[Entity Store] Fix Enrich Policy execution in multiple namespaces #230746
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
romulets
added
backport:version
hop-dev
approved these changes
Aug 6, 2025
Contributor
|
Starting backport for target branches: 9.1 https://github.com/elastic/kibana/actions/runs/16777255835 |
Contributor
💚 Build Succeeded
Metrics [docs]
cc @romulets |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 6, 2025
…astic#230746) ## Summary Solves two bugs: - The API key was not being found once multiple spaces were created, and **no enrich policy** should be working before this PR in a kibana with multiple spaces. We were missing the `option` `namespace` to get `getDecryptedAsInternalUser` (doesn't feel that like that much of an option). The call chain: - [`getDecryptedAsInternalUser` calls `internalRepository.get` passing options down](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77) - [A `performGet` is done passing options down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377) - [`options.namespace` is normalized (and remais undefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34) - [We check if document exists in the namespace, passing the undefined namespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56) - [On verifying that the namespace saved in the SavedObject is the same as the passed down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178), we [normalize the namespace to `default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39), which is then preset in the list stored in the saved object. - If no API key found for namespace, return all entity types. Before it was being returned an object. Decided to just use method `getEnabledEntityTypes` passing the feature flag as enabled (there is also a log). Relates to elastic#230723 #### Logs Before PR <img width="1671" height="735" alt="image" src="https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7" /> #### Logs with PR <img width="1574" height="141" alt="image" src="https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9" /> (cherry picked from commit d495428)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Aug 6, 2025
…es (#230746) (#230779) # Backport This will backport the following commits from `main` to `9.1`: - [[Entity Store] Fix Enrich Policy execution in multiple namespaces (#230746)](#230746) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Rômulo Farias","email":"romulo.farias@elastic.co"},"sourceCommit":{"committedDate":"2025-08-06T12:43:29Z","message":"[Entity Store] Fix Enrich Policy execution in multiple namespaces (#230746)\n\n## Summary\n\nSolves two bugs:\n\n- The API key was not being found once multiple spaces were created, and\n**no enrich policy** should be working before this PR in a kibana with\nmultiple spaces. We were missing the `option` `namespace` to get\n`getDecryptedAsInternalUser` (doesn't feel that like that much of an\noption). The call chain:\n- [`getDecryptedAsInternalUser` calls `internalRepository.get` passing\noptions\ndown](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77)\n- [A `performGet` is done passing options\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377)\n- [`options.namespace` is normalized (and remais\nundefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34)\n- [We check if document exists in the namespace, passing the undefined\nnamespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56)\n- [On verifying that the namespace saved in the SavedObject is the same\nas the passed\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178),\nwe [normalize the namespace to\n`default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39),\nwhich is then preset in the list stored in the saved object.\n- If no API key found for namespace, return all entity types. Before it\nwas being returned an object. Decided to just use method\n`getEnabledEntityTypes` passing the feature flag as enabled (there is\nalso a log).\n\nRelates to https://github.com/elastic/kibana/issues/230723\n\n#### Logs Before PR\n<img width=\"1671\" height=\"735\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7\"\n/>\n\n#### Logs with PR\n\n<img width=\"1574\" height=\"141\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9\"\n/>","sha":"d495428f9771ab0dfed11447f78c4e0e4641635d","branchLabelMapping":{"^v9.2.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport:version","v9.2.0","Team:Core Analysis","v9.1.1"],"title":"[Entity Store] Fix Enrich Policy execution in multiple namespaces","number":230746,"url":"https://github.com/elastic/kibana/pull/230746","mergeCommit":{"message":"[Entity Store] Fix Enrich Policy execution in multiple namespaces (#230746)\n\n## Summary\n\nSolves two bugs:\n\n- The API key was not being found once multiple spaces were created, and\n**no enrich policy** should be working before this PR in a kibana with\nmultiple spaces. We were missing the `option` `namespace` to get\n`getDecryptedAsInternalUser` (doesn't feel that like that much of an\noption). The call chain:\n- [`getDecryptedAsInternalUser` calls `internalRepository.get` passing\noptions\ndown](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77)\n- [A `performGet` is done passing options\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377)\n- [`options.namespace` is normalized (and remais\nundefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34)\n- [We check if document exists in the namespace, passing the undefined\nnamespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56)\n- [On verifying that the namespace saved in the SavedObject is the same\nas the passed\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178),\nwe [normalize the namespace to\n`default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39),\nwhich is then preset in the list stored in the saved object.\n- If no API key found for namespace, return all entity types. Before it\nwas being returned an object. Decided to just use method\n`getEnabledEntityTypes` passing the feature flag as enabled (there is\nalso a log).\n\nRelates to https://github.com/elastic/kibana/issues/230723\n\n#### Logs Before PR\n<img width=\"1671\" height=\"735\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7\"\n/>\n\n#### Logs with PR\n\n<img width=\"1574\" height=\"141\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9\"\n/>","sha":"d495428f9771ab0dfed11447f78c4e0e4641635d"}},"sourceBranch":"main","suggestedTargetBranches":["9.1"],"targetPullRequestStates":[{"branch":"main","label":"v9.2.0","branchLabelMappingKey":"^v9.2.