Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls #67157

Merged
merged 196 commits into from
Jul 22, 2020

Conversation

gmmorris
Copy link
Contributor

@gmmorris gmmorris commented May 21, 2020

Summary

This PR adds Role Based Access-Control to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: #43994

This also closes #62438

This PR includes the following:

  1. Adds alerting specific Security Actions (not to be confused with Alerting Actions) to the security plugin which allows us to assign alerting specific privileges to users of other plugins using the features plugin.
  2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
  3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
  4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
  5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs

DevDocs

This PR allows you to assign privileges to the Alerting framework when defining your feature in Kibana. When registering your feature you can add a list of AlertTypes under your read and all keys of the privileges object, like so:

features.registerFeature({
      id: 'alertsExample',
      name: 'alertsExample',
      app: [],
      privileges: {
        all: {
          alerting: {
            all: ['example.always-firing', 'example.people-in-space'],
          },
        },
        read: {
          alerting: {
            read: ['example.always-firing', 'example.people-in-space'],
          },
        },
      },
    });

What this specifies, in detail, is that:

  1. If a user has been granted the all privilege to the alertsExample feature, then they are also granted all privileges to the example.always-firing and example.people-in-space AlertTypes under the alertsExample consumer
  2. If a user has been granted the read privilege to the alertsExample feature, then they are also granted read privileges to the example.always-firing and example.people-in-space AlertTypes under the alertsExample consumer

That means that an all user will be able to, for example, create an example.always-firing alert with the alertsExample as consumer. This will also automatically grant them the right to create an example.always-firing alert from within alerts management where alerts is the consumer (we special case Alerts management).
What this doesn't grant the user is the ability to create an example.always-firing alert under any other consumer. For that the specific consumer will have to grant the user explicit rights through their privilege system.

For example, if Uptime wanted to allow users to create an example.people-in-space alert inside of the Uptime solution, then they will have to do the following:

features.registerFeature({
      id: 'uptime',
      name: 'Uptime',
      app: [],
      privileges: {
        all: {
          alerting: {
            all: ['xpack.uptime.alerts.actionGroups.tls', 'example.people-in-space'],
          },
        },
        read: {
          alerting: {
            read: ['xpack.uptime.alerts.actionGroups.tls', 'example.people-in-space'],
          },
        },
      },
    });

This, assuming it's added by Uptime, would grant uptime users the privilege to create both their own xpack.uptime.alerts.actionGroups.tls alert and the example.people-in-space alert with uptime as the consumer.

You might ask, will this allow any Uptime user with all privileges to create an example.people-in-space alert? No.
In order to create an example.people-in-space alert the Uptime user needs both all in Uptime and in AlertsExample as we always check whether the user is privileged to execute an operation (create/enable/delete etc.) in both the alert's consumer and its producer.

The one exception to this is when the producer is alerts, which represents a built-in AlertType, in which case we only check for consumer privileges as all users are privileged to create built-in types by definition.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

gmmorris added 28 commits May 21, 2020 11:57
…bana into alerting/consumer-based-rbac

