Object Level Security, phase 1

.github/CODEOWNERS

@@ -255,6 +255,7 @@
 /x-pack/test/ui_capabilities/ @elastic/kibana-security
 /x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security
 /x-pack/test/functional/apps/security/ @elastic/kibana-security
+/x-pack/test/saved_object_access_control/ @elastic/kibana-security
 /x-pack/test/security_api_integration/ @elastic/kibana-security
 /x-pack/test/security_functional/ @elastic/kibana-security
 /x-pack/test/spaces_api_integration/ @elastic/kibana-security

docs/development/core/public/kibana-plugin-core-public.md

@@ -99,6 +99,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [Plugin](./kibana-plugin-core-public.plugin.md) | The interface that should be returned by a <code>PluginInitializer</code>. |
 | [PluginInitializerContext](./kibana-plugin-core-public.plugininitializercontext.md) | The available core services passed to a <code>PluginInitializer</code> |
 | [SavedObject](./kibana-plugin-core-public.savedobject.md) | |
+| [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md) | The "Access Control" describing which users should be authorized to access this SavedObject. |
 | [SavedObjectAttributes](./kibana-plugin-core-public.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [SavedObjectError](./kibana-plugin-core-public.savedobjecterror.md) | |
 | [SavedObjectReference](./kibana-plugin-core-public.savedobjectreference.md) | A reference to another saved object. |

docs/development/core/public/kibana-plugin-core-public.savedobject.accesscontrol.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObject](./kibana-plugin-core-public.savedobject.md) &gt; [accessControl](./kibana-plugin-core-public.savedobject.accesscontrol.md)
+
+## SavedObject.accessControl property
+
+<b>Signature:</b>
+
+```typescript
+accessControl?: SavedObjectAccessControl;
+```

docs/development/core/public/kibana-plugin-core-public.savedobject.md

@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [accessControl](./kibana-plugin-core-public.savedobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | |
 | [attributes](./kibana-plugin-core-public.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [coreMigrationVersion](./kibana-plugin-core-public.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
 | [error](./kibana-plugin-core-public.savedobject.error.md) | <code>SavedObjectError</code> | |

docs/development/core/public/kibana-plugin-core-public.savedobjectaccesscontrol.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md)
+
+## SavedObjectAccessControl interface
+
+The "Access Control" describing which users should be authorized to access this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectAccessControl 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [owner](./kibana-plugin-core-public.savedobjectaccesscontrol.owner.md) | <code>string</code> | The owner of this SavedObject. |
+

docs/development/core/public/kibana-plugin-core-public.savedobjectaccesscontrol.owner.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-public](./kibana-plugin-core-public.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-public.savedobjectaccesscontrol.md) &gt; [owner](./kibana-plugin-core-public.savedobjectaccesscontrol.owner.md)
+
+## SavedObjectAccessControl.owner property
+
+The owner of this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+owner: string;
+```