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/230746","number":230746,"mergeCommit":{"message":"[Entity Store] Fix Enrich Policy execution in multiple namespaces (#230746)\n\n## Summary\n\nSolves two bugs:\n\n- The API key was not being found once multiple spaces were created, and\n**no enrich policy** should be working before this PR in a kibana with\nmultiple spaces. We were missing the `option` `namespace` to get\n`getDecryptedAsInternalUser` (doesn't feel that like that much of an\noption). The call chain:\n- [`getDecryptedAsInternalUser` calls `internalRepository.get` passing\noptions\ndown](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77)\n- [A `performGet` is done passing options\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377)\n- [`options.namespace` is normalized (and remais\nundefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34)\n- [We check if document exists in the namespace, passing the undefined\nnamespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56)\n- [On verifying that the namespace saved in the SavedObject is the same\nas the passed\ndown](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178),\nwe [normalize the namespace to\n`default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39),\nwhich is then preset in the list stored in the saved object.\n- If no API key found for namespace, return all entity types. Before it\nwas being returned an object. Decided to just use method\n`getEnabledEntityTypes` passing the feature flag as enabled (there is\nalso a log).\n\nRelates to https://github.com/elastic/kibana/issues/230723\n\n#### Logs Before PR\n<img width=\"1671\" height=\"735\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7\"\n/>\n\n#### Logs with PR\n\n<img width=\"1574\" height=\"141\" alt=\"image\"\nsrc=\"https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9\"\n/>","sha":"d495428f9771ab0dfed11447f78c4e0e4641635d"}},{"branch":"9.1","label":"v9.1.1","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Rômulo Farias <romulo.farias@elastic.co>
gergoabraham
pushed a commit
to gergoabraham/kibana
that referenced
this pull request
Aug 7, 2025
…astic#230746) ## Summary Solves two bugs: - The API key was not being found once multiple spaces were created, and **no enrich policy** should be working before this PR in a kibana with multiple spaces. We were missing the `option` `namespace` to get `getDecryptedAsInternalUser` (doesn't feel that like that much of an option). The call chain: - [`getDecryptedAsInternalUser` calls `internalRepository.get` passing options down](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77) - [A `performGet` is done passing options down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377) - [`options.namespace` is normalized (and remais undefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34) - [We check if document exists in the namespace, passing the undefined namespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56) - [On verifying that the namespace saved in the SavedObject is the same as the passed down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178), we [normalize the namespace to `default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39), which is then preset in the list stored in the saved object. - If no API key found for namespace, return all entity types. Before it was being returned an object. Decided to just use method `getEnabledEntityTypes` passing the feature flag as enabled (there is also a log). Relates to elastic#230723 #### Logs Before PR <img width="1671" height="735" alt="image" src="https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7" /> #### Logs with PR <img width="1574" height="141" alt="image" src="https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9" />
NicholasPeretti
pushed a commit
to NicholasPeretti/kibana
that referenced
this pull request
Aug 18, 2025
…astic#230746) ## Summary Solves two bugs: - The API key was not being found once multiple spaces were created, and **no enrich policy** should be working before this PR in a kibana with multiple spaces. We were missing the `option` `namespace` to get `getDecryptedAsInternalUser` (doesn't feel that like that much of an option). The call chain: - [`getDecryptedAsInternalUser` calls `internalRepository.get` passing options down](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/encrypted_saved_objects/server/saved_objects/index.ts#L77) - [A `performGet` is done passing options down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/repository.ts#L377) - [`options.namespace` is normalized (and remais undefined)](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L34) - [We check if document exists in the namespace, passing the undefined namespace](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/get.ts#L56) - [On verifying that the namespace saved in the SavedObject is the same as the passed down](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/api-server-internal/src/lib/apis/utils/internal_utils.ts#L178), we [normalize the namespace to `default`](https://github.com/elastic/kibana/blob/main/src/core/packages/saved-objects/utils-server/src/saved_objects_utils.ts#L39), which is then preset in the list stored in the saved object. - If no API key found for namespace, return all entity types. Before it was being returned an object. Decided to just use method `getEnabledEntityTypes` passing the feature flag as enabled (there is also a log). Relates to elastic#230723 #### Logs Before PR <img width="1671" height="735" alt="image" src="https://github.com/user-attachments/assets/0fc538b9-ecf3-4f9b-9209-198d514b44c7" /> #### Logs with PR <img width="1574" height="141" alt="image" src="https://github.com/user-attachments/assets/1574531f-57e7-4848-8e8b-0aeff033f1c9" />
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Solves two bugs:
optionnamespaceto getgetDecryptedAsInternalUser(doesn't feel that like that much of an option). The call chain:getDecryptedAsInternalUsercallsinternalRepository.getpassing options downperformGetis done passing options downoptions.namespaceis normalized (and remais undefined)default, which is then preset in the list stored in the saved object.getEnabledEntityTypespassing the feature flag as enabled (there is also a log).Relates to #230723
Logs Before PR
Logs with PR