* 'alerting/consumer-based-rbac' of github.com:gmmorris/kibana:
  added rbac in alerting
  fixed unit test
  fixed typing, commented unused authz
  made SO client unsecure in alerting
* master: (26 commits)
  [Console]remove completion for type for filter queries and aggs (elastic#68103)
  [ML] Transforms: Filter aggregation support (elastic#67591)
  [ES UI Shared] Monaco XJSON (elastic#67485)
  [Index Management] Add data streams functionality to indices tab (elastic#67940)
  [Discover] Fix renaming of saved search not displayed in breadcrumb (elastic#67577)
  [SECURITY] Rename siem plugin to security_solution (elastic#67902)
  [Uptime] Fix Telemetry Api flaky test (elastic#67358)
  [Data plugin] Add configuration property to enable / disable autocomplete (elastic#67847)
  remove scripts. prettire update has been done (elastic#68130)
  Closes elastic#68055 by detecting the local Kibana version and using that as (elastic#68198)
  [apm] docs: add deployment annotation example (elastic#67408)
  [ML] Extend population preview chart to show actual and typical value (elastic#67569)
  Refactor index management client integration tests for scalability (elastic#67917)
  Add generator function that creates multiple alerts (elastic#67713)
  chore(NA): remove config arg from os packages (elastic#67871)
  [Reporting] Move code out of Legacy (elastic#67904)
  [Metrics UI] Add overrides to Snapshot API to support alert previews (elastic#68125)
  [Security] [Cases] Manage timeline UI API (elastic#67719)
  [ENDPOINT][INGEST]Task/endpoint ingest update (elastic#67234)
  Fix code coverage for jest, upload merged reports (elastic#68149)
  ...
* master: (57 commits)
  Add app arch team as owner of datemath package (elastic#66880)
  [Observability] Landing page for Observability (elastic#67467)
  [SIEM] Fix timeline buildGlobalQuery (elastic#68320)
  Optimize saved objects getScopedClient and HTTP API (elastic#68221)
  [Maps] Fix mb-style interpolate style rule (elastic#68413)
  update script to always download node (elastic#68421)
  [SECURITY SOLEIL] Fix selection of event type when no siem index signal created (elastic#68291)
  [DOCS] Adds note about configuring File Data Visualizer (elastic#68407)
  [DOCS] Adds link from remote clusters to index patterns (elastic#68406)
  [QA] slack notify on failure (elastic#68126)
  upgrade eslint-plugin-react-hooks from 2.3.0 to 4.0.4 (elastic#68295)
  moving to jira to a gold license (elastic#67178)
  [DOCS] Revises doc on adding data (elastic#68038)
  [APM] Add ThemeProvider to support dark mode (elastic#68242)
  Make welcome screen disabling first action in loginIfPrompted (elastic#68238)
  [QA] Code coverage: unskip tests, collect tests results, exclude bundles from report (elastic#64477)
  [ML] Functional tests - disable flaky regression and classification creation test
  [Alerting] change eventLog ILM requests to absolute URLs (elastic#68331)
  Report page load asset size (elastic#66224)
  [SIEM][CASE] Change SIEM to Security (elastic#68365)
  ...
* master:
  [ML] DFAnalytics results: ensure ml result fields are shown in data grid (elastic#68305)
  [security_solution] enable react-hooks/exhaustive-deps (elastic#68470)
  Closes elastic#66867 by adding missing, requried API params (elastic#68465)
  [Telemetry] collect number of visualization saved in the past 7, 30 and 90 days (elastic#67865)
  [Logs UI] View in context tweaks (elastic#67777)
  Kibana developer examples landing page (elastic#67049)
  Bump decompress package version (elastic#68386)
  fix elastic#66185 (elastic#66186)
  Bump pdfmake package version (elastic#68395)
  Unskip embeddables/adding_children suite (elastic#68111)
  Add embed mode options in the Share UI (elastic#58435)
  Adding key to avoid react warning (elastic#68491)
* master: (37 commits)
  [DOCS] Adds documentation for drilldowns (elastic#68122)
  [Telemetry] telemetry.sendUsageFrom: "server" by default (elastic#68071)
  [ML] Transforms: Support sub-aggregations (elastic#68306)
  Fixed pre-configured docs link points to the wrong page and functional tests configs (elastic#68606)
  [Ingest Manager] Update queries from `stream.*` to `dataset.*` (elastic#68322)
  Enable Watcher by default to fix bug in which Watcher doesn't render in the side nav (elastic#68602)
  Convert Index Templates API routes to snakecase. (elastic#68463)
  [SECURITY SOLUTION] [Detections] Add / Update e2e tests to ensure initial rule runs are successful (elastic#68441)
  [Ingest] OpenAPI spec file (elastic#68323)
  chore(NA): skip apis Endpoint plugin Endpoint policy api (elastic#68638)
  bumping makelogs version to v6.0.0 (elastic#66163)
  [SIEM] Add create template button (elastic#66613)
  Bump websocket-extensions from 0.1.3 to 0.1.4 (elastic#68414)
  [ML] Sample data modules - use event.dataset instead of index name (elastic#68538)
  [ML] Functional tests - fix job validation API test with maxModelMemoryLimit (elastic#68501)
  [ML] Functional tests - stabilize DFA job creation (elastic#68495)
  [TSVB] Allows the user to change the tooltip mode (elastic#67775)
  chore(NA): skip apis Endpoint plugin Endpoint alert API when data is in elasticsearch (elastic#68613)
  chore(NA): skip endpoint Endpoint Alert Page: when es has data and user has navigated to the page (elastic#68596)
  [SIEM][Detection Engine] Converts from joi to use io-ts and moves the types to common  (elastic#68127)
  ...
@legrego legrego self-requested a review July 20, 2020 09:54
@gmmorris
Copy link
Contributor Author

I wasn't able to get as far as I wanted with this review today, but will pick back up on Monday.

