[Obs AI Assistant] Add security configs to API

[viduni94]

Summary

Problem

The API /internal/observability/assistant/alert_details_contextual_insights does not provide explicit authorization settings.

Solution

Add access privileges (ai_assistant) to the above API

Checklist

• Unit or functional tests were updated or added to match the most common scenarios
• The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

[viduni94]

/ci

[elasticmachine]

Pinging @elastic/obs-ai-assistant (Team:Obs AI Assistant)

[elasticmachine]

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[dgieselaar]

eh, does this mean they never worked before?

[viduni94]

Earlier we didn't have any access privilege specified for this API. So it worked before too as far as I know (and from my testing before adding the feature privilege).

[dgieselaar]

hmm I actually thought tags were used for this purpose, but I'm not sure if we tested it in any case. Do you mind adding an API test that checks if there's a 403 when using a user with insufficient access privileges?

[dgieselaar]

oh, now I get it, this is for the Observability plugin. Hmm. I think the outcome of this should be that you only have access to this API if you have the Obs AI Assistant feature privilege. With this change, is that the case?

[viduni94]

Yes that's my understanding @dgieselaar
I added an API tests - https://github.com/elastic/kibana/pull/201439/files#diff-e1c9265ab37c43c162cde67fef054bdc1a734737e03b3fd346ce4be96bbdbb30R517

[dgieselaar]

Sorry, what I mean is that the feature privilege for the AI Assistant is defined here:

kibana/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts

Line 80 in c46d94c

api: [OBSERVABILITY_AI_ASSISTANT_FEATURE_ID, 'ai_assistant', 'manage_llm_product_doc'],

If the user has this privilege, they should have access to /internal/observability/assistant/alert_details_contextual_insights. If they don't have this privilege, they shouldn't. If I understand this PR correctly, you're changing a different feature privilege?

[viduni94]

I'm adding the same feature privilege (ai_assistant) to the contextual details endpoint. With the new authz migration, options.tags are not used anymore. It's added under the security.authz.requiredPrivileges property.

[dominiqueclarke]

LGTM

[viduni94]

Update: removed rac because this error happens on the main branch too, therefore not related to authz updates.

---

I added rac here, because I saw the below error:

[2024-11-25T16:42:54.842-05:00][ERROR][plugins.apm] Error while fetching observability alert details context
[2024-11-25T16:42:54.842-05:00][ERROR][plugins.apm] Error: Insufficient privileges to access feature
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/ml/server/lib/capabilities/check_capabilities.ts:64:13
    at getApmServiceSummary (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_apm_service_summary/index.ts:75:11)
    at getAnomalies (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_apm_service_summary/get_anomalies.ts:24:28)
    at getApmServiceSummary (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_apm_service_summary/index.ts:67:39)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:101:88
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:272:22
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:270:50
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:49:16
    at async AlertDetailsContextualInsightsService.getAlertDetailsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:47:21)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:174:20
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:297:97
    at async getAlertGroupDetails (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:296:30)
    at async getAlertsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:306:73)
    at async executor (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:173:25)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:395:21
    at async ActionExecutor.execute (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:77:12)
    at async Object.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/task_runner_factory.ts:91:28)
    at async TaskManagerRunner.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.ts:325:22)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:74:54
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:74:54
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:49:16
    at async AlertDetailsContextualInsightsService.getAlertDetailsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:47:21)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:174:20
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:297:97
    at async getAlertGroupDetails (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:296:30)
    at async getAlertsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:306:73)
    at async executor (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:173:25)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:395:21
    at async ActionExecutor.execute (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:77:12)
    at async Object.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/task_runner_factory.ts:91:28)
    at async TaskManagerRunner.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.ts:325:22)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:69:118
    at Object.getScopedLogSourcesService (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/logs_data_access/server/services/log_sources_service/index.ts:40:37)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:69:118
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:49:16
    at async AlertDetailsContextualInsightsService.getAlertDetailsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:47:21)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:174:20
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:297:97
    at async getAlertGroupDetails (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:296:30)
    at async getAlertsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:306:73)
    at async executor (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability_ai_assistant_app/server/rule_connector/index.ts:173:25)
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:395:21
    at async ActionExecutor.execute (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/action_executor.ts:77:12)
    at async Object.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/actions/server/lib/task_runner_factory.ts:91:28)
    at async TaskManagerRunner.run (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.ts:325:22)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:69:75
    at Object.start (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/plugin.ts:88:46)
    at /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/apm/server/routes/assistant_functions/get_observability_alert_details_context/index.ts:69:75
    at async /Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:49:16
    at async AlertDetailsContextualInsightsService.getAlertDetailsContext (/Users/viduni/Workspace/Elastic/kibana/x-pack/plugins/observability_solution/observability/server/services/index.ts:47:21)

[sorenlouv]

Is ai_assistant a privilege? I'd expect something like ai_assistant_contextual_details:read

[viduni94]

Based on the below, ai_assistant is a privilege:

kibana/x-pack/plugins/observability_solution/observability_ai_assistant/server/plugin.ts

Line 80 in c46d94c

api: [OBSERVABILITY_AI_ASSISTANT_FEATURE_ID, 'ai_assistant', 'manage_llm_product_doc'],

It's the same as options.tags we've had before:

kibana/x-pack/plugins/observability_solution/observability_ai_assistant/server/routes/chat/route.ts

Line 130 in c46d94c

tags: ['access:ai_assistant'],

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 4bebb68
• Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-201439-4bebb68808b3

Failed CI Steps

• Jest Tests #7

Metrics [docs]

✅ unchanged

History

• 💛 Build #255033 was flaky c0f46cf
• 💛 Build #254710 was flaky 00db57c
• 💔 Build #254545 failed 9a7fcfa
• 💚 Build #254272 succeeded d313154
• 💔 Build #254258 failed e8b3acd

cc @viduni94

[kibanamachine]

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12073264279

[kibanamachine]

💔 All backports failed

Status	Branch	Result
❌	8.x	Backport failed because of merge conflicts You might need to backport the following PRs to 8.x: - [Streams] App plugin (#200060)

Manual backport

To create the backport manually run:

node scripts/backport --pr 201439

Questions ?

Please refer to the Backport tool documentation

[viduni94]

Please fix the conflicts in /Users/viduni/.backport/repositories/elastic/kibana
Hint: Before fixing the conflicts manually you should consider backporting the following pull requests to "8.x":

• [Streams] App plugin ([Streams] App plugin #200060) (backport pending)
  [8.x] [Streams] App plugin (#200060) #201999

The streams app plugin backport PR needs to be merged first for me to backport this PR.

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[kibanamachine]

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create automatically backports add a backport:* label or prevent reminders by adding the backport:skip label.
You can also create backports manually by running node scripts/backport --pr 201439 locally

[viduni94]

💚 All backports created successfully

Status	Branch	Result
✅	8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

[kibanamachine]

Looks like this PR has a backport PR but it still hasn't been merged. Please merge it ASAP to keep the branches relatively in sync.