Kibana alerting RBAC - impact on detection rules' actions #74170
Pinging @elastic/siem (Team:SIEM)
@dhurley14 thanks for putting this together. I had a few questions. If I've created a detection rule with an action to send to an external system anytime there's a new alert, and then I upgrade to 7.10:
I'm also curious what work we need to do in order to address #67157 (comment)
@tonymeehan I spoke with @gmmorris and we discussed at a high level the changes that this introduces. My initial understanding was these changes would only affect the process of creating new rules with actions and not have an effect on previously created rules. That assumption was incorrect. This will have an effect on rules with actions that were previously created and will require those rules to be enabled / disabled manually. I will summarize the changes to the best of my ability below and I invite Gidi to add / correct anything I miss:
Any rule with an action created before 7.10 will need to be disabled / enabled by a user with either "Read" or "All" permissions for "Actions", without which the action will never fire. There is no way for us or the kibana alerting team to migrate actions and update the api key for the action / rule (alert). The end user (while logged in as a user with the necessary permissions for actions) must disable / re-enable all rules with actions.
This will help with the creation of new rules with actions. I don't believe we can do this automatically though. Also, this will not alleviate issues around rules with actions which are migrated from 7.9, 7.8 etc. to 7.10 failing to fire when triggered. New API keys must be generated for the rules via manually re-enabling the rules (by a user with the permissions listed above). Gidi and the kibana security team discussed this further here.
That situation will occur if the user creating the rule (in 7.10) does not have, at a minimum, "Read" permissions for actions. If that is the case, we need to hide the actions step. Or develop some UX. Maybe display to the user "hey, you don't have permissions to set up actions for a rule. Talk to your kibana admin about getting those permissions or skip this step" etc.
#75563 fixes the issues around actions not firing for rules created before 7.10, but we still have some decisions to make around permissions for creating new rules in 7.10. In order for a user to create a rule in 7.10, the user will need “All” permissions for Alerts. In addition to this, we need to determine what the requisite (if any) permissions for the "Actions" setting will be for creating a rule. There are four options as far as I see:
What's everyone's opinion on this?
With the introduction of RBAC in kibana alerting (#67157, #67157 (comment)), users who wish to create or edit or view rules will need to set permissions for alerting and actions if:
In general the suggestion will be to set alerting and actions permissions to be whatever the permissions are for the security solution in that given role.