ruanyl · SuZhou-Joe · Aug 9, 2023 · Aug 1, 2023 · Aug 2, 2023 · Aug 3, 2023
@@ -42,6 +42,7 @@ import {
 
 import { SimpleSavedObject } from './simple_saved_object';
 import { HttpFetchOptions, HttpSetup } from '../http';
+import { PUBLIC_WORKSPACE } from '../../utils';
 
 type SavedObjectsFindOptions = Omit<
   SavedObjectFindOptionsServer,
@@ -184,7 +185,11 @@ const getObjectsToFetch = (queue: BatchQueueEntry[]): ObjectTypeAndId[] => {
 export class SavedObjectsClient {
   private http: HttpSetup;
   private batchQueue: BatchQueueEntry[];
-  private currentWorkspaceId?: string;
+  /**
+   * if currentWorkspaceId is undefined, it means
+   * we should not carry out workspace info when doing any operation.
+   */
+  private currentWorkspaceId: string | undefined;
 
   /**
    * Throttled processing of get requests into bulk requests at 100ms interval
@@ -229,11 +234,11 @@ export class SavedObjectsClient {
     this.batchQueue = [];
   }
 
-  private async _getCurrentWorkspace(): Promise<string | null> {
-    return this.currentWorkspaceId || null;
+  private _getCurrentWorkspace(): string | undefined {
+    return this.currentWorkspaceId;
   }
 
-  public async setCurrentWorkspace(workspaceId: string): Promise<boolean> {
+  public setCurrentWorkspace(workspaceId: string): boolean {
     this.currentWorkspaceId = workspaceId;
     return true;
   }
@@ -259,7 +264,13 @@ export class SavedObjectsClient {
     const query = {
       overwrite: options.overwrite,
     };
-    const currentWorkspaceId = await this._getCurrentWorkspace();
+    const currentWorkspaceId = this._getCurrentWorkspace();
+    let finalWorkspaces;
+    if (options.hasOwnProperty('workspaces')) {
+      finalWorkspaces = options.workspaces;
+    } else if (typeof currentWorkspaceId === 'string') {
+      finalWorkspaces = [currentWorkspaceId];
+    }
 
     const createRequest: Promise<SavedObject<T>> = this.savedObjectsFetch(path, {
       method: 'POST',
@@ -268,9 +279,9 @@ export class SavedObjectsClient {
         attributes,
         migrationVersion: options.migrationVersion,
         references: options.references,
-        ...(options.workspaces || currentWorkspaceId
+        ...(finalWorkspaces
           ? {
-              workspaces: options.workspaces || [currentWorkspaceId],
+              workspaces: finalWorkspaces,
             }
           : {}),
       }),
@@ -366,14 +377,24 @@ export class SavedObjectsClient {
       queryDSL: 'queryDSL',
     };
 
-    const workspaces = [
-      ...(options.workspaces || [await this._getCurrentWorkspace()]),
-      'public',
-    ].filter((item) => item);
+    const currentWorkspaceId = this._getCurrentWorkspace();
+    let finalWorkspaces;
+    if (options.hasOwnProperty('workspaces')) {
+      finalWorkspaces = options.workspaces;
+    } else if (typeof currentWorkspaceId === 'string') {
+      finalWorkspaces =
+        currentWorkspaceId === PUBLIC_WORKSPACE
+          ? undefined
+          : [PUBLIC_WORKSPACE, currentWorkspaceId];
+    }
 
     const renamedQuery = renameKeys<SavedObjectsFindOptions, any>(renameMap, {
       ...options,
-      workspaces,
+      ...(finalWorkspaces
+        ? {
+            workspaces: finalWorkspaces,
+          }
+        : {}),
     });
     const query = pick.apply(null, [renamedQuery, ...Object.values<string>(renameMap)]) as Partial<
       Record<string, any>

@@ -32,4 +32,8 @@ export { shareWeakReplay } from './share_weak_replay';
 export { Sha256 } from './crypto';
 export { MountWrapper, mountReactNode } from './mount';
 export { getWorkspaceIdFromUrl, WORKSPACE_TYPE } from './workspace';
-export { WORKSPACE_PATH_PREFIX } from '../../utils';
+export {
+  WORKSPACE_PATH_PREFIX,
+  PUBLIC_WORKSPACE,
+  WORKSPACE_FEATURE_FLAG_KEY_IN_UI_SETTINGS,
+} from '../../utils';
@@ -5,6 +5,7 @@
 
 import { InternalHttpServiceSetup } from '../../../http';
 import { SavedObjectsPermissionControlContract } from '../client';
+import { registerListRoute } from './principals';
 import { registerValidateRoute } from './validate';
 
 export function registerPermissionCheckRoutes({
@@ -17,4 +18,5 @@ export function registerPermissionCheckRoutes({
   const router = http.createRouter('/api/saved_objects_permission_control/');
 
   registerValidateRoute(router, permissionControl);
+  registerListRoute(router, permissionControl);
 }
@@ -9,7 +9,7 @@ import { exportSavedObjectsToStream } from '../export';
 import { validateObjects } from './utils';
 import { collectSavedObjects } from '../import/collect_saved_objects';
 import { WORKSPACE_TYPE } from '../../workspaces';
-import { GLOBAL_WORKSPACE_ID } from '../../workspaces/constants';
+import { PUBLIC_WORKSPACE } from '../../../utils/constants';
 
 const SHARE_LIMIT = 10000;
 
