[Security Solution][Detections] Handle RBAC edge case for Related Integration on the FE side #134299
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
banderror
added
bug
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
4 tasks
spong
approved these changes
Jun 14, 2022
There was a problem hiding this comment.
Checked out, tested locally, and code reviewed -- LGTM! 👍
Great cleanup and fixes here @banderror! So much easier to grok with everything broken out into smaller, pure functions. Nice that the privilege checks are in their own hook and composed into the useInstalledIntegrations hook directly, and even better composability now with separate components for the Link/StatusBadge/VersionMismatchIcon.
I tested all the permutations of privileges between SOM/Fleet/Integrations, and each is working as expected. Even tested the error scenario by throwing within useInstalledIntegrations and looks like we're falling back as expected there as well 🙂.
Thank you for the tag-team here and all your efforts in getting these final fixes in -- LGTM! 🚀
💚 Build SucceededMetrics [docs]Module Count
Async chunks
To update your PR or re-run it, just comment with: cc @banderror |
kibanamachine
pushed a commit
that referenced
this pull request
Jun 14, 2022
…egration on the FE side (#134299) ## Summary Some users won't be able to get additional information about rule's related integrations, such as which of them are installed, enabled, etc. In order to have access to integrations' data in Fleet, a user needs either of these 3 Kibana privileges: - `Integrations`: `Read` or `All` - `Fleet`: `All` - `Saved Objects Management`: `Read` or `All` If all of them are `None`, the Related Integrations feature incorrectly shows all integrations as `Not Installed` even if some of them may be: <img width="1549" alt="Screenshot 2022-06-14 at 04 41 35" src="https://user-images.githubusercontent.com/7359339/173484715-291fa9dd-a1f1-4b91-a752-b7eb64bba2d4.png"> This PR adds a client-side privilege check and falls back to the basic UI that just shows the integration name+link and not any install information. ## Test instructions To test, configure a role with the 3 mentioned privileges as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then UI should fall back to no installed information: **Rule Details** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156901-572c4eb3-661f-4edf-974d-ec8ee13d849c.png" /> </p> **Rule Management** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156924-fbfec8ef-cbff-4966-8bee-bf3e29678cb9.png" /> </p> ## TODO In follow-up PRs: - [ ] Handle the same RBAC edge case for Related Integration on the BE side. Return 403 from the endpoint. - [ ] A test to exercise this fallback (either unit or cypress w/ specific role should do) - [ ] Ensure docs mention the required privileges for this feature ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit f9aa32d)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jun 14, 2022
…egration on the FE side (#134299) (#134300) ## Summary Some users won't be able to get additional information about rule's related integrations, such as which of them are installed, enabled, etc. In order to have access to integrations' data in Fleet, a user needs either of these 3 Kibana privileges: - `Integrations`: `Read` or `All` - `Fleet`: `All` - `Saved Objects Management`: `Read` or `All` If all of them are `None`, the Related Integrations feature incorrectly shows all integrations as `Not Installed` even if some of them may be: <img width="1549" alt="Screenshot 2022-06-14 at 04 41 35" src="https://user-images.githubusercontent.com/7359339/173484715-291fa9dd-a1f1-4b91-a752-b7eb64bba2d4.png"> This PR adds a client-side privilege check and falls back to the basic UI that just shows the integration name+link and not any install information. ## Test instructions To test, configure a role with the 3 mentioned privileges as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then UI should fall back to no installed information: **Rule Details** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156901-572c4eb3-661f-4edf-974d-ec8ee13d849c.png" /> </p> **Rule Management** <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156924-fbfec8ef-cbff-4966-8bee-bf3e29678cb9.png" /> </p> ## TODO In follow-up PRs: - [ ] Handle the same RBAC edge case for Related Integration on the BE side. Return 403 from the endpoint. - [ ] A test to exercise this fallback (either unit or cypress w/ specific role should do) - [ ] Ensure docs mention the required privileges for this feature ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit f9aa32d) Co-authored-by: Georgii Gorbachev <[email protected]>
banderror
pushed a commit
that referenced
this pull request
Jun 20, 2022
