[Entity Analytics] Restrict management page based on user privileges (#…

…173178) ## Summary Closes #171633 A few changes on the entity analytics management page: - If the user does not have risk engine permissions, disable the Risk engine switch. - If the user does not have risk score read permission, do not show the risk scores preview. - Do not show the risk engine status as "off" while we are loading the status, show "-" instead - Remove privileges accordion from error callout (see below) ### Test steps create a user without risk engine privileges and go to the entity analytics management page. Here is a handy script to create the user `no_risk_engine`, you will need to change your Kibana URL <details> <summary>expand for mkuser.sh</summary> ```bash #!/bin/bash KIBANA_URL="http://elastic:changeme@localhost:5601/mark" curl "$KIBANA_URL/api/security/role/no_risk_engine?createOnly=true" \ -X 'PUT' \ -H 'elastic-api-version: 2023-10-31' \ -H 'kbn-xsrf:hello' \ --user elastic:changeme \ -H 'Content-Type: application/json' \ --data-raw '{"elasticsearch":{"cluster":[],"indices":[{"names":["logs-*"],"privileges":["read"],"field_security":{"grant":["*"],"except":[]}}],"run_as":[]},"kibana":[{"spaces":["*"],"base":[],"feature":{"siem":["all"]}}]}' \ --compressed curl "$KIBANA_URL/internal/security/users/no_risk_engine" \ -X 'POST' \ -H 'elastic-api-version: 2023-10-31' \ -H 'kbn-xsrf:hello' \ --user elastic:changeme \ -H 'Content-Type: application/json' \ --data-raw '{"password":"changeme","username":"no_risk_engine","full_name":"","email":"","roles":["no_risk_engine"]}' \ --compressed% ``` </details> # After <img width="1728" alt="Screenshot 2023-12-13 at 13 51 45" src="https://github.com/elastic/kibana/assets/3315046/9996dfd3-035a-48d9-a331-e60db911a391"> <img width="493" alt="276204977-d808883a-b66b-4f58-9acc-6d977c644741" src="https://github.com/elastic/kibana/assets/3315046/e1cc8971-a66b-48bb-9474-6cc99c9215b4"> # Before <img width="1482" alt="Screenshot 2023-12-13 at 14 08 12" src="https://github.com/elastic/kibana/assets/3315046/85a56a72-4eb8-4677-a55b-8598fec2151d"> --------- Co-authored-by: Jared Burgett <[email protected]> Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Ryland Herrick <[email protected]> Co-authored-by: Pablo Machado <[email protected]>
elastic · Dec 19, 2023 · cd02e8d · cd02e8d
1 parent 1095cb2
commit cd02e8d
Show file tree

Hide file tree

Showing 12 changed files with 258 additions and 102 deletions.
diff --git a/x-pack/plugins/security_solution/common/entity_analytics/risk_engine/constants.ts b/x-pack/plugins/security_solution/common/entity_analytics/risk_engine/constants.ts
@@ -12,7 +12,9 @@ export const RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES = [
   'manage_transform',
 ] as ClusterPrivilege[];
 
