[ML] Adding capabilities checks to shared functions #70069

Member

@jgowdyelastic jgowdyelastic commented Jun 26, 2020

Adds capabilities checks to all shared ML functions.
Checks are the same as the kibana endpoint equivalents. e.g.
/api/ml/results/anomalies_table_data and getAnomaliesTableData both require canGetJobs.
All plugins calling our shared functions now need to supply a request object.

Note, due to limitations in alerting, the functions called by SIEM (jobsSummary and mlAnomalySearch) currently have their capabilities checks disabled.
Once alerting can supply a real request object, these checks can be reinstated.

Functional tests will be added in a follow up PR.

Note, also includes some small refactoring to replace ILegacyScopedClusterClient with LegacyAPICaller

@jgowdyelastic
Member Author

@elasticmachine merge upstream

@jgowdyelastic jgowdyelastic self-assigned this Jun 29, 2020
@jgowdyelastic jgowdyelastic added the :ml, apm:test-plan-7.8.0, Feature:Security/Spaces, non-issue, release_note:skip, review, v7.9.0 and v7.8.0 labels and removed the apm:test-plan-7.8.0 label Jun 29, 2020
@jgowdyelastic jgowdyelastic marked this pull request as ready for review June 29, 2020 13:33
@jgowdyelastic jgowdyelastic requested review from a team as code owners June 29, 2020 13:33
@elasticmachine
Contributor

Pinging @elastic/ml-ui (:ml)

@botelastic botelastic bot added the Team:APM label Jun 29, 2020
@elasticmachine
Contributor

Pinging @elastic/apm-ui (Team:apm)

@jgowdyelastic jgowdyelastic force-pushed the adding-capabilities-checks-to-shared-functions branch from 9ab59b5 to 41b1d6e Compare June 30, 2020 10:36
Contributor

@smith smith left a comment

APM changes look good.

@jgowdyelastic jgowdyelastic requested a review from rylnd June 30, 2020 20:39
Contributor

@rylnd rylnd left a comment

Security Solution changes LGTM; I was able to generate signals from anomalies via an ML Detections rule.

Contributor

@walterra walterra left a comment

Looks good overall, just added a question about await without try/catch blocks and types.

export type HasMlCapabilities = (capabilities: MlCapabilitiesKey[]) => void;

export function hasMlCapabilitiesProvider(resolveMlCapabilities: ResolveMlCapabilities) {
return (request: KibanaRequest) => {
Contributor

Is there a way you could make use of the HasMlCapabilities type to enforce it? Looking at the code like this I'm unsure why the type HasMlCapabilities is a function without async and the return function in the provider uses async.

Member Author

HasMlCapabilities should really return Promise<void> here. I'll update it.
I'll also add HasMlCapabilities as the return type of this returned function to make it more explicit.

Member

@weltenwort weltenwort left a comment

Seems to work for the infra plugin where the checks are not disabled. 👍

}

if (capabilities.every((c) => mlCapabilities![c] === true) === false) {
throw Error('Insufficient privileges to access feature');
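
Review bot: The every() call on the capabilities array is vacuously true when that array is empty, so a caller that passes [] gets past this check without holding any ML capability. Reject an empty list explicitly before the every() call so the check fails closed. The trailing "=== false" comparison would also read more clearly as a leading negation on the every() expression.
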
Member

I was wondering if we could use a custom Error subclass here to enable the routes to translate it into a 403 instead of 500 error. 🤔

We're doing something like that in the infra plugin here:

export class NoLogAnalysisMlJobError extends Error {
  constructor(message?: string) {
    super(message);
    Object.setPrototypeOf(this, new.target.prototype);
  }
}

Alternatively, a custom marker attribute on the Error subclass could also be used for identification.

What do you think?

Member Author

yes, I like this idea.
added in fbac69f

Member

awesome, thank you ❤️
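
The custom-error approach discussed in this review thread, as an added example that is not the code merged in this PR: a capability check throws a marker Error subclass, and a route wrapper maps that error to 403 while every other failure stays 500. InsufficientCapabilitiesError, assertCapabilities, handleRoute and the sample capability map are hypothetical names, and the capabilities are assumed to be already resolved for the request.

```typescript
// Added example, not the PR's code. All names below are hypothetical.
type MlCapabilityMap = Record<string, boolean>;

// Marker subclass: lets a route tell "denied" apart from "something broke".
class InsufficientCapabilitiesError extends Error {
  constructor(message?: string) {
    super(message);
    // Restore the prototype chain so instanceof still works on ES5 targets.
    Object.setPrototypeOf(this, new.target.prototype);
    this.name = 'InsufficientCapabilitiesError';
  }
}

// Throws unless every required capability is explicitly true. Fails closed:
// an unresolved map or an empty requirement list is denied, because
// [].every(...) is vacuously true and would otherwise let the call through.
function assertCapabilities(resolved: MlCapabilityMap | undefined, required: string[]): void {
  const granted: MlCapabilityMap = resolved ?? {};
  if (required.length === 0 || !required.every((c) => granted[c] === true)) {
    throw new InsufficientCapabilitiesError('Insufficient privileges to access feature');
  }
}

interface RouteResult {
  statusCode: number;
  body: unknown;
}

// Route-side wrapper: a failed check becomes 403, any other failure stays 500.
function handleRoute(
  resolved: MlCapabilityMap | undefined,
  required: string[],
  work: () => unknown
): RouteResult {
  try {
    assertCapabilities(resolved, required);
    return { statusCode: 200, body: work() };
  } catch (e) {
    if (e instanceof InsufficientCapabilitiesError) {
      return { statusCode: 403, body: { message: e.message } };
    }
    return { statusCode: 500, body: { message: 'Internal server error' } };
  }
}

// Constructed sample: a read-only user calling a function that needs more.
const viewer: MlCapabilityMap = { canGetJobs: true, canCreateJob: false };
console.log(handleRoute(viewer, ['canGetJobs', 'canCreateJob'], () => 'created'));
```

The 500 branch returns a fixed message rather than the caught error's text, so internal failure details are not echoed to the caller.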

@jgowdyelastic
Member Author

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Build metrics

✅ unchanged

Contributor

@darnautov darnautov left a comment

LGTM

@jgowdyelastic jgowdyelastic merged commit eafd2af into elastic:master Jul 1, 2020
@jgowdyelastic jgowdyelastic deleted the adding-capabilities-checks-to-shared-functions branch July 1, 2020 16:45
jgowdyelastic added a commit to jgowdyelastic/kibana that referenced this pull request Jul 1, 2020
* [ML] Adding capabilities checks to shared functions

* small refactor

* disabling capabilities checks for functions called by SIEM alerting

* testing git

* removing comment

* using constant for ml app id

* tiny type clean up

* removing check in ml_capabilities

* fixing types

* removing capabilities checks from ml_capabilities endpoint

* updating types

* better error handling

* improving capabilities check

* adding custom errors

Co-authored-by: Elastic Machine <[email protected]>
jgowdyelastic added a commit that referenced this pull request Jul 1, 2020