Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ML] Adding capabilities checks to shared functions #70069

Merged
merged 15 commits into from
Jul 1, 2020
Merged

[ML] Adding capabilities checks to shared functions #70069

merged 15 commits into from
Jul 1, 2020

Conversation

jgowdyelastic
Copy link
Member

@jgowdyelastic jgowdyelastic commented Jun 26, 2020
edited
Loading

Adds capabilities checks to all shared ML functions.
Checks are the same as the kibana endpoint equivalents. e.g.
/api/ml/results/anomalies_table_data and getAnomaliesTableData both require canGetJobs.
All plugins calling our shared functions now need to supply a request object.

Note, due to limitations in alerting, the functions called by SIEM (jobsSummary and mlAnomalySearch) currently have their capabilities checks disabled.
Once alerting can supply a real request object, these checks can be reinstated.

Functional tests will be added in a follow up PR.

Note, also include some small refactoring to replace ILegacyScopedClusterClient with LegacyAPICaller

@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@jgowdyelastic jgowdyelastic self-assigned this Jun 29, 2020
@jgowdyelastic jgowdyelastic added :ml apm:test-plan-7.8.0 Feature:Security/Spaces Platform Security - Spaces feature non-issue Indicates to automation that a pull request should not appear in the release notes release_note:skip Skip the PR/issue when compiling release notes review v7.9.0 v7.8.0 and removed apm:test-plan-7.8.0 labels Jun 29, 2020
@jgowdyelastic jgowdyelastic marked this pull request as ready for review June 29, 2020 13:33
@jgowdyelastic jgowdyelastic requested review from a team as code owners June 29, 2020 13:33
@elasticmachine
Copy link
Contributor

Pinging @elastic/ml-ui (:ml)

@botelastic botelastic bot added the Team:APM All issues that need APM UI Team support label Jun 29, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/apm-ui (Team:apm)

@jgowdyelastic jgowdyelastic mentioned this pull request Jun 29, 2020
Closed
26 tasks
@jgowdyelastic jgowdyelastic force-pushed the adding-capabilities-checks-to-shared-functions branch from 9ab59b5 to 41b1d6e Compare June 30, 2020 10:36
smith
smith approved these changes Jun 30, 2020
View reviewed changes
Copy link
Contributor

@smith smith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APM changes look good.

@jgowdyelastic jgowdyelastic requested a review from rylnd June 30, 2020 20:39
rylnd
rylnd approved these changes Jun 30, 2020
View reviewed changes
Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Solution changes LGTM; I was able to generate signals from anomalies via an ML Detections rule.

walterra
walterra reviewed Jul 1, 2020
View reviewed changes
Copy link
Contributor

@walterra walterra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall, just added a question about await without try/catch blocks and a types.

x-pack/plugins/ml/server/lib/capabilities/check_capabilities.ts Outdated
export type HasMlCapabilities = (capabilities: MlCapabilitiesKey[]) => void;

export function hasMlCapabilitiesProvider(resolveMlCapabilities: ResolveMlCapabilities) {
return (request: KibanaRequest) => {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way you could make use of the HasMlCapabilities type to enforce it? Looking at the code like this I'm unsure why the type HasMlCapabilities is a function without async and the return function in the provider uses async.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HasMlCapabilities should really return Promise<void> here. i'll update it.
I'll also add HasMlCapabilities as the return type of this returned function to make it more explicit.

x-pack/plugins/ml/server/shared_services/providers/anomaly_detectors.ts Show resolved Hide resolved
weltenwort
weltenwort approved these changes Jul 1, 2020
View reviewed changes
Copy link
Member

@weltenwort weltenwort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work for the infra plugin where the checks are not disabled. 👍

weltenwort
weltenwort approved these changes Jul 1, 2020
View reviewed changes
x-pack/plugins/ml/server/lib/capabilities/check_capabilities.ts Outdated
}

if (capabilities.every((c) => mlCapabilities![c] === true) === false) {
throw Error('Insufficient privileges to access feature');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was wondering if we could use a custom Error subclass here to enable the routes to translate it into a 403 instead of 500 error. 🤔

We're doing something like that in the infra plugin here:

kibana/x-pack/plugins/infra/server/lib/log_analysis/errors.ts

Lines 16 to 21 in e8cf08f

export class NoLogAnalysisMlJobError extends Error {
constructor(message?: string) {
super(message);
Object.setPrototypeOf(this, new.target.prototype);
}
}

Alternatively, a custom marker attribute on the Error subclass could also be used for identification.

What do you think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I like this idea.
added in fbac69f

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome, thank you ❤️

@weltenwort weltenwort mentioned this pull request Jul 1, 2020
Closed
@jgowdyelastic
Copy link
Member Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

darnautov
darnautov approved these changes Jul 1, 2020
View reviewed changes
Copy link
Contributor

@darnautov darnautov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jgowdyelastic jgowdyelastic merged commit eafd2af into elastic:master Jul 1, 2020
@jgowdyelastic jgowdyelastic deleted the adding-capabilities-checks-to-shared-functions branch July 1, 2020 16:45
@jgowdyelastic jgowdyelastic mentioned this pull request Jul 1, 2020
Merged
jgowdyelastic added a commit to jgowdyelastic/kibana that referenced this pull request Jul 1, 2020
@jgowdyelastic @elasticmachine
[ML] Adding capabilities checks to shared functions (elastic#70069)
5842348 
* [ML] Adding capabilities checks to shared functions

* small refactor

* disabling capabilities checks for functions called by SIEM alerting

* testing git

* removing comment

* using constant for ml app id

* tiny type clean up

* removing check in ml_capabilities

* fixing types

* removing capabilities checks from ml_capabilities endpoint

* updating types

* better error handling

* improving capabilities check

* adding custom errors

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
jgowdyelastic added a commit that referenced this pull request Jul 1, 2020
@jgowdyelastic @elasticmachine
[ML] Adding capabilities checks to shared functions (#70069) (#70479)
4acd700 
* [ML] Adding capabilities checks to shared functions

* small refactor

* disabling capabilities checks for functions called by SIEM alerting

* testing git

* removing comment

* using constant for ml app id

* tiny type clean up

* removing check in ml_capabilities

* fixing types

* removing capabilities checks from ml_capabilities endpoint

* updating types

* better error handling

* improving capabilities check

* adding custom errors

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
@Kerry350 Kerry350 mentioned this pull request Aug 6, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peteharverson peteharverson peteharverson approved these changes

@weltenwort weltenwort weltenwort approved these changes

@walterra walterra walterra left review comments

@darnautov darnautov darnautov approved these changes

@rylnd rylnd rylnd approved these changes

@smith smith smith approved these changes

@alvarezmelissa87 alvarezmelissa87 Awaiting requested review from alvarezmelissa87

Assignees

@jgowdyelastic jgowdyelastic

Labels
Feature:Security/Spaces Platform Security - Spaces feature :ml non-issue Indicates to automation that a pull request should not appear in the release notes release_note:skip Skip the PR/issue when compiling release notes review Team:APM All issues that need APM UI Team support v7.9.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@jgowdyelastic @elasticmachine @kibanamachine @smith @walterra @rylnd @weltenwort @darnautov @peteharverson