docs/development/core/server/kibana-plugin-core-server.md

@@ -139,6 +139,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [RouteValidatorConfig](./kibana-plugin-core-server.routevalidatorconfig.md) | The configuration object to the RouteValidator class. Set <code>params</code>, <code>query</code> and/or <code>body</code> to specify the validation logic to follow for that property. |
 | [RouteValidatorOptions](./kibana-plugin-core-server.routevalidatoroptions.md) | Additional options for the RouteValidator class to modify its default behaviour. |
 | [SavedObject](./kibana-plugin-core-server.savedobject.md) | |
+| [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) | The "Access Control" describing which users should be authorized to access this SavedObject. |
 | [SavedObjectAttributes](./kibana-plugin-core-server.savedobjectattributes.md) | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [SavedObjectExportBaseOptions](./kibana-plugin-core-server.savedobjectexportbaseoptions.md) | |
 | [SavedObjectMigrationContext](./kibana-plugin-core-server.savedobjectmigrationcontext.md) | Migration context provided when invoking a [migration handler](./kibana-plugin-core-server.savedobjectmigrationfn.md) |
@@ -154,6 +155,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [SavedObjectsBulkUpdateOptions](./kibana-plugin-core-server.savedobjectsbulkupdateoptions.md) | |
 | [SavedObjectsBulkUpdateResponse](./kibana-plugin-core-server.savedobjectsbulkupdateresponse.md) | |
 | [SavedObjectsCheckConflictsObject](./kibana-plugin-core-server.savedobjectscheckconflictsobject.md) | |
+| [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md) | |
 | [SavedObjectsCheckConflictsResponse](./kibana-plugin-core-server.savedobjectscheckconflictsresponse.md) | |
 | [SavedObjectsClientProviderOptions](./kibana-plugin-core-server.savedobjectsclientprovideroptions.md) | Options to control the creation of the Saved Objects Client. |
 | [SavedObjectsClientWrapperOptions](./kibana-plugin-core-server.savedobjectsclientwrapperoptions.md) | Options passed to each SavedObjectsClientWrapperFactory to aid in creating the wrapper instance. |
@@ -304,6 +306,7 @@ The plugin integrates with the core system via lifecycle events: `setup`<!-- -->
 | [SavedObjectAttributeSingle](./kibana-plugin-core-server.savedobjectattributesingle.md) | Don't use this type, it's simply a helper type for [SavedObjectAttribute](./kibana-plugin-core-server.savedobjectattribute.md) |
 | [SavedObjectMigrationFn](./kibana-plugin-core-server.savedobjectmigrationfn.md) | A migration function for a [saved object type](./kibana-plugin-core-server.savedobjectstype.md) used to migrate it to a given version |
 | [SavedObjectSanitizedDoc](./kibana-plugin-core-server.savedobjectsanitizeddoc.md) | Describes Saved Object documents that have passed through the migration framework and are guaranteed to have a <code>references</code> root property. |
+| [SavedObjectsBulkCreateOptions](./kibana-plugin-core-server.savedobjectsbulkcreateoptions.md) | |
 | [SavedObjectsClientContract](./kibana-plugin-core-server.savedobjectsclientcontract.md) | Saved Objects is Kibana's data persisentence mechanism allowing plugins to use Elasticsearch for storing plugin state.<!-- -->\#\# SavedObjectsClient errors<!-- -->Since the SavedObjectsClient has its hands in everything we are a little paranoid about the way we present errors back to to application code. Ideally, all errors will be either:<!-- -->1. Caused by bad implementation (ie. undefined is not a function) and as such unpredictable 2. An error that has been classified and decorated appropriately by the decorators in [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md)<!-- -->Type 1 errors are inevitable, but since all expected/handle-able errors should be Type 2 the <code>isXYZError()</code> helpers exposed at <code>SavedObjectsErrorHelpers</code> should be used to understand and manage error responses from the <code>SavedObjectsClient</code>.<!-- -->Type 2 errors are decorated versions of the source error, so if the elasticsearch client threw an error it will be decorated based on its type. That means that rather than looking for <code>error.body.error.type</code> or doing substring checks on <code>error.body.error.reason</code>, just use the helpers to understand the meaning of the error:<!-- -->\`\`\`<!-- -->js if (SavedObjectsErrorHelpers.isNotFoundError(error)) { // handle 404 }<!-- -->if (SavedObjectsErrorHelpers.isNotAuthorizedError(error)) { // 401 handling should be automatic, but in case you wanted to know }<!-- -->// always rethrow the error unless you handle it throw error; \`\`\`<!-- -->\#\#\# 404s from missing index<!-- -->From the perspective of application code and APIs the SavedObjectsClient is a black box that persists objects. One of the internal details that users have no control over is that we use an elasticsearch index for persistance and that index might be missing.<!-- -->At the time of writing we are in the process of transitioning away from the operating assumption that the SavedObjects index is always available. Part of this transition is handling errors resulting from an index missing. These used to trigger a 500 error in most cases, and in others cause 404s with different error messages.<!-- -->From my (Spencer) perspective, a 404 from the SavedObjectsApi is a 404; The object the request/call was targeting could not be found. This is why \#14141 takes special care to ensure that 404 errors are generic and don't distinguish between index missing or document missing.<!-- -->See [SavedObjectsClient](./kibana-plugin-core-server.savedobjectsclient.md) See [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md) |
 | [SavedObjectsClientFactory](./kibana-plugin-core-server.savedobjectsclientfactory.md) | Describes the factory used to create instances of the Saved Objects Client. |
 | [SavedObjectsClientFactoryProvider](./kibana-plugin-core-server.savedobjectsclientfactoryprovider.md) | Provider to invoke to retrieve a [SavedObjectsClientFactory](./kibana-plugin-core-server.savedobjectsclientfactory.md)<!-- -->. |

docs/development/core/server/kibana-plugin-core-server.savedobject.accesscontrol.md