@@ -73,7 +73,7 @@ export const registerShareRoute = (router: IRouter) => {
           (obj) =>
             obj.workspaces &&
             obj.workspaces.length > 0 &&
-            !obj.workspaces.includes(GLOBAL_WORKSPACE_ID)
+            !obj.workspaces.includes(PUBLIC_WORKSPACE)
         )
         .map((obj) => ({ id: obj.id, type: obj.type, workspaces: obj.workspaces }));
 

@@ -87,7 +87,7 @@ import {
   FIND_DEFAULT_PER_PAGE,
   SavedObjectsUtils,
 } from './utils';
-import { GLOBAL_WORKSPACE_ID } from '../../../workspaces/constants';
+import { PUBLIC_WORKSPACE } from '../../../../utils/constants';
 
 // BEWARE: The SavedObjectClient depends on the implementation details of the SavedObjectsRepository
 // so any breaking changes to this repository are considered breaking changes to the SavedObjectsClient.
@@ -1299,7 +1299,7 @@ export class SavedObjectsRepository {
         if (
           obj.workspaces &&
           obj.workspaces.length > 0 &&
-          !obj.workspaces.includes(GLOBAL_WORKSPACE_ID)
+          !obj.workspaces.includes(PUBLIC_WORKSPACE)
         ) {
           return intersection(obj.workspaces, options.workspaces).length === 0;
         }
@@ -1352,7 +1352,7 @@ export class SavedObjectsRepository {
             params: {
               time,
               workspaces,
-              globalWorkspaceId: GLOBAL_WORKSPACE_ID,
+              globalWorkspaceId: PUBLIC_WORKSPACE,
             },
           },
         },

@@ -142,14 +142,6 @@ function getClauseForWorkspace(workspace: string) {
     };
   }
 
-  if (workspace === 'public') {
-    return {
-      bool: {
-        must_not: [{ exists: { field: 'workspaces' } }],
-      },
-    };
-  }
-
   return {
     bool: {
       must: [{ term: { workspaces: workspace } }],

@@ -29,7 +29,6 @@
  */
 
 import { Permissions } from '../permission_control/acl';
-
 import { ISavedObjectsRepository } from './lib';
 import {
   SavedObject,

@@ -262,7 +262,9 @@ export class Server {
       opensearch: opensearchStart,
       savedObjects: savedObjectsStart,
     });
-    await this.workspaces.start();
+    await this.workspaces.start({
+      savedObjects: savedObjectsStart,
+    });
 
     this.coreStart = {
       capabilities: capabilitiesStart,

diff --git a/src/core/server/ui_settings/settings/workspace.ts b/src/core/server/ui_settings/settings/workspace.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+import { schema } from '@osd/config-schema';
+import { i18n } from '@osd/i18n';
+import { UiSettingsParams } from '../../../types';
+import { WORKSPACE_FEATURE_FLAG_KEY_IN_UI_SETTINGS } from '../../../utils';
+
+export const getWorkspaceSettings = (): Record<string, UiSettingsParams> => {
+  return {
+    [WORKSPACE_FEATURE_FLAG_KEY_IN_UI_SETTINGS]: {
+      name: i18n.translate('core.ui_settings.params.workspace.enableWorkspaceTitle', {
+        defaultMessage: 'Enable Workspace',
+      }),
+      value: false,
+      requiresPageReload: true,
+      description: i18n.translate('core.ui_settings.params.workspace.enableWorkspaceTitle', {
+        defaultMessage: 'Enable or disable OpenSearch Dashboards Workspace',
+      }),
+      category: ['workspace'],
+      schema: schema.boolean(),
+    },
+  };
+};
@@ -4,4 +4,3 @@
  */
 
 export const WORKSPACE_TYPE = 'workspace';
-export const GLOBAL_WORKSPACE_ID = 'public';
@@ -214,26 +214,57 @@ export class WorkspaceSavedObjectsClientWrapper {
         );
         if (options.workspaces) {
           const isEveryWorkspaceIsPermitted = options.workspaces.every((item) =>
-            // TODO modify this line to use permittedWorkspaceIds if public workspace is also a workspace
-            ['public', ...(permittedWorkspaceIds || [])]?.includes(item)
+            (permittedWorkspaceIds || []).includes(item)
           );
           if (!isEveryWorkspaceIsPermitted) {
             throw generateWorkspacePermissionError();
           }
         } else {
           const queryDSL = ACL.genereateGetPermittedSavedObjectsQueryDSL(
-            [
-              PermissionMode.LibraryRead,
-              PermissionMode.LibraryWrite,
-              PermissionMode.Management,
-              PermissionMode.Read,
-              PermissionMode.Write,
-            ],
+            [PermissionMode.Read, PermissionMode.Write],
             principals,
             options.type
           );
-          options.workspaces = permittedWorkspaceIds;
-          options.queryDSL = queryDSL;
+          options.workspaces = undefined;
+          /**
+           * Select all the docs that
+           * 1. ACL matches read or write permission OR
+           * 2. workspaces matches library_read or library_write or management OR
+           * 3. Advanced settings
+           */
+          options.queryDSL = {
+            query: {
+              bool: {
+                filter: [
+                  {
+                    bool: {
+                      should: [
+                        {
+                          bool: {
+                            must: {
+                              term: {
+                                type: 'config',
+                              },
+                            },
+                          },
+                        },
+                        queryDSL.query,
+                        {
+                          bool: {
+                            should: permittedWorkspaceIds?.map((item) => ({
+                              terms: {
+                                workspaces: [item],
+                              },
+                            })),
+                          },
+                        },
+                      ],
+                    },
+                  },
+                ],
+              },
+            },
+          };
         }
       }