Doing some quick testing with user having all access to the Security Solution, and no privileges to the Actions feature. When trying to create an alert within the solution, I'm unable to load the list of available connectors, despite having one configured:

image

image

Hmm this is an interesting one.
This will likely require some dev work on SIEM's side, as they aren't using the flyout (I hadn't realised this) and they're probably better off waiting until this is merged and addressing it then. This is why we decided to wait until after 7.9FF to merge this - giving solutions time to make any small fixes they might need to in response to the change.
cc @dhurley14 - I can guide you through fixing this.

gmmorris added 4 commits July 20, 2020 12:16
* master: (26 commits)
  [SIEM][Detection Engine][Lists] Adds list permissions (elastic#72335)
  [SIEM][Detection Engine][Lists] Adds conflict versioning and io-ts improvements to lists (elastic#72337)
  [Resolver] no longer pass related event stats to process node component (elastic#72435)
  Revert "skip flaky suite (elastic#72146)"
  [Security Solution] Cleanup endpoint telemetry (elastic#71950)
  Unskip dashboard embeddable rendering tests (elastic#71824)
  [ENDPOINT] Added unerolling status for host. (elastic#72303)
  [Alerting][Connectors] Increase the size of the logos (elastic#72419)
  [SECURITY] [Timeline] Raw events not displayed (elastic#72387)
  [ML] Fixes display of regression stop stats if one is NaN (elastic#72412)
  [Ingest Pipelines] Processor Editor Move Tooltip (elastic#72239)
  Fix match phrase and not match phrase comparators (elastic#71850)
  [Plugin Generator] Generate tsconfig and useDefaultBehaviors (elastic#72040)
  [Security Solution][Timeline] Fix timeline styling and createFrom beh… (elastic#72152)
  [Resolver] Selector performance (elastic#72380)
  [Ingest Manager] Set `_meta` in the index.mappings (elastic#72026)
  [Ingest Manager] Do not bumb config revision during config creation (elastic#72270)
  [ML] Adding missing index pattern name to new job wizards (elastic#72400)
  [ML] improve annotation flyout performance (elastic#72299)
  [APM] Testing error rate API and restructuring folders (elastic#72257)
  ...
@gmmorris
Copy link
Contributor Author

cc @dhurley14 - I can guide you through fixing this.

I had a chat with @dhurley14 about this and we'll move forward with merging the code despite this known regression as it'll be easier for the SIEM team to address it once it's merged into master.

Copy link
Member

@pmuellr pmuellr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reviewed the files that have changed since my last review; LGTM

public async create({
action: { actionTypeId, name, config, secrets },
}: CreateOptions): Promise<ActionResult> {
await this.authorization.ensureAuthorized('create', actionTypeId);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re: Duplicate authorization checks

You can already see some of this now when you peek at our APM results - in practice, I think it's fine for duplicate checks, except where it's really going to hurt, likely in GET requests (viewing alerts in the web UI) and alert function execution. I'm not seeing these take very long in practice, and it's pretty easy to see them from the APM transaction log, so I'm not worried.

gmmorris added 3 commits July 21, 2020 13:58
* master: (28 commits)
  allow some env settings for ingest manager (elastic#72544)
  Add inspector for VEGA (elastic#70941)
  chore(NA): fix grunt task for test:coverage (elastic#72539)
  Archive e2e test results in ES (elastic#72575)
  preserve 401 errors from new es client (elastic#71248)
  [SIEM][Detections] Updates text for severity and risk_score overrides  (elastic#72244)
  fixing error occurences tooltip (elastic#72425)
  use KibanaClient interface instead of Client for new client interface (elastic#72388)
  [APM] Handle ML errors (elastic#72316)
  [Discover] Improve histogram tests (elastic#72235)
  [ftr/webdriver] retry on all errors, use Rx so that timers are canceled (elastic#72540)
  [pre-req] Move .storybook to storybook; standardize files (elastic#72384)
  [Security_Solution][Resolver][Bug]: Restore breadcrumb background (elastic#72538)
  [ML] Fix annotation detector linking & delayed_data(0) (elastic#72468)
  [Security Solution][Exceptions] - Make esTypes and subType available to index patterns (elastic#72336)
  [SIEM] Uses faster wait from testing-library and removes duplicate older wait idiom (elastic#72509)
  Fix long combo box items breaking out of flex item width (elastic#72512)
  [pipeline/commitStatus] update commit status in baseline-capture job (elastic#72366)
  [Security Solution][Resolver] Update the resolver element ref on scroll events if the position of the element has changed within the page (elastic#72461)
  [Maps] auto-fit to data bounds (elastic#72129)
  ...
@apmmachine
Copy link
Contributor

apmmachine commented Jul 21, 2020

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #67157 updated]

  • Start Time: 2020-07-21T14:44:48.551+0000

  • Duration: 24 min 0 sec

Test stats 🧪

Test Results
Failed 0
Passed 9
Skipped 0
Total 9

@gmmorris
Copy link
Contributor Author

re: Duplicate authorization checks

I've now removed the securityWrapper in Actions - we only use it for the SO client we pass to the action itself.

