apmActionVariables.triggerValue,
         ],
       },
-      producer: 'apm',
+      producer: APM_SERVER_FEATURE_ID,
       minimumLicenseRequired: 'basic',
       executor: async ({ services, params }) => {
         if (!ml) {

diff --git a/x-pack/plugins/apm/server/lib/alerts/register_transaction_error_rate_alert_type.ts b/x-pack/plugins/apm/server/lib/alerts/register_transaction_error_rate_alert_type.ts
@@ -7,7 +7,11 @@
 
 import { schema } from '@kbn/config-schema';
 import { take } from 'rxjs/operators';
-import { AlertType, ALERT_TYPES_CONFIG } from '../../../common/alert_types';
+import {
+  AlertType,
+  ALERT_TYPES_CONFIG,
+  APM_SERVER_FEATURE_ID,
+} from '../../../common/alert_types';
 import {
   EVENT_OUTCOME,
   PROCESSOR_EVENT,
@@ -59,7 +63,7 @@ export function registerTransactionErrorRateAlertType({
           apmActionVariables.interval,
         ],
       },
-      producer: 'apm',
+      producer: APM_SERVER_FEATURE_ID,
       minimumLicenseRequired: 'basic',
       executor: async ({ services, params: alertParams }) => {
         const config = await config$.pipe(take(1)).toPromise();

diff --git a/x-pack/plugins/features/common/feature_kibana_privileges.ts b/x-pack/plugins/features/common/feature_kibana_privileges.ts
@@ -104,6 +104,34 @@ export interface FeatureKibanaPrivileges {
      */
     read?: readonly string[];
   };
+
+  /**
+   * Solutions should specify owners of alerts here which will provide the solution read / write access to those alerts.
+   */
+  rac?: {
 alerting: { 
 alerting: { 
+    /**
+     * List of owners of alerts which users should have full read/write access to when granted this privilege.
+     * @example
+     * ```ts
+     *  {
+     *    all: ['securitySolution']
+     *  }
+     * ```
+     */
+    all?: readonly string[];
+
+    /**
+     * List of owners of alerts which users should have read-only access to when granted this privilege.
+     * @example
+     * ```ts
+     *  {
+     *    read: ['securitySolution', 'observability']
+     *  }
+     * ```
+     */
+    read?: readonly string[];
+  };
+
   /**
    * If your feature requires access to specific saved objects, then specify your access needs here.
    */

diff --git a/x-pack/plugins/features/common/kibana_feature.ts b/x-pack/plugins/features/common/kibana_feature.ts
@@ -98,6 +98,11 @@ export interface KibanaFeatureConfig {
    */
   alerting?: readonly string[];
 
+  /**
+   * If your feature grants access to specific alerts, you can specify them here to control visibility based on the current space.
+   */
+  rac?: readonly string[];
+
   /**
    * Feature privilege definition.
    *
@@ -191,6 +196,10 @@ export class KibanaFeature {
     return this.config.reserved;
   }
 
+  public get rac() {
+    return this.config.rac;
+  }
+
   public toRaw() {
     return { ...this.config } as KibanaFeatureConfig;
   }

diff --git a/x-pack/plugins/features/server/feature_schema.ts b/x-pack/plugins/features/server/feature_schema.ts
@@ -33,6 +33,7 @@ const managementSchema = Joi.object().pattern(
 );
 const catalogueSchema = Joi.array().items(Joi.string().regex(uiCapabilitiesRegex));
 const alertingSchema = Joi.array().items(Joi.string());
+const racSchema = Joi.array().items(Joi.string());
 
 const appCategorySchema = Joi.object({
   id: Joi.string().required(),
@@ -56,6 +57,10 @@ const kibanaPrivilegeSchema = Joi.object({
     all: Joi.array().items(Joi.string()).required(),
     read: Joi.array().items(Joi.string()).required(),
   }).required(),
+  rac: Joi.object({
+    all: racSchema,
+    read: racSchema,
+  }),
   ui: Joi.array().items(Joi.string().regex(uiCapabilitiesRegex)).required(),
 });
 
@@ -113,6 +118,7 @@ const kibanaFeatureSchema = Joi.object({
   management: managementSchema,
   catalogue: catalogueSchema,
   alerting: alertingSchema,
+  rac: racSchema,
   privileges: Joi.object({
     all: kibanaPrivilegeSchema,
     read: kibanaPrivilegeSchema,
@@ -161,7 +167,7 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
     throw validateResult.error;
   }
   // the following validation can't be enforced by the Joi schema, since it'd require us looking "up" the object graph for the list of valid value, which they explicitly forbid.
-  const { app = [], management = {}, catalogue = [], alerting = [] } = feature;
+  const { app = [], management = {}, catalogue = [], alerting = [], rac = [] } = feature;
 
   const unseenApps = new Set(app);
 
@@ -176,6 +182,8 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
 
   const unseenAlertTypes = new Set(alerting);
 
