[Write restricted dashboards] Implements upsert for types supporting access control#247941
Merged
jeramysoucy merged 10 commits intoelastic:mainfrom Jan 13, 2026
Merged
[Write restricted dashboards] Implements upsert for types supporting access control#247941jeramysoucy merged 10 commits intoelastic:mainfrom
jeramysoucy merged 10 commits intoelastic:mainfrom
Conversation
jeramysoucy
added
Team:Security
Contributor
|
Pinging @elastic/kibana-security (Team:Security) |
Contributor
|
ACK: will review today |
azasypkin
approved these changes
Jan 12, 2026
Contributor
azasypkin
left a comment
azasypkin
left a comment
There was a problem hiding this comment.
Looks good, thanks for adding the integration tests! Just a couple of minor nits.
Also, are we expected to cover this new case in the update.ts unit tests, or are we relying fully on the integration tests to verify access control functionality in general? I'm fine either way as long as we have integration tests.
src/core/packages/saved-objects/api-server-internal/src/lib/apis/update.ts
Outdated
Show resolved
Hide resolved
src/core/packages/saved-objects/api-server-internal/src/lib/apis/update.ts
Outdated
Show resolved
Hide resolved
...tform/test/spaces_api_integration/common/plugins/access_control_test_plugin/server/plugin.ts
Outdated
Show resolved
Hide resolved
afharo
approved these changes
Jan 13, 2026
Member
afharo
left a comment
afharo
left a comment
There was a problem hiding this comment.
Approving to unblock. I can see that Oleg already covered all my concerns
…is/update.ts Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
Contributor
Author
@azasypkin Good point...let me take a look at what we can verify in the unit tests. |
Contributor
Author
|
@azasypkin Unit tests added in 8888294 |
Contributor
💚 Build Succeeded
Metrics [docs]
History
|
Contributor
Author
|
@SiddharthMantri @legrego Do you think we should backport this to 9.3? |
Contributor
|
@jeramysoucy I'm not sure. It's not something we committed for 9.3 - i'm happy to leave it for a patch or next minor release even. what do you think? |
smith
pushed a commit
to smith/kibana
that referenced
this pull request
Jan 16, 2026
…access control (elastic#247941) Closes elastic#239686 ## Summary This PR implements the "upsert" case for types supporting access control in the Saved Objects update operation. The default access mode is always used during an upsert. The active user profile becomes the owner. If there is no active user profile, no access control metadata is saved during the upsert. ### Tests - x-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts - 'should apply defaults when upserting a supported type' - 'should not write access control metadata when upserting unsupported types' - 'should not write access control metadata when upserting a supported type if there is no active user profile ID' Note: "upserting" is not supported in bulk update. --------- Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
jeramysoucy
added
backport:version
kibanamachine
added
backport:skip
Contributor
Author
|
I'll backport it so it lands in 9.3.1. |
jeramysoucy
added
backport:version
Contributor
|
Starting backport for target branches: 9.3 https://github.com/elastic/kibana/actions/runs/21129436370 |
Contributor
|
Starting backport for target branches: 9.3 https://github.com/elastic/kibana/actions/runs/21129436358 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 19, 2026
…access control (elastic#247941) Closes elastic#239686 ## Summary This PR implements the "upsert" case for types supporting access control in the Saved Objects update operation. The default access mode is always used during an upsert. The active user profile becomes the owner. If there is no active user profile, no access control metadata is saved during the upsert. ### Tests - x-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts - 'should apply defaults when upserting a supported type' - 'should not write access control metadata when upserting unsupported types' - 'should not write access control metadata when upserting a supported type if there is no active user profile ID' Note: "upserting" is not supported in bulk update. --------- Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> (cherry picked from commit 7975d47)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 19, 2026
…access control (elastic#247941) Closes elastic#239686 ## Summary This PR implements the "upsert" case for types supporting access control in the Saved Objects update operation. The default access mode is always used during an upsert. The active user profile becomes the owner. If there is no active user profile, no access control metadata is saved during the upsert. ### Tests - x-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts - 'should apply defaults when upserting a supported type' - 'should not write access control metadata when upserting unsupported types' - 'should not write access control metadata when upserting a supported type if there is no active user profile ID' Note: "upserting" is not supported in bulk update. --------- Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com> (cherry picked from commit 7975d47)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 19, 2026
