Commit
# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] Fix Endpoint list RBAC problems (#199803)](#199803)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Source commit 2fa8f47064c9aeac378f9c547dc13482de7cb566 on `main` (committed 2024-12-10T10:46:03Z, author Gergő Ábrahám, source pull request https://github.com/elastic/kibana/pull/199803, labels `release_note:skip`, `v9.0.0`, `Team:Defend Workflows`, `backport:prev-minor`):

[EDR Workflows] Fix Endpoint list RBAC problems (#199803)

## Summary

This PR fixes multiple Endpoint list privilege issues. It can be reviewed commit-by-commit so the fixes are mostly separated (although some solutions and tests are reused, hence the reason to have them in one pr):
- a3311ad fixes issue when during onboarding (no hosts, policies are indifferent) calls are made to `GET api/fleet/package_policies` without correct privilege (needs policy management READ or fleet:READ+integration:READ), and causes `Forbidden` page. ([issue](https://github.com/elastic/security-team/issues/10581))
  _UI_: we display the usual 'onboarding without correct privileges' UI for users
  <img width="1958" alt="image" src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3">

- 63ca011 fixes issue when during onboarding (no hosts, no policies) the `Add Elastic Defend` button was shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while both should be `ALL` in order to be able to create an integration policy ([issue](https://github.com/elastic/security-team/issues/10765))
  _UI_: the 'Add Elastic Defend' button is hidden, so the result is the same as above

  https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1

- ffafa14 fixes issue when after having hosts in Endpoint list and we're calling `POST api/fleet/package_policies/_bulk_get` without privilege (needs policy management READ or fleet:READ+integration:READ), which does not cause any visible issue, but is logged to dev console ([issue](https://github.com/elastic/security-team/issues/10580))

some additions:
- c7021b3 adds an acceptance test for all 3 issues above, with failing test run [here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).
- 8e10847 enables policy list integration test, this closes #169133

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed

---------

Co-authored-by: Elastic Machine <[email protected]>

Co-authored-by: Gergő Ábrahám <[email protected]>