Register kibana_dashboard_only_user and kibana_user roles deprecations in UA.

[azasypkin]

Summary

Register kibana_dashboard_only_user and kibana_user roles deprecations in UA.

Screenshots

There are 2 different deprecations, but each affects 2 slightly different parts of the Kibana (users and role mappings) and hence will be handled differently. That's why we see 2 pairs of entries with the same title in the main Upgrade Assistant list view. The detailed description, as you'll see below, is different for every entry though:

Detailed view for list entry №1:

Detailed view for list entry №2:

Detailed view for list entry №3:

Detailed view for list entry №4:

**Previous screenshots**

Detailed view for list entry №1:

Detailed view for list entry №2:

Detailed view for list entry №3:

Detailed view for list entry №4:

Fixes #81690
Fixes #54755
Fixes #42853

[azasypkin]

NOTE to myself: We all should agree how we use quotes/brackets in UA messages (always use " maybe?). Right now we have this (and it looks awful):

• Setting "plugins.scanDirs" is deprecated
• Config key [monitoring.cluster_alerts.email_notifications.email_address] will be required
• Set 'xpack.reporting.roles.enabled' to
• The `kibana_dashboard_only_user` role is removed
• xpack.reporting has a deprecated setting

cc @gchaps (Sorry for the noise, just noticed we already mandate using " for setting names in Deprecation messages guidelines 🎉, I assume we should use " for reserved terms and user/role names too? )

[azasypkin]

note: I don't try to analyze Advanced Settings to figure out if users change default role for the Dashboard only mode as it turned out to be a non-trivial task: as far as I'm aware we cannot use UI Settings client to retrieve settings from all spaces, and at the same time we cannot use SO Client directly since we need to account for UI Settings overrides coming from predefined defaults and kibana.yml. It feels like the amount of complexity wouldn't be justified for this deprecation.

[azasypkin]

note: I use the same title for all cases, including fetch_error. It feels reasonable to me since we know what deprecation exactly we want to handled, but I'm not sure if we have any best practices here.

[jportner]

I think using the same title for all cases is fine. The title isn't even shown for the fetch error anyway.

I'd personally recommend moving the translation to the top level scope so you're only defining it once.

[azasypkin]

I'd personally recommend moving the translation to the top level scope so you're only defining it once.

IIRC i18n might not work well with any label you define at the file level (it will always be in English) since file require may happen before we asynchronously initialize translations in i18n (it's OK for the client side though). I haven't heard of it being improved, but my knowledge may be outdated.

But we can have a global function to return this label, I'll go this route.

[jportner]

IIRC i18n might not work well with any label you define at the file level (it will always be in English) since file require may happen before we asynchronously initialize translations in i18n (it's OK for the client side though). I haven't heard of it being improved, but my knowledge may be outdated.

TIL!

[azasypkin]

question: if I understand correctly we should not use critical here since it doesn't really blocks upgrade?

[azasypkin]

note: I split role mappings and users related cases in two separate deprecation entries. I don't like that it has the same name in the UA table, but apart from that the finer granularity fits nicely here (since user needs to use different screens during manual resolution).

[azasypkin]

note: I'd better suggest using custom roles with more precise Kibana privileges set, and only use kibana_admin as the last resort, but I couldn't figure out how to keep it short, concise and not confusing.

[jportner]

I agree, let's keep it simple

[azasypkin]

Hey @jportner , would you mind giving a preliminary feedback here? Handling of these two deprecations cover quite a few use cases (e.g. failure to perform a deprecation check, quick resolve action etc.) we may see in other places too, and it'd be great to have a formal agreement on how we handle all these cases.

[azasypkin]

question: are we concerned with mentioning user names in the logs in this case?

[jportner]

Seeing as these are debug logs, and they will only be generated by authorized users who use the upgrade assistant, I think this is OK.

[jportner]

I'm planning to review this when I return on Sep 27 👍

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jportner]

Time got away from me today, will plan to review first thing tomorrow 👍

[jportner]

A couple of nits on wording and docs links, other than that I think this is ready!

[jportner]

I suggest shortening this

Suggested change

	defaultMessage:
	'The "{userRoleName}" role is deprecated. Use "{adminRoleName}" role instead.',
	values: { userRoleName: KIBANA_USER_ROLE_NAME, adminRoleName: KIBANA_ADMIN_ROLE_NAME },
	defaultMessage: 'The "{userRoleName}" role is deprecated',
	values: { userRoleName: KIBANA_USER_ROLE_NAME },

[azasypkin]

It was actually inspired by the example from deprecation guide: The timezone Xyz used by Rollup job Abc is deprecated. Use Tz instead.. But I'm fine with either honestly - will change.

[jportner]

s/a/the/

Suggested change

	'Use a "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',
	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',

[jportner]

I think it would be better to direct users to the "Built-in roles" page, which describes both the deprecated role and the new one:

Suggested change

	documentationUrl: `https://www.elastic.co/guide/en/kibana/${packageInfo.branch}/xpack-security-authorization.html`,
	documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${packageInfo.branch}/built-in-roles.html`,

[azasypkin]

Agree!

