Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[8.x] [EDR Workflows] Fix Endpoint list RBAC problems (#199803) #203534

Merged
merged 1 commit into from
Dec 10, 2024

Conversation

kibanamachine
Copy link
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions ?

Please refer to the Backport tool documentation

## Summary

This PR fixes multiple Endpoint list privilege issues. It can be
reviewed commit-by-commit so the fixes are mostly separated (although
some solutions and tests are reused, hence the reason to have them in
one pr):
- a3311ad fixes issue when during
onboarding (no hosts, policies are indiferent) calls are made to `GET
api/fleet/package_policies` without correct privilege (needs policy
management READ or fleet:READ+integration:READ), and causes `Forbidden`
page. ([issue](elastic/security-team#10581))
_UI_: we display the usual 'onboarding without correct privileges' UI
for users
<img width="1958" alt="image"
src="https://github.com/user-attachments/assets/9e1701cc-9c3d-4a80-9c7a-df792d88dab3">

- 63ca011 fixes issue when during
onboarding (no hosts, no policies) the `Add Elastic Defend` button was
shown when user had `Fleet:ALL` and `Integrations:READ` privilege, while
both should be `ALL` in order to be able to create an integration policy
([issue](elastic/security-team#10765))
_UI_: the 'Add Elastic Defend' button is hidden, so the result is the
same as above

https://github.com/user-attachments/assets/87fe3a95-131d-484b-8ca0-d06c4caafee1

- ffafa14 fixes issue when after having
hosts in Endpoint list and we're calling `POST
api/fleet/package_policies/_bulk_get` without privilege (needs policy
management READ or fleet:READ+integration:READ), which does not cause
any visible issue, but is logged to dev console
([issue](elastic/security-team#10580))

some additions:
- c7021b3 adds an acceptance test for
all 3 issues above, with failing test run
[here](https://buildkite.com/elastic/kibana-pull-request/builds/250428#019320cf-c433-4979-a998-d0f8b8f7be16).
- 8e10847 enables policy list
integration test, this closes elastic#169133

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] [Flaky Test
Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was
used on any tests changed

---------

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit 2fa8f47)
@kibanamachine kibanamachine merged commit cd14a9c into elastic:8.x Dec 10, 2024
11 checks passed
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.4MB 13.4MB +1.5KB

cc @gergoabraham

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants