feat: consume permissions in repository

Signed-off-by: SuZhou-Joe <suzhou@amazon.com>

src/core/server/saved_objects/service/lib/repository.ts

@@ -243,6 +243,7 @@ export class SavedObjectsRepository {
       originId,
       initialNamespaces,
       version,
+      permissions,
     } = options;
     const namespace = normalizeNamespace(options.namespace);
 
@@ -289,6 +290,7 @@ export class SavedObjectsRepository {
       migrationVersion,
       updated_at: time,
       ...(Array.isArray(references) && { references }),
+      ...(permissions && { permissions }),
     });
 
     const raw = this._serializer.savedObjectToRaw(migrated as SavedObjectSanitizedDoc);
@@ -976,7 +978,7 @@ export class SavedObjectsRepository {
       throw SavedObjectsErrorHelpers.createGenericNotFoundError(type, id);
     }
 
-    const { originId, updated_at: updatedAt } = body._source;
+    const { originId, updated_at: updatedAt, permissions } = body._source;
 
     let namespaces: string[] = [];
     if (!this._registry.isNamespaceAgnostic(type)) {
@@ -991,6 +993,7 @@ export class SavedObjectsRepository {
       namespaces,
       ...(originId && { originId }),
       ...(updatedAt && { updated_at: updatedAt }),
+      ...(permissions && { permissions }),
       version: encodeHitVersion(body),
       attributes: body._source[type],
       references: body._source.references || [],
@@ -1019,7 +1022,7 @@ export class SavedObjectsRepository {
       throw SavedObjectsErrorHelpers.createGenericNotFoundError(type, id);
     }
 
-    const { version, references, refresh = DEFAULT_REFRESH_SETTING } = options;
+    const { version, references, refresh = DEFAULT_REFRESH_SETTING, permissions } = options;
     const namespace = normalizeNamespace(options.namespace);
 
     let preflightResult: SavedObjectsRawDoc | undefined;
@@ -1033,6 +1036,7 @@ export class SavedObjectsRepository {
       [type]: attributes,
       updated_at: time,
       ...(Array.isArray(references) && { references }),
+      ...(permissions && { permissions }),
     };
 
     const { body, statusCode } = await this.client.update<SavedObjectsRawDocSource>(
@@ -1754,7 +1758,7 @@ function getSavedObjectFromSource<T>(
   id: string,
   doc: { _seq_no?: number; _primary_term?: number; _source: SavedObjectsRawDocSource }
 ): SavedObject<T> {
-  const { originId, updated_at: updatedAt } = doc._source;
+  const { originId, updated_at: updatedAt, permissions } = doc._source;
 
   let namespaces: string[] = [];
   if (!registry.isNamespaceAgnostic(type)) {
@@ -1773,6 +1777,7 @@ function getSavedObjectFromSource<T>(
     attributes: doc._source[type],
     references: doc._source.references || [],
     migrationVersion: doc._source.migrationVersion,
+    permissions,
   };
 }
 

src/core/server/saved_objects/service/saved_objects_client.ts

@@ -68,6 +68,8 @@ export interface SavedObjectsCreateOptions extends SavedObjectsBaseOptions {
    * Note: this can only be used for multi-namespace object types.
    */
   initialNamespaces?: string[];
+  /** permission control describe by ACL object */
+  permissions?: Permissions;
 }
 
 /**
@@ -180,6 +182,8 @@ export interface SavedObjectsUpdateOptions extends SavedObjectsBaseOptions {
   references?: SavedObjectReference[];
   /** The OpenSearch Refresh setting for this operation */
   refresh?: MutatingOperationRefreshSetting;
+  /** permission control describe by ACL object */
+  permissions?: Permissions;
 }
 
 /**

src/core/types/saved_objects.ts

@@ -27,6 +27,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
+import { Permissions } from '../server/saved_objects/permission_control/acl';
 
 /**
  * Don't use this type, it's simply a helper type for {@link SavedObjectAttribute}
@@ -113,6 +114,7 @@ export interface SavedObject<T = unknown> {
    * space.
    */
   originId?: string;
+  permissions?: Permissions;
 }
 
 export interface SavedObjectError {