[ResponseOps][Alerts] Fix stack alerts plugin API and page permissions #191110
Conversation
umbopepato
added
release_note:fix
Team:ResponseOps
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
4532beb to
e57eca2
Compare
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
e57eca2 to
2ede3c6
Compare
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
2ede3c6 to
e504d0e
Compare
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
e504d0e to
d163ced
Compare
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
d163ced to
d37fb0c
Compare
|
/ci |
umbopepato
force-pushed
the
186451-fix-stack-alerts-page-permissions
branch
from
d37fb0c to
c0ca606
Compare
|
/ci |
|
Pinging @elastic/response-ops (Team:ResponseOps) |
x-pack/test/rule_registry/security_and_spaces/tests/basic/index.ts
Outdated
Show resolved
Hide resolved
...rs_actions_ui/public/application/sections/alerts_search_bar/url_synced_alerts_search_bar.tsx
Outdated
Show resolved
Hide resolved
| /** | ||
| * Indicates if the end user has read access to the index, besides the alerting authorization | ||
| */ | ||
| hasReadIndexPrivilege?: boolean; |
There was a problem hiding this comment.
question about this field, shouldn't we do this implicitly on the backend based on the request user? Seems a bit odd to expose a field like this to the client.
There was a problem hiding this comment.
The main use case is authorizing views like the filter controls bar that are unaware of the alerting RBAC and directly work with the indices. In these cases we don't have a way to know if the end user (besides their alerting permissions) has direct read access to the alerting indices. Since this is particularly useful for unprivileged users, checking the index permissions directly on the client seems a bit fragile: the user should have access to the plugin(s) that expose the privilege check functionality, which is unlikely in this case.
I could be missing a more straightforward way to check this so please if you have any ideas let me know 🙂
There was a problem hiding this comment.
Right but this means anyone could "spoof" the read index privilege by passing this field? At that point you might as well just always assume the user has privilege
In these cases we don't have a way to know if the end user (besides their alerting permissions) has direct read access to the alerting indices.
Since we have the request, we'll have the user, can't we check the user's index privilege? unless we're someone making a request on behalf of another user or something.
the user should have access to the plugin(s) that expose the privilege check functionality
Then how does the client know of the user's index privilege but not the server? The client had to get it's data from somewhere.
There was a problem hiding this comment.
Right but this means anyone could "spoof" the read index privilege by passing this field? At that point you might as well just always assume the user has privilege
Not sure I follow you here. This is set by the server, not the client, (I assume) similarly to how the capabilities object informs the client on what the user has access to for example.
Since we have the request, we'll have the user, can't we check the user's index privilege? unless we're someone making a request on behalf of another user or something.
This privilege is not instrumental to authenticating the alerts/_index request itsefl, but to tell the client if the user has access to the ES alerts index itself. Unprivileged users might not have a direct access but still be able to indirectly access them through the alerting APIs.
The controls embeddable thought works directly with the ES indices, not through the alerting APIs. That's why we need to check if the user has "direct" access to those indices: to hide the controls and avoid 403 errors.
There was a problem hiding this comment.
If you create a Role with only Security read capabilities without access to the indices and try to open the Security > Alerts page, you'll see a missing authn prompt that pretty much exemplifies this situation. We'd have to do something similar with the controls embeddable
…k-alerts-page-permissions
…:umbopepato/kibana into 186451-fix-stack-alerts-page-permissions
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
| appMockRender = createAppMockRenderer(); | ||
| (getIsExperimentalFeatureEnabled as jest.Mock).mockImplementation(() => false); | ||
| afterEach(() => { | ||
| appMockRender.queryClient.clear(); |
| '.alerts-observability.uptime.alerts-*', | ||
| '.alerts-observability.metrics.alerts-*', | ||
| '.alerts-observability.logs.alerts-*', | ||
| '.alerts-observability.apm.alerts-*', | ||
| ]); | ||
| ], | ||
| hasReadIndexPrivilege: false, |
There was a problem hiding this comment.
If we are going to use this field at the end, could you please add some tests for hasReadIndexPrivilege: true behaviour?
Summary
Adds the(done in [ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope #193948)racapi privilege tostackAlertsplugin's Kibana feature registrationfetchAlertsIndexNamesAPI to return a boolean flag that indicates if the end user (not Kibana user) has (at least) read index privileges on the alert index name returned by the API, regardless of the alerting authorizationuseAlertsDataViewto return an intermediate empty data view object while loadingTo verify
Stack Management > Rules : ReadprivilegestackAlertsrule types and without the filter controls bar.alerts-*index to the roleReferences
Fixes #186451
Checklist
Delete any items that are not applicable to this PR.