[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope #193948
Conversation
umbopepato
added
release_note:fix
Team:ResponseOps
umbopepato
force-pushed
the
fix-stack-alerts-endpoints-authentication
branch
from
6a3603f to
37fdc74
Compare
| }; | ||
|
|
||
| const getSecuritySolutionIndexName = async ( | ||
| const getIndexName = async ( |
There was a problem hiding this comment.
Reduced similar functions to a single one parametrized based on featureIds
|
Pinging @elastic/response-ops (Team:ResponseOps) |
| @@ -126,6 +126,14 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) { | |||
| spaces: ['*'], | |||
| }, | |||
| ], | |||
| elasticsearch: { | |||
There was a problem hiding this comment.
What is the reason for adding this?
There was a problem hiding this comment.
But before it was working without it, why does this role (alerts_and_actions_role) need extra permission? Did some tests start failing because we added the rac API privilege?
There was a problem hiding this comment.
But before it was working without it, why does this role (alerts_and_actions_role) need extra permission? Did some tests start failing because we added the rac API privilege?
There was a problem hiding this comment.
I just added it to simulate a correct scenario (currently the user needs access to the index to be able to see the controls bar) but if we don't mind seeing the error toast in the functional test I can remove it, the other tests work just fine
There was a problem hiding this comment.
I think is fine what I do not get is why the alerts_and_actions_role role needs it and not the stackAlertsOnlyReadSpacesAll which is used by the tests. I am sure I am missing something 🙂.
That's the broader issue I was trying to solve with the other PR we decided to split. If you don't have direct (at least read) access to the alerting index the controls embeddable cannot work correctly. 🙂 |
Make sense, thanks for that! |
Hey! Seems like those alerts have been created with the |
Oops! My bad 🤦♀️ |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
|
Starting backport for target branches: 8.x |
…cope (elastic#193948) ## Summary Adds the `['rac']` API access scope to the Stack Alerts feature to correctly authenticate alerts API endpoints with the `stackAlerts` permission. Also adds a dedicated API integration test for the impacted endpoint and permission set. ## Release note Fix Stack Alerts feature API access control ## To verify 1. Create rules that fire alerts in Stack management 2. Wait for alerts to be created 3. Create a role with only `Stack Management > Rules : Read` privilege 4. Create a user with that role 5. In another window, open Kibana with the newly created user 6. Check that the Stack Management > Alerts page renders correctly, not showing any missing 403 error toasts (cherry picked from commit 17fcaa5)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…auth scope (#193948) (#195279) # Backport This will backport the following commits from `main` to `8.x`: - [[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope (#193948)](#193948) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Umberto Pepato","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-07T15:17:31Z","message":"[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope (#193948)\n\n## Summary\r\n\r\nAdds the `['rac']` API access scope to the Stack Alerts feature to\r\ncorrectly authenticate alerts API endpoints with the `stackAlerts`\r\npermission.\r\nAlso adds a dedicated API integration test for the impacted endpoint and\r\npermission set.\r\n\r\n## Release note\r\n\r\nFix Stack Alerts feature API access control\r\n\r\n## To verify\r\n\r\n1. Create rules that fire alerts in Stack management\r\n2. Wait for alerts to be created\r\n3. Create a role with only `Stack Management > Rules : Read` privilege\r\n4. Create a user with that role\r\n5. In another window, open Kibana with the newly created user\r\n6. Check that the Stack Management > Alerts page renders correctly, not\r\nshowing any missing 403 error toasts","sha":"17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:ResponseOps","v9.0.0","backport:prev-minor"],"title":"[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope","number":193948,"url":"https://github.com/elastic/kibana/pull/193948","mergeCommit":{"message":"[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope (#193948)\n\n## Summary\r\n\r\nAdds the `['rac']` API access scope to the Stack Alerts feature to\r\ncorrectly authenticate alerts API endpoints with the `stackAlerts`\r\npermission.\r\nAlso adds a dedicated API integration test for the impacted endpoint and\r\npermission set.\r\n\r\n## Release note\r\n\r\nFix Stack Alerts feature API access control\r\n\r\n## To verify\r\n\r\n1. Create rules that fire alerts in Stack management\r\n2. Wait for alerts to be created\r\n3. Create a role with only `Stack Management > Rules : Read` privilege\r\n4. Create a user with that role\r\n5. In another window, open Kibana with the newly created user\r\n6. Check that the Stack Management > Alerts page renders correctly, not\r\nshowing any missing 403 error toasts","sha":"17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193948","number":193948,"mergeCommit":{"message":"[ResponseOps][Alerting] Fix stackAlerts plugin missing rac API auth scope (#193948)\n\n## Summary\r\n\r\nAdds the `['rac']` API access scope to the Stack Alerts feature to\r\ncorrectly authenticate alerts API endpoints with the `stackAlerts`\r\npermission.\r\nAlso adds a dedicated API integration test for the impacted endpoint and\r\npermission set.\r\n\r\n## Release note\r\n\r\nFix Stack Alerts feature API access control\r\n\r\n## To verify\r\n\r\n1. Create rules that fire alerts in Stack management\r\n2. Wait for alerts to be created\r\n3. Create a role with only `Stack Management > Rules : Read` privilege\r\n4. Create a user with that role\r\n5. In another window, open Kibana with the newly created user\r\n6. Check that the Stack Management > Alerts page renders correctly, not\r\nshowing any missing 403 error toasts","sha":"17fcaa5c8eb6cdff5f89a2fa28a20f42d020381f"}}]}] BACKPORT--> Co-authored-by: Umberto Pepato <[email protected]>
Summary
Adds the
['rac']API access scope to the Stack Alerts feature to correctly authenticate alerts API endpoints with thestackAlertspermission.Also adds a dedicated API integration test for the impacted endpoint and permission set.
Release note
Fix Stack Alerts feature API access control
To verify
Stack Management > Rules : Readprivilege