@@ -0,0 +1,11 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObject](./kibana-plugin-core-server.savedobject.md) &gt; [accessControl](./kibana-plugin-core-server.savedobject.accesscontrol.md)
+
+## SavedObject.accessControl property
+
+<b>Signature:</b>
+
+```typescript
+accessControl?: SavedObjectAccessControl;
+```

docs/development/core/server/kibana-plugin-core-server.savedobject.md

@@ -14,6 +14,7 @@ export interface SavedObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [accessControl](./kibana-plugin-core-server.savedobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | |
 | [attributes](./kibana-plugin-core-server.savedobject.attributes.md) | <code>T</code> | The data for a Saved Object is stored as an object in the <code>attributes</code> property. |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. |
 | [error](./kibana-plugin-core-server.savedobject.error.md) | <code>SavedObjectError</code> | |

docs/development/core/server/kibana-plugin-core-server.savedobjectaccesscontrol.md

@@ -0,0 +1,20 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md)
+
+## SavedObjectAccessControl interface
+
+The "Access Control" describing which users should be authorized to access this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectAccessControl 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [owner](./kibana-plugin-core-server.savedobjectaccesscontrol.owner.md) | <code>string</code> | The owner of this SavedObject. |
+

docs/development/core/server/kibana-plugin-core-server.savedobjectaccesscontrol.owner.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectAccessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) &gt; [owner](./kibana-plugin-core-server.savedobjectaccesscontrol.owner.md)
+
+## SavedObjectAccessControl.owner property
+
+The owner of this SavedObject.
+
+<b>Signature:</b>
+
+```typescript
+owner: string;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectsbulkcreateobject.accesscontrol.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsBulkCreateObject](./kibana-plugin-core-server.savedobjectsbulkcreateobject.md) &gt; [accessControl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.accesscontrol.md)
+
+## SavedObjectsBulkCreateObject.accessControl property
+
+The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object.
+
+<b>Signature:</b>
+
+```typescript
+accessControl?: SavedObjectAccessControl;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectsbulkcreateobject.md

@@ -15,6 +15,7 @@ export interface SavedObjectsBulkCreateObject<T = unknown>
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [accessControl](./kibana-plugin-core-server.savedobjectsbulkcreateobject.accesscontrol.md) | <code>SavedObjectAccessControl</code> | The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object. |
 | [attributes](./kibana-plugin-core-server.savedobjectsbulkcreateobject.attributes.md) | <code>T</code> | |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobjectsbulkcreateobject.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. If undefined, this will be automatically set to the current Kibana version when the object is created. If this is set to a non-semver value, or it is set to a semver value greater than the current Kibana version, it will result in an error. |
 | [id](./kibana-plugin-core-server.savedobjectsbulkcreateobject.id.md) | <code>string</code> | |

docs/development/core/server/kibana-plugin-core-server.savedobjectsbulkcreateoptions.md

@@ -0,0 +1,12 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsBulkCreateOptions](./kibana-plugin-core-server.savedobjectsbulkcreateoptions.md)
+
+## SavedObjectsBulkCreateOptions type
+
+
+<b>Signature:</b>
+
+```typescript
+export declare type SavedObjectsBulkCreateOptions = Omit<SavedObjectsCreateOptions, 'accessControl'>;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectscheckconflictsoptions.accesscontrol.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md) &gt; [accessControl](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.accesscontrol.md)
+
+## SavedObjectsCheckConflictsOptions.accessControl property
+
+An [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) which should be compatible with conflicting objects.
+
+<b>Signature:</b>
+
+```typescript
+accessControl?: SavedObjectAccessControl;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectscheckconflictsoptions.md

