-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Timeline][RBAC] - Add RBAC logic to timeline alerts search strategy #105333
Conversation
14582e6
to
fb865ab
Compare
x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts
Outdated
Show resolved
Hide resolved
…h strategy all, need to update details search strategy
4d4d6f8
to
7f93d65
Compare
x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.test.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/alerting/server/authorization/alerting_authorization_kuery.ts
Outdated
Show resolved
Hide resolved
…ng internal user. does not affect or expose to existing search strategies
x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/query.ts
Show resolved
Hide resolved
@@ -6,6 +6,6 @@ | |||
"extraPublicDirs": ["common"], | |||
"server": true, | |||
"ui": true, | |||
"requiredPlugins": ["data", "dataEnhanced", "kibanaReact", "kibanaUtils"], | |||
"requiredPlugins": ["alerting", "data", "dataEnhanced", "kibanaReact", "kibanaUtils"], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would timeline still work if alerting was optional instead of required?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a good question. So it's kind of interesting. If security is enabled, then yes, alerting is required because we have to do auth. But if security is disabled, then no, it's not required.
Guess I should move this to optional and add a test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TBD in follow up pr.
|
||
const queryFactory: TimelineFactory<T> = timelineFactory[factoryQueryType]; | ||
|
||
if (entityType != null && entityType === EntityType.ALERTS) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a way to force entityType
to be required on the request so we don't have to do these null checks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes! So my plan was to have a separate PR to update the front end code and that's when I would flip this to required. This allows me to not have to do it all in one PR>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or you can do something simple like that [EntityType.ALERTS].includes(entityType)
x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is still in draft so mostly just pointed out a few questions I had, a few nits. Otherwise this looks great!
x-pack/plugins/alerting/server/authorization/alerting_authorization.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good to go!!! and good job on it much appreciated!
jenkins test this |
@yctercero #106519 just got merged, looks like there are merge conflicts |
x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code LGTM
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
References to deprecated APIs
History
To update your PR or re-run it, just comment with: cc @yctercero |
💔 Backport failed
To backport manually run: |
…lastic#105333) ## Summary Adds RBAC layer to timeline plugin search strategy for alerts. # Conflicts: # x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts
…105333) (#107005) ## Summary Adds RBAC layer to timeline plugin search strategy for alerts. # Conflicts: # x-pack/plugins/alerting/server/alerting_authorization_client_factory.ts Co-authored-by: Kibana Machine <[email protected]>
…lastic#105333) ## Summary Adds RBAC layer to timeline plugin search strategy for alerts.
Summary
Adds RBAC layer to timeline plugin search strategy for alerts. Alerts RBAC is built off of the
alerting
plugin's authorization class. A few things that I came across:Users will not have ES privileges - they will have Kibana privileges - so need to query using Kibana user
The existing search strategy implementation does not expose a method for querying using the Kibana user. Upon discussions with @lukasolson figured out a simple way to expose this option to us in a way that does not expose it to existing search strategies. There may be a need to revisit this code, but seemed like a good option to keep things moving. A comment is added in the code to explain why this option was added.
Because of the need to query alerts using Kibana user, can't query other non-alerts indices at the same time (those need to be queried using
asCurrentUser
)For the time being, this logic will be separated. So you can either query for alerts by specifying the
entityType: EntityType.ALERTS
or for events by specifyingentityType: EntityType.EVENTS
.Timeline search strategy needs access to alerting's auth class and full Kibana request
@lukasolson was kind enough to expose the full Kibana request in the search strategy dependencies in a previous #98566. To get the alerting auth class, added
alerting
as a dependency. Should be added as optional assecurity
can be disabled, in which case no auth is performed.Client should be able to specify that they want to get more than one solution's alerts
Added a prop to timeline search strategy -
alertsConsumers
- an array of alert consumers for which solution alerts to search/return. An enum (non enum) of allalertsConsumers
options can be found in a kbn package -packages/kbn-rule-data-utils/src/alerts_as_data_rbac.ts
. Based off of this array, we determine which indices to query.TO DO
403
instead of500
for unauthorized users after [Search Strategy] - Errors being swallowed and reported as 500 #106005 is fixedChecklist
Risk Matrix
For maintainers