-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Discuss] Upgrading to 7.10 might break Alerts created in 7.7 - 7.9 #70851
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
Your analysis looks correct to me here. Nice job laying this out, it was easy to follow and understand 🏅
@gmmorris and I already discussed this briefly, but for posterity: The only mechanism we have today is for these solutions' features to declare the necessary alerting privileges themselves to interact with the built-in alert types/actions. This is problematic, as it will exacerbate the problem by persisting this behavior for new roles, which is training our administrators the "wrong way" to do things. It also doesn't give administrators the ability to opt-out of this behavior: they wouldn't be able to create a role with access to SIEM, but without access to the built-in types. We don't have a way to special-case existing roles without also impacting future roles. We'd have to treat them the same way. This is because Kibana doesn't have the necessary privileges (by design) to manipulate user roles, so we can't go and patch existing roles to suit our needs, and we don't have a way to detect when a role was created/updated from within Kibana. |
I was talking with @kobelb and I think it's ok to accept this as a breaking change because we are still Beta. This seems like a change we have to do to get RBAC work done for GA. We can make sure it's properly documented with workarounds in the release notes and communicated to support. I also want to make sure @peterschretlen @bmcconaghy and @arisonl are ok with this impact for users.
Do they need a new API key or just updating the role will fix the alert? |
They will need to have their role updated first, and then a new API key created for the alert |
I just realised I might have got one scenario wrong:
I think the user will have to generate a new Api Key for this one as well, right? |
Yes that's correct |
Thanks @legrego , updated the table. |
We have just merged an enhancement designed to mitigate some of the issues raised by this issue. The EnhancementThe approach we chose was to migrate all alerts created prior to 7.10 into a legacy mode where RBAC is "dialed down" so that they can continue to run and execute actions after the upgrade without requiring any human intervention.
This exemption has introduced some tech debt that we'll likely be paying off until 8.0.0, but my personal feeling is that removing this exemption at a later date will be a relatively straight forward change, so I think we've found a reasonable balance. 🤔 Impact in terms of the scenarios mentioned above
|
Following the enhancement we've merged into Main (which will make it into 7.10), I am now closing this issue. Please reopen this issue if there are any additional concerns. 🙏 |
Discussing the new Feature Controls & RBAC (#43994) for Alerting with @legrego we have realised that we're likely to break a bunch of Alerts that already exist for our users when they upgrade to 7.10.
Below I summarise what scenarios are going to break and I'd like us to discuss how we want to proceed with this work given this behavior.
Context
Since version 7.7 we've provided the ability (if somewhat limited in 7.7, though still possible) to create Alerts either through Alerts Management or through solutions that are building on Alerting.
We did so in a permissive manner which did not take into account any form of Feature Controls or Role Based Access Control (RBAC), but did take into account Spaces and Security, meaning that we do ensure that an alert created by a user can't do anything that user wouldn't already be privileged to do themselves, but we didn't provide any way for administrators to limit which users can actually do this.
That said, we only provided access to the Alerts Management to users who also had access to one of the following solutions: APM, Uptime, Metrics, Logs and/or SIEM.
The works introduced in Version 7.10
As part of the work to bring Alerting out of Beta and into General Availability we've prioritised to work to introduced robust Feature Controls and RBAC which would provide the following:
Read
andAll
privileges are respected, so users who are , for example, read-only users can only read an alert, but can't change it.(There are a bunch of other nuanced aspects to this, but that gives you the broad strokes of why we've introduced this work).
The PR introducing the Alert RBAC & Built-In Alerts feature is here: #67157
The PR introducing the Actions RBAC & feature is here: #70304
There's a draft PR that include the entirety of the RBAC work (Alerting and Actions side by side) here: #70734
Upgrading from 7.7 / 7.8 / 7.9 to 7.10
As a consequence of this new RBAC work we are essentially introducing a less permissive permissions model than we had before hand, which means that we will be breaking certain alerts that might already exist in customer deployments.
I'd like to run through the specific scenarios and explain why they will break and explain how users will be able to correct the breakage. It's important to note that in all these cases the Alerts will break, but will not be lost and will be completely recoverable through user interaction.
First, the broad strokes as I understand them (@legrego will correct me if I got something wrong):
What this means is that the following will happen when a deployment is upgraded to 7.10:
Metrics Inventory
alert through the Metrics solution in 7.7/8/9 with an Email action on itI think that table now cover the different situations which are going to break, but there might be more... I'll have to investigate further before I can say for sure.
There are scenarios where nothing will break, of course, such as:
Metrics' Inventory
through the Metrics solution in 7.7/8 without any actionsWhat do we need to do next?
We need to decide whether we can live with the 7.10 release breaking these alerts.
Considering we're officially in Beta, this could be considered reasonable, but we'll definitely have some unhappy users out there, so we'd need to find the best way to communicate this change to them before they upgrade.
If we decide we can't live with this, we're going to have to work with the Security team to find some kind of work around.
If we could some how provide roles with Custom privileges some kind of special casing, such as automatically grant All or Read to the Actions & Built-In Alerts features when they have privileges to one of the solutions that provide alerts, then we could side step most of the issue, but I don't know if that's possible for 7.10.
Let me know what you think.
For now I am marking the Feature Controls issue as Blocked as I don't think we can merge it until this question is addressed.
The text was updated successfully, but these errors were encountered: