Add necessary privileges to apps using alerting #60135

Closed · peterschretlen opened this issue Mar 13, 2020 · 2 comments · Fixed by #61113

peterschretlen commented Mar 13, 2020

Right now SIEM is the only app with alerting and actions privileges. Until features privileges is fully supported, we should add permissions to:

This snippet shows how it is done for SIEM, we would do the same in other apps:

```ts
plugins.features.registerFeature({
  id: this.name,
  name: i18n.translate('xpack.siem.featureRegistry.linkSiemTitle', {
    defaultMessage: 'SIEM',
  }),
  icon: 'securityAnalyticsApp',
  navLinkId: 'siem',
  app: ['siem', 'kibana'],
  catalogue: ['siem'],
  privileges: {
    all: {
      api: ['siem', 'actions-read', 'actions-all', 'alerting-read', 'alerting-all'],
      savedObject: {
        all: [
          'alert',
          'action',
          'action_task_params',
          noteSavedObjectType,
          pinnedEventSavedObjectType,
          timelineSavedObjectType,
          ruleStatusSavedObjectType,
        ],
        read: ['config'],
      },
      ui: [
        'show',
        'crud',
        'alerting:show',
        'actions:show',
        'alerting:save',
        'actions:save',
        'alerting:delete',
        'actions:delete',
      ],
    },
    read: {
      api: ['siem', 'actions-read', 'actions-all', 'alerting-read', 'alerting-all'],
      savedObject: {
        all: ['alert', 'action', 'action_task_params'],
        read: [
          'config',
          noteSavedObjectType,
          pinnedEventSavedObjectType,
          timelineSavedObjectType,
          ruleStatusSavedObjectType,
        ],
      },
      ui: [
        'show',
        'alerting:show',
        'actions:show',
        'alerting:save',
        'actions:save',
        'alerting:delete',
        'actions:delete',
      ],
    },
  },
});
```

Alerting/Actions management UI capabilities have explicit checks on the SIEM feature; this may need some rework:

```ts
export function hasShowAlertsCapability(capabilities: any): boolean {
  if (capabilities.siem && capabilities.siem['alerting:show']) {
    return true;
  }
  return false;
}

export function hasShowActionsCapability(capabilities: any): boolean {
  if (capabilities.siem && capabilities.siem['actions:show']) {
    return true;
  }
  return false;
}
```
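Added example, not part of the issue comment and not Kibana's own code: a feature-agnostic form of the SIEM-only capability check, plus a review helper that lists what a `read` tier grants beyond read access before the block is copied into other apps. The type shapes, the function names, the `uptime` capability entries and the rule that `-all` API tags and `:save`/`:delete`/`crud` UI entries mean write access are assumptions; the `read` tier input is abridged from the snippet above.

```typescript
// Simplified shapes (assumptions), not Kibana's real types.
type FeatureCaps = Record<string, boolean>;
type Capabilities = Record<string, FeatureCaps | undefined>;

interface PrivilegeTier {
  api: string[];
  savedObject: { all: string[]; read: string[] };
  ui: string[];
}

// True when ANY registered feature grants the capability, instead of only `siem`.
function hasAlertingCapability(capabilities: Capabilities, name: string): boolean {
  return Object.keys(capabilities).some((id) => {
    const feature = capabilities[id];
    return feature !== undefined && feature[name] === true;
  });
}

// Lists every write-level grant found in a tier that is labelled read-only.
// Assumption: "-all" API tags and "crud"/":save"/":delete" UI entries denote write access.
function writeGrantsInReadTier(read: PrivilegeTier): string[] {
  const findings: string[] = [];
  for (const tag of read.api) {
    if (/-all$/.test(tag)) findings.push(`api:${tag}`);
  }
  for (const type of read.savedObject.all) findings.push(`savedObject.all:${type}`);
  for (const cap of read.ui) {
    if (cap === 'crud' || /:(save|delete)$/.test(cap)) findings.push(`ui:${cap}`);
  }
  return findings;
}

// Constructed input: a user holding only a hypothetical Uptime privilege.
const uptimeOnly: Capabilities = {
  siem: { show: false, 'alerting:show': false },
  uptime: { show: true, 'alerting:show': true, 'actions:show': true },
};
// The `read` tier from the SIEM snippet, with the imported saved-object constants left out.
const siemRead: PrivilegeTier = {
  api: ['siem', 'actions-read', 'actions-all', 'alerting-read', 'alerting-all'],
  savedObject: { all: ['alert', 'action', 'action_task_params'], read: ['config'] },
  ui: ['show', 'alerting:show', 'actions:show', 'alerting:save', 'actions:save',
    'alerting:delete', 'actions:delete'],
};

console.log(hasAlertingCapability(uptimeOnly, 'alerting:show'));
console.log(writeGrantsInReadTier(siemRead));
```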

@elasticmachine

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

pmuellr commented Mar 24, 2020

Some notes while I work on this ...

The following files need changes

Metrics is under infra, which also includes logs, so it's not as 1-1 as uptime.

To repro not being able to see alerts with these users now, I created the following role and user:

role: alerting_uptime_metrics

  • cluster privileges: all
  • space privilege: global; everything NONE but uptime/metrics ALL - but you should test them independently - only one on at a time

user: al (erting)

  • roles: alerting_uptime_metrics, monitoring_user, transport_client (added randomly, thought I might need it), apm_user

Logged in as this user, the Alerts and Actions management app does not appear.

In order to create an index threshold alert, you'll need to have an index pattern for the index to read from. I'm using es-apm-sys-sim, and so started it, then created an index pattern for it. You'll then need to add this under Index Privileges for the role created, and can give it the all permission,

pmuellr added a commit to pmuellr/kibana that referenced this issue Mar 24, 2020
resolves elastic#60135

See the reference issue for how to configure Kibana to test this manually.
There are no automated tests for this ATM.

The basic test scenario is to create a role with just the Uptime space
privilege, make sure it gets to the Alerts and Actions management app,
make sure you can create an action (server log), and alert (index threshold),
and that the alert and action run successfully.

Then repeat with just the Metrics space privilege.