[RORDEV-2053] analysis #99 (Closed)

coutoPL wants to merge 15 commits into master from support/RORDEV-2053

Conversation

@coutoPL coutoPL (Collaborator) commented May 21, 2026

cd ror-demo-cluster && ./clean.sh && ./run.sh

Summary by CodeRabbit

  • New Features

    • Automated creation of three Kibana data views for frontend, business, and system logs during initialization.
    • New utility to create Kibana data views programmatically.
  • Configuration

    • Access-control rules and user/group setup simplified and restructured for Kibana.
    • ReadonlyREST logging in Kibana set to trace.
    • Elasticsearch and Kibana versions pinned to 8.19.11 with fixed plugin artifacts.
    • Initializer now targets the Kibana endpoint; ReadonlyREST loading timing adjusted.

@coderabbitai coderabbitai Bot (Contributor) commented May 21, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds a shell helper to create Kibana data views, integrates it into the demo init flow, pins ES/Kibana/ROR versions, wires KIBANA_ADDRESS into compose files, and refactors ReadonlyREST access-control and user mappings to a group-based tenancy model.

Changes

Kibana Tenancy and Data View Integration

  • Kibana Data View API Helper Function and Configuration
    Files: shared/init-scripts/utils/lib.sh, ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml
    Summary: New createKibanaDataView function validates args, resolves KIBANA_ADDRESS and credentials, and POSTs to Kibana /api/data_views/data_view with optional timeFieldName and tenancy header. Kibana config sets readonlyrest_kbn.logLevel: trace and removes the previous auth subtree.
  • Access Control Rules and User Mappings for Group Tenancy
    Files: ror-demo-cluster/conf/es/readonlyrest.yml
    Summary: Replaces access_control_rules with allow rules for admin, g1, g2, and user3:test (Kibana index templating via @{acl:current_group}). Simplifies users to direct admin, user1, user2 entries with auth_key and flat groups arrays.
  • Environment Configuration and Service Wiring
    Files: ror-demo-cluster/.env-showcase, examples/ror-with-kibana-reverse-proxy-demo/docker-compose.yml, ror-demo-cluster/docker-compose.yml
    Summary: Activates pinned versions and Dockerfile selections in .env-showcase; sets KIBANA_ADDRESS=https://kbn-ror:5601 for initializer services in demo compose files; changes es-ror ES_JAVA_OPTS readonlyrest loading delay from 0s to 1.
  • Demo Initialization with Kibana Data Views
    Files: shared/init-scripts/init.sh
    Summary: Adds registration calls to create Kibana data views for logs-frontend-*, logs-business-*, and logs-system-* using @timestamp and assigning groups g1/g2; keeps the existing business index creation/seed line.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • beshu-tech/ror-sandbox#92: Modifies ror-demo-cluster/docker-compose.yml ES_JAVA_OPTS readonlyrest JVM property for settings loading delay.
  • beshu-tech/ror-sandbox#76: Related changes to Kibana ReadonlyREST auth/OIDC wiring and readonlyrest.yml user/group configuration.
  • beshu-tech/ror-sandbox#96: Similar updates to .env-showcase and demo initialization scripts involving Kibana/data-stream setup.

Suggested reviewers

  • Dzuming

Poem

🐰 I hopped through configs, tidy and spry,
Wired KIBANA_ADDRESS so dashboards say hi,
I taught the init script to build data views,
Group g1 and g2 now pick their cues,
Hop—logs bloom bright beneath the sandbox sky.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check: ❓ Inconclusive. The title '[RORDEV-2053] analysis' is vague and generic, failing to describe the actual changes made across multiple configuration and script files in the changeset. Resolution: replace with a descriptive title that captures the main intent, such as 'Update demo cluster configuration and add Kibana data view initialization' or 'Configure ROR demo with Kibana reverse proxy and data view setup'.

✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1d82bbab-8552-4ccd-bfed-f0968c18b6e3

📥 Commits

Reviewing files that changed from the base of the PR and between 09822ba and f37a1ab.

📒 Files selected for processing (7)
  • examples/ror-with-kibana-reverse-proxy-demo/docker-compose.yml
  • ror-demo-cluster/.env-showcase
  • ror-demo-cluster/conf/es/readonlyrest.yml
  • ror-demo-cluster/conf/kbn/enterprise-ror-newplatform-kibana.yml
  • ror-demo-cluster/docker-compose.yml
  • shared/init-scripts/init.sh
  • shared/init-scripts/utils/lib.sh

Comment on lines +21 to +33
- name: "Group1 users"
type: allow
groups_or: ["g1"]
kibana:
access: rw
index: .kibana_@{acl:current_group}

- name: "End users"
groups: ["EndUsers"]
indices: ["*-frontend-*", "kibana_sample_data_*"]
- name: "Group2 users"
type: allow
groups_or: ["g2"]
kibana:
index: .kibana_end_@{user}
access: rw
hide_apps: ["Security", "Observability"]
index: .kibana_@{acl:current_group}
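Review bot: the new "Group1 users" and "Group2 users" rules carry no `indices` restriction, while the "End users" rule they replace did (`indices: ["*-frontend-*", "kibana_sample_data_*"]`), so this rewrite widens Elasticsearch data access at the same moment it introduces per-group Kibana indices; give each rule an `indices` list (or a pattern derived from `@{acl:current_group}`) so the saved-object separation is matched by data separation. Separately, as rendered here the Group2 `kibana` block shows two `index` keys (`.kibana_end_@{user}` and `.kibana_@{acl:current_group}`) next to a `hide_apps` entry that looks like removed context; confirm that only one `index` key survives in the final file, because a duplicated mapping key is either rejected or silently resolved last-wins depending on the YAML parser.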

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add per-tenant index restrictions to the g1/g2 rules.

These blocks only switch the Kibana saved-object index. They do not restrict Elasticsearch data indices, so a g1 user can still create a data view for logs-system-* and query another tenant's data. That breaks the group isolation this PR is introducing. Because user1 belongs to both groups, the restriction also needs to follow the selected tenancy/current group rather than just the first matching group rule.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ror-demo-cluster/conf/es/readonlyrest.yml` around lines 21 - 33, The Group1
users and Group2 users rules only set kibana.index and don’t restrict
Elasticsearch data indices, so add per-tenant index restrictions that use the
selected tenancy/current group; update the "Group1 users" and "Group2 users"
entries (the rules that contain groups_or ["g1"] and ["g2"] and kibana.index
.kibana_@{acl:current_group}) to also include data index permission blocks that
reference @{acl:current_group} (e.g. restrict allowed index patterns like
logs-@{acl:current_group}-* or a generic pattern using @{acl:current_group}) so
queries and data-view creation are limited to the current tenant, and ensure the
permission uses acl:current_group rather than relying on the first-matching
group rule.

- discovery.type=single-node
- bootstrap.memory_lock=true
- "ES_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -Dcom.readonlyrest.settings.loading.attempts.count=1 -Dcom.readonlyrest.settings.loading.delay=0s"
- "ES_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -Dcom.readonlyrest.settings.loading.attempts.count=1 -Dcom.readonlyrest.settings.loading.delay=1"
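Review bot: the changed `ES_JAVA_OPTS` line drops the unit from the loading delay (`-Dcom.readonlyrest.settings.loading.delay=0s` becomes `=1`); keep the suffix (`=1s`) so the value remains an unambiguous duration rather than relying on a default unit. Unchanged on both lines but worth confirming for a demo cluster: the JDWP agent is started with `address=*:5005`, which listens on every interface of the es-ror container, so the compose file should keep port 5005 unpublished outside the demo network.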

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the accepted value format for ReadonlyREST JVM property com.readonlyrest.settings.loading.delay? Is `1` valid, or must it include a time unit like `1s`?

💡 Result:

Accepted value format for ReadonlyREST JVM property com.readonlyrest.settings.loading.delay is a Java-style duration that includes a time unit (e.g., 1s), not a bare integer like 1. [1][2] Evidence: ReadonlyREST documents duration-valued configuration parameters using explicit unit suffixes (table shows s, m, h, d with examples like "1s"). [2] A community discussion also references com.readonlyrest.settings.loading.delay specifically as a setting to adjust delay, implying it’s handled as a duration-like value. [1] So: use -Dcom.readonlyrest.settings.loading.delay=1s (seconds) rather than =1. [2][1]

Citations:


Use an explicit duration unit for com.readonlyrest.settings.loading.delay (ror-demo-cluster/docker-compose.yml line 43)

ReadonlyREST expects com.readonlyrest.settings.loading.delay to be a duration value with a unit suffix (e.g., 1s), so =1 is not a valid/explicitly parseable form. Update to 1s.

Proposed fix
-      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -Dcom.readonlyrest.settings.attempts.count=1 -Dcom.readonlyrest.settings.loading.delay=1"
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -Dcom.readonlyrest.settings.attempts.count=1 -Dcom.readonlyrest.settings.loading.delay=1s"
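Review bot: the proposed fix does not match the line it targets: the `-` side here reads `-Dcom.readonlyrest.settings.attempts.count=1`, whereas the compose line in the hunk above carries `-Dcom.readonlyrest.settings.loading.attempts.count=1`, so applying this suggestion verbatim would rewrite (and mis-spell) the attempts property as well as add the `s`. The intended change is the single token `loading.delay=1` to `loading.delay=1s`; the rest of the string should stay as it is.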
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ror-demo-cluster/docker-compose.yml` at line 43, The docker-compose
environment string sets com.readonlyrest.settings.loading.delay without a
duration unit which ReadonlyREST requires; update the ES_JAVA_OPTS value that
contains "com.readonlyrest.settings.loading.delay=1" to use an explicit unit
such as "com.readonlyrest.settings.loading.delay=1s" so the setting is parseable
(locate the ES_JAVA_OPTS entry in the compose service, modify the delay token
accordingly).

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
shared/init-scripts/utils/lib.sh (1)

133-152: 💤 Low value

Unescaped interpolation into JSON body and x-ror-tenancy-id header.

$INDEX_PATTERN, $DATA_VIEW_NAME, $TIME_FIELD_NAME, and $TENANCY are inlined verbatim. A value containing ", \, or a newline will break the JSON document or, in the tenancy case, allow CRLF header smuggling. Inputs are demo-controlled today, so this is robustness-only, but a quick jq -nc --arg ... (or a printf %q-style sanitizer) eliminates the foot-gun for free.

♻️ Sketch using `jq` to build the body
-  data_view_fields="\"title\": \"$INDEX_PATTERN\", \"name\": \"$DATA_VIEW_NAME\""
-  if [ -n "$TIME_FIELD_NAME" ]; then
-    data_view_fields="$data_view_fields, \"timeFieldName\": \"$TIME_FIELD_NAME\""
-  fi
+  body=$(jq -nc \
+    --arg title "$INDEX_PATTERN" \
+    --arg name "$DATA_VIEW_NAME" \
+    --arg tf "$TIME_FIELD_NAME" \
+    '{data_view: ({title:$title, name:$name} + (if $tf == "" then {} else {timeFieldName:$tf} end))}')
@@
-    "${tenancy_header[@]}" -d "{
-      \"data_view\": { $data_view_fields }
-    }"
+    "${tenancy_header[@]}" -d "$body"
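Review bot: the sketch fixes the JSON body but leaves the second half of the finding open: `x-ror-tenancy-id` is still assembled from `$TENANCY` in `tenancy_header`, so a value containing CR/LF would still reach the header line; validate it against a conservative charset (or omit the header when validation fails) in the same change. The sketch also adds a runtime dependency on `jq` inside the initializer image, which the current `curl`-only helper does not have; check the image ships it, otherwise the script now fails at the first `jq -nc` call.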
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shared/init-scripts/utils/lib.sh` around lines 133 - 152, The JSON body and
tenancy header are built by directly interpolating INDEX_PATTERN,
DATA_VIEW_NAME, TIME_FIELD_NAME and TENANCY into data_view_fields and
tenancy_header before the curl POST to /api/data_views/data_view, which can
break JSON or allow header smuggling; instead, build the request body using a
safe serializer (e.g. jq -n --arg INDEX_PATTERN "$INDEX_PATTERN" --arg
DATA_VIEW_NAME "$DATA_VIEW_NAME" --arg TIME_FIELD_NAME "$TIME_FIELD_NAME" '...')
to produce a properly escaped JSON object for the -d argument, and
sanitize/escape TENANCY before adding it to tenancy_header (or only add the
header when the sanitized value is non-empty) so you never inline raw unescaped
values into data_view_fields, tenancy_header or the curl -d payload.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shared/init-scripts/init.sh`:
- Around line 10-17: The script only registers the frontend Kibana data view
because the other lines are commented out; either re-enable the corresponding
data stream creation and data view calls (uncomment the createDataStream
"logs-business-dev" / "logs-system-dev" + generate_log_documents | putDocument
lines and uncomment createKibanaDataView "logs-business-*" and "logs-system-*"
so groups g1/g2 get views), or remove those commented stubs entirely to avoid
misleading the PR summary; update the same symbols createDataStream,
generate_log_documents, putDocument, and createKibanaDataView accordingly so
running ./run.sh produces the expected indices and data views for g1 and g2.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e997b7c6-43a4-4880-acd4-05fa02e7551a

📥 Commits

Reviewing files that changed from the base of the PR and between f37a1ab and daf97e1.

⛔ Files ignored due to path filters (1)
  • ror-demo-cluster/readonlyrest-1.70.0-pre7_es8.19.11.zip is excluded by !**/*.zip
📒 Files selected for processing (3)
  • ror-demo-cluster/.env-showcase
  • shared/init-scripts/init.sh
  • shared/init-scripts/utils/lib.sh
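As an added example (not code from the ror-sandbox repository or its lib.sh), the helper below does what the nitpick above asks for without needing jq in the initializer image: a pure POSIX sh JSON escaper for the body fields, and a strict charset check on the tenancy id before it is placed on the x-ror-tenancy-id header. KIBANA_AUTH, the curl -k flag and the create_kibana_data_view name are assumptions made for the illustration; KIBANA_ADDRESS, the /api/data_views/data_view endpoint and the header name are the ones the PR's helper already uses.

```shell
#!/bin/sh
# Added example; not the sandbox's shared/init-scripts/utils/lib.sh.
# Escaping is done in plain sh instead of jq; the tenancy id is validated
# rather than escaped, since header values have no escape syntax.

# Escape one string so it can sit inside a JSON string literal.
# Other C0 control characters are rare in index names and are passed
# through unchanged; extend the case statement if they can occur.
json_escape() {
  s=$1
  out=''
  nl='
'
  cr=$(printf '\r')
  tab=$(printf '\t')
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}            # first character of $s
    s=${s#?}                   # remainder
    case "$c" in
      \\)     out="$out\\\\" ;;  # backslash -> \\
      \")     out="$out\\\"" ;;  # quote     -> \"
      "$nl")  out="$out\\n"  ;;
      "$cr")  out="$out\\r"  ;;
      "$tab") out="$out\\t"  ;;
      *)      out="$out$c"   ;;
    esac
  done
  printf '%s' "$out"
}

# JSON body for POST /api/data_views/data_view.
# Usage: build_data_view_body INDEX_PATTERN DATA_VIEW_NAME [TIME_FIELD_NAME]
build_data_view_body() {
  title=$(json_escape "$1")
  name=$(json_escape "$2")
  if [ -n "${3:-}" ]; then
    tf=$(json_escape "$3")
    printf '{"data_view":{"title":"%s","name":"%s","timeFieldName":"%s"}}' \
      "$title" "$name" "$tf"
  else
    printf '{"data_view":{"title":"%s","name":"%s"}}' "$title" "$name"
  fi
}

# Only a conservative charset is accepted for the tenancy id, so CR/LF,
# spaces, quotes or colons can never reach the header line. Returns 1 on reject.
valid_tenancy_id() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9_.-]*) return 1 ;;
  esac
  return 0
}

# Send the request. Assumed, not from the page: KIBANA_AUTH holds user:pass and
# KIBANA_ADDRESS the https base URL (demo uses a self-signed cert, hence -k).
# Usage: create_kibana_data_view INDEX_PATTERN NAME [TIME_FIELD] [TENANCY]
create_kibana_data_view() {
  index_pattern=$1; data_view_name=$2; time_field=${3:-}; tenancy=${4:-}
  body=$(build_data_view_body "$index_pattern" "$data_view_name" "$time_field")
  if [ -n "$tenancy" ]; then
    if ! valid_tenancy_id "$tenancy"; then
      printf 'refusing unsafe tenancy id for data view %s\n' "$data_view_name" >&2
      return 1
    fi
    set -- -H "x-ror-tenancy-id: $tenancy"   # header only when validated
  else
    set --
  fi
  curl -sS -k -u "${KIBANA_AUTH:?}" -X POST \
    "${KIBANA_ADDRESS:?}/api/data_views/data_view" \
    -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "$@" -d "$body"
}

# Constructed demo input (no request is sent): show the escaped body.
build_data_view_body 'logs-frontend-*' 'frontend logs' '@timestamp'; echo
```

The two pure functions are what a test can pin down: build_data_view_body must round-trip quotes, backslashes and newlines into valid JSON escapes, and valid_tenancy_id must refuse anything that could start a second header line. create_kibana_data_view only ever adds the header after that check has passed, which is the property the original interpolation lacked.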


@coderabbitai coderabbitai Bot left a comment


♻️ Duplicate comments (1)
ror-demo-cluster/conf/es/readonlyrest.yml (1)

21-33: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Re-enable tenant isolation in g1/g2 rules before merge.

kibana.index is still commented (Line 26, Line 33), and these rules still do not constrain Elasticsearch data indices. That leaves tenancy separation incomplete for both saved objects and data access.

Suggested minimal config direction
     - name: "Group1 users"
       type: allow
       groups_or: ["g1"]
       kibana:
         access: rw
-        `#index`: .kibana_@{acl:current_group}
+        index: .kibana_@{acl:current_group}
+      indices: ["logs-frontend-*", "logs-business-*"]

     - name: "Group2 users"
       type: allow
       groups_or: ["g2"]
       kibana:
         access: rw
-        `#index`: .kibana_@{acl:current_group}
+        index: .kibana_@{acl:current_group}
+      indices: ["logs-system-*"]
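Review bot: the suggested `indices` lists hard-code the per-group mapping (`logs-frontend-*` and `logs-business-*` for g1, `logs-system-*` for g2) in readonlyrest.yml, while init.sh encodes the same assignment when it creates the data views, so the two files now have to be kept in sync by hand; a pattern keyed on `@{acl:current_group}` would only avoid that if the index names carried the group, which `logs-frontend-*` and friends do not. The `-` lines rendered as `#index` are the commented-out `index:` key shown with stray backticks; the point of the suggestion is to uncomment that key, not to edit a key literally named `#index`.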
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ror-demo-cluster/conf/es/readonlyrest.yml` around lines 21 - 33, Re-enable
tenant isolation by uncommenting and restoring the kibana.index entries in the
"Group1 users" and "Group2 users" rules so saved objects and Kibana access are
scoped to each group's tenant (restore the kibana.index setting to use the
.kibana_@{acl:current_group} placeholder for the rules named "Group1 users" and
"Group2 users"); ensure the kibana.access remains rw and verify the index
pattern exactly matches .kibana_@{acl:current_group} so both saved objects and
data access are constrained to each group's tenant.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 691463a9-19f9-40e6-bded-cbc15b44e31d

📥 Commits

Reviewing files that changed from the base of the PR and between daf97e1 and aecb8fa.

⛔ Files ignored due to path filters (1)
  • ror-demo-cluster/readonlyrest_kbn_universal-1.70.0-pre11_es8.19.11.zip is excluded by !**/*.zip
📒 Files selected for processing (3)
  • ror-demo-cluster/.env-showcase
  • ror-demo-cluster/conf/es/readonlyrest.yml
  • shared/init-scripts/init.sh


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shared/init-scripts/init.sh`:
- Line 18: The createKibanaDataView invocation in init.sh passes "kibana"
"kibana" without a tenancy which may lack saved-object privileges under the
"KIBANA" readonlyrest rule; either change that call to use the admin user like
the other data view calls (use admin:admin) or update the "KIBANA" rule in
ror-demo-cluster/conf/es/readonlyrest.yml to include a kibana block granting the
saved-objects/data-views rights (e.g., kibana: { access: rw, index:
<appropriate-kibana-index> }) so the createKibanaDataView function can
successfully POST to "$KIBANA_ADDRESS/api/data_views/data_view".

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7db0a2d2-1899-4607-bfe4-25c14bf9d8a0

📥 Commits

Reviewing files that changed from the base of the PR and between 828a903 and 7ff21a3.

📒 Files selected for processing (2)
  • ror-demo-cluster/conf/es/readonlyrest.yml
  • shared/init-scripts/init.sh

@coutoPL coutoPL closed this May 28, 2026
@coutoPL coutoPL deleted the support/RORDEV-2053 branch May 28, 2026 10:21