Change WatchlistConfigClient to use internal Elasticsearch client instead of current user #265966
CAWilson94 merged 4 commits into elastic:main
Conversation
- Added `internalEsClient` dependency to `WatchlistConfigClientDeps` for system index operations.
- Updated `WatchlistConfigClient` to throw an error if `internalEsClient` is not provided.
- Modified index creation logic to use `internalEsClient` instead of the regular `esClient`.
- Adjusted related tests to mock the new internal client dependency.

- Removed the `fetchWatchlistPrivileges` function from the entity analytics API as it is no longer needed.
- Deleted the `useWatchlistsPrivileges` hook, which was dependent on the removed function.
- Updated the `Watchlists` component to eliminate privilege checks and loading states related to watchlist privileges, simplifying the rendering logic.
- Adjusted Cypress tests to remove references to the now-deleted watchlist privileges API.
Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
tiansivive
left a comment
I'm approving, but leaving a comment which I think we could discuss a bit
I thought about this when we were debugging, but I didn't want to get sidetracked.
I wonder if this is the best API?
I do like that the create endpoint can check and reject non-internal user clients, I'm just not sure that means we need to "duplicate" fields in the deps for basically the same thing 🤔
Ideally, I would say it's one esClient field and then we could try to check if it's internal or not?
Otherwise I suppose this approach is the best fallback option
💛 Build succeeded, but was flaky
cc @CAWilson94
Starting backport for target branches: 9.4 https://github.com/elastic/kibana/actions/runs/25117926603
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…nt instead of current user (#265966) (#266437)
# Backport
This will backport the following commits from `main` to `9.4`:
- [Change WatchlistConfigClient to use internal Elasticsearch client instead of current user (#265966)](#265966)
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
Co-authored-by: Charlotte Alexandra Wilson <CAWilson94@users.noreply.github.com>
Summary
This PR changes the create watchlist to use internalUser instead of currentUser for creating the internal watchlist index. Additionally, this PR removes the placeholder privileged user monitoring permissions checks from the watchlist management page, as we only need access to the internal watchlist index, and any indices permissions should be handled per user, e.g. if a user requires access to the ml indices, this is not the responsibility of watchlists specifically.
- Added `internalEsClient` dependency to `WatchlistConfigClientDeps` for system index operations.
- Updated `WatchlistConfigClient` to throw an error if `internalEsClient` is not provided.
- Modified index creation logic to use `internalEsClient` instead of the regular `esClient`.
- Adjusted related tests to mock the new internal client dependency.
Testing steps
Feature Flags:
```
xpack.securitySolution.enableExperimental:
  - entityAnalyticsWatchlistEnabled
  - securitySolution:entityStoreEnableV2
  - entityAnalyticsEntityStoreV2

uiSettings.overrides:
  securitySolution:entityStoreEnableV2: true
```
1. Open a kibana instance
2. Create a user with basic role - security all, no access to specific watchlist indices.
3. Login with that user and try to load up the entity analytics management page, go to watchlists tab
4. Note that the watchlists management table shows no permissions error messages
5. Click create watchlist, ensure you can now create a watchlist without error messages
No data generation required for this.
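As an added illustration of the dependency split this PR describes (example code written for this page, not Kibana's own implementation): the class below reuses the names `WatchlistConfigClient`, `WatchlistConfigClientDeps` and `internalEsClient` from the PR, but the `EsClientLike` interface, the `.entity_analytics.watchlist` index name, the `init`/`list` methods and the in-memory fake client are assumptions made for the example. It shows the constructor failing fast when `internalEsClient` is absent, system-index creation going through the internal client only, and user-visible reads staying on the user-scoped client so that Elasticsearch still enforces the caller's own index privileges.

```typescript
// Added example (not Kibana's code): a minimal model of the dependency split
// described in the PR. System-index operations (creating the internal watchlist
// index) use an internal, privileged client; user-facing operations keep using
// the client scoped to the requesting user. Interfaces, index name and the
// fake client below are assumptions for this example.

export interface IndicesApi {
  exists(params: { index: string }): Promise<boolean>;
  create(params: { index: string }): Promise<{ acknowledged: boolean }>;
}

export interface EsClientLike {
  indices: IndicesApi;
  search(params: { index: string }): Promise<{ hits: unknown[] }>;
}

export interface WatchlistConfigClientDeps {
  esClient: EsClientLike;          // scoped to the current user
  internalEsClient?: EsClientLike; // Kibana internal (system) user; required
  namespace: string;
}

// Assumed index name for this example.
export const WATCHLIST_INDEX_PREFIX = '.entity_analytics.watchlist';

export class WatchlistConfigClient {
  private readonly internalEsClient: EsClientLike;

  constructor(private readonly deps: WatchlistConfigClientDeps) {
    // Fail fast: without the internal client, index creation would run with
    // whatever privileges the current user happens to have (and usually fail).
    if (!deps.internalEsClient) {
      throw new Error('WatchlistConfigClient requires internalEsClient for system index operations');
    }
    this.internalEsClient = deps.internalEsClient;
  }

  indexName(): string {
    return `${WATCHLIST_INDEX_PREFIX}-${this.deps.namespace}`;
  }

  // System-index bootstrap: always the internal client, never the user's.
  async init(): Promise<'created' | 'exists'> {
    const index = this.indexName();
    if (await this.internalEsClient.indices.exists({ index })) return 'exists';
    await this.internalEsClient.indices.create({ index });
    return 'created';
  }

  // Reads of user-visible data stay on the user-scoped client, so the
  // caller's own index privileges are still enforced by Elasticsearch.
  async list(): Promise<unknown[]> {
    const res = await this.deps.esClient.search({ index: this.indexName() });
    return res.hits;
  }
}

// Constructed in-memory client that records which client performed which call.
export function makeFakeClient(label: string, calls: string[]): EsClientLike {
  const indices = new Set<string>();
  return {
    indices: {
      async exists({ index }) {
        calls.push(`${label}:exists:${index}`);
        return indices.has(index);
      },
      async create({ index }) {
        calls.push(`${label}:create:${index}`);
        indices.add(index);
        return { acknowledged: true };
      },
    },
    async search({ index }) {
      calls.push(`${label}:search:${index}`);
      return { hits: [] };
    },
  };
}

// Runs the sequence the PR's testing steps exercise and returns the call log.
export async function demo(): Promise<string[]> {
  const calls: string[] = [];
  const client = new WatchlistConfigClient({
    esClient: makeFakeClient('user', calls),
    internalEsClient: makeFakeClient('internal', calls),
    namespace: 'default',
  });
  await client.init(); // first call creates the index via the internal client
  await client.init(); // second call finds it and does nothing
  await client.list(); // read goes through the user-scoped client
  return calls;
}
```

The call log returned by `demo()` makes the split visible: every `exists`/`create` entry is tagged `internal`, and only the `search` is tagged `user`. Omitting `internalEsClient` from the deps throws at construction time rather than at the first index operation.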