URL drilldown

[streamich]

URL Drilldown MVP

• Add license support for drilldowns (and actions). Dynamic uiActions & license support #68507
• Basic nested triggers support ([Ui Actions] Support emitting nested triggers and actions #59162)
• Provide trigger info on action execution context ([Discuss] Trigger context interface #63854) (nice to have)
• MVP of URL drilldown with simple <textarea> as input (Embeddable to URL) . [wip] URL drilldown #68235 POC URL drilldown: trigger picker #70421
• Use URL drilldown to navigate to different Kibana apps.
• Add user facing docs for elastic.co website.

Next

• URL editor helpers
• URL encoding
• URL editor improvements
• URL allow-list

Vague ideas & backlog

• Helpers for Handlebars conditional functions, to use in #if statement.
• URL drilldown templates
• Better previews and validation
• SSO.
• Access variables from underlying documents
• Extension points
• Fixed user edited list of variables available in the URL?

Notes

Currently dashboard state (including drilldown state) in edit mode is synced to browser URL. For URL drilldown project we agreed it is OK to use this existing functionality, it is up to KibanaApp team to decide if they want to remove state from the URL in the future.

We also agreed not to build external URL allow-list specifically for the URL drilldown, but in the future Kibana will have a allow-list with which URL drilldown will integrate.

Part of #42845 #61785

[elasticmachine]

Pinging @elastic/kibana-app-arch (Team:AppArch)

[Dosant]

Had a thought during meeting:

We have build-stats and gitHub-stats kibana instances.
Would be great if we could validate our solution using those real world use case Kibanas by building drilldowns to GitHub and to Jenkins

Example GitHub url were we could drilldown to issue list of a team: https://github.com/elastic/kibana/issues?q=is%3Aopen+is%3Aissue+label%3ATeam%3A${team}

[Dosant]

@streamich, wonder what do you meant by "phase"?

• Development phase where we shouldn't move to next "phase" until done with previous?
• Or feature "phase" where we could merge to master and allow using feature after each phase?

My confusion is that: this feature won't go live without phase 1-4 implemented, but phase 5 (sso) is an improvement on top?

So what do you think of moving phase 5 (sso) to different issue and not touch it at all for now? (This was my impression after last drilldowns sync meeting)

[streamich]

By "phase" I just mean a separate piece of work, I guess "phase" is not the best word here.

So what do you think of moving phase 5 (sso) to different issue and not touch it at all for now?

Yes, I think we will move all 5 phases into separate issues.

[Dosant]

By default allow URL drilldown to navigate to any external URL.

I think this isn't right?
I think by default nothing should be allowed.

[Dosant]

Url Drilldowns unknowns: gdoc

[streamich]

Old plan:

Implement Dashboard-to-URL drilldown. It should be available under Gold license.

Phase 1

Solve security issue of storing URLs in Kibana app state. Kibana app state itself is stored in the URL, thus a hacker could send you a Kibana URL with a malicious drilldown URL in it.

• Do not store entered URL in Kibana URL state. A hacker can send a link to a malicious URL.
  • Remove app state from URL in edit mode?
  • Or store drilldown URL somehow differently?
  • Or clean-up Kibana state URL on load?

Issue: #67982

Phase 2

Implement the URL drilldown.

• Create the URL drilldown UrlDrilldownDefinition.
  • Put it in ui_actions_enhanced plugin.
  • Should be available under Gold license.
  • Implement Configurable interface to collect URL drilldown configuration.
    • URL pattern string, with tokens that can be interpolated:
      • Global Kibana values.
        • Cluster name
        • Filters, query, time range
        • etc.
      • Dashboard-specific values.
        • Dashboard ID
        • Dashboard title
        • etc.
      • Panel-specific values.
        • Panel ID
        • Panel title
        • Panel time range, filers, query
        • etc.
      • Trigger-specific data
        • Filter or time range constructed
    • Flags
      • Whether to open in new tab.
  • Implement logic to navigate to the URL in the execute method using redirect in browser.
• Add functional tests.

Phase 3

Create user-facing website docs.

• Documentation about the URL drilldown.
• Add reference about every interpolation token.

Phase 4

Add ability to allow-list URL drilldown origins (protocol + domain + port).

• By default allow URL drilldown to navigate to any external URL.
• Add option to disable URL drilldown entirely.
• Add an opt-in option to kibana.yml to enable URL allow-listing.
• Add option to kibana.yml to specify URL origin allow list.
• Respect URL allow-list configuration in URL drilldown.

# Option to disable URL drilldown entirely:
xpack.ui_actions_enhanced.url_drilldown.enabled: false

# Option to opt-in into allow-list behavior:
xpack.ui_actions_enhanced.url_drilldown.origin_allowlist_enabled: true

# Option to specify origin allow-list:
xpack.ui_actions_enhanced.url_drilldown.origin_allowlist:
  - http://google.com
  - http://bing.com

Maybe origin_allowlist_enabled and origin_allowlist options in kibana.yml can be collapsed into one? If origin_allowlist is specified it means that allow-listing is enabled.

Phase 5

Implement redirection to external URL through Kibana server (instead of directly from browser). This will allow us to support SSO authentication features, will allow users signed-in with SSO to authenticate with destination URL.

• When user executes URL drilldown redirect to Kibana server with all necessary parameters.
• Kibana server should process the request, construct the redirection URL, add correct headers and redirect there.

[amberchandel]

is it possible to use URL drill-down for a number range in the free version without having a gold license

[ppisljar]

Thank you for contributing to this issue, however, we are closing this issue due to inactivity as part of a backlog grooming effort. If you believe this feature/bug should still be considered, please reopen with a comment.