+export const RISK_SCORE_INDEX_PATTERN = 'risk-score.risk-score-*';
+
 type RiskEngineIndexPrivilege = 'read' | 'write';
 export const RISK_ENGINE_REQUIRED_ES_INDEX_PRIVILEGES = Object.freeze({
-  'risk-score.risk-score-*': ['read', 'write'] as RiskEngineIndexPrivilege[],
+  [RISK_SCORE_INDEX_PATTERN]: ['read', 'write'] as RiskEngineIndexPrivilege[],
 });
diff --git a/x-pack/plugins/security_solution/public/entity_analytics/common/index.ts b/x-pack/plugins/security_solution/public/entity_analytics/common/index.ts
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export { userHasRiskEngineReadPermissions } from './user_has_risk_engine_read_permissions';
+export * from './utils';
diff --git a/...ity_solution/public/entity_analytics/common/user_has_risk_engine_read_permissions.test.ts b/...ity_solution/public/entity_analytics/common/user_has_risk_engine_read_permissions.test.ts
@@ -0,0 +1,57 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { userHasRiskEngineReadPermissions } from './user_has_risk_engine_read_permissions';
+
+describe('userHasRiskEngineReadPermissions', () => {
+  it('returns false if isLoading is true', () => {
+    expect(userHasRiskEngineReadPermissions({ isLoading: true })).toEqual(false);
+  });
+  it('returns true if hasAllRequiredPrivileges is true', () => {
+    expect(
+      userHasRiskEngineReadPermissions({ isLoading: false, hasAllRequiredPrivileges: true })
+    ).toEqual(true);
+  });
+  it('returns false if hasAllRequiredPrivileges is false and user is missing read permissions', () => {
+    expect(
+      userHasRiskEngineReadPermissions({
+        isLoading: false,
+        hasAllRequiredPrivileges: false,
+        missingPrivileges: {
+          clusterPrivileges: [],
+          indexPrivileges: [['risk-score.risk-score-*', ['read']]],
+        },
+      })
+    ).toEqual(false);
+  });
+
+  it('returns true if hasAllRequiredPrivileges is false and user is missing read permissions for other index', () => {
+    expect(
+      userHasRiskEngineReadPermissions({
+        isLoading: false,
+        hasAllRequiredPrivileges: false,
+        missingPrivileges: {
+          clusterPrivileges: [],
+          indexPrivileges: [['other-index.other-index-*', ['read']]],
+        },
+      })
+    ).toEqual(true);
+  });
+
+  it('returns true if hasAllRequiredPrivileges is false and user is not missing read permissions', () => {
+    expect(
+      userHasRiskEngineReadPermissions({
+        isLoading: false,
+        hasAllRequiredPrivileges: false,
+        missingPrivileges: {
+          clusterPrivileges: [],
+          indexPrivileges: [['risk-score.risk-score-*', ['write']]],
+        },
+      })
+    ).toEqual(true);
+  });
+});
diff --git a/...security_solution/public/entity_analytics/common/user_has_risk_engine_read_permissions.ts b/...security_solution/public/entity_analytics/common/user_has_risk_engine_read_permissions.ts
@@ -0,0 +1,30 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { RISK_SCORE_INDEX_PATTERN } from '../../../common/entity_analytics/risk_engine';
+import type { RiskEngineMissingPrivilegesResponse } from '../hooks/use_missing_risk_engine_privileges';
+
+export const userHasRiskEngineReadPermissions = (
+  privileges: RiskEngineMissingPrivilegesResponse
+): boolean => {
+  if (privileges.isLoading) {
+    return false;
+  }
+
+  if (privileges.hasAllRequiredPrivileges) {
+    return true;
+  }
+
+  const { indexPrivileges: missingIndexPrivileges } = privileges.missingPrivileges;
+
+  const isMissingReadPrivilege = missingIndexPrivileges.find(
+    ([indexName, indexPrivileges]) =>
+      indexName === RISK_SCORE_INDEX_PATTERN && indexPrivileges.includes('read')
+  );
+
+  return !isMissingReadPrivilege;
+};
diff --git a/...ty_analytics/components/risk_engine_privileges_callout/risk_engine_privileges_callout.tsx b/...ty_analytics/components/risk_engine_privileges_callout/risk_engine_privileges_callout.tsx
@@ -9,15 +9,14 @@ import React from 'react';
 import type { CallOutMessage } from '../../../common/components/callouts';
 import { CallOutSwitcher } from '../../../common/components/callouts';
 import { MissingPrivilegesCallOutBody, MISSING_PRIVILEGES_CALLOUT_TITLE } from './translations';
-import { useMissingPrivileges } from './use_missing_risk_engine_privileges';
-
-export const RiskEnginePrivilegesCallOut = () => {
-  const privileges = useMissingPrivileges();
+import type { RiskEngineMissingPrivilegesResponse } from '../../hooks/use_missing_risk_engine_privileges';
 
