[8.16] [Security Solution] Give entity store permissions to built-in …
…and cloud roles (elastic#197383) (elastic#197618)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution] Give entity store permissions to built-in and
cloud roles (elastic#197383)](elastic#197383)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Pablo
Machado","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-24T11:25:29Z","message":"[Security
Solution] Give entity store permissions to built-in and cloud roles
(elastic#197383)\n\n## Summary\r\n\r\nGive entity store permissions to built-in
and cloud roles.\r\nThe entity store should be available where the
RiskEngine is.\r\n\r\nES controller
PR\r\nhttps://github.com/elastic/elasticsearch-controller/pull/753","sha":"a194211fff9195c1c03c0679dc3aa806e3676515","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","Theme: entity_analytics","Feature:Entity
Analytics","Team:Entity
Analytics","v8.16.0","backport:version","v8.17.0"],"title":"[Security
Solution] Give entity store permissions to built-in and cloud
roles","number":197383,"url":"https://github.com/elastic/kibana/pull/197383","mergeCommit":{"message":"[Security
Solution] Give entity store permissions to built-in and cloud roles
(elastic#197383)\n\n## Summary\r\n\r\nGive entity store permissions to built-in
and cloud roles.\r\nThe entity store should be available where the
RiskEngine is.\r\n\r\nES controller
PR\r\nhttps://github.com/elastic/elasticsearch-controller/pull/753","sha":"a194211fff9195c1c03c0679dc3aa806e3676515"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197383","number":197383,"mergeCommit":{"message":"[Security
Solution] Give entity store permissions to built-in and cloud roles
(elastic#197383)\n\n## Summary\r\n\r\nGive entity store permissions to built-in
and cloud roles.\r\nThe entity store should be available where the
RiskEngine is.\r\n\r\nES controller
PR\r\nhttps://github.com/elastic/elasticsearch-controller/pull/753","sha":"a194211fff9195c1c03c0679dc3aa806e3676515"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.x","label":"v8.17.0","branchLabelMappingKey":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Pablo Machado <[email protected]>
kibanamachine and machadoum authored Oct 24, 2024
1 parent a9e1ad2 commit e5c9769
Showing 4 changed files with 44 additions and 1 deletion.
@@ -35,6 +35,7 @@ viewer:
- '.fleet-actions*'
- 'risk-score.risk-score-*'
- '.asset-criticality.asset-criticality-*'
- '.entities.v1.latest.security_*'
- '.ml-anomalies-*'
privileges:
- read
@@ -99,6 +100,7 @@ editor:
- 'maintenance'
- names:
- '.asset-criticality.asset-criticality-*'
- '.entities.v1.latest.security_*'
privileges:
- 'read'
- 'write'
@@ -162,6 +164,7 @@ t1_analyst:
- '.fleet-actions*'
- risk-score.risk-score-*
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -211,6 +214,7 @@ t2_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -274,6 +278,7 @@ t3_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -346,6 +351,7 @@ threat_intelligence_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -406,6 +412,7 @@ rule_author:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -472,6 +479,7 @@ soc_manager:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -543,6 +551,7 @@ detections_admin:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -590,6 +599,7 @@ platform_engineer:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -648,6 +658,7 @@ endpoint_operations_analyst:
- .lists*
- .items*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- '.ml-anomalies-*'
privileges:
- read
@@ -717,6 +728,7 @@ endpoint_policy_manager:
- winlogbeat-*
- logstash-*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
privileges:
- read
- names:
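Review bot: The `editor`, `detections_admin` and `platform_engineer` hunks put `.entities.v1.latest.security_*` in the `names` list that carries both `read` and `write`, next to `.asset-criticality.asset-criticality-*`, while the other roles appear to receive it in lists whose visible privilege is `read`. The description only asks for the entity store to be available where the risk engine is, so it is worth confirming that these roles need to modify entity documents directly; if the store is populated by the engine rather than by users, a separate entry such as `- names: ['.entities.v1.latest.security_*']` with `privileges: [read]` keeps the grant least-privilege. The same placement appears in the two role files further down the page. The +/- markers are lost in this rendering, so which line each hunk adds is inferred from the hunk counts and the commit title.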
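--- a/packages/kbn-es/src/serverless_resources/security_roles.json
+++ b/packages/kbn-es/src/serverless_resources/security_roles.json
@@ -120,7 +120,12 @@
 "privileges": ["read", "write"]
 },
 {
-"names": ["metrics-endpoint.metadata_current_*", ".fleet-agents*", ".fleet-actions*", "risk-score.risk-score-*"],
+"names": [
+"metrics-endpoint.metadata_current_*",
+".fleet-agents*", ".fleet-actions*",
+"risk-score.risk-score-*",
+".entities.v1.latest.security_*"
+],
 "privileges": ["read"]
 }
 ],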
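Review bot: In the reflowed `names` array, `".fleet-agents*", ".fleet-actions*",` still share one line while every other pattern now sits on its own line; splitting them makes the next addition to this privilege list a one-line diff that is easy to audit. The role this entry belongs to starts outside the hunk, so it cannot be checked here that the same role gets the entity-store pattern in the YAML role files on this page.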
@@ -53,6 +53,7 @@ viewer:
- ".fleet-actions*"
- "risk-score.risk-score-*"
- ".asset-criticality.asset-criticality-*"
- ".entities.v1.latest.security_*"
- ".ml-anomalies-*"
privileges:
- read
@@ -117,6 +118,7 @@ editor:
- "maintenance"
- names:
- ".asset-criticality.asset-criticality-*"
- .entities.v1.latest.security_*
privileges:
- "read"
- "write"
@@ -181,6 +183,7 @@ t1_analyst:
- ".fleet-actions*"
- risk-score.risk-score-*
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -231,6 +234,7 @@ t2_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -295,6 +299,7 @@ t3_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -363,6 +368,7 @@ threat_intelligence_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -424,6 +430,7 @@ rule_author:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -468,6 +475,7 @@ soc_manager:
- packetbeat-*
- winlogbeat-*
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -491,6 +499,7 @@ soc_manager:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .asset-criticality.asset-criticality-*
- ".ml-anomalies-*"
privileges:
- read
@@ -563,6 +572,7 @@ detections_admin:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -611,6 +621,7 @@ platform_engineer:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -670,6 +681,7 @@ endpoint_operations_analyst:
- .lists*
- .items*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -740,6 +752,7 @@ endpoint_policy_manager:
- packetbeat-*
- winlogbeat-*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
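Review bot: The two `soc_manager` hunks look mismatched with the rest of the change: the first puts `.entities.v1.latest.security_*` in the list that carries `read` and `write`, and the second adds `.asset-criticality.asset-criticality-*` to the list whose visible privilege is `read`, the position where every other analyst role in this file receives the entity-store pattern. In the first file on this page `soc_manager` gets the entity-store pattern in its `read` list, so as far as these hunks show the same role ends up able to write entity indices here but not there. If read is the intent, the second hunk's added line should be `- .entities.v1.latest.security_*` and the first hunk's addition dropped; if write is intended, the first file should match. The next file repeats the same pair of hunks, and which line each hunk adds is inferred from the hunk counts because the +/- markers are not shown.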
@@ -34,6 +34,7 @@ viewer:
- ".fleet-actions*"
- "risk-score.risk-score-*"
- ".asset-criticality.asset-criticality-*"
- ".entities.v1.latest.security_*"
- ".ml-anomalies-*"
privileges:
- read
@@ -98,6 +99,7 @@ editor:
- "maintenance"
- names:
- ".asset-criticality.asset-criticality-*"
- ".entities.v1.latest.security_*"
privileges:
- "read"
- "write"
@@ -162,6 +164,7 @@ t1_analyst:
- ".fleet-actions*"
- risk-score.risk-score-*
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -212,6 +215,7 @@ t2_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -276,6 +280,7 @@ t3_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -344,6 +349,7 @@ threat_intelligence_analyst:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -405,6 +411,7 @@ rule_author:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -449,6 +456,7 @@ soc_manager:
- packetbeat-*
- winlogbeat-*
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -472,6 +480,7 @@ soc_manager:
- .fleet-agents*
- .fleet-actions*
- risk-score.risk-score-*
- .asset-criticality.asset-criticality-*
- ".ml-anomalies-*"
privileges:
- read
@@ -544,6 +553,7 @@ detections_admin:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -592,6 +602,7 @@ platform_engineer:
- all
- names:
- .asset-criticality.asset-criticality-*
- .entities.v1.latest.security_*
privileges:
- read
- write
@@ -651,6 +662,7 @@ endpoint_operations_analyst:
- .lists*
- .items*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read
@@ -721,6 +733,7 @@ endpoint_policy_manager:
- packetbeat-*
- winlogbeat-*
- risk-score.risk-score-*
- .entities.v1.latest.security_*
- ".ml-anomalies-*"
privileges:
- read