Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Actions] System actions authorization #161341

Merged
merged 55 commits into from
Jul 20, 2023
Merged

[Actions] System actions authorization #161341

merged 55 commits into from
Jul 20, 2023

Conversation

cnasikas
Copy link
Member

@cnasikas cnasikas commented Jul 6, 2023
edited
Loading

Summary

This PR adds the ability for system actions to be able to define their own Kibana privileges that need to be authorized before execution.

Depends on: #160983

Checklist

Delete any items that are not applicable to this PR.

For maintainers

cnasikas and others added 30 commits June 28, 2023 10:51
@cnasikas
Add isSystemAction to ActionResult type and default it to false
1352e52
@cnasikas
Disallow registering system actions
09b82f6
@cnasikas
Add test
dc1a2c8
@cnasikas
Fix alerting types
bb7e9a5
@cnasikas
Fix integration tests
774b389
@cnasikas
Fix triggers_actions_ui types
83ee747
@cnasikas
Fix cases types
d2b8e67
@cnasikas
Fix cases tests
31f1f39
@cnasikas
Fix integration tests
85ca6a4
@cnasikas
Fix cases tests
b070bd9
@kibanamachine
Merge branch 'main' into system_actions_registration
a8e7143
@cnasikas
Fix types from other plugins
b50a3e0
@cnasikas
Merge branch 'system_actions_registration' of github.com:cnasikas/kib…
ee5df7b 
…ana into system_actions_registration
@cnasikas
Rename preconfiguredConnectors to inMemoryConnectors
1caf874
@cnasikas
Create system actions
2aabeed
@cnasikas
Prevent create/update/delete of system actions
3cf469a
@cnasikas
Fix types
8c1246c
@cnasikas
Merge branch 'main' into load_system_actions_in_memory
0d7aea1
@cnasikas
Fix types
52ef0e5
@cnasikas
Remove cases from basic
d763161
@cnasikas
Convert preconfigured to in-memory
5c3245e
@cnasikas
Merge branch 'main' into load_system_actions_in_memory
31bc750
@cnasikas
Get in-memory connectors after they have been created in the route co…
d35a7f9 
…ntext
@cnasikas
Register test system action in integration tests
34ee2ab
@cnasikas
Add integration tests
86b279c
@cnasikas
Fix i18n
57b4d3a
@cnasikas
Fix types
a162163
@cnasikas
Fix integration test
2ea3c9c
@cnasikas
Fixes
7362b97
@cnasikas
Merge branch 'main' into load_system_actions_in_memory
cbaeb1f
@cnasikas cnasikas marked this pull request as ready for review July 11, 2023 09:20
@cnasikas cnasikas requested a review from a team as a code owner July 11, 2023 09:20
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

cnasikas
cnasikas commented Jul 11, 2023
View reviewed changes
x-pack/plugins/actions/server/action_type_registry.ts Outdated
*/
public getSystemActionKibanaPrivileges(
actionTypeId: string,
metadata?: Record<string, unknown>
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See https://github.com/elastic/kibana/pull/161341/files#r1257471094

cnasikas
cnasikas commented Jul 11, 2023
View reviewed changes
x-pack/plugins/actions/server/actions_client.ts
@@ -730,7 +745,8 @@ export class ActionsClient {
(await getAuthorizationModeBySource(this.unsecuredSavedObjectsClient, source)) ===
AuthorizationMode.RBAC
) {
await this.authorization.ensureAuthorized('execute');
const additionalPrivileges = this.getSystemActionKibanaPrivileges(actionId, params);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Authorize system actions if needed.

cnasikas
cnasikas commented Jul 11, 2023
View reviewed changes
x-pack/plugins/actions/server/authorization/actions_authorization.ts
execute: (authorization) => [
authorization.actions.savedObject.get(ACTION_SAVED_OBJECT_TYPE, 'get'),
authorization.actions.savedObject.get(ACTION_TASK_PARAMS_SAVED_OBJECT_TYPE, 'create'),
],
list: (authorization) => authorization.actions.savedObject.get(ACTION_SAVED_OBJECT_TYPE, 'find'),
list: (authorization) => [
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Return only string[]

cnasikas
cnasikas commented Jul 11, 2023
View reviewed changes
x-pack/test/alerting_api_integration/security_and_spaces/scenarios.ts
kibana: [
{
feature: {
generalCases: ['all'],
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you want me to register a feature in x-pack/test/alerting_api_integration/common/plugins/actions_simulators/server/plugin.ts and use it instead of using Cases let me know.

@cnasikas cnasikas mentioned this pull request Jul 11, 2023
Merged
2 tasks
ymao1
ymao1 approved these changes Jul 19, 2023
View reviewed changes
Copy link
Contributor

@ymao1 ymao1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@cnasikas cnasikas enabled auto-merge (squash) July 20, 2023 09:16
@kibana-ci
Copy link
Collaborator

kibana-ci commented Jul 20, 2023
edited
Loading

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Serverless Observability Tests / serverless observability UI navigation active sidenav section is auto opened on load

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
actions 267 269 +2
Unknown metric groups

API count

id before after diff
actions 272 275 +3

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @cnasikas

@cnasikas cnasikas merged commit 2943fc9 into elastic:main Jul 20, 2023
@cnasikas cnasikas deleted the system_actions_rbac branch July 20, 2023 10:41
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Jul 20, 2023
cnasikas added a commit that referenced this pull request Jul 28, 2023
@cnasikas @kibanamachine
[Actions] System actions enhancements (#161340)
f8a1600 
## Summary

This PR:
- Handles the references for system actions in the rule
- Forbids the creation of system actions through the `kibana.yml`
- Adds telemetry for system actions
- Allow system action types to be disabled from the `kibana.yml`

Depends on: #160983,
#161341

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Kibana Machine <[email protected]>
@Dosant Dosant mentioned this pull request Jul 31, 2023
Closed
ThomThomson pushed a commit to ThomThomson/kibana that referenced this pull request Aug 1, 2023
@cnasikas @kibanamachine
[Actions] System actions authorization (elastic#161341)
fc71fba 
## Summary

This PR adds the ability for system actions to be able to define their
own Kibana privileges that need to be authorized before execution.

Depends on: elastic#160983

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Kibana Machine <[email protected]>
ThomThomson pushed a commit to ThomThomson/kibana that referenced this pull request Aug 1, 2023
@cnasikas @kibanamachine
[Actions] System actions enhancements (elastic#161340)
96fd477 
## Summary

This PR:
- Handles the references for system actions in the rule
- Forbids the creation of system actions through the `kibana.yml`
- Adds telemetry for system actions
- Allow system action types to be disabled from the `kibana.yml`

Depends on: elastic#160983,
elastic#161341

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Kibana Machine <[email protected]>
@cnasikas cnasikas mentioned this pull request Dec 1, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ymao1 ymao1 ymao1 approved these changes

Assignees

@cnasikas cnasikas

Labels
backport:skip This commit does not require backporting Feature:Actions/Framework Issues related to the Actions Framework Feature:Actions release_note:skip Skip the PR/issue when compiling release notes Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) v8.10.0
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cnasikas @elasticmachine @kibana-ci @ymao1 @kibanamachine