Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kibana privileges should support custom actions for alerting #62438

Closed
legrego opened this issue Apr 3, 2020 · 1 comment · Fixed by #67157
Closed

Kibana privileges should support custom actions for alerting #62438

legrego opened this issue Apr 3, 2020 · 1 comment · Fixed by #67157
Assignees
@legrego
Labels
Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Copy link
Member

legrego commented Apr 3, 2020
edited
Loading

Alerting has its own "alerting client":

  • deals with interacting with the alert saved objects (like spaces client)
  • uses fully wrapped SO client -- can't secure the methods that they want
  • users have access to SOs directly by hitting generic SO API

alerting could get SO client excluding the security wrapper

  • add own auth checks inside client
  • no end-user authorization to access alert SOs

allow alerting client to perform these auth checks.

This is a stop-gap solution until we can introduce a flexible privilege/action model
@legrego legrego added Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Apr 3, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego self-assigned this Apr 3, 2020
@gmmorris gmmorris mentioned this issue Jun 29, 2020
Merged
6 tasks
gmmorris added a commit that referenced this issue Jul 22, 2020
@gmmorris
Adds Role Based Access-Control to the Alerting & Action plugins based…
4abe864 
… on Kibana Feature Controls (#67157)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: #43994

This also closes #62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
gmmorris added a commit to gmmorris/kibana that referenced this issue Jul 22, 2020
@gmmorris
Adds Role Based Access-Control to the Alerting & Action plugins based…
86477e1 
… on Kibana Feature Controls (elastic#67157)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: elastic#43994

This also closes elastic#62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
gmmorris added a commit that referenced this issue Jul 22, 2020
@gmmorris @elasticmachine
Adds Role Based Access-Control to the Alerting & Action plugins based…
225cfa1 
… on Kibana Feature Controls (#67157) (#72850)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: #43994

This also closes #62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs

Co-authored-by: Elastic Machine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@legrego legrego

Labels
Feature:Security/Feature Controls Platform Security - Spaces & Role Mgmt feature controls Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
2 participants
@legrego @elasticmachine