[Ai4DSoc][Serverless] Update search_ai_lake tier specific roles#229919
ashokaditya merged 18 commits into elastic:main from
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
jbudz left a comment
src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake.roles.yml LGTM
| ); | ||
| } | ||
|
|
||
| if (options.productTier) { |
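Review bot: The `if (options.productTier)` guard only tests truthiness, and the lines shown here do not include a check of the value against a fixed set of tiers before the branch runs. Because the tier decides which predefined roles a test user can pick at login, consider rejecting an unrecognised `productTier` with an explicit error instead of accepting any non-empty string, and add a test that pins down what happens when the option is omitted.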
productTier is optional with this change to minimise the changes needed in all the files that use src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml for security serverless tests.
| @@ -1,6 +1,5 @@ | |||
| # ----- | |||
With the introduction of ability to load product tier specific roles, ideally the role files within src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/ for each project should take into account product tiers.
In the future we should address this in Kibana by renaming/moving role files such as:
src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/essentials.roles.yml
or
src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/essentials/roles.yml
review suggestion
| } | ||
|
|
||
| export const serverlessProjectTypes = new Set<string>(['es', 'oblt', 'security', 'chat']); | ||
| export const ServerlessProductTiers = new Set<string>([ |
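Review bot: On the `ServerlessProductTiers` line, `new Set<string>` types the members as plain `string`, so callers get no compile-time check that a tier literal is one of the supported values. Consider declaring the tiers as a `const` array with a derived union type and building the set from it; the same applies to `serverlessProjectTypes` on the line above.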
nittest of all nits: should start with small letter
💔 Build Failed
cc @ashokaditya
…astic#229919)

## Summary

Adds changes to allow switching `search_ai_lake` pre-defined roles selection based on security project tier

Note: The changes in this PR is to minimise changes to all the files that use the serverless roles from `src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/<projectType>`. Ideally we should introduce the ability to pick roles based on project type and project tier.

clip for roles with `search_ai_lake_tier`

**Testing**

On a CLI:

1. Within your local `serverless.security.dev.yml` (make a copy of `serverless.security.yml`) file ensure that only the `search_ai_lake` tier is active
   ```yaml
   xpack.securitySolutionServerless.productTypes:
     [
       { product_line: 'ai_soc', product_tier: 'search_ai_lake' }
     ]
   ```
2. Run serverless ES with `productType=search_ai_lake`
   ```
   yarn es serverless --kill --license trial -E xpack.security.authc.api_key.enabled=true --projectType security --productType search_ai_lake --kibanaUrl=http://0.0.0.0:5601
   ```
3. On another cli window run Kibana with
   ```
   yarn serverless-security --no-base-path
   ```
4. On a browser, navigate to `http://0.0.0.0:5601/` and verify that the Test User login method is selected and a dropdown with two roles (specific to `search_ai_lake`) is seen.
5. Repeat the test at step 1. with other product tiers active, and verify that the usual set of roles are loaded.
   ```yaml
   xpack.securitySolutionServerless.productTypes:
     [
       { product_line: 'security', product_tier: 'complete' },
       { product_line: 'endpoint', product_tier: 'complete' },
     ]
   ```

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [ ] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [ ] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
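
An added example, not code from this PR or from Kibana: one way a loader could map the `--projectType` and `--productType` values to a roles file while rejecting anything outside a fixed set, so raw CLI input never reaches the path. `resolveRolesFile`, `isOneOf`, `TIER_ROLE_FILES` and the tier list are hypothetical; the directory and the `search_ai_lake.roles.yml` / `roles.yml` names are the ones quoted in the thread.

```typescript
// Added example: hypothetical resolver, not Kibana's implementation.
// Project types are taken from the `serverlessProjectTypes` line in the diff;
// the tier names are the ones that appear on this page.
const PROJECT_TYPES = ['es', 'oblt', 'security', 'chat'] as const;
const PRODUCT_TIERS = ['search_ai_lake', 'essentials', 'complete'] as const;

// Assumption: only these projectType/tier pairs ship a dedicated roles file.
const TIER_ROLE_FILES: { [key: string]: string } = {
  'security/search_ai_lake': 'search_ai_lake.roles.yml',
};

const ROLES_ROOT =
  'src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles';

// Allowlist membership test that also narrows the type for the caller.
function isOneOf<T extends string>(allowed: readonly T[], value: string): value is T {
  return allowed.indexOf(value as T) !== -1;
}

// Returns the roles file to load. Unknown values throw instead of silently
// selecting the default role set; an omitted tier keeps the pre-existing file.
function resolveRolesFile(projectType: string, productTier?: string): string {
  if (!isOneOf(PROJECT_TYPES, projectType)) {
    throw new Error(`unknown projectType: ${JSON.stringify(projectType)}`);
  }
  if (productTier === undefined) {
    return `${ROLES_ROOT}/${projectType}/roles.yml`;
  }
  // An empty string is treated as invalid input, not as "no tier given".
  if (!isOneOf(PRODUCT_TIERS, productTier)) {
    throw new Error(`unknown productTier: ${JSON.stringify(productTier)}`);
  }
  const file = TIER_ROLE_FILES[`${projectType}/${productTier}`] ?? 'roles.yml';
  return `${ROLES_ROOT}/${projectType}/${file}`;
}
```
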