Skip to content

[Synthetics] Validate private location spaces for multi-space monitors#260642

Merged
benakansara merged 20 commits into
elastic:mainfrom
benakansara:feat/multi-space-monitors-and-private-locations
May 4, 2026
Merged

[Synthetics] Validate private location spaces for multi-space monitors#260642
benakansara merged 20 commits into
elastic:mainfrom
benakansara:feat/multi-space-monitors-and-private-locations

Conversation

@benakansara
Copy link
Copy Markdown
Contributor

@benakansara benakansara commented Apr 1, 2026

Resolves #233434, #247904

Summary

Multi-space monitors can reference private locations that are not shared to all the monitor's spaces. This caused confusing red error boxes in the UI when editing from a space where the location isn't available, and allowed invalid monitor configurations to be persisted silently.

This PR adds server-side validation to enforce that every private location assigned to a monitor is available in all spaces the monitor is shared to, for both UI and project monitors. It also improves the UI to surface a clear, actionable warning when a selected private location is not available in all monitor spaces.

Testing

Prerequisites

  • Two spaces: default and space-a
  • A private location shared only to default (not space-a)
  • A user with monitor permissions in both spaces

UI monitor - create

  • From default space, create a monitor.
  • Set Kibana spaces to [default, space-a].
  • Select the private location (shared only to default space).
  • Expected: Save is blocked with: "The following private locations are not available in all spaces this monitor is shared to: . Either share the private locations to all monitor spaces, or remove those spaces from the monitor."
  • Also verify a red warning appears below the locations picker before even saving.

UI monitor - edit

Step 1 - Create the bad state on main

  • Make sure you have two spaces: default and space-a
  • Create a private location
  • Share the private location only to default space (not space-a)
  • Go to Synthetics -> Create Monitor from default space
  • Set Kibana spaces to [default, space-a]
  • Select the private location
  • Save - it will succeed (no validation on main)

Step 2 - Switch back to PR branch

Step 3 - Test the edit flow

  • Scenario A - edit from default space (where private location exists):

    • Open the monitor from default space
    • Make any change (e.g. change the monitor name)
    • Click Save
    • Expected: 400 error: "The following private locations are not available in all spaces this monitor is shared to: . Either share the private locations to all monitor spaces, or remove those spaces from the monitor."
    • Also verify the red warning text is visible below the locations picker

  • Scenario B - edit from space-a (where private location is not available):

    • Switch to space-a
    • Open the same monitor
    • Expected: The private location chip appears in red in the locations field, and the red warning message is shown below the combo box
    • Try to save -> same 400 error as Scenario A

  • Scenario C - fix and save:

    • From either space, remove space-a from the spaces field (or remove the private location)
    • Save
    • Expected: Saves successfully, no error

Authorization check

  • As a user with monitor permissions in default but not space-a, open a monitor shared to both spaces.
  • Try to save any change.
  • Expected: 403 error: "This monitor is shared to spaces where you do not have update permissions. To save changes, either request access to those spaces or remove them from the monitor."

Project monitors

  • Push a project monitor config with a private location that isn't shared to all the monitor's spaces.
  • Expected: API returns a validation error identifying the location and missing spaces.

Monitors with only public locations

  • Monitors using only public locations should create/edit without any new errors.

Single-space monitors

  • Monitors in a single space with a private location in that space should work as before.

@benakansara benakansara self-assigned this Apr 1, 2026
@github-actions github-actions Bot added the author:actionable-obs PRs authored by the actionable obs team label Apr 1, 2026
@benakansara benakansara added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting and removed author:actionable-obs PRs authored by the actionable obs team labels Apr 1, 2026
@benakansara benakansara marked this pull request as ready for review April 1, 2026 09:01
@benakansara benakansara requested a review from a team as a code owner April 1, 2026 09:01
@benakansara benakansara linked an issue Apr 1, 2026 that may be closed by this pull request
[Synthetics] Editing a multi-space monitor with a single-space private location shows an error #247904
Closed
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Apr 13, 2026
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Scout: [ security / entity_store ] plugin / local-stateful-classic - Entity Store Logs Extraction with pagination (max 5 docs per page) - Should extract properly extract host with pagination
  • [job] [logs] Scout: [ security / entity_store ] plugin / local-stateful-classic - Entity Store Logs Extraction with pagination (max 5 docs per page) - Should extract properly extract host with pagination

