-
Notifications
You must be signed in to change notification settings - Fork 25k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Granting kibana_system reserved role access to "all" privileges to .alerts* and .siem-signals* index #72181
Granting kibana_system reserved role access to "all" privileges to .alerts* and .siem-signals* index #72181
Conversation
Pinging @elastic/es-security (Team:Security) |
@@ -37,6 +37,8 @@ | |||
import java.util.stream.Collectors; | |||
|
|||
public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> { | |||
public static final String LEGACY_ALERTS_INDEX = ".siem-signals*"; | |||
public static final String ALERTS_INDEX = ".alerts*"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The write target for the rule registry currently is prefixed with .kibana, or rather .${kibana.index}
. This is needed to support legacy multi-tenancy. If we don't do this, we'll run into weird things where rules or other saved objects are stored in different Kibana instances but end up writing to the same Elasticsearch index, which could lead to conflicts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or not being able to find the rule from an alert because it is in a different space. However, that is probably also an issue with cross-cluster search, or with deleted rules even, so maybe making the index configurable and dealing with missing rules in code/UX would be acceptable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay so we really only need to have the change for .siem-signals
since .kibana.{alerts}
will be covered by the kibana system user's role privileges for the index pattern .kibana*
correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we decide to use the internal user, yes, but I think that we are not sure of that yet (unfortunately). If we don't, it would be up to the user to bootstrap the needed templates/indices/alias though we can think of ways to do that for them, eg by using Fleet or something clever with require_alias when bulk indexing.
1a9c353
to
d676a8a
Compare
d676a8a
to
c44e163
Compare
c44e163
to
bad1737
Compare
@@ -37,6 +37,10 @@ | |||
import java.util.stream.Collectors; | |||
|
|||
public class ReservedRolesStore implements BiConsumer<Set<String>, ActionListener<RoleRetrievalResult>> { | |||
public static final String LEGACY_ALERTS_INDEX = ".siem-signals*"; | |||
public static final String LEGACY_ALERTS_INDEX_CCS = "*:.siem-signals*"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had trouble determining if the additional CCS index pattern is necessary considering all
privileges for .siem-signals
and .alerts
grants CCS privileges. Looking for feedback here from people in-the-know.
public static final String LEGACY_ALERTS_INDEX = ".siem-signals*"; | ||
public static final String LEGACY_ALERTS_INDEX_CCS = "*:.siem-signals*"; | ||
public static final String ALERTS_INDEX = ".alerts*"; | ||
public static final String ALERTS_INDEX_CCS = "*:.alerts*"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The CCS patterns here and above don't work with our authz model for CCS.
TLDR: You shouldn't specify CCS patterns.
When the kibana_system
reaches cross cluster, it is the remote cluster that performs the authorization there.
So, if on the local cluster node, the kibana user issues a search request for remote_cluster:.alerts_tenant1
, that's automatically authorized locally, but the receiving remote node, part of remote_cluster
, performs authorization using the local role definition.
ReservedRolesStore.LEGACY_ALERTS_INDEX, | ||
ReservedRolesStore.ALERTS_INDEX, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ReservedRolesStore.LEGACY_ALERTS_INDEX, | |
ReservedRolesStore.ALERTS_INDEX, | |
ReservedRolesStore.LEGACY_ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)), | |
ReservedRolesStore.ALERTS_INDEX + randomAlphaOfLength(randomIntBetween(0, 13)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove the CCS pattern, and it should be OK.
LGTM after removing the CCS pattern. |
da076ef
to
11e31f4
Compare
11e31f4
to
bfe416a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…#72181) Co-authored-by: Devin W. Hurley <[email protected]>
…ernal.alerts* (#76624) **Parent ticket:** elastic/kibana#101016 **Related to:** #72181 ## Summary Similar to the previous PR (#72181), we'd like to add privileges to a new set of indices to the `kibana_system` role. The reason for that is we need to have different naming schemes for alerts-as-data index aliases and backing indices pointing to these aliases, which in turn is needed to support backwards compatibility, migrations and reindexing in the future. We didn't want to prefix the backing indices with `.kibana-`, so we're adding a new `.internal.alerts` prefix. Prefixing with `.kibana-` would make them system indices, which means they would not be supposed to be read by end users, which is not what we want. `.internal` could become a universal prefix for hidden Kibana indices, but at this point I don't feel confident enough to generalise prematurely.
…ernal.alerts* (elastic#76624) **Parent ticket:** elastic/kibana#101016 **Related to:** elastic#72181 ## Summary Similar to the previous PR (elastic#72181), we'd like to add privileges to a new set of indices to the `kibana_system` role. The reason for that is we need to have different naming schemes for alerts-as-data index aliases and backing indices pointing to these aliases, which in turn is needed to support backwards compatibility, migrations and reindexing in the future. We didn't want to prefix the backing indices with `.kibana-`, so we're adding a new `.internal.alerts` prefix. Prefixing with `.kibana-` would make them system indices, which means they would not be supposed to be read by end users, which is not what we want. `.internal` could become a universal prefix for hidden Kibana indices, but at this point I don't feel confident enough to generalise prematurely.
…ernal.alerts* (#76624) (#76635) **Parent ticket:** elastic/kibana#101016 **Related to:** #72181 ## Summary Similar to the previous PR (#72181), we'd like to add privileges to a new set of indices to the `kibana_system` role. The reason for that is we need to have different naming schemes for alerts-as-data index aliases and backing indices pointing to these aliases, which in turn is needed to support backwards compatibility, migrations and reindexing in the future. We didn't want to prefix the backing indices with `.kibana-`, so we're adding a new `.internal.alerts` prefix. Prefixing with `.kibana-` would make them system indices, which means they would not be supposed to be read by end users, which is not what we want. `.internal` could become a universal prefix for hidden Kibana indices, but at this point I don't feel confident enough to generalise prematurely. Co-authored-by: Georgii Gorbachev <[email protected]>
The RAC team is storing alerts as data in the
.alerts*
and.siem-signals*
(legacy) indices, which the Kibana user needs access to in order to CRUD alerts.Ref: elastic/kibana#95721
drake: elastic/kibana#94502