[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules #161454
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jpdjere
added
8.9 candidate
bug
jpdjere
force-pushed
the
write-access-perform-install-update-endpoints
branch
from
cf4398f to
263282a
Compare
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
jpdjere
added
the
release_note:skip
|
We also need to disable install buttons on the Add Rules screen:
|
|
We also need to disable the upgrade buttons on the Update Rules screen:
|
xcrzx
force-pushed
the
write-access-perform-install-update-endpoints
branch
from
e1a401b to
f2006a1
Compare
xcrzx
approved these changes
Jul 10, 2023
💚 Build Succeeded
Metrics [docs]Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @jpdjere |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jul 10, 2023
… and upgrade prebuilt rules (elastic#161454) Fixes: elastic#161443 ## Summary ### When user doesn't have write permission: - Disables "Add Elastic rules" button and removes Rule Updates tab  - Disables buttons to individually install rules, install selected rules and install all rules  - Disables buttons to individually upgrade rules, upgrade selected rules and upgrade all rules  ### `_perform` endpoints - Returns 403 when installing all rules or specific rules   - Returns 403 when upgrading all rules or specific rules   ### Checklist Delete any items that are not applicable to this PR. - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Dmitrii <dmitrii.shevchenko@elastic.co> (cherry picked from commit 31b28a0)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jul 10, 2023
…nstall and upgrade prebuilt rules (#161454) (#161555) # Backport This will backport the following commits from `main` to `8.9`: - [[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules (#161454)](#161454) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Juan Pablo Djeredjian","email":"jpdjeredjian@gmail.com"},"sourceCommit":{"committedDate":"2023-07-10T14:35:17Z","message":"[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules (#161454)\n\nFixes: https://github.com/elastic/kibana/issues/161443\r\n\r\n## Summary\r\n\r\n### When user doesn't have write permission:\r\n- Disables \"Add Elastic rules\" button and removes Rule Updates tab\r\n\r\n\r\n\r\n- Disables buttons to individually install rules, install selected rules\r\nand install all rules\r\n\r\n\r\n\r\n- Disables buttons to individually upgrade rules, upgrade selected rules\r\nand upgrade all rules\r\n\r\n\r\n\r\n### `_perform` endpoints\r\n- Returns 403 when installing all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n- Returns 403 when upgrading all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Dmitrii <dmitrii.shevchenko@elastic.co>","sha":"31b28a06606d4f5b1fe10173859c44fb9fce3b10","branchLabelMapping":{"^v8.10.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","blocker","release_note:skip","impact:critical","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rule Management","Feature:Prebuilt Detection Rules","8.9 candidate","v8.9.0","v8.10.0"],"number":161454,"url":"https://github.com/elastic/kibana/pull/161454","mergeCommit":{"message":"[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules (#161454)\n\nFixes: https://github.com/elastic/kibana/issues/161443\r\n\r\n## Summary\r\n\r\n### When user doesn't have write permission:\r\n- Disables \"Add Elastic rules\" button and removes Rule Updates tab\r\n\r\n\r\n\r\n- Disables buttons to individually install rules, install selected rules\r\nand install all rules\r\n\r\n\r\n\r\n- Disables buttons to individually upgrade rules, upgrade selected rules\r\nand upgrade all rules\r\n\r\n\r\n\r\n### `_perform` endpoints\r\n- Returns 403 when installing all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n- Returns 403 when upgrading all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Dmitrii <dmitrii.shevchenko@elastic.co>","sha":"31b28a06606d4f5b1fe10173859c44fb9fce3b10"}},"sourceBranch":"main","suggestedTargetBranches":["8.9"],"targetPullRequestStates":[{"branch":"8.9","label":"v8.9.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.10.0","labelRegex":"^v8.10.