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
synthetics 1.1MB 1.1MB +796.0B

History

cc @benakansara

@macroscopeapp
Copy link
Copy Markdown
Contributor

macroscopeapp Bot commented Apr 27, 2026

Catch flakiness early (recommended)

Recommended before merge: run the flaky test runner against this PR to catch flakiness early.

New async API calls (sharePrivateLocationToSpaces) were added to legacy_and_multispace_monitor_api.ts, introducing state-mutating network requests in test setup that both configs exercise.

Trigger a run with the Flaky Test Runner UI or post this comment on the PR:

/flaky ftrConfig:x-pack/solutions/observability/test/api_integration_deployment_agnostic/configs/serverless/oblt.synthetics.serverless.config.ts:30 ftrConfig:x-pack/solutions/observability/test/api_integration_deployment_agnostic/configs/stateful/oblt.stateful.config.ts:30

Share feedback in the #appex-qa channel.

Posted via Macroscope — Flaky Test Runner nudge

@benakansara benakansara requested a review from a team as a code owner April 27, 2026 16:48
@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod Bot requested a review from a team as a code owner April 27, 2026 17:06
cauemarcondes
cauemarcondes approved these changes Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cauemarcondes cauemarcondes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Obs UI changes LGTM

shahzad31
shahzad31 reviewed Apr 30, 2026
View reviewed changes
Comment thread ...ions/observability/plugins/synthetics/server/routes/monitor_cruds/monitor_locations_utils.ts Outdated
server.security.authz.checkSavedObjectsPrivilegesWithRequest(request);

const { hasAllRequested } = await checkSavedObjectsPrivileges(
'saved_object:synthetics-monitor/bulk_update',
Copy link
Copy Markdown
Contributor

@shahzad31 shahzad31 Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
'saved_object:synthetics-monitor/bulk_update',
'synthetics-monitor-multi-space/bulk_update' //. or it would synthetics-monitor depending on type,

i just realized this is a bug,synthetics-monitor is only single space monitor, when we start supporting multi space monitor, you will need to check against synthetics-monitor-multi-space

so i think in edit route when you fetch saved object, you can see it's type and based on that we will need to check which saved object to use.

Copy link
Copy Markdown
Contributor Author

@benakansara benakansara Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 331ac59

Also, applied the fix in edit_private_location.ts. When editing a private location, the checkPrivileges was using saved_object:synthetics-monitor/bulk_update: 2baeb18

shahzad31
shahzad31 approved these changes May 1, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@shahzad31 shahzad31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM !!

@kibanamachine
Copy link
Copy Markdown
Contributor

kibanamachine commented May 4, 2026

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
synthetics 1.1MB 1.1MB +796.0B

History

cc @benakansara

@benakansara benakansara merged commit a80721e into elastic:main May 4, 2026
24 checks passed
@benakansara benakansara added the author:actionable-obs PRs authored by the actionable obs team label May 4, 2026
seanrathier pushed a commit to seanrathier/kibana that referenced this pull request May 4, 2026
@benakansara @shahzad31
@kibanamachine @seanrathier
[Synthetics] Validate private location spaces for multi-space monitors (
cccb8ce 
elastic#260642)

Resolves elastic#233434,
elastic#247904

## Summary

Multi-space monitors can reference private locations that are not shared
to all the monitor's spaces. This caused confusing red error boxes in
the UI when editing from a space where the location isn't available, and
allowed invalid monitor configurations to be persisted silently.