…ute to use Internal SO Client (#134373) ## Summary Follow up to #134299 that updates the `Get Installed Integrations` route to use the Internal SO Client and removes client-side privilege checks. This change ensures the `Related Integrations` feature works regardless of client users Fleet/Integration/SOM privileges, enabling all Security Solution users the ability to see which integrations are installed/configured with relation to their Detection Rules. This change is helpful for low privilege users like T1/T2 Analysts that may not have more broad privileges like SOM or Fleet to still see which of their Detection Rules have the necessary integrations. ### Test instructions To test, configure a role with the 3 mentioned privileges (SOM/Integrations/Fleet) as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then the UI should _still show_ installed details (installed/not installed badges): ##### Rules Table <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658501-9b384ce6-ddef-4643-a36e-3da3082c8972.png" /> </p> ##### Rules Details <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658533-a60b6e96-7283-441a-8faa-ed186476c1ac.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials * Working docs as part of elastic/security-docs#2015 - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### Risk Ma
kibanamachine
pushed a commit
that referenced
this pull request
Jun 20, 2022
…ute to use Internal SO Client (#134373) ## Summary Follow up to #134299 that updates the `Get Installed Integrations` route to use the Internal SO Client and removes client-side privilege checks. This change ensures the `Related Integrations` feature works regardless of client users Fleet/Integration/SOM privileges, enabling all Security Solution users the ability to see which integrations are installed/configured with relation to their Detection Rules. This change is helpful for low privilege users like T1/T2 Analysts that may not have more broad privileges like SOM or Fleet to still see which of their Detection Rules have the necessary integrations. ### Test instructions To test, configure a role with the 3 mentioned privileges (SOM/Integrations/Fleet) as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then the UI should _still show_ installed details (installed/not installed badges): ##### Rules Table <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658501-9b384ce6-ddef-4643-a36e-3da3082c8972.png" /> </p> ##### Rules Details <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658533-a60b6e96-7283-441a-8faa-ed186476c1ac.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials * Working docs as part of elastic/security-docs#2015 - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### Risk Ma (cherry picked from commit 01b8482)
kibanamachine
added a commit
that referenced
this pull request
Jun 20, 2022
…ute to use Internal SO Client (#134373) (#134734) ## Summary Follow up to #134299 that updates the `Get Installed Integrations` route to use the Internal SO Client and removes client-side privilege checks. This change ensures the `Related Integrations` feature works regardless of client users Fleet/Integration/SOM privileges, enabling all Security Solution users the ability to see which integrations are installed/configured with relation to their Detection Rules. This change is helpful for low privilege users like T1/T2 Analysts that may not have more broad privileges like SOM or Fleet to still see which of their Detection Rules have the necessary integrations. ### Test instructions To test, configure a role with the 3 mentioned privileges (SOM/Integrations/Fleet) as `None`, e.g. <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173156872-dfaece7e-a6ef-4774-b01d-e2fa7b66a068.png" /> </p> Then the UI should _still show_ installed details (installed/not installed badges): ##### Rules Table <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658501-9b384ce6-ddef-4643-a36e-3da3082c8972.png" /> </p> ##### Rules Details <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/173658533-a60b6e96-7283-441a-8faa-ed186476c1ac.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials * Working docs as part of elastic/security-docs#2015 - [X] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### Risk Ma (cherry picked from commit 01b8482) Co-authored-by: Garrett Spong <[email protected]>
Merged
21 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Some users won't be able to get additional information about rule's related integrations, such as which of them are installed, enabled, etc. In order to have access to integrations' data in Fleet, a user needs either of these 3 Kibana privileges:
Integrations:ReadorAllFleet:AllSaved Objects Management:ReadorAllIf all of them are
None, the Related Integrations feature incorrectly shows all integrations asNot Installedeven if some of them may be:This PR adds a client-side privilege check and falls back to the basic UI that just shows the integration name+link and not any install information.
Test instructions
To test, configure a role with the 3 mentioned privileges as
None, e.g.Then UI should fall back to no installed information:
Rule Details
Rule Management
TODO
In follow-up PRs:
Checklist
Delete any items that are not applicable to this PR.