elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution][Serverless] Create all Security sub-features #172348

Open semd opened 10 months ago

semd commented 10 months ago

Summary

When "custom roles" are available in serverless, and without a role migration mechanism, extracting a new sub-feature will result in users assigned to custom roles losing authorization for the feature. This is a known issue that the Platform Security team is aware of.

We will be able to migrate roles eventually, but until then, and after "serverless custom roles" are GA, we won't be able to extract sub-features without causing breaking changes on the Security RBAC.

At the same time, to achieve the desired feature granularity for the serverless predefined roles, we need to extract functionalities into sub-features. Right now the authorization for many of those functionalities is still granted by the general Security Kibana feature.

So, to avoid having to deal with this problem later, we should extract all sub-features we need before custom roles start to be created.

How to extract sub-features

The sub-features we need to create are defined by the Security predefined roles specification.

Each of them needs to have a config on the Security ProductFeatures framework at:

https://github.com/elastic/kibana/blob/main/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts

It is also important to define the new sub-features with the correct includeIn property, referencing the all or read main features, like endpointExceptions does:

https://github.com/elastic/kibana/blob/1f8c816901fa286b842ac652b0fce86608d01202/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts#L554-L601

After defining the sub-feature we need to add it to the Kibana Features config on the serverless plugin:

https://github.com/elastic/kibana/blob/a66d42b50ceb9209bc67935cf4a6fbb9c5202888/x-pack/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts#L48-L50

And configure the predefined roles to include the new privilege (docs).

On the ESS side, we don't want to configure the new sub-feature to avoid breaking existing custom roles. We need to enable the new privilege with the main Security feature, without configuring the new sub-feature:

https://github.com/elastic/kibana/blob/a66d42b50ceb9209bc67935cf4a6fbb9c5202888/x-pack/plugins/security_solution_ess/server/product_features/security_product_features_config.ts#L47-L49

Tip: We can take the endpointExceptions sub-feature implementation as an example for the other ones.

Sub-feature checks in the application

Adding the config will make the sub-features exist in the Kibana features registry, so when custom roles start being created they will be aware of all sub-features, avoiding the need to migrate roles later on.

However, without implementing the checks in the application code, assigning those new sub-features to a custom role will have no effect; authorization will still be given by the general Security feature.

There's no need to implement all the checks in the code at the same time; it can be done separately. But it will need to be done to make the sub-feature assignments work properly.

Predefined roles features (at the time of writing)
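
The role breakage described in the summary above, as an added example that is not part of the original issue or Kibana's code: a simplified model of feature and sub-feature privilege resolution, showing that a role holding the feature-level all privilege keeps an extracted action when includeIn is all, while a custom role created before the extraction loses it. The resolver, the way minimal_all is modelled, and every action name and privilege id are assumptions made for illustration.

```typescript
// Simplified model written for this example; not Kibana's implementation.
type IncludeIn = 'all' | 'read' | 'none';
interface SubPrivilege { id: string; includeIn: IncludeIn; actions: string[] }
interface Feature { all: string[]; read: string[]; subPrivileges: SubPrivilege[] }

// Resolve the actions a role holds on one feature.
// 'all' / 'read' also pull in sub-feature privileges according to includeIn
// ('read' is included in 'all' as well). 'minimal_all' / 'minimal_read' grant
// only the base actions; sub-feature privileges must then be listed by id,
// which is what a role with customized sub-feature privileges stores.
function resolveActions(feature: Feature, rolePrivileges: string[]): Set<string> {
  const granted = new Set<string>();
  for (const priv of rolePrivileges) {
    const base = priv.replace(/^minimal_/, '');
    if (base === 'all' || base === 'read') {
      for (const a of base === 'all' ? feature.all : feature.read) granted.add(a);
      if (priv !== base) continue; // minimal_*: no implicit sub-feature privileges
      for (const sub of feature.subPrivileges) {
        const implied = sub.includeIn === 'read' || (sub.includeIn === 'all' && base === 'all');
        if (implied) for (const a of sub.actions) granted.add(a);
      }
    } else {
      const sub = feature.subPrivileges.find((s) => s.id === priv);
      if (sub) for (const a of sub.actions) granted.add(a);
    }
  }
  return granted;
}

// Constructed sample data: action names and privilege ids are hypothetical.
const existingSub: SubPrivilege = { id: 'existing_sub_all', includeIn: 'none', actions: ['existing:write'] };
// ESS-style: 'rules:write' stays with the main feature, no new sub-feature.
const before: Feature = { all: ['view', 'rules:write'], read: ['view'], subPrivileges: [existingSub] };
// Serverless-style extraction: 'rules:write' moves into a new sub-feature privilege.
const extracted: Feature = {
  all: ['view'], read: ['view'],
  subPrivileges: [existingSub, { id: 'rules_all', includeIn: 'all', actions: ['rules:write'] }],
};

const fullRole = ['all'];                                // feature-level "all"
const customRole = ['minimal_all', 'existing_sub_all'];  // created before the extraction

function canWriteRules(feature: Feature, role: string[]): boolean {
  return resolveActions(feature, role).has('rules:write');
}

console.log('all role, after extraction:   ', canWriteRules(extracted, fullRole));
console.log('custom role, before:          ', canWriteRules(before, customRole));
console.log('custom role, after extraction:', canWriteRules(extracted, customRole));
```
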

elasticmachine commented 10 months ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 10 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

semd commented 10 months ago

@yctercero Since "Alert management" functionalities work differently and they check the alerts index privilege to enable/disable features, we can probably accomplish the desired behavior by setting the correct index privilege to the predefined roles. So we won't need a sub-feature for them.

paulewing commented 9 months ago

@semd per our sync, we can remove Dashboards and Explore pages from the requirement list as they would be consistently available.

approksiu commented 8 months ago

@semd what about Benchmark Rules / Findings?

semd commented 7 months ago

@approksiu I don't see the Benchmark Rules / Findings feature in the predefined roles spreadsheet. Do you think it should be included?

yctercero commented 7 months ago

Hey @semd! I just wanted to confirm that we do not need the alerts subfeature for Serverless GA as it is a data stream that can be managed through index privileges, correct? If this is the case, then we will concentrate on exceptions and rules subfeature and introduce alerts kibana privilege further down the line when needed.

cc @banderror @peluja1012 @paulewing @approksiu

banderror commented 7 months ago

Updated the description with https://github.com/elastic/security-team/issues/8799 and closed https://github.com/elastic/security-team/issues/8193 /cc @xcrzx

banderror commented 6 months ago

The work on changing Kibana-level privileges for rules, exceptions, value lists, and alerts was put on hold yesterday. The corresponding tickets are:

After research done by @xcrzx and @e40pud and trying to implement this new RBAC, we identified substantial risks we didn't want to be dealing with if we were to release this in Serverless before Public Ungated Preview:

After multiple discussions between @xcrzx @e40pud @approksiu @yctercero @banderror @peluja1012 @marshallmain @YulNaumenko @MikePaquette, we got a green light from Product and we're putting this on hold until a migration mechanism is developed by the Kibana Security team.

An internal document from @approksiu contains more info. We will proceed with option 2.1 described in it.