[So tagging] Add automatic read privileges for "tag" SO type (#202400)

sebelga · web-flow · commit af0f2910db13 · 2024-12-11T12:11:13.000Z
diff --git a/x-pack/plugins/features/server/feature_registry.test.ts b/x-pack/plugins/features/server/feature_registry.test.ts
@@ -57,15 +57,15 @@ describe('FeatureRegistry', () => {
             app: ['app1'],
             savedObject: {
               all: ['space', 'etc', 'telemetry'],
-              read: ['canvas', 'config', 'config-global', 'url'],
+              read: ['canvas', 'config', 'config-global', 'url', 'tag'],
             },
             api: ['someApiEndpointTag', 'anotherEndpointTag'],
             ui: ['allowsFoo', 'showBar', 'showBaz'],
           },
           read: {
             savedObject: {
               all: [],
-              read: ['config', 'config-global', 'url', 'telemetry'],
+              read: ['config', 'config-global', 'url', 'telemetry', 'tag'],
             },
             ui: [],
           },
@@ -130,7 +130,7 @@ describe('FeatureRegistry', () => {
                 app: ['app1'],
                 savedObject: {
                   all: ['space', 'etc', 'telemetry'],
-                  read: ['canvas', 'config', 'config-global', 'url'],
+                  read: ['canvas', 'config', 'config-global', 'url', 'tag'],
                 },
                 api: ['someApiEndpointTag', 'anotherEndpointTag'],
                 ui: ['allowsFoo', 'showBar', 'showBaz'],
@@ -314,7 +314,7 @@ describe('FeatureRegistry', () => {
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
     });
 
-    it(`automatically grants access to config, config-global, url, and telemetry saved objects`, () => {
+    it(`automatically grants access to config, config-global, url, telemetry and tag saved objects`, () => {
       const feature: KibanaFeatureConfig = {
         id: 'test-feature',
         name: 'Test Feature',
@@ -348,16 +348,17 @@ describe('FeatureRegistry', () => {
 
       const allPrivilege = result[0].privileges?.all;
       const readPrivilege = result[0].privileges?.read;
-      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url']);
+      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url', 'tag']);
       expect(readPrivilege?.savedObject.read).toEqual([
         'config',
         'config-global',
         'telemetry',
         'url',
+        'tag',
       ]);
     });
 
-    it(`automatically grants 'all' access to telemetry and 'read' to [config, config-global, url] saved objects for the reserved privilege`, () => {
+    it(`automatically grants 'all' access to telemetry and 'read' to [config, config-global, url, tag] saved objects for the reserved privilege`, () => {
       const feature: KibanaFeatureConfig = {
         id: 'test-feature',
         name: 'Test Feature',
@@ -388,7 +389,7 @@ describe('FeatureRegistry', () => {
 
       const reservedPrivilege = result[0]!.reserved!.privileges[0].privilege;
       expect(reservedPrivilege.savedObject.all).toEqual(['telemetry']);
-      expect(reservedPrivilege.savedObject.read).toEqual(['config', 'config-global', 'url']);
+      expect(reservedPrivilege.savedObject.read).toEqual(['config', 'config-global', 'url', 'tag']);
     });
 
