
[Serverless][Security Solution][Endpoint] Gate endpoint exceptions on rule details and API changes #165613

@ashokaditya ashokaditya commented Sep 4, 2023

What this PR changes

Follow up of /pull/164107/

For serverless ES/Kibana, it gates the exception list API for endpoint exceptions and restricts the Endpoint exceptions tab on the Endpoint Security rule details page based on the project's PLIs. If there are no endpoint PLIs, endpoint exceptions should not be accessible.

  • Add upselling to app/security/exceptions/details/endpoint_list page
  • Tests (WIP) - in a follow up PR

How to review

Best to follow along commits for a code review. Below are details to manually test the changes.

  • Setup for Serverless
    • Run yarn es serverless --kill --clean --license trial -E xpack.security.authc.api_key.enabled=true on a terminal window to start ES.
    • Copy config/serverless.security.yml to config/serverless.security.dev.yml
    • Run yarn serverless-security --no-base-path on another terminal window to start Kibana in serverless mode
    • Log in using serverless_security user.

Tests (Serverless)

This needs to be tested with a custom user/role and not elastic_serverless, which has the superuser role.

  1. PLI configs

{ product_line: 'security', product_tier: 'essentials' } or { product_line: 'security', product_tier: 'complete' }
and
{ product_line: 'endpoint', product_tier: 'essentials' } or { product_line: 'endpoint', product_tier: 'complete' }

  • UX

    1. Navigate to Rules via http://localhost:5601/app/security/rules/. Click on Add Elastic rules.
    2. Select and add Endpoint Security rule.
    3. Click Endpoint Security and navigate to the rule details page, and you should see the Endpoint exceptions tab. The tabs visible are Alerts, Endpoint exceptions, Rule exceptions, Execution results.
    4. Navigate to Rules>Shared Exception Lists > Endpoint Security Exception List via app/security/exceptions/details/endpoint_list and you should be able to see the page with any added endpoint exceptions.
  • API requests (with user serverless_security)

    1. should get a status 200 on POST api/exception_lists/items
    2. should get a status 200 on POST api/exception_lists/_export?id=endpoint_list&list_id=endpoint_list&namespace_type=agnostic&include_expired_exceptions=true
    3. should get a status 200 on PUT api/exception_lists/items
    4. should get a status 200 on DELETE api/exception_lists/items
    5. should get a status 200 on GET api/exception_lists/items/_find?list_id=endpoint_list&namespace_type=agnostic
  2. PLI configs

{ product_line: 'security', product_tier: 'essentials' } or { product_line: 'security', product_tier: 'complete' }

  • UX

    1. Navigate to Rules via http://localhost:5601/app/security/rules/. Click on Add Elastic rules.
    2. Select and add Endpoint Security rule.
    3. Click Endpoint Security and navigate to the rule details page, and you should not see the Endpoint exceptions tab. The only tabs visible are Alerts, Rule exceptions, Execution results.
      (Screenshot 2023-09-14 at 3:33:24 PM)
    4. Navigate to Rules>Shared Exception Lists > Endpoint Security Exception List via app/security/exceptions/details/endpoint_list and you should see an upsell message.
      (Screenshot 2023-09-14 at 3:29:14 PM)
  • API requests

    1. should get a status 403 on POST api/exception_lists/items
    2. should get a status 403 on POST api/exception_lists/_export?id=endpoint_list&list_id=endpoint_list&namespace_type=agnostic&include_expired_exceptions=true
    3. should get a status 403 on PUT api/exception_lists/items
    4. should get a status 403 on DELETE api/exception_lists/items
    5. should get a status 403 on GET api/exception_lists/items/_find?list_id=endpoint_list&namespace_type=agnostic

Flaky FTRs
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/3248
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/3255

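To make the gating rule in the test plan above concrete, here is an added TypeScript model of the check (example code, not Kibana's own implementation). It assumes a ProductType[] config in the shape shown under "PLI configs", an ApiRequest type whose listId has already been resolved from the query string or the item body, and numeric 200/403 results matching the plan.

```typescript
// Added example, not Kibana's code: models the PLI gating this PR describes.
// Assumed: config shape as in the PR description, an ApiRequest type carrying
// the list_id (pre-resolved from query or body), HTTP status as a number.

export interface ProductType {
  product_line: 'security' | 'endpoint';
  product_tier: 'essentials' | 'complete';
}

export interface ApiRequest {
  method: 'GET' | 'POST' | 'PUT' | 'DELETE';
  path: string;    // e.g. 'api/exception_lists/items'
  listId?: string; // list the request touches; for item PUT/DELETE the server
                   // must look this up from the item before the check runs
}

export const ENDPOINT_LIST_ID = 'endpoint_list';

// Endpoint exceptions are available only when an endpoint product line is
// configured; the tier (essentials/complete) does not change this check.
export function hasEndpointExceptionsAccess(productTypes: ProductType[]): boolean {
  return productTypes.some((p) => p.product_line === 'endpoint');
}

// Tabs rendered on the Endpoint Security rule details page.
export function ruleDetailsTabs(productTypes: ProductType[]): string[] {
  const tabs = ['Alerts'];
  if (hasEndpointExceptionsAccess(productTypes)) tabs.push('Endpoint exceptions');
  tabs.push('Rule exceptions', 'Execution results');
  return tabs;
}

// Server-side gate: hiding the tab is not a control on its own, so the
// exception list API must refuse endpoint_list operations when the PLI is
// absent. Returns 403 for gated requests and 200 otherwise; other lists and
// other routes are unaffected (routing itself is out of scope here).
export function gateExceptionListRequest(req: ApiRequest, productTypes: ProductType[]): 200 | 403 {
  const isExceptionListRoute = req.path.startsWith('api/exception_lists/');
  const touchesEndpointList = req.listId === ENDPOINT_LIST_ID;
  if (isExceptionListRoute && touchesEndpointList && !hasEndpointExceptionsAccess(productTypes)) {
    return 403;
  }
  return 200;
}

// Constructed sample: the five requests from the PR's manual test plan.
export const SAMPLE_REQUESTS: ApiRequest[] = [
  { method: 'POST', path: 'api/exception_lists/items', listId: ENDPOINT_LIST_ID },
  { method: 'POST', path: 'api/exception_lists/_export', listId: ENDPOINT_LIST_ID },
  { method: 'PUT', path: 'api/exception_lists/items', listId: ENDPOINT_LIST_ID },
  { method: 'DELETE', path: 'api/exception_lists/items', listId: ENDPOINT_LIST_ID },
  { method: 'GET', path: 'api/exception_lists/items/_find', listId: ENDPOINT_LIST_ID },
];

// Run the whole plan against one config and return the status per request.
export function runTestPlan(productTypes: ProductType[]): number[] {
  return SAMPLE_REQUESTS.map((req) => gateExceptionListRequest(req, productTypes));
}
```

With both product lines configured every request in the plan returns 200; with only the security line every request returns 403, while a request for a non-endpoint list still returns 200.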

@ashokaditya ashokaditya self-assigned this Sep 4, 2023
@ashokaditya ashokaditya added v8.11.0 release_note:enhancement Team:Defend Workflows “EDR Workflows” sub-team of Security Solution OLM Sprint labels Sep 4, 2023
@ashokaditya ashokaditya force-pushed the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch from 68c2808 to 126ce01 September 5, 2023 09:07
@ashokaditya (Member, Author) commented:

@elasticmachine merge upstream

@ashokaditya ashokaditya force-pushed the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch from 898cfa4 to 088c76a September 12, 2023 13:18
@ashokaditya ashokaditya force-pushed the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch from 62b6bd7 to fa1e8eb September 13, 2023 09:16
@ashokaditya ashokaditya force-pushed the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch from f6c7f36 to c03a8ed September 14, 2023 09:58
@ashokaditya ashokaditya force-pushed the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch from 37b70bf to bc87d99 September 14, 2023 12:21
@banderror (Contributor) left a comment:

Hey @ashokaditya, thank you for implementing these PLI checks. From the Rule Management side, we don't really own the exceptions functionality, so I was primarily looking into the diff and overall code of the Rule Details page. I have a few suggestions for relatively simple refactoring that could improve code ownership for endpoint exceptions.

I will do some basic testing based on the PR description, thank you for providing these instructions.

@banderror (Contributor) commented:

I did some testing of the changes on the Rule Details page and it LGTM 👍

@ashokaditya I wasn't able to run Serverless Kibana using the provided instructions in the description. That's probably my lack of knowledge of how to run Kibana in Serverless. I had to comment out everything in kibana.dev.yml and log in as elastic_serverless. How do we log in as serverless_security?

The Endpoint exceptions tab on the Rule Details page worked fine with the following config:

xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'complete' },
    # { product_line: 'endpoint', product_tier: 'complete' },
  ]

I was able to open this "tab" using its direct URL, but it showed that I should upgrade to Endpoint Essentials. The tab itself was hidden 👍

(Screenshot 2023-09-29 at 19:53:28)

Nit: the UI is slightly different for the endpoint list page

(Screenshot 2023-09-29 at 19:55:06)

review suggestions @banderror
@ashokaditya (Member, Author) commented:

Thanks for the review @banderror. I've managed to refactor as you suggested. Here are some thoughts on testing locally.

> I did some testing of the changes on the Rule Details page and it LGTM 👍
>
> @ashokaditya I wasn't able to run Serverless Kibana using the provided instructions in the description. That's probably my lack of knowledge of how to run Kibana in Serverless. I had to comment out everything in kibana.dev.yml and log in as elastic_serverless. How do we log in as serverless_security?

You tested it the correct way @banderror. elastic_serverless is actually a superuser, so one needs to test APIs with a custom user/role (which is still being worked on by the core team to allow devs to do this easily).

For now, I'm testing this locally by

  1. Running ES snapshot/ESS Kibana,
  2. Adding the Endpoint Security rule,
  3. Adding some endpoint exceptions using the exception_list API with elastic:changeme,
  4. Creating roles/users using APIs (PUT api/security/role/:rolename, POST /internal/security/users/:username) and then, while the ES snapshot is running,
  5. Switching to serverless Kibana with yarn serverless-security --no-base-path and then logging in with the created custom user (with the custom role).

Note: To be able to do the above switch one also needs to comment out this block

I know this is tedious for manual testing, but it works reliably for now. Feel free to try it out if you like.

> The Endpoint exceptions tab on the Rule Details page worked fine with the following config:
>
> xpack.securitySolutionServerless.productTypes:
>   [
>     { product_line: 'security', product_tier: 'complete' },
>     # { product_line: 'endpoint', product_tier: 'complete' },
>   ]

Superb 👍🏼.

> I was able to open this "tab" using its direct URL, but it showed that I should upgrade to Endpoint Essentials. The tab itself was hidden 👍

Excellent. This is expected.

> Nit: the UI is slightly different for the endpoint list page

Quite right! We will update this later along with the text info. These changes only affect the serverless UX anyway.

@ashokaditya ashokaditya requested a review from banderror October 2, 2023 06:55
@banderror (Contributor) left a comment:


Thank you for addressing my comments @ashokaditya, LGTM 👍

@ashokaditya ashokaditya enabled auto-merge (squash) October 2, 2023 09:30
@ashokaditya ashokaditya disabled auto-merge October 2, 2023 09:31
@kibana-ci (Collaborator) commented:

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
securitySolution 4604 4607 +3
securitySolutionServerless 436 438 +2
total +5

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
fleet 1082 1083 +1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.0MB 13.0MB +2.3KB
securitySolutionServerless 290.0KB 304.7KB +14.7KB
total +16.9KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
fleet 41 42 +1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
fleet 146.3KB 146.7KB +451.0B
securitySolutionServerless 42.1KB 42.5KB +410.0B
total +861.0B
Unknown metric groups

API count

id before after diff
fleet 1200 1201 +1

async chunk count

id before after diff
securitySolutionServerless 45 47 +2

ESLint disabled line counts

id before after diff
securitySolutionServerless 39 40 +1

Total ESLint disabled count

id before after diff
securitySolutionServerless 39 40 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ashokaditya

@ashokaditya ashokaditya merged commit a8de031 into elastic:main Oct 2, 2023
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Oct 2, 2023
@ashokaditya ashokaditya deleted the task/dw-gate-endpoint-exceptions-via-serverless-pli-7223 branch October 2, 2023 13:52
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Nov 22, 2023
…k to check access to`.lists-*` (elastic#171412)

## Summary

Instead of using `useListsConfig` this PR uses `useListPrivileges` to
verify access to `.lists-*` index pattern.

follow up of elastic/pull/165613
related elastic/pull/170671 (closed in favour of this)
fixes elastic/issues/169268

### Checklist

- [ ] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <[email protected]>
(cherry picked from commit 8c3322e)
rshen91 pushed a commit to rshen91/kibana that referenced this pull request Nov 22, 2023
…k to check access to`.lists-*` (elastic#171412)
janmonschke pushed a commit to janmonschke/kibana that referenced this pull request Nov 23, 2023
…to check access to`.lists-*` for endpoint exceptions access (elastic#171412) (elastic#171794)

# Backport

This will backport the following commits from `main` to `8.11`:
- [[Serverless][Security Solution][Endpoint] Remove use of hooks to
check access to`.lists-*` for endpoint exceptions access
(elastic#171412)](elastic#171412)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Ash <[email protected]>
Labels
backport:skip This commit does not require backporting OLM Sprint release_note:enhancement Team:Defend Workflows “EDR Workflows” sub-team of Security Solution Team:Fleet Team label for Observability Data Collection Fleet team v8.11.0