This PR adds server-side validation to enforce that every private
location assigned to a monitor is available in all spaces the monitor is
shared to, for both UI and project monitors. It also improves the UI to
surface a clear, actionable warning when a selected private location is
not available in all monitor spaces.

## Testing

### Prerequisites

- Two spaces: default and space-a
- A private location shared only to default (not space-a)
- A user with monitor permissions in both spaces

### UI monitor - create

- From default space, create a monitor.
- Set Kibana spaces to [default, space-a].
- Select the private location (shared only to default space).
- Expected: Save is blocked with: "The following private locations are
not available in all spaces this monitor is shared to: <name>. Either
share the private locations to all monitor spaces, or remove those
spaces from the monitor."
- Also verify a red warning appears below the locations picker before
even saving.

### UI monitor - edit

**Step 1 - Create the bad state on main**

- Make sure you have two spaces: default and space-a
- Create a private location
- Share the private location only to default space (not space-a)
- Go to Synthetics -> Create Monitor from default space
- Set Kibana spaces to [default, space-a]
- Select the private location
- Save - it will succeed (no validation on main)

**Step 2 - Switch back to PR branch**

**Step 3 - Test the edit flow**

- Scenario A - edit from default space (where private location exists):
  - Open the monitor from default space
  - Make any change (e.g. change the monitor name)
  - Click Save
- Expected: 400 error: "The following private locations are not
available in all spaces this monitor is shared to: <name>. Either share
the private locations to all monitor spaces, or remove those spaces from
the monitor."
- Also verify the red warning text is visible below the locations picker

- Scenario B - edit from space-a (where private location is not
available):
    - Switch to space-a
    - Open the same monitor
- Expected: The private location chip appears in red in the locations
field, and the red warning message is shown below the combo box
    - Try to save -> same 400 error as Scenario A

- Scenario C - fix and save:
- From either space, remove space-a from the spaces field (or remove the
private location)
  - Save
  - Expected: Saves successfully, no error

### Authorization check

- As a user with monitor permissions in default but not space-a, open a
monitor shared to both spaces.
- Try to save any change.
- Expected: 403 error: "This monitor is shared to spaces where you do
not have update permissions. To save changes, either request access to
those spaces or remove them from the monitor."

### Project monitors

- Push a project monitor config with a private location that isn't
shared to all the monitor's spaces.
- Expected: API returns a validation error identifying the location and
missing spaces.

### Monitors with only public locations

- Monitors using only public locations should create/edit without any
new errors.

### Single-space monitors

- Monitors in a single space with a private location in that space
should work as before.

---------

Co-authored-by: Shahzad <shahzad31comp@gmail.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
shahzad31 added a commit to shahzad31/kibana that referenced this pull request May 25, 2026
@shahzad31 @cursoragent
fix CI: port getPrivateLocationsForNamespaces to 9.4
2eea0c2 
PR elastic#270540's monitor_integration_health_api.{ts,test.ts} import
getPrivateLocationsForNamespaces, which was added on main by PR elastic#260642
but does not exist on 9.4 yet — causing 5 type errors in CI.

Port the symbol verbatim from main: add the multi-namespace export and
rewrite getPrivateLocations as a one-line wrapper. The public signature
of getPrivateLocations is preserved, so all existing 9.4 callers are
unaffected.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@macroscopeapp macroscopeapp[bot] macroscopeapp[bot] left review comments

@shahzad31 shahzad31 shahzad31 approved these changes

@cauemarcondes cauemarcondes cauemarcondes approved these changes

@steliosmavro steliosmavro steliosmavro approved these changes

Assignees

@benakansara benakansara

Labels

author:actionable-obs PRs authored by the actionable obs team backport:skip This PR does not require backporting release_note:skip Skip the PR/issue when compiling release notes v9.5.0

Projects

None yet

Milestone

No milestone

7 participants

@benakansara @elasticmachine @kibanamachine @shahzad31 @cauemarcondes @steliosmavro @jasonrhodes