+export const RiskEnginePrivilegesCallOut: React.FC<{
+  privileges: RiskEngineMissingPrivilegesResponse;
+}> = ({ privileges }) => {
   if (privileges.isLoading || privileges.hasAllRequiredPrivileges) {
     return null;
   }
-
   const message: CallOutMessage = {
     type: 'primary',
     id: `missing-risk-engine-privileges`,

diff --git a/...lugins/security_solution/public/entity_analytics/components/risk_score_enable_section.tsx b/...lugins/security_solution/public/entity_analytics/components/risk_score_enable_section.tsx
@@ -28,7 +28,6 @@ import {
   EuiCallOut,
   EuiAccordion,
 } from '@elastic/eui';
-import { FormattedMessage } from '@kbn/i18n-react';
 import { LinkAnchor } from '@kbn/security-solution-navigation/links';
 import { SecurityPageName } from '@kbn/security-solution-navigation';
 import * as i18n from '../translations';
@@ -40,6 +39,7 @@ import { RiskEngineStatus, MAX_SPACES_COUNT } from '../../../common/entity_analy
 
 import { RiskInformationFlyout } from '../../explore/components/risk_score/risk_information';
 import { useOnOpenCloseHandler } from '../../helper_hooks';
+import type { RiskEngineMissingPrivilegesResponse } from '../hooks/use_missing_risk_engine_privileges';
 
 const MIN_WIDTH_TO_PREVENT_LABEL_FROM_MOVING = '50px';
 
@@ -64,47 +64,6 @@ const RiskScoreErrorPanel = ({ errors }: { errors: string[] }) => (
           ))}
         </>
       </EuiAccordion>
-
-      <EuiAccordion id="risk-engine-privileges" buttonContent={i18n.CHECK_PRIVILEGES}>
-        <p>
-          {i18n.NEED_TO_HAVE}
-          <ul>
-            <li>
-              <FormattedMessage
-                id="xpack.securitySolution.riskScore.errors.privileges.requiredPrivilege"
-                defaultMessage="{required_privilege} privileges for {index} index"
-                values={{
-                  required_privilege: <b>{'all'}</b>,
-                  index: <b>{'risk-score.risk-score-*'}</b>,
-                }}
-              />
-            </li>
-            <li>
-              <FormattedMessage
-                id="xpack.securitySolution.riskScore.errors.privileges.securityPrivilege"
-                defaultMessage="{security_privileges} security privileges"
-                values={{
-                  security_privileges: (
-                    <span>
-                      <b>{'manage_index_templates'}</b>
-                      {','} <b>{'manage_transform'}</b>
-                    </span>
-                  ),
-                }}
-              />
-            </li>
-            <li>
-              <FormattedMessage
-                id="xpack.securitySolution.riskScore.errors.privileges.kibanaPrivilege"
-                defaultMessage="{kibana_privilege} Kibana privilege"
-                values={{
-                  kibana_privilege: <b>{'Saved Objects Management'}</b>,
-                }}
-              />
-            </li>
-          </ul>
-        </p>
-      </EuiAccordion>
     </EuiCallOut>
   </>
 );
@@ -177,7 +136,59 @@ const RiskScoreUpdateModal = ({
   );
 };
 
-export const RiskScoreEnableSection = () => {
+const RiskEngineHealth: React.FC<{ currentRiskEngineStatus?: RiskEngineStatus | null }> = ({
+  currentRiskEngineStatus,
+}) => {
+  if (!currentRiskEngineStatus) {
+    return <EuiHealth color="subdued">{'-'}</EuiHealth>;
+  }
+  if (currentRiskEngineStatus === RiskEngineStatus.ENABLED) {
+    return <EuiHealth color="success">{i18n.RISK_SCORE_MODULE_STATUS_ON}</EuiHealth>;
+  }
+  return <EuiHealth color="subdued">{i18n.RISK_SCORE