[jportner]

Same as above

Suggested change

	defaultMessage:
	'The "{userRoleName}" role is deprecated. Use "{adminRoleName}" role instead.',
	values: { userRoleName: KIBANA_USER_ROLE_NAME, adminRoleName: KIBANA_ADMIN_ROLE_NAME },
	defaultMessage: 'The "{userRoleName}" role is deprecated',
	values: { userRoleName: KIBANA_USER_ROLE_NAME },

[jportner]

Same as above

Suggested change

	'Use a "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',
	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',

[jportner]

Same as above

Suggested change

	documentationUrl: `https://www.elastic.co/guide/en/kibana/${packageInfo.branch}/xpack-security-authorization.html`,
	documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${packageInfo.branch}/built-in-roles.html`,

[jportner]

Sorry to ask you to change this again:

Suggested change

	documentationUrl: `https://www.elastic.co/guide/en/kibana/${packageInfo.branch}/xpack-dashboard-only-mode.html`,
	documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${packageInfo.branch}/built-in-roles.html`,

[jportner]

Same as above

Suggested change

	documentationUrl: `https://www.elastic.co/guide/en/kibana/${packageInfo.branch}/xpack-dashboard-only-mode.html`,
	documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${packageInfo.branch}/built-in-roles.html`,

[jportner]

I missed this in my review! Since it uses the same i18n key, the defaultMessage needs to be the same:

Suggested change

	defaultMessage: 'The "{userRoleName}" role is deprecated. Use "{adminRoleName}" role instead.',
	values: { userRoleName: KIBANA_USER_ROLE_NAME, adminRoleName: KIBANA_ADMIN_ROLE_NAME },
	defaultMessage: 'The "{userRoleName}" role is deprecated',
	values: { userRoleName: KIBANA_USER_ROLE_NAME },

[jportner]

Sorry, I messed up a couple things in my previous review, see below 🙈

[jportner]

I'm so sorry, I messed up. I forgot that we aren't actually removing the kibana_user role in 8.0 (see #111160).

So we should probably change this message accordingly:

Suggested change

	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',
	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in a future release.',

[azasypkin]

Great catch, thanks! I should have read this table more attentively.

[jportner]

Same as above

Suggested change

	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in 8.0.',
	'Use the "{adminRoleName}" role to grant access to all Kibana features in all spaces. The "{userRoleName}" role will be removed in a future release.',

[azasypkin]

Fixed and updated screenshots

[gchaps]

With help from @jportner, here are some edits:

---

(No 1)

The "kibana_dashboard_only_user" role is deprecated

Users with the "kibana_dashboard_only_user" role will not be able to access the Dashboard app. Use Kibana privileges instead.

1. Create a custom role with Kibana privileges to grant access to Dashboard only.
2. Remove the "kibana_dashboard_only_user" role from all users and add the custom role. The affected users are:

---

(No 2)

The "kibana_dashboard_only_user" role is deprecated

Users with the "kibana_dashboard_only_user" role will not be able to access the Dashboard app. Use Kibana privileges instead.

1. Create a custom role with Kibana privileges to grant access to Dashboard only.
2. Remove the "kibana_dashboard_only_user" role from all role mappings and add the custom role. The affected users are:

---

(No 3)

The "kibana_user" role is deprecated

Use the "kibana_admin" role to grant access to all Kibana features in all spaces.

Remove the "kibana_user" role from all users and add the "kibana_admin" role. The affected users are:

---

(No 4)

The "kibana_user" role is deprecated

Use the "kibana_admin" role to grant access to all Kibana features in all spaces.

Remove the "kibana_user" role from all role mappings and add the "kibana_admin" role. The affected role mappings are:

---

Note

I removed the line "xxx will be removed in a future release." Our guidelines say "You do not need to include any form of "and will be removed in a future release".

If an item is deprecated, but won’t be removed in the next major version, the message should indicate that:

Note: Support for the "kibana_user" role will be removed following the release of n.0.

[azasypkin]

<--- JS stacktrace --->

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory

Looks unrelated.

[azasypkin]

@elasticmachine merge upstream

[azasypkin]

With help from @jportner, here are some edits:

Thanks @gchaps and @jportner! Updated messages and the screenshots.

[jportner]

LGTM, sorry for all the back-and-forth, we had some confusion regarding the deprecation message guidance!

[kibanamachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 88fa862
• Storybooks Preview

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
security	51	54	+3

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
security	7	8	+1

Unknown metric groups

API count

id	before	after	diff
security	113	116	+3

History

• 💔 Build #416 failed 7fd0a88
• 💚 Build #338 succeeded f4026be
• 💚 Build #329 succeeded 921aff2
• 💚 Build #272 succeeded 98f000a
• 💚 Build #264 succeeded 7d9b3e5

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[gchaps]

updated screenshots lgtm