2 changes: 2 additions & 0 deletions changelogs/fragments/11020.yml
@@ -0,0 +1,2 @@
fix:
- Update the graph ([#11020](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/11020))
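Review bot: the changelog fragment "Update the graph" does not describe the change visible in this PR, which fixes broken `$ref` pointers (`#components/...` written without the leading slash), hoists the `type`/`id` parameters and the create-request schema into `components`, adds a `type` enum, and documents 409/500 responses for the create endpoints. A line such as "Fix broken $ref pointers and add missing responses in the saved objects OpenAPI spec" would let readers of the release notes find this change.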
257 changes: 182 additions & 75 deletions docs/openapi/saved_objects/saved_objects.yml
@@ -9,7 +9,168 @@ info:
tags:
- name: saved objects
description: Manage Dashboards saved objects, including dashboards, visualizations, saved search, and more.
components:
parameters:
type:
name: type
in: path
description: The type of SavedObject to retrieve.
required: true
schema:
type: string
enum:
- dashboard
- config
- index-pattern
example: dashboard
id:
name: id
in: path
description: Unique id of the saved object.
required: true
schema:
type: string
example: I2CFyW_27a48aa0-b274-11ef-b63c-9f43fceaea0c_7adfa750-4c81-11e8-b3d7-01146121b73d
schemas:
SavedObjectCreateRequest:
type: object
required:
- attributes
properties:
attributes:
type: object
description: The metadata of the saved object to be created, and the object is not validated.
migrationVersion:
type: object
description: The information about the migrations that have been applied to this saved object to be created.
references:
description: List of objects that describe other saved objects the created object references.
type: array
items:
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
Comment on lines +46 to +57
⚠️ Potential issue | 🟡 Minor

Add maxItems constraint to the references array.

Checkov flags that arrays should have a maximum number of items defined. The references array lacks a maxItems constraint, which could allow unbounded arrays in requests.

Consider adding an upper bound to prevent abuse:

         references:
           description: List of objects that describe other saved objects the created object references. 
           type: array
+          maxItems: 100
           items:
             type: object

This ensures the API is more resilient against potentially malicious or accidental requests with excessive references.


initialNamespaces:
description: Namespaces that this saved object exists in. This attribute is only used for multi-namespace saved object types.
type: array
items:
type: string
workspaces:
type: array
items:
type: string
description: Workspaces that this saved object exists in.
Comment on lines +46 to +67
⚠️ Potential issue | 🟠 Major

Add maxItems constraints to unbounded arrays in SavedObjectCreateRequest.

The references, initialNamespaces, and workspaces arrays lack maxItems constraints. This allows unbounded arrays in requests, which can impact resilience and security. This concern was previously flagged but appears not to have been addressed.

Apply this diff to add sensible upper bounds:

        references:
          description: List of objects that describe other saved objects the created object references. 
          type: array
+         maxItems: 100
          items:
            type: object
            properties:
              id:
                type: string
              name:
                type: string
              type:
                type: string
        initialNamespaces:
          description: Namespaces that this saved object exists in. This attribute is only used for multi-namespace saved object types.
          type: array
+         maxItems: 50
          items:
            type: string
        workspaces:
          type: array
+         maxItems: 50
          items:
            type: string
          description: Workspaces that this saved object exists in.

Adjust the limits (100, 50) based on project requirements.

🧰 Tools
🪛 Checkov (3.2.334)

[medium] 47-59: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)


400_bad_request:
title: Bad request
type: object
required:
- error
- message
- statusCode
properties:
error:
type: string
enum:
- Bad Request
message:
type: string
statusCode:
type: integer
enum:
- 400
paths:
/api/saved_objects/{type}:
post:
tags:
- saved objects
summary: Create a new saved object without specifying an ID
parameters:
- $ref: '#/components/parameters/type'
- in: query
name: overwrite
description: If set to true, will overwrite the existing saved object with same type and id.
schema:
type: boolean
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SavedObjectCreateRequest'
examples:
indexPattern:
summary: Example of creating an index pattern saved object
value:
attributes:
title: 'my-index-pattern'
fields: '[{"count":"1","name":"@timestamp","searchable":"true"}]'
references:
- id: '51339560-1d7c-11ef-b757-55fac6c80d9a'
name: 'dataSource'
type: 'data-source'
vegaVisualization:
summary: Example of creating a Vega visualization saved object
value:
attributes:
title: 'my-vega-visualization'
visState: '{"title":"vegaVisualization","type":"vega","aggs":[]}}'
uiStateJSON: '{}'
description: ''
version: 1
kibanaSavedObjectMeta: {
searchSourceJSON: '{"query":{"language":"kuery","query":""},"filter":[]}'
}
references:
- id: '51339560-1d7c-11ef-b757-55fac6c80d9a'
name: 'dataSource'
type: 'data-source'
dashboards:
summary: Example of creating a dashboard saved object
value:
attributes:
title: 'Revenue Dashboard'
description: 'Revenue dashboard'
panelsJSON: '[{"version":"2.9.0","gridData":{"x":0,"y":0,"w":24,"h":15,"i":"5db1d75d-f680-4869-a0e8-0f2b8b05b99c"},"panelIndex":"5db1d75d-f680-4869-a0e8-0f2b8b05b99c","embeddableConfig":{},"panelRefName":"panel_0"}]'
optionsJSON: '{"hidePanelTitles":false,"useMargins":true}'
version: 1
timeRestore: true
kibanaSavedObjectMeta: {
searchSourceJSON: '{"query":{"language":"kuery","query":""},"filter":[]}'
}
references:
- id: '37cc8650-b882-11e8-a6d9-e546fe2bba5f'
name: 'panel_0'
type: 'visualization'
responses:
'200':
description: The creation request is successful
content:
application/json:
schema:
type: object
'400':
description: Bad request
content:
application/json:
schema:
$ref: '#/components/schemas/400_bad_request'
'409':
description: There was a conflict when processing the request, usually due to a saved object with the same id
content:
application/json:
schema:
type: object
'500':
description: An internal server error occurred when processing the request
content:
application/json:
schema:
type: object
/api/saved_objects/{type}/{id}:
get:
tags:
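Review bot: the new `type` path parameter enum (`dashboard`, `config`, `index-pattern`) contradicts the examples in the same hunk: the `vegaVisualization` example creates a `visualization`, the dashboard example references a `visualization`, and the index-pattern example references a `data-source`, none of which the enum admits, so a validator or client generated from this spec would reject `POST /api/saved_objects/visualization`. Either enumerate every saved-object type the endpoint accepts or drop the enum and keep `type: string` with the `example`. Two smaller points in the same hunk: the `visState` example value `'{"title":"vegaVisualization","type":"vega","aggs":[]}}'` has an extra closing brace and is not valid JSON, and the Checkov finding (CKV_OPENAPI_21) on the unbounded `references`, `initialNamespaces` and `workspaces` arrays is still open; since `attributes` is explicitly documented as not validated, putting a `maxItems` bound on the arrays that are validated is cheap resilience against oversized requests.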
@@ -34,10 +195,10 @@ paths:
post:
tags:
- saved objects
summary: Create a new saved object with type and id.
summary: Create a new saved object with a specific ID
parameters:
- $ref: '#components/parameters/type'
- $ref: '#components/parameters/id'
- $ref: '#/components/parameters/type'
- $ref: '#/components/parameters/id'
- in: query
name: overwrite
description: If set to true, will overwrite the existing saved object with same type and id.
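Review bot: the `$ref` fix is correct (a JSON Pointer fragment must start with `#/`, so `#components/parameters/type` never resolved), but the `overwrite` query parameter should also state its default; on this route the caller chooses `{id}`, so `overwrite=true` silently replaces an existing object of the same type and id, which is worth flagging in the description as a destructive option rather than leaving it implied.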
@@ -48,38 +209,7 @@ paths:
content:
application/json:
schema:
type: object
required:
- attributes
properties:
attributes:
type: object
description: The metadata of the saved object to be created, and the object is not validated.
migrationVersion:
type: object
description: The information about the migrations that have been applied to this saved object to be created.
references:
description: List of objects that describe other saved objects the created object references.
type: array
items:
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
initialNamespaces:
description: Namespaces that this saved object exists in. This attribute is only used for multi-namespace saved object types.
type: array
items:
type: string
workspaces:
type: array
items:
type: string
description: Workspaces that this saved object exists in.
$ref: '#/components/schemas/SavedObjectCreateRequest'
examples:
indexPattern:
summary: Example of creating an index pattern saved object
@@ -137,13 +267,25 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/400_bad_request'
'409':
description: There was a conflict when processing the request, usually due to a saved object with the same id
content:
application/json:
schema:
type: object
'500':
description: An internal server error occurred when processing the request
content:
application/json:
schema:
type: object
put:
tags:
- saved objects
summary: Update existing saved object
parameters:
- $ref: '#components/parameters/type'
- $ref: '#components/parameters/id'
- $ref: '#/components/parameters/type'
- $ref: '#/components/parameters/id'
requestBody:
required: true
content:
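Review bot: the new `409` and `500` responses declare only `type: object`, while `400` reuses `#/components/schemas/400_bad_request`; if the conflict and server-error bodies follow the same `error`/`message`/`statusCode` shape, define a shared error schema (or `409_conflict` and `500_internal_error` siblings with the matching `enum` values) and reference it here, otherwise clients get no contract for the conflict case this hunk is specifically documenting.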
@@ -188,8 +330,8 @@ paths:
- saved objects
summary: Delete a saved object
parameters:
- $ref: '#components/parameters/type'
- $ref: '#components/parameters/id'
- $ref: '#/components/parameters/type'
- $ref: '#/components/parameters/id'
- in: query
name: force
description: If set to true, will force deletion of an object that exists in multiple namespaces.
@@ -526,7 +668,7 @@ paths:
content:
application/json:
schema:
type: object
type: object
/api/saved_objects/_import:
post:
tags:
@@ -830,38 +972,3 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/400_bad_request'
components:
parameters:
type:
name: type
in: path
description: The type of SavedObject to retrieve.
required: true
schema:
type: string
id:
name: id
in: path
description: Unique id of the saved object.
required: true
schema:
type: string
schemas:
400_bad_request:
title: Bad request
type: object
required:
- error
- message
- statusCode
properties:
error:
type: string
enum:
- Bad Request
message:
type: string
statusCode:
type: integer
enum:
- 400