
[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege #90895

Merged
merged 5 commits into from
Feb 11, 2021

Conversation

spong
Member

@spong spong commented Feb 10, 2021

Summary

Adds the list plugin's Saved Objects (exception-list and exception-list-agnostic) to the Security feature privilege.

Resolves #90715

Test Instructions

Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege Security:All have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with Security:Read should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the Saved Objects Management feature privilege, and this feature privilege should no longer be required to use any of the Detections features.

To add test users:

t1_analyst ("siem": ["read"]):

``` bash
cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json
```

hunter ("siem": ["all"]):

``` bash
cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json
```

Note: Be sure to remove these users after testing if using a public cluster.
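The privilege change this PR describes, as an added example that is not Kibana's own registration code: a simplified model of a feature's `savedObject.all` / `savedObject.read` grants per privilege level, plus a resolver that answers whether a role may perform a given action on a saved-object type. It shows why a role with only `Security:All` could not write exception lists when those types were not declared under the Security feature, and why, once they are, `Security:Read` (t1_analyst) gets read-only access while `Security:All` (hunter) gets write access without any Saved Objects Management grant. The feature descriptors, the `alert`/`config` type names, the `savedObjectsManagement` stand-in and the role shapes are constructed for illustration; only `siem`, `exception-list` and `exception-list-agnostic` come from the PR.

```typescript
// Added example, not Kibana's registration API: a minimal model of the
// per-privilege-level saved-object grants a Kibana feature declares, and a
// resolver over them. Everything below is constructed for illustration.

type SoAction = "create" | "update" | "delete" | "get" | "find";
type PrivilegeLevel = "all" | "read";

interface SavedObjectGrants {
  all: string[];  // saved-object types this level may read and write
  read: string[]; // saved-object types this level may only read
}

interface KibanaFeature {
  id: string;
  privileges: Record<PrivilegeLevel, SavedObjectGrants>;
}

// A role maps feature ids to the privilege levels it holds, mirroring the
// "siem": ["read"] / "siem": ["all"] shapes of the PR's test roles.
type RoleKibanaPrivileges = Record<string, PrivilegeLevel[]>;

const WRITE_ACTIONS: ReadonlySet<SoAction> = new Set<SoAction>(["create", "update", "delete"]);

// Constructed descriptor for the Security (siem) feature *before* the PR:
// the exception-list types are not declared at all, so no level of the
// Security privilege can satisfy a write to them.
const securityFeatureBefore: KibanaFeature = {
  id: "siem",
  privileges: {
    all: { all: ["alert"], read: ["config"] },
    read: { all: [], read: ["alert", "config"] },
  },
};

// Constructed descriptor *after* the PR: exception-list and
// exception-list-agnostic are writable under Security:All and readable
// under Security:Read.
const securityFeatureAfter: KibanaFeature = {
  id: "siem",
  privileges: {
    all: { all: ["alert", "exception-list", "exception-list-agnostic"], read: ["config"] },
    read: { all: [], read: ["alert", "config", "exception-list", "exception-list-agnostic"] },
  },
};

// Stand-in (constructed) for a Saved Objects Management style feature that
// grants write access to every type; only used to show it is no longer the
// thing a detections user has to be given.
const savedObjectsManagementFeature: KibanaFeature = {
  id: "savedObjectsManagement",
  privileges: {
    all: { all: ["alert", "config", "exception-list", "exception-list-agnostic"], read: [] },
    read: { all: [], read: ["alert", "config", "exception-list", "exception-list-agnostic"] },
  },
};

// Does any feature privilege held by the role cover this action on this type?
function canPerform(
  features: KibanaFeature[],
  role: RoleKibanaPrivileges,
  action: SoAction,
  soType: string,
): boolean {
  for (const feature of features) {
    for (const level of role[feature.id] ?? []) {
      const grants = feature.privileges[level];
      if (grants.all.includes(soType)) return true; // full access covers every action
      if (!WRITE_ACTIONS.has(action) && grants.read.includes(soType)) return true;
    }
  }
  return false;
}

const t1Analyst: RoleKibanaPrivileges = { siem: ["read"] };
const hunter: RoleKibanaPrivileges = { siem: ["all"] };

// The PR's test expectations, evaluated against a given feature set.
function leastPrivilegeReport(features: KibanaFeature[]) {
  return {
    hunterCanCreate: canPerform(features, hunter, "create", "exception-list"),
    analystCanCreate: canPerform(features, t1Analyst, "create", "exception-list-agnostic"),
    analystCanRead: canPerform(features, t1Analyst, "find", "exception-list"),
  };
}

console.log("before PR (Security only):", leastPrivilegeReport([securityFeatureBefore]));
console.log("after PR (Security only): ", leastPrivilegeReport([securityFeatureAfter]));
```

Running it shows that with the pre-PR descriptor the hunter role cannot create an exception list unless it is also granted the management feature, while with the post-PR descriptor `Security:All` alone is sufficient and `Security:Read` stays read-only.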

Checklist

Delete any items that are not applicable to this PR.

@spong spong added bug Fixes for quality problems that affect the customer experience v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine v7.12.0 Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Exceptions Security Solution Detection Rule Exceptions area labels Feb 10, 2021
@spong spong requested a review from a team February 10, 2021 00:44
@spong spong self-assigned this Feb 10, 2021
@spong spong requested a review from a team as a code owner February 10, 2021 00:44
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@spong spong added the release_note:skip Skip the PR/issue when compiling release notes label Feb 10, 2021
@dhurley14
Contributor

Do we want to target 7.11.1 with this change too?

@spong spong added the v7.11.1 label Feb 10, 2021
Contributor

@dhurley14 dhurley14 left a comment


LGTM! thanks for the quick fix here :)

@spong
Member Author

spong commented Feb 10, 2021

Do we want to target 7.11.1 with this change too?

@dhurley14, just checked with a few folks on making plugin registration changes like this in a patch release and it was noted that there aren't versioned docs for patch releases and could make for some trouble in the difference in documentation between 7.11.0/7.11.1. So going to just target 7.12, and we can update the documentation for that release going forward.

@spong spong removed the v7.11.1 label Feb 10, 2021
@spong
Member Author

spong commented Feb 10, 2021

@jmikell821, I don't think we currently call out the necessary Kibana Space Privileges in our docs? With this PR those will change (no longer needing Saved Objects Management). Perhaps we can have a section in the detections pre-req docs that details the different permutations used within the Security app? Happy to sync on getting those together, just ping me 🙂.

@spong spong added docs auto-backport Deprecated - use backport:version if exact versions are needed labels Feb 10, 2021
@spong spong enabled auto-merge (squash) February 10, 2021 21:26
@jmikell821
Contributor

@jmikell821, I don't think we currently call out the necessary Kibana Space Privileges in our docs? With this PR those will change (no longer needing Saved Objects Management). Perhaps we can have a section in the detections pre-req docs that details the different permutations used within the Security app? Happy to sync on getting those together, just ping me 🙂.

Hi @spong here's what we say about Kibana Space privileges in the Security docs:

To use Elastic Security, you must have at least:
Read privilege for the Security feature in the Kibana space (see Spaces).
Read and view_index_metadata privileges for all Elastic Security indices, such as filebeat-, packetbeat-, logs-, and endgame- indices.

I'd like to make sure all the listed permissions are correct for 7.12 and that we don't have any missing.

@spong
Member Author

spong commented Feb 10, 2021

Hi @spong here's what we say about Kibana Space privileges in the Security docs:

To use Elastic Security, you must have at least:
Read privilege for the Security feature in the Kibana space (see Spaces).
Read and view_index_metadata privileges for all Elastic Security indices, such as filebeat-, packetbeat-, logs-, and endgame- indices.

I'd like to make sure all the listed permissions are correct for 7.12 and that we don't have any missing.

++, sounds good @jmikell821! We'll need to add details around the Actions and Connectors and Stack Alerts feature privileges to round out our documentation (asking for more information on the intricacies between the two from the alerting team now :).

@spong
Member Author

spong commented Feb 11, 2021

@elasticmachine merge upstream

@spong
Member Author

spong commented Feb 11, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@spong spong merged commit b11b8b8 into elastic:master Feb 11, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Feb 11, 2021
…urity feature privilege (elastic#90895)

## Summary

Adds the list plugin's Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege.

Resolves elastic#90715

### Test Instructions
Load pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features.

To add test users:

t1_analyst (`"siem": ["read"]`):
``` bash
cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json
```

hunter (`"siem": ["all"]`):
``` bash
cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/
./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json
./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json
```

Note: Be sure to remove these users after testing if using a public cluster.

### Checklist

Delete any items that are not applicable to this PR.

- [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
@kibanamachine
Contributor

Backport result

{"level":"info","message":"POST https://api.github.com/graphql (status: 200)"}
{"level":"info","message":"POST https://api.github.com/graphql (status: 200)"}
{"meta":{"labels":["Feature:Detection Rules","Feature:Rule Exceptions","Team: SecuritySolution","Team:Detections and Resp","auto-backport","bug","docs","release_note:skip","v7.12.0","v8.0.0"],"branchLabelMapping":{"^v8.0.0$":"master","^v7.12.0$":"7.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"},"existingTargetPullRequests":[]},"level":"info","message":"Inputs when calculating target branches:"}
{"meta":["7.x"],"level":"info","message":"Target branches inferred from labels:"}
{"meta":{"killed":false,"code":2,"signal":null,"cmd":"git remote rm kibanamachine","stdout":"","stderr":"error: No such remote: 'kibanamachine'\n"},"level":"info","message":"exec error 'git remote rm kibanamachine':"}
{"meta":{"killed":false,"code":2,"signal":null,"cmd":"git remote rm elastic","stdout":"","stderr":"error: No such remote: 'elastic'\n"},"level":"info","message":"exec error 'git remote rm elastic':"}
{"level":"info","message":"Backporting [{\"sourceBranch\":\"master\",\"targetBranchesFromLabels\":[\"7.x\"],\"sha\":\"b11b8b8c9b69bc0bb2c54f388d7bbae0737c297b\",\"formattedMessage\":\"[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\",\"originalMessage\":\"[Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\\n\\n## Summary\\r\\n\\r\\nAdd's the list plugins Saved Objects (`exception-list` and `exception-list-agnostic`) to the `Security` feature privilege.\\r\\n\\r\\nResolves https://github.com/elastic/kibana/issues/90715\\r\\n\\r\\n### Test Instructions\\r\\nLoad pre-packaged roles/users, and ensure only those with the Kibana Space privilege `Security:All` have the ability to create/edit rules and exception lists (space-aware/agnostic). Users with `Security:Read` should only be able to view rules/exception lists. Pre-packaged security roles should no longer be granted the `Saved Objects Management` feature privilege, and this feature privilege should no longer be required to use any of the Detections features.\\r\\n\\r\\nTo add test users:\\r\\n\\r\\nt1_analyst (`\\\"siem\\\": [\\\"read\\\"]`):\\r\\n``` bash\\r\\ncd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/\\r\\n./roles_users/t1_analyst/post_detections_role.sh roles_users/t1_analyst/detections_role.json\\r\\n./roles_users/t1_analyst/post_detections_user.sh roles_users/t1_analyst/detections_user.json\\r\\n```\\r\\n\\r\\nhunter (`\\\"siem\\\": [\\\"all\\\"]`):\\r\\n``` bash\\r\\ncd x-pack/plugins/security_solution/server/lib/detection_engine/scripts/\\r\\n./roles_users/t1_analyst/post_detections_role.sh roles_users/hunter/detections_role.json\\r\\n./roles_users/t1_analyst/post_detections_user.sh roles_users/hunter/detections_user.json\\r\\n```\\r\\n\\r\\nNote: Be sure to remove these users after testing if using a public cluster.\\r\\n\\r\\n### Checklist\\r\\n\\r\\nDelete any items that are not applicable to this PR.\\r\\n\\r\\n- [X] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials -- `docs` label added, will work with @jmikell821 on doc changes\\r\\n- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios\",\"pullNumber\":90895,\"existingTargetPullRequests\":[]}] to 7.x"}

Backporting to 7.x:
{"level":"info","message":"Backporting via filesystem"}
{"level":"info","message":"Creating PR with title: \"[7.x] [Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (#90895)\". kibanamachine:backport/7.x/pr-90895 -> 7.x"}
{"level":"info","message":"POST /repos/elastic/kibana/pulls - 201 in 1133ms"}
{"level":"info","message":"Adding assignees to #91075: spong"}
{"level":"info","message":"POST /repos/elastic/kibana/issues/91075/assignees - 201 in 504ms"}
{"level":"info","message":"Adding labels: backport"}
{"level":"info","message":"POST /repos/elastic/kibana/issues/91075/labels - 200 in 382ms"}
View pull request: https://github.com/elastic/kibana/pull/91075

spong added a commit that referenced this pull request Feb 11, 2021
…urity feature privilege (#90895) (#91075)

Co-authored-by: Garrett Spong <[email protected]>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 11, 2021
* master: (44 commits)
  [APM] Add experimental support for Data Streams (elastic#89650)
  [Search Session] Control "Kibana / Search Sessions" management section by privileges (elastic#90818)
  [Lens] Median as default function (elastic#90952)
  Implement custom global header banner (elastic#87438)
  [Fleet] Reduce permissions. (elastic#90302)
  Update dependency @elastic/charts to v24.5.1 (elastic#89822)
  [Create index pattern] Can't create single character index without wildcard (elastic#90919)
  [ts/build_ts_refs] add support for --clean flag (elastic#91060)
  Don't clean when running e2e tests (elastic#91057)
  Fixes track_total_hits in the body not having an effect when using search strategy (elastic#91068)
  [Security Solution][Detections] Adds list plugin Saved Objects to Security feature privilege (elastic#90895)
  Removing the code plugin entirely for 8.0 (elastic#77940)
  chore(NA): move the instruction to remove yarn global bazelisk package into the first place on install bazel tools (elastic#91026)
  [jest/ci] remove max-old-space-size override to use 4gb default (elastic#91020)
  [Fleet] Restrict integration changes for managed policies (elastic#90675)
  [CI] Fix auto-backport condditions so that it doesn't trigger for other labels (elastic#91042)
  [DOCS] Uses variable to refer to query profiler (elastic#90976)
  [App Search] Relevance Tuning logic listeners (elastic#89461)
  [Metrics UI] Fix saving/loading saved views from URL (elastic#90216)
  Limit cardinality of transaction.name (elastic#90955)
  ...
@spong spong deleted the add-list-so-feature-privilege branch February 11, 2021 23:39
Successfully merging this pull request may close these issues.

[Security Solution][Detections] Saved Objects Management privilege unnecessarily required to create rule