@legrego @pmuellr

Copy link
Member

@legrego legrego left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome work! 🏅 🥇 👏

I don't want to block your merge on this, but I would really like to see a security_only functional test suite within your API integration tests as well. Some users choose to disable Spaces while still securing their cluster, and having assurances that we don't break anything here would be valuable.

x-pack/plugins/actions/server/plugin.ts Outdated Show resolved Hide resolved
@gmmorris
Copy link
Contributor Author

Awesome work! 🏅 🥇 👏

I don't want to block your merge on this, but I would really like to see a security_only functional test suite within your API integration tests as well. Some users choose to disable Spaces while still securing their cluster, and having assurances that we don't break anything here would be valuable.

We agree! :)
It's in the backlog: #49825

gmmorris added 2 commits July 21, 2020 17:29
* master:
  [Security Solution][Timeline] Add Empty view to the Timelines page (elastic#72576)
  [Security Solution][Resolver] Show process detail panel when clicking a process node (elastic#72563)
  Move manifest packageConfig mocks into security_solution plugin (elastic#72527)
  [QA][Code Coverage] Fixup Team Assignment (elastic#72467)
  [docs] remove references to tile map visualization in supported aggregations (elastic#72493)
  [ci][apm-ui] fix argument name for disabling pr comments (elastic#72633)
  Only check that the event ids are the same in arrays (elastic#72624)
  Add doc titles to ES UI apps (elastic#71045)
  Add Upgrade Assistant API integration test to ensure the reindex operation saved object can handle immense error messages (elastic#72347)
  [APM] Disable flaky rum e2e’s (elastic#72614)
  Applying tiny fix from 72532 to main branch (elastic#72533)
  [APM] Update script with new roles/users (elastic#72599)
  [Security Solution] Add margin (elastic#72542)
  Migrated fixed_scroll karma tests to jest (elastic#72258)
  [ML] Handling data recognizer saved object errors (elastic#72447)
  [Monitoring] Fix the messaging around needing TLS enabled (elastic#72310)
  [Task Manager] Batches the update operations in Task Manager  (elastic#71470)
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

@kbn/optimizer bundle module count

id value diff baseline
triggers_actions_ui 152 +1 151

async chunks size

id value diff baseline
infra 3.6MB +14.0B 3.6MB
triggers_actions_ui 709.4KB +6.6KB 702.8KB
total - +6.6KB -

page load bundle size

id value diff baseline
alerts 88.6KB +124.0B 88.5KB
features 13.4KB +65.0B 13.4KB
triggers_actions_ui 266.8KB +2.1KB 264.7KB
total - +2.3KB -

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@gmmorris gmmorris merged commit 4abe864 into elastic:master Jul 22, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 22, 2020
… on Kibana Feature Controls (elastic#67157)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: elastic#43994

This also closes elastic#62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 22, 2020
* master: (34 commits)
  Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls (elastic#67157)
  [Monitoring] Revert direct shipping code (elastic#72505)
  Use server basepath  when creating reporting jobs (elastic#72722)
  Adding api test for transaction_groups /breakdown and /avg_duration_by_browser (elastic#72623)
  [Task Manager] Addresses flaky test introduced by buffered store (elastic#72815)
  [Observability] filter "hasData" api by processor event (elastic#72810)
  do  not pass title as part of tsvb request (elastic#72619)
  [Lens] Legend config (elastic#70619)
  Stabilize closing toast (elastic#72097)
  stabilize failing test (elastic#72086)
  Stabilize filter bar test (elastic#72032)
  Unskip vislib tests (elastic#71452)
  [ML] Fix layout of anomaly chart tooltip for long field values (elastic#72689)
  fix preAuth/preRouting mocks (elastic#72663)
  [Security Solution] Hide KQL bar (all pages) and alerts filters (Detections) when Resolver is full screen (elastic#72788)
  [Uptime] Rename Whitelist to Allowlist in parse_filter_map (elastic#71584)
  [Security Solution] Fixes exception modal not loading content (elastic#72770)
  [Security Solution][Exceptions] - Require non empty entries and non empty string values in exception list items (elastic#72748)
  [Detections] Add validation for Threshold value field (elastic#72611)
  [SIEM][Detection Engine][Lists] Adds version and immutability data structures (elastic#72730)
  ...
gmmorris added a commit that referenced this pull request Jul 22, 2020
… on Kibana Feature Controls (#67157) (#72850)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using  Kibana Feature Controls, addressing most of the Meta issue: #43994

This also closes #62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs

Co-authored-by: Elastic Machine <[email protected]>
@mikecote mikecote mentioned this pull request Aug 11, 2020
36 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Alerting release_note:plugin_api_changes Contains a Plugin API changes section for the breaking plugin API changes section. Team:APM All issues that need APM UI Team support Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability v7.10.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Kibana privileges should support custom actions for alerting