+  const unseenRacTypes = new Set(rac);
+
   function validateAppEntry(privilegeId: string, entry: readonly string[] = []) {
     entry.forEach((privilegeApp) => unseenApps.delete(privilegeApp));
 
@@ -219,6 +227,23 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
     }
   }
 
+  function validateRacEntry(privilegeId: string, entry: FeatureKibanaPrivileges['rac']) {
+    const all = entry?.all ?? [];
+    const read = entry?.read ?? [];
+
+    all.forEach((privilegeOwner) => unseenRacTypes.delete(privilegeOwner));
+    read.forEach((privilegeOwner) => unseenRacTypes.delete(privilegeOwner));
+
+    const unknownRacEntries = difference([...all, ...read], rac);
+    if (unknownRacEntries.length > 0) {
+      throw new Error(
+        `Feature privilege ${
+          feature.id
+        }.${privilegeId} has unknown rac entries: ${unknownRacEntries.join(', ')}`
+      );
+    }
+  }
+
   function validateManagementEntry(
     privilegeId: string,
     managementEntry: Record<string, readonly string[]> = {}
@@ -280,6 +305,8 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
 
     validateManagementEntry(privilegeId, privilegeDefinition.management);
     validateAlertingEntry(privilegeId, privilegeDefinition.alerting);
+
+    // validateRacEntry(privilegeId, privilegeDefinition.rac);
   });
 
   const subFeatureEntries = feature.subFeatures ?? [];
@@ -290,6 +317,7 @@ export function validateKibanaFeature(feature: KibanaFeatureConfig) {
         validateCatalogueEntry(subFeaturePrivilege.id, subFeaturePrivilege.catalogue);
         validateManagementEntry(subFeaturePrivilege.id, subFeaturePrivilege.management);
         validateAlertingEntry(subFeaturePrivilege.id, subFeaturePrivilege.alerting);
+        // validateRacEntry(subFeaturePrivilege.id, subFeaturePrivilege.rac);
       });
     });
   });

diff --git a/x-pack/plugins/monitoring/kibana.json b/x-pack/plugins/monitoring/kibana.json
@@ -6,6 +6,7 @@
   "requiredPlugins": [
     "licensing",
     "features",
+    "ruleRegistry",
     "data",
     "navigation",
     "kibanaLegacy",

diff --git a/x-pack/plugins/monitoring/server/plugin.ts b/x-pack/plugins/monitoring/server/plugin.ts
@@ -176,6 +176,19 @@ export class MonitoringPlugin
         logger: this.log,
       });
       initInfraSource(config, plugins.infra);
+      router.get({ path: '/monitoring-myfakepath', validate: false }, async (context, req, res) => {
+        try {
+          const racClient = await context.ruleRegistry?.getRacClient();
+          const thing = await racClient?.find({ owner: 'observability' });
+          console.error('THE THING!!!', JSON.stringify(thing.body, null, 2));
+          return res.ok({ body: { success: true, alerts: thing.body.hits.hits } });
+        } catch (err) {
+          console.error('monitoring route threw an error');
+          console.error(err);
+          return res.unauthorized({ body: { message: err.message } });
+          // return res.customError({ statusCode: err.statusCode, body: { message: err.message } });
+        }
+      });
     }
 
     return {
@@ -244,8 +257,30 @@ export class MonitoringPlugin
       }),
       category: DEFAULT_APP_CATEGORIES.management,
       app: ['monitoring', 'kibana'],
+      rac: ['observability'],
       catalogue: ['monitoring'],
-      privileges: null,
+      privileges: {
+        all: {
+          rac: {
+            all: ['observability'],
+          },
+          savedObject: {
+            all: [],
+            read: [],
+          },
+          ui: ['show', 'save', 'alerting:show', 'alerting:save'],
+        },
+        read: {
+          rac: {
+            all: ['observability'],
+          },
+          savedObject: {
+            all: [],
+            read: [],
+          },
+          ui: ['show', 'save', 'alerting:show', 'alerting:save'],
+        },
+      },
       alerting: ALERTS,
       reserved: {
         description: i18n.translate('xpack.monitoring.feature.reserved.description', {

diff --git a/x-pack/plugins/monitoring/server/types.ts b/x-pack/plugins/monitoring/server/types.ts
@@ -21,6 +21,7 @@ import type {
   ActionsApiRequestHandlerContext,
 } from '../../actions/server';
 import type { AlertingApiRequestHandlerContext } from '../../alerting/server';
+import { RacApiRequestHandlerContext } from '../../rule_registry/server';
 import {
   PluginStartContract as AlertingPluginStartContract,
   PluginSetupContract as AlertingPluginSetupContract,
@@ -58,6 +59,7 @@ export interface RequestHandlerContextMonitoringPlugin extends RequestHandlerCon
   actions?: ActionsApiRequestHandlerContext;
   alerting?: AlertingApiRequestHandlerContext;
   infra: InfraRequestHandlerContext;
+  ruleRegistry?: RacApiRequestHandlerContext;
 }
 
 export interface PluginsStart {