[RAM] Apply maintenance windows privilege to UI #156191
Pinging @elastic/response-ops (Team:ResponseOps)
Checked out, tested locally, code reviewed Detection Rules changes and everything LGTM! 🚀 🙌 🔐
Left a few nits if you'd like to take care of those but not necessary.
To test I did the following:

Create three roles, one for each `all`/`read`/`none` maintenance privileges (via Dev Tools):
```
PUT /_security/role/maintenance_window_all
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_filesManagement.all",
        "feature_indexPatterns.all",
        "feature_advancedSettings.all",
        "feature_dev_tools.all",
        "feature_securitySolutionCases.all",
        "feature_siem.all",
        "feature_discover.all",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_maps.all",
        "feature_ml.all",
        "feature_graph.all",
        "feature_visualize.all",
        "feature_filesSharedImage.all",
        "feature_savedObjectsManagement.all",
        "feature_savedObjectsTagging.all",
        "feature_osquery.all",
        "feature_actions.all",
        "feature_generalCases.all",
        "feature_guidedOnboardingFeature.all",
        "feature_rulesSettings.all",
        "feature_stackAlerts.all",
        "feature_fleetv2.all",
        "feature_fleet.all",
        "feature_maintenanceWindow.all",
        "feature_logs.all",
        "feature_infrastructure.all",
        "feature_apm.all",
        "feature_uptime.all",
        "feature_observabilityCases.all",
        "feature_slo.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```
```
PUT /_security/role/maintenance_window_read
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_filesManagement.all",
        "feature_indexPatterns.all",
        "feature_advancedSettings.all",
        "feature_dev_tools.all",
        "feature_securitySolutionCases.all",
        "feature_siem.all",
        "feature_discover.all",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_maps.all",
        "feature_ml.all",
        "feature_graph.all",
        "feature_visualize.all",
        "feature_filesSharedImage.all",
        "feature_savedObjectsManagement.all",
        "feature_savedObjectsTagging.all",
        "feature_osquery.all",
        "feature_actions.all",
        "feature_generalCases.all",
        "feature_guidedOnboardingFeature.all",
        "feature_rulesSettings.all",
        "feature_stackAlerts.all",
        "feature_fleetv2.all",
        "feature_fleet.all",
        "feature_maintenanceWindow.read",
        "feature_logs.all",
        "feature_infrastructure.all",
        "feature_apm.all",
        "feature_uptime.all",
        "feature_observabilityCases.all",
        "feature_slo.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```
```
PUT /_security/role/maintenance_window_none
{
  "cluster": ["all"],
  "indices": [
    {
      "names": ["*"],
      "privileges": ["all"],
      "field_security": {
        "grant": ["*"],
        "except": []
      },
      "allow_restricted_indices": false
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_filesManagement.all",
        "feature_indexPatterns.all",
        "feature_advancedSettings.all",
        "feature_dev_tools.all",
        "feature_securitySolutionCases.all",
        "feature_siem.all",
        "feature_discover.all",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_maps.all",
        "feature_ml.all",
        "feature_graph.all",
        "feature_visualize.all",
        "feature_filesSharedImage.all",
        "feature_savedObjectsManagement.all",
        "feature_savedObjectsTagging.all",
        "feature_osquery.all",
        "feature_actions.all",
        "feature_generalCases.all",
        "feature_guidedOnboardingFeature.all",
        "feature_rulesSettings.all",
        "feature_stackAlerts.all",
        "feature_fleetv2.all",
        "feature_fleet.all",
        "feature_maintenanceWindow.none",
        "feature_logs.all",
        "feature_infrastructure.all",
        "feature_apm.all",
        "feature_uptime.all",
        "feature_observabilityCases.all",
        "feature_slo.all"
      ],
      "resources": ["*"]
    }
  ],
  "run_as": [],
  "metadata": {},
  "transient_metadata": {
    "enabled": true
  }
}
```
Create a new `maintenance_user` (assigned all three roles), create an active maintenance window, then remove one role at a time testing each:

POST /_security/user/maintenance_user (ALL)

```
POST /_security/user/maintenance_user
{
  "username": "maintenance_user",
  "password": "changeme",
  "roles": [
    "maintenance_window_all",
    "maintenance_window_read",
    "maintenance_window_none"
  ],
  "full_name": "Main",
  "email": "Tenance",
  "metadata": {},
  "enabled": true
}
```

PUT /_security/user/maintenance_user (READ)

```
PUT /_security/user/maintenance_user
{
  "username": "maintenance_user",
  "roles": [
    "maintenance_window_read",
    "maintenance_window_none"
  ],
  "full_name": "Main",
  "email": "Tenance",
  "metadata": {},
  "enabled": true
}
```

PUT /_security/user/maintenance_user (NONE)

```
PUT /_security/user/maintenance_user
{
  "username": "maintenance_user",
  "roles": [
    "maintenance_window_none"
  ],
  "full_name": "Main",
  "email": "Tenance",
  "metadata": {},
  "enabled": true
}
```
Each scenario worked as expected from within the Security App Rules Page when an active maintenance was configured. `all`/`read` privileges showed the maintenance callout, and `none` did not.

Also tested the API direct via `GET kbn:/internal/alerting/rules/maintenance_window/_active` in Dev tools, and `all`/`read` returned the window as expected, and `none` returned a `403 Forbidden`.
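The role-by-role test above, modelled offline as an added example (not code from the PR or from Kibana): it resolves the effective maintenance window level across a user's roles and derives the expected callout, edit and API results. The feature ID `maintenanceWindow`, the level-to-capability mapping and the trimmed sample roles are assumptions; the API statuses are the ones reported in the review.

```javascript
// Added example: offline model of the role-by-role test described above.
const APP = 'kibana-.kibana';
// Feature ID inferred from the privilege name feature_maintenanceWindow.* (assumption).
const FEATURE = 'maintenanceWindow';
const RANK = { none: 0, read: 1, all: 2 };

// Constructed sample roles, trimmed to the application block of the roles on the page.
const role = (level) => ({
  applications: [{
    application: APP,
    privileges: ['feature_siem.all', `feature_${FEATURE}.${level}`],
    resources: ['*'],
  }],
});
const ROLES = {
  maintenance_window_all: role('all'),
  maintenance_window_read: role('read'),
  maintenance_window_none: role('none'),
};

// Role privileges are additive: the user gets the highest level any role grants.
function effectiveLevel(roleNames, roles = ROLES) {
  let best = 'none';
  for (const name of roleNames) {
    const apps = (roles[name] && roles[name].applications) || [];
    for (const app of apps) {
      if (app.application !== APP) continue;
      for (const priv of app.privileges || []) {
        const m = /^feature_([^.]+)\.(.+)$/.exec(priv);
        if (!m || m[1] !== FEATURE) continue;
        // Anything other than all/read (including the ".none" entry) grants nothing.
        const level = Object.prototype.hasOwnProperty.call(RANK, m[2]) ? m[2] : 'none';
        if (RANK[level] > RANK[best]) best = level;
      }
    }
  }
  return best;
}

// Assumed mapping, not taken from Kibana source: read -> show, all -> show + save.
function capabilitiesFor(level) {
  return { [FEATURE]: { show: RANK[level] >= RANK.read, save: level === 'all' } };
}

// Same condition as the PR's isMaintenanceWindowDisabled, but a missing entry
// is treated as disabled instead of throwing.
function isMaintenanceWindowDisabled(capabilities) {
  const cap = (capabilities && capabilities[FEATURE]) || {};
  return !cap.show && !cap.save;
}

// Expected result per role set; API statuses are the ones reported in the review.
function expectedOutcome(roleNames) {
  const level = effectiveLevel(roleNames);
  const caps = capabilitiesFor(level);
  return {
    level,
    calloutVisible: !isMaintenanceWindowDisabled(caps),
    canEdit: caps[FEATURE].save,
    activeWindowsApiStatus: level === 'none' ? 403 : 200,
  };
}
```

With all three roles assigned the effective level is `all`, which is why the procedure removes the stronger roles one at a time to reach the `read` and `none` cases.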
@@ -54,6 +60,18 @@ describe('MaintenanceWindowCallout', () => { | |||
|
|||
appToastsMock = useAppToastsMock.create(); | |||
(useAppToasts as jest.Mock).mockReturnValue(appToastsMock); | |||
(useKibana as jest.Mock).mockReturnValue({ |
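Review bot: the `useKibana` mock added at `(useKibana as jest.Mock).mockReturnValue({` sits in the suite's shared setup next to the toasts mock, so every test in `describe('MaintenanceWindowCallout')` runs under the same capabilities unless it overrides them. For a change that gates the callout on privileges, add at least one case that overrides the mock with the capability flags set to false and asserts that the callout is not rendered, so the denied path is covered as well as the allowed one.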
nit: extract to mock so it can be imported ala the toasts mock above
let appToastsMock: jest.Mocked<ReturnType<typeof useAppToastsMock.create>>;
const { | ||
application: { capabilities }, | ||
} = useKibana().services; | ||
|
||
const isMaintenanceWindowDisabled = | ||
!capabilities[MAINTENANCE_WINDOW_FEATURE_ID].show && | ||
!capabilities[MAINTENANCE_WINDOW_FEATURE_ID].save; |
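Review bot: `capabilities[MAINTENANCE_WINDOW_FEATURE_ID]` is dereferenced without a guard in both operands of `isMaintenanceWindowDisabled`, so if the capabilities object has no entry for that feature ID the `.show` access throws instead of treating the feature as disabled. Read the entry once and use optional chaining, for example `!cap?.show && !cap?.save`, so a missing entry fails closed. Since the flag is derived client-side from `useKibana().services`, it controls rendering only and should not be the sole check on access.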
nit: encapsulate in `useFetchActiveMaintenanceWindows` as capabilities aren't needed elsewhere here and it keeps the hook self-contained
@XavierM I've looked through the changes and it LGTM. I also tested it locally and it works as expected 👍
I left only one nit comment.
LGTM, verified each role behaved as expected.
LGTM. I tested the read-only role, and the edit popover no longer shows up, I tested the no privilege role, and nothing shows up in the sidebar.
I just have 1 comment, up to you if we want to fix it here or somewhere else.
@@ -28,9 +28,14 @@ import { CenterJustifiedSpinner } from './components/center_justified_spinner'; | |||
import { ExperimentalBadge } from './components/page_header'; | |||
import { useLicense } from '../../hooks/use_license'; | |||
import { LicensePrompt } from './components/license_prompt'; | |||
import { MAINTENANCE_WINDOW_FEATURE_ID } from '../../../common'; | |||
|
|||
export const MaintenanceWindowsPage = React.memo(() => { |
I didn't catch this earlier, and it's a bit unrelated to privileges, but I think we should rename this file to `MaintenanceWindowsPage` instead of `index`, since it's not really an index file, same for the test.
will do that in follow up PR
💚 Build Succeeded
## Summary

We will have three scenarios with kibana privileges

### NONE

Kibana privileges form maintenance window:

`The expected result is to not see maintenance window at all`

### READ

Kibana privileges form maintenance window:

`The expected result is to only see the table with window maintenance and you can not edit them`

### ALL

Kibana privileges form maintenance window:

`The expected result is to be able to create/edit/etc on any maintenance windows`

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <[email protected]>

(cherry picked from commit 3c9da2c)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
# Backport

This will backport the following commits from `main` to `8.8`:

- [[RAM] Apply maintenance windows privilege to UI (#156191)](#156191)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Xavier Mouligneau <[email protected]>
## Summary

We will have three scenarios with kibana privileges

### NONE

Kibana privileges form maintenance window:

`The expected result is to not see maintenance window at all`

### READ

Kibana privileges form maintenance window:

`The expected result is to only see the table with window maintenance and you can not edit them`

### ALL

Kibana privileges form maintenance window:

`The expected result is to be able to create/edit/etc on any maintenance windows`

### Checklist

Delete any items that are not applicable to this PR.