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/161454","number":161454,"mergeCommit":{"message":"[Security Solution] Allow only users with 'all' privileges to install and upgrade prebuilt rules (#161454)\n\nFixes: https://github.com/elastic/kibana/issues/161443\r\n\r\n## Summary\r\n\r\n### When user doesn't have write permission:\r\n- Disables \"Add Elastic rules\" button and removes Rule Updates tab\r\n\r\n\r\n\r\n- Disables buttons to individually install rules, install selected rules\r\nand install all rules\r\n\r\n\r\n\r\n- Disables buttons to individually upgrade rules, upgrade selected rules\r\nand upgrade all rules\r\n\r\n\r\n\r\n### `_perform` endpoints\r\n- Returns 403 when installing all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n- Returns 403 when upgrading all rules or specific rules\r\n\r\n\r\n\r\n\r\n\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [ ] Any UI touched in this PR is usable by keyboard only (learn more\r\nabout [keyboard accessibility](https://webaim.org/techniques/keyboard/))\r\n- [ ] Any UI touched in this PR does not create any new axe failures\r\n(run axe in browser:\r\n[FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/),\r\n[Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US))\r\n- [ ] This renders correctly on smaller devices using a responsive\r\nlayout. (You can test this [in your\r\nbrowser](https://www.browserstack.com/guide/responsive-testing-on-local-server))\r\n- [ ] This was checked for [cross-browser\r\ncompatibility](https://www.elastic.co/support/matrix#matrix_browsers)\r\n\r\n\r\n### For maintainers\r\n\r\n- [ ] This was checked for breaking API changes and was [labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\n---------\r\n\r\nCo-authored-by: Dmitrii <dmitrii.shevchenko@elastic.co>","sha":"31b28a06606d4f5b1fe10173859c44fb9fce3b10"}}]}] BACKPORT--> Co-authored-by: Juan Pablo Djeredjian <jpdjeredjian@gmail.com>
xcrzx
added a commit
that referenced
this pull request
Jul 11, 2023
…d update (#161641) **Related to: #161443, #161454 ## Summary The `access:securitySolution-all` access level prevents a properly configured role from installing or updating detection rules. This PR aligns the access level for the `installation/_perform` and `upgrade/_perform` endpoints with the rest of the detection engine APIs. ### Test instructions Configure a role with the following permissions: ```json { "test": { "cluster": [], "indices": [ { "names": [ ".alerts-security.alerts-default", ".lists-default", ".items-default" ], "privileges": [ "read", "write", "view_index_metadata", "maintenance" ], "field_security": { "grant": [ "*" ] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_siem.all" ], "resources": [ "*" ] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } } ``` Call the upgrade/install APIs on behalf of that role to see that no 403 is returned: ```sh curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --data '{ "mode": "ALL_RULES" }' curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/upgrade/_perform' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --data '{ "mode": "ALL_RULES" }' ```
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jul 11, 2023
…d update (elastic#161641) **Related to: elastic#161443, elastic#161454 ## Summary The `access:securitySolution-all` access level prevents a properly configured role from installing or updating detection rules. This PR aligns the access level for the `installation/_perform` and `upgrade/_perform` endpoints with the rest of the detection engine APIs. ### Test instructions Configure a role with the following permissions: ```json { "test": { "cluster": [], "indices": [ { "names": [ ".alerts-security.alerts-default", ".lists-default", ".items-default" ], "privileges": [ "read", "write", "view_index_metadata", "maintenance" ], "field_security": { "grant": [ "*" ] }, "allow_restricted_indices": false } ], "applications": [ { "application": "kibana-.kibana", "privileges": [ "feature_siem.all" ], "resources": [ "*" ] } ], "run_as": [], "metadata": {}, "transient_metadata": { "enabled": true } } } ``` Call the upgrade/install APIs on behalf of that role to see that no 403 is returned: ```sh curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --data '{ "mode": "ALL_RULES" }' curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/upgrade/_perform' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json' \ --data '{ "mode": "ALL_RULES" }' ``` (cherry picked from commit a5627be)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #161443
Summary
When user doesn't have write permission:
Disables "Add Elastic rules" button and removes Rule Updates tab
Disables buttons to individually install rules, install selected rules and install all rules
Disables buttons to individually upgrade rules, upgrade selected rules and upgrade all rules
_performendpointsReturns 403 when installing all rules or specific rules
Returns 403 when upgrading all rules or specific rules
Checklist
Delete any items that are not applicable to this PR.
For maintainers