-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege #90895
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Do we want to target 7.11.1 with this change too? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! thanks for the quick fix here :)
@dhurley14, just checked with a few folks on making plugin registration changes like this in a patch release and it was noted that there aren't versioned docs for patch releases and could make for some trouble in the difference in documentation between |
…ate rules and exceptions
@jmikell821, I don't think we currently call out the necessary Kibana Space Privileges in our docs? With this PR those will change (no longer needing |
Hi @spong here's what we say about Kibana Space privileges in the Security docs:
I'd like to make sure all the listed permissions are correct for 7.12 and that we don't have any missing. |
++, sounds good @jmikell821! We'll need to add details around the |
@elasticmachine merge upstream |
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
…urity feature privilege (elastic#90895) ## Summary Add's the list plugins Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege. Resolves elastic#90715 ### Test Instructions Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features. To add test users: t1_analyst (`"siem": ["read"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json ``` hunter (`"siem": ["all"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json ``` Note: Be sure to remove these users after testing if using a public cluster. ### Checklist Delete any items that are not applicable to this PR. - [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Backport result
|
…urity feature privilege (#90895) (#91075) ## Summary Add's the list plugins Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege. Resolves #90715 ### Test Instructions Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features. To add test users: t1_analyst (`"siem": ["read"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json ``` hunter (`"siem": ["all"]`): ``` bash cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json ``` Note: Be sure to remove these users after testing if using a public cluster. ### Checklist Delete any items that are not applicable to this PR. - [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Garrett Spong <[email protected]>
* master: (44 commits) [APM] Add experimental support for Data Streams (elastic#89650) [Search Session] Control "Kibana / Search Sessions" management section by privileges (elastic#90818) [Lens] Median as default function (elastic#90952) Implement custom global header banner (elastic#87438) [Fleet] Reduce permissions. (elastic#90302) Update dependency @elastic/charts to v24.5.1 (elastic#89822) [Create index pattern] Can't create single character index without wildcard (elastic#90919) [ts/build_ts_refs] add support for --clean flag (elastic#91060) Don't clean when running e2e tests (elastic#91057) Fixes track_total_hits in the body not having an effect when using search strategy (elastic#91068) [Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (elastic#90895) Removing the code plugin entirely for 8.0 (elastic#77940) chore(NA): move the instruction to remove yarn global bazelisk package into the first place on install bazel tools (elastic#91026) [jest/ci] remove max-old-space-size override to use 4gb default (elastic#91020) [Fleet] Restrict integration changes for managed policies (elastic#90675) [CI] Fix auto-backport condditions so that it doesn't trigger for other labels (elastic#91042) [DOCS] Uses variable to refer to query profiler (elastic#90976) [App Search] Relevance Tuning logic listeners (elastic#89461) [Metrics UI] Fix saving/loading saved views from URL (elastic#90216) Limit cardinality of transaction.name (elastic#90955) ...
Summary
Add's the list plugins Saved Objects (
exception-list
andexception-list-agnostic
) to theSecurity
feature privilege.Resolves #90715
Test Instructions
Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege
Security:All
have the ability to create/edit rules and exception lists (space-aware/agnostic). Users withSecurity:Read
should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted theSaved Objects Management
feature privilege, and this feature privilege should no longer be required to use any of the Detections features.To add test users:
t1_analyst (
"siem": ["read"]
):cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json
hunter (
"siem": ["all"]
):cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/ ./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json ./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json
Note: Be sure to remove these users after testing if using a public cluster.
Checklist
Delete any items that are not applicable to this PR.
docs
label added, will work with @jmikell821 on doc changes