     it(`does not duplicate the automatic grants if specified on the incoming feature`, () => {
@@ -402,14 +403,14 @@ describe('FeatureRegistry', () => {
             ui: [],
             savedObject: {
               all: ['telemetry'],
-              read: ['config', 'config-global', 'url'],
+              read: ['config', 'config-global', 'url', 'tag'],
             },
           },
           read: {
             ui: [],
             savedObject: {
               all: [],
-              read: ['config', 'config-global', 'url'],
+              read: ['config', 'config-global', 'url', 'tag'],
             },
           },
         },
@@ -426,11 +427,12 @@ describe('FeatureRegistry', () => {
       const allPrivilege = result[0].privileges!.all;
       const readPrivilege = result[0].privileges!.read;
       expect(allPrivilege?.savedObject.all).toEqual(['telemetry']);
-      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url']);
+      expect(allPrivilege?.savedObject.read).toEqual(['config', 'config-global', 'url', 'tag']);
       expect(readPrivilege?.savedObject.read).toEqual([
         'config',
         'config-global',
         'url',
+        'tag',
         'telemetry',
       ]);
     });
@@ -518,7 +520,7 @@ describe('FeatureRegistry', () => {
             name: 'Foo',
             app: ['app1', 'app2'],
             savedObject: {
-              all: ['config', 'config-global', 'space', 'etc'],
+              all: ['config', 'config-global', 'space', 'tag', 'etc'],
               read: ['canvas'],
             },
             api: ['someApiEndpointTag', 'anotherEndpointTag'],
@@ -2455,15 +2457,15 @@ describe('FeatureRegistry', () => {
         expect(featureA.privileges).toEqual({
           all: {
             ui: [],
-            savedObject: { all: ['telemetry'], read: ['config', 'config-global', 'url'] },
+            savedObject: { all: ['telemetry'], read: ['config', 'config-global', 'url', 'tag'] },
             composedOf: [
               { feature: 'featureC', privileges: ['subFeatureCOne'] },
               { feature: 'featureD', privileges: ['all'] },
             ],
           },
           read: {
             ui: [],
-            savedObject: { all: [], read: ['config', 'config-global', 'telemetry', 'url'] },
+            savedObject: { all: [], read: ['config', 'config-global', 'telemetry', 'url', 'tag'] },
             composedOf: [{ feature: 'featureD', privileges: ['read'] }],
           },
         });
@@ -2483,12 +2485,12 @@ describe('FeatureRegistry', () => {
         expect(featureA.privileges).toEqual({
           all: {
             ui: [],
-            savedObject: { all: ['telemetry'], read: ['config', 'config-global', 'url'] },
+            savedObject: { all: ['telemetry'], read: ['config', 'config-global', 'url', 'tag'] },
             composedOf: [{ feature: 'featureE', privileges: ['all'] }],
           },
           read: {
             ui: [],
-            savedObject: { all: [], read: ['config', 'config-global', 'telemetry', 'url'] },
+            savedObject: { all: [], read: ['config', 'config-global', 'telemetry', 'url', 'tag'] },
           },
         });
       });
diff --git a/x-pack/plugins/features/server/feature_registry.ts b/x-pack/plugins/features/server/feature_registry.ts
@@ -340,6 +340,7 @@ function applyAutomaticAllPrivilegeGrants(
         'config',
         'config-global',
         'url',
+        'tag',
       ]);
     }
   });
@@ -356,6 +357,7 @@ function applyAutomaticReadPrivilegeGrants(
         'config-global',
         'telemetry',
         'url',
+        'tag',
       ]);
     }
   });
diff --git a/x-pack/plugins/features/server/plugin.test.ts b/x-pack/plugins/features/server/plugin.test.ts
@@ -168,6 +168,7 @@ describe('Features Plugin', () => {
                   "config",
                   "config-global",
                   "url",
+                  "tag",
                 ],
               },
               "ui": Array [],
@@ -183,6 +184,7 @@ describe('Features Plugin', () => {
                   "config-global",
                   "telemetry",
                   "url",
+                  "tag",
                 ],
               },
               "ui": Array [],
diff --git a/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/_find.ts b/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/_find.ts
@@ -80,8 +80,9 @@ export default function (ftrContext: FtrProviderContext) {
         USERS.DEFAULT_SPACE_DASHBOARD_READ_USER,
         USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
         USERS.DEFAULT_SPACE_MAPS_READ_USER,
+        USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER,
       ],
-      noResults: [USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER],
+      noResults: [],
       unauthorized: [USERS.NOT_A_KIBANA_USER],
     };
 
diff --git a/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/get.ts b/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/get.ts
@@ -69,7 +69,7 @@ export default function (ftrContext: FtrProviderContext) {
         USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
         USERS.DEFAULT_SPACE_MAPS_READ_USER,
       ],
-      unauthorized: [USERS.NOT_A_KIBANA_USER, USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER],
+      unauthorized: [USERS.NOT_A_KIBANA_USER],
     };
 
     const createUserTest = (
diff --git a/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/get_all.ts b/x-pack/test/saved_object_tagging/api_integration/security_and_spaces/apis/get_all.ts
@@ -86,7 +86,7 @@ export default function (ftrContext: FtrProviderContext) {
         USERS.DEFAULT_SPACE_VISUALIZE_READ_USER,
         USERS.DEFAULT_SPACE_MAPS_READ_USER,
       ],
-      unauthorized: [USERS.NOT_A_KIBANA_USER, USERS.DEFAULT_SPACE_ADVANCED_SETTINGS_READ_USER],
+      unauthorized: [USERS.NOT_A_KIBANA_USER],
     };
 
     const createUserTest = (
diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts
diff --git a/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts
diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts
