[SecuritySolution] Alerts and Rules page error with readonly user

semd commented 1 month ago

Summary

An odd error happens when opening the Alerts or Rules page for the first time (a clean instance) with a user who has only Read access to Security.

Description

The page opens and enters a loop of error requests to:

POST /api/lists/index -> 403 Forbidden GET /api/lists/index -> 404 Not Found (Error: data stream .lists-default and data stream .items-default does not exist)

https://github.com/user-attachments/assets/591988d1-ce59-4e11-b5cc-f224623bb2e3

To reproduce

Create a new instance (I tested that creating a Serverless project in QA)
Open kibana directly to create a custom role, without accessing Alerts or Rules page, define a role with:

Cluster privileges: all Index privileges: * -> all Kibana Privileges: All features of all apps to All except for Security: Read

Then, create a new user and assign it the new custom role.
Using the new readonly user I opened the Alerts page to see the errors.

Accessing with a user with write privileges solves the problem

When accessing the Alerts page with a privileged user the error stops happening, and the Alerts page behaves as expected with the readonly user as well:

Possible cause

The .lists-<spaceId> and .items-<spaceId> data streams may not be created when the readonly user accesses the Alerts/Rules page for the first time, and this user is not able to create them, then the app enters an infinite loop trying to create and retrieve data from those indices.

When a user with write privileges enters the page the indices are created and the error is not reproducible anymore.

elasticmachine commented 1 month ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 month ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elastic / kibana