[Security Solution] Rule with cases connector after downgrading to essentials cannot be edited

elastic / kibana

Your window into the Elastic Stack

https://www.elastic.co/products/kibana

Other

19.71k stars 8.12k forks source link

[Security Solution] Rule with cases connector after downgrading to essentials cannot be edited #189978

Open MadameSheema opened 1 month ago

MadameSheema commented 1 month ago

Originally reported by @dhurley14

Describe the bug:

Rule with cases connector after downgrading to essentials cannot be edited

Preconditions:

To have a rule with cases connector in complete tier
Downgrade to essentials

Steps to reproduce:

Edit the rule with the cases connector

Current behavior:

The cases connector is displayed
When the user edits the rule and clicks on the save button an error is displayed

elasticmachine commented 1 month ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 month ago

Pinging @elastic/response-ops-cases (Feature:Cases)

elasticmachine commented 1 month ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine commented 1 month ago

Pinging @elastic/response-ops (Team:ResponseOps)

MadameSheema commented 1 month ago

@cnasikas @yctercero can you please take a look at this issue? Thanks!

yctercero commented 1 month ago

This is likely an issue we'll run into when we break exceptions out into it's own subprivelege as well. We don't have a good way of saying you can edit this portion of the rule schema and not another. @banderror @marshallmain correct me here if I'm wrong, but I think we need to think through how to design such changes.

banderror commented 1 month ago

@yctercero I think the question is, from the product/UX standpoint, what needs to happen with such rules on downgrade to essentials:

Do we want to remove from rules all the actions referencing cases connectors?
Do we want to disable these connectors?
Do we want to let those rules/actions and connectors continue to work?

I guess, in any case, we want the rules to continue to be editable.

When we have this understanding, we could think about what needs to be done technically.

@yctercero Not sure I understand what is being asked with regards to exceptions and RBAC.

yctercero commented 2 weeks ago

@approksiu @ARWNightingale could you please confirm what the intended behavior should be here?

cnasikas commented 2 days ago

When a rule is created an API key is also created and connected to the rule. The API key represents the user that created the rule. This is needed to execute the rule and the actions under the user's permission. When someone edits a rule, the API key is updated to represent the user who updated the rule. So, if we let the user update the rule without having access to cases the case action will start to fail due to permission errors. As @yctercero said we do not have a way to have different permissions per portions of the rule's schema. The downgrade scenario is interesting though because it means that no user has access to cases. Does the rule fail either way by downgrading to essentials?