…rting access control (#247941) (#249503) # Backport This will backport the following commits from `main` to `9.3`: - [[Write restricted dashboards] Implements upsert for types supporting access control (#247941)](#247941) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Jeramy Soucy","email":"jeramy.soucy@elastic.co"},"sourceCommit":{"committedDate":"2026-01-13T15:45:02Z","message":"[Write restricted dashboards] Implements upsert for types supporting access control (#247941)\n\nCloses #239686\n\n## Summary\n\nThis PR implements the \"upsert\" case for types supporting access control\nin the Saved Objects update operation. The default access mode is always\nused during an upsert. The active user profile becomes the owner. If\nthere is no active user profile, no access control metadata is saved\nduring the upsert.\n\n### Tests\n\n-\nx-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts\n - 'should apply defaults when upserting a supported type'\n- 'should not write access control metadata when upserting unsupported\ntypes'\n- 'should not write access control metadata when upserting a supported\ntype if there is no active user profile ID'\n\nNote: \"upserting\" is not supported in bulk update.\n\n---------\n\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>","sha":"7975d473559c90f7361f7238023331fc906af47c","branchLabelMapping":{"^v9.4.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","backport:version","v9.3.0","v9.4.0"],"title":"[Write restricted dashboards] Implements upsert for types supporting access control","number":247941,"url":"https://github.com/elastic/kibana/pull/247941","mergeCommit":{"message":"[Write restricted dashboards] Implements upsert for types supporting access control (#247941)\n\nCloses #239686\n\n## Summary\n\nThis PR implements the \"upsert\" case for types supporting access control\nin the Saved Objects update operation. The default access mode is always\nused during an upsert. The active user profile becomes the owner. If\nthere is no active user profile, no access control metadata is saved\nduring the upsert.\n\n### Tests\n\n-\nx-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts\n - 'should apply defaults when upserting a supported type'\n- 'should not write access control metadata when upserting unsupported\ntypes'\n- 'should not write access control metadata when upserting a supported\ntype if there is no active user profile ID'\n\nNote: \"upserting\" is not supported in bulk update.\n\n---------\n\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>","sha":"7975d473559c90f7361f7238023331fc906af47c"}},"sourceBranch":"main","suggestedTargetBranches":["9.3"],"targetPullRequestStates":[{"branch":"9.3","label":"v9.3.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.4.0","branchLabelMappingKey":"^v9.4.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/247941","number":247941,"mergeCommit":{"message":"[Write restricted dashboards] Implements upsert for types supporting access control (#247941)\n\nCloses #239686\n\n## Summary\n\nThis PR implements the \"upsert\" case for types supporting access control\nin the Saved Objects update operation. The default access mode is always\nused during an upsert. The active user profile becomes the owner. If\nthere is no active user profile, no access control metadata is saved\nduring the upsert.\n\n### Tests\n\n-\nx-pack/platform/test/spaces_api_integration/access_control_objects/apis/spaces/access_control_objects.ts\n - 'should apply defaults when upserting a supported type'\n- 'should not write access control metadata when upserting unsupported\ntypes'\n- 'should not write access control metadata when upserting a supported\ntype if there is no active user profile ID'\n\nNote: \"upserting\" is not supported in bulk update.\n\n---------\n\nCo-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>","sha":"7975d473559c90f7361f7238023331fc906af47c"}}]}] BACKPORT--> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co> Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #239686
Summary
This PR implements the "upsert" case for types supporting access control in the Saved Objects update operation. The default access mode is always used during an upsert. The active user profile becomes the owner. If there is no active user profile, no access control metadata is saved during the upsert.
Tests
Note: "upserting" is not supported in bulk update.