
[8.9] [Security Solution] Fix endpoint permissions for rule installation and update (#161641) #161649

Merged: 1 commit, Jul 11, 2023

Conversation

kibanamachine (Contributor)

Backport

This will backport the following commits from main to 8.9:

Questions? Please refer to the Backport tool documentation.

…d update (elastic#161641)

**Related to:** elastic#161443, elastic#161454

## Summary

The `access:securitySolution-all` access level prevents a properly
configured role from installing or updating detection rules. This PR
aligns the access level for the `installation/_perform` and
`upgrade/_perform` endpoints with the rest of the detection engine APIs.

### Test instructions

Configure a role with the following permissions:

```json
{
  "test": {
    "cluster": [],
    "indices": [
      {
        "names": [
          ".alerts-security.alerts-default",
          ".lists-default",
          ".items-default"
        ],
        "privileges": [
          "read",
          "write",
          "view_index_metadata",
          "maintenance"
        ],
        "field_security": {
          "grant": [
            "*"
          ]
        },
        "allow_restricted_indices": false
      }
    ],
    "applications": [
      {
        "application": "kibana-.kibana",
        "privileges": [
          "feature_siem.all"
        ],
        "resources": [
          "*"
        ]
      }
    ],
    "run_as": [],
    "metadata": {},
    "transient_metadata": {
      "enabled": true
    }
  }
}
```

Call the upgrade/install APIs on behalf of that role to see that no 403
is returned:

```sh
# Authenticate as a user assigned the role above (placeholder credentials);
# Kibana rejects non-GET requests that lack the kbn-xsrf header, so it is set here.
curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/installation/_perform' \
--user '<user-with-test-role>:<password>' \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
    "mode": "ALL_RULES"
}'

curl --location 'http://localhost:5601/kbn/internal/detection_engine/prebuilt_rules/upgrade/_perform' \
--user '<user-with-test-role>:<password>' \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
    "mode": "ALL_RULES"
}'
```

(cherry picked from commit a5627be)
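The test instructions above can be automated end to end. The following script is an added verification harness, not code from the Kibana PR or project: it creates the role from the PR description through the Elasticsearch security API, creates a user holding only that role, calls both `_perform` endpoints as that user with the `kbn-xsrf` header Kibana requires on non-GET requests, and classifies each response. The Elasticsearch and Kibana URLs, the admin credentials, the test user name and password are all assumptions for a local dev stack; only a 403 counts as a failure, matching the PR's acceptance criterion.

```python
"""Check that a minimally privileged Security Solution role is not rejected
with 403 by the prebuilt-rule installation/upgrade endpoints.

Added verification script, not part of the Kibana PR. Assumes a local dev
stack: Elasticsearch at ES_URL with superuser credentials ADMIN_USER/ADMIN_PASS,
and Kibana at KIBANA_URL including its basePath ("/kbn" in the PR's curl
commands). Every URL and credential below is an assumption or placeholder.
"""
import base64
import json
import urllib.error
import urllib.request

ES_URL = "http://localhost:9200"          # assumption: local dev cluster
KIBANA_URL = "http://localhost:5601/kbn"  # assumption: basePath taken from the PR text
ADMIN_USER, ADMIN_PASS = "elastic", "changeme"               # placeholder superuser
TEST_USER, TEST_PASS = "siem_tester", "siem_tester_password"  # constructed test user

ENDPOINTS = (
    "/internal/detection_engine/prebuilt_rules/installation/_perform",
    "/internal/detection_engine/prebuilt_rules/upgrade/_perform",
)


def role_definition() -> dict:
    """Role body from the PR's test instructions: the inner object of the
    "test" key, which is the shape PUT /_security/role/<name> expects."""
    return {
        "cluster": [],
        "indices": [{
            "names": [".alerts-security.alerts-default", ".lists-default", ".items-default"],
            "privileges": ["read", "write", "view_index_metadata", "maintenance"],
            "field_security": {"grant": ["*"]},
            "allow_restricted_indices": False,
        }],
        "applications": [{
            "application": "kibana-.kibana",
            "privileges": ["feature_siem.all"],
            "resources": ["*"],
        }],
        "run_as": [],
        "metadata": {},
    }


def _request(method, url, user, password, body=None, extra_headers=None):
    """Send one JSON request with HTTP basic auth; return (status, response text)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json")
    for name, value in (extra_headers or {}).items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def verdict(status: int) -> str:
    """Interpret an endpoint's HTTP status for this check. The PR's acceptance
    criterion is only that the role is not rejected with 403, so other
    non-2xx codes are reported as inconclusive rather than as failures."""
    if status == 403:
        return "FAIL: role lacks the endpoint's access level (the bug this PR fixes)"
    if status == 401:
        return "ERROR: credentials rejected, check TEST_USER/TEST_PASS"
    if 200 <= status < 300:
        return "PASS: request authorized and processed"
    return f"INCONCLUSIVE: HTTP {status} is unrelated to the permission check"


def run_check() -> dict:
    """Create the role and user, then call both endpoints as the restricted user."""
    _request("PUT", f"{ES_URL}/_security/role/test", ADMIN_USER, ADMIN_PASS,
             role_definition())
    _request("PUT", f"{ES_URL}/_security/user/{TEST_USER}", ADMIN_USER, ADMIN_PASS,
             {"password": TEST_PASS, "roles": ["test"]})
    results = {}
    for path in ENDPOINTS:
        # kbn-xsrf is required by Kibana on every non-GET request
        status, _ = _request("POST", KIBANA_URL + path, TEST_USER, TEST_PASS,
                             {"mode": "ALL_RULES"}, {"kbn-xsrf": "true"})
        results[path] = verdict(status)
    return results


if __name__ == "__main__":
    for endpoint, result in run_check().items():
        print(f"{endpoint}: {result}")
```

Run it against a stack built from the 8.9 branch before and after this backport: before, both endpoints report FAIL (403); after, they report PASS. Keeping the role body in `role_definition()` rather than in a separate JSON file makes the script a self-contained regression check for the access-level mismatch the PR fixes.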
@kibana-ci (Collaborator)

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Investigations - Security Solution Tests #4 / Alerts generated by building block rules Alerts should be visible on the Rule Detail page and not visible on the Overview page

Metrics

Unknown metric groups

ESLint disabled line counts

| id | before | after | diff |
|---|---|---|---|
| enterpriseSearch | 13 | 15 | +2 |
| securitySolution | 415 | 419 | +4 |
| total | | | +6 |

Total ESLint disabled count

| id | before | after | diff |
|---|---|---|---|
| enterpriseSearch | 14 | 16 | +2 |
| securitySolution | 496 | 500 | +4 |
| total | | | +6 |

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @xcrzx

@kibanamachine kibanamachine merged commit 29376ed into elastic:8.9 Jul 11, 2023