@@ -0,0 +1,19 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCheckConflictsOptions](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.md)
+
+## SavedObjectsCheckConflictsOptions interface
+
+
+<b>Signature:</b>
+
+```typescript
+export interface SavedObjectsCheckConflictsOptions extends SavedObjectsBaseOptions 
+```
+
+## Properties
+
+| Property | Type | Description |
+| --- | --- | --- |
+| [accessControl](./kibana-plugin-core-server.savedobjectscheckconflictsoptions.accesscontrol.md) | <code>SavedObjectAccessControl</code> | An [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) which should be compatible with conflicting objects. |
+

docs/development/core/server/kibana-plugin-core-server.savedobjectsclient.checkconflicts.md

@@ -9,15 +9,15 @@ Check what conflicts will result when creating a given array of saved objects. T
 <b>Signature:</b>
 
 ```typescript
-checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsBaseOptions): Promise<SavedObjectsCheckConflictsResponse>;
+checkConflicts(objects?: SavedObjectsCheckConflictsObject[], options?: SavedObjectsCheckConflictsOptions): Promise<SavedObjectsCheckConflictsResponse>;
 ```
 
 ## Parameters
 
 | Parameter | Type | Description |
 | --- | --- | --- |
 | objects | <code>SavedObjectsCheckConflictsObject[]</code> | |
-| options | <code>SavedObjectsBaseOptions</code> | |
+| options | <code>SavedObjectsCheckConflictsOptions</code> | |
 
 <b>Returns:</b>
 

docs/development/core/server/kibana-plugin-core-server.savedobjectscreateoptions.accesscontrol.md

@@ -0,0 +1,13 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsCreateOptions](./kibana-plugin-core-server.savedobjectscreateoptions.md) &gt; [accessControl](./kibana-plugin-core-server.savedobjectscreateoptions.accesscontrol.md)
+
+## SavedObjectsCreateOptions.accessControl property
+
+The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object.
+
+<b>Signature:</b>
+
+```typescript
+accessControl?: SavedObjectAccessControl;
+```

docs/development/core/server/kibana-plugin-core-server.savedobjectscreateoptions.md

@@ -15,6 +15,7 @@ export interface SavedObjectsCreateOptions extends SavedObjectsBaseOptions
 
 | Property | Type | Description |
 | --- | --- | --- |
+| [accessControl](./kibana-plugin-core-server.savedobjectscreateoptions.accesscontrol.md) | <code>SavedObjectAccessControl</code> | The [accessControl](./kibana-plugin-core-server.savedobjectaccesscontrol.md) to associate with this saved object. |
 | [coreMigrationVersion](./kibana-plugin-core-server.savedobjectscreateoptions.coremigrationversion.md) | <code>string</code> | A semver value that is used when upgrading objects between Kibana versions. If undefined, this will be automatically set to the current Kibana version when the object is created. If this is set to a non-semver value, or it is set to a semver value greater than the current Kibana version, it will result in an error. |
 | [id](./kibana-plugin-core-server.savedobjectscreateoptions.id.md) | <code>string</code> | (not recommended) Specify an id for the document |
 | [initialNamespaces](./kibana-plugin-core-server.savedobjectscreateoptions.initialnamespaces.md) | <code>string[]</code> | Optional initial namespaces for the object to be created in. If this is defined, it will supersede the namespace ID that is in [SavedObjectsCreateOptions](./kibana-plugin-core-server.savedobjectscreateoptions.md)<!-- -->.<!-- -->Note: this can only be used for multi-namespace object types. |

docs/development/core/server/kibana-plugin-core-server.savedobjectserrorhelpers.createincompatibleaccesscontrolerror.md

@@ -0,0 +1,23 @@
+<!-- Do not edit this file. It is automatically generated by API Documenter. -->
+
+[Home](./index.md) &gt; [kibana-plugin-core-server](./kibana-plugin-core-server.md) &gt; [SavedObjectsErrorHelpers](./kibana-plugin-core-server.savedobjectserrorhelpers.md) &gt; [createIncompatibleAccessControlError](./kibana-plugin-core-server.savedobjectserrorhelpers.createincompatibleaccesscontrolerror.md)
+
+## SavedObjectsErrorHelpers.createIncompatibleAccessControlError() method
+
+<b>Signature:</b>
+
+```typescript
+static createIncompatibleAccessControlError(type: string, id: string): DecoratedError;
+```
+
+## Parameters
+
+| Parameter | Type | Description |
+| --- | --- | --- |
+| type | <code>string</code> | |
+| id | <code>string</code> | |
+
+<b>Returns:</b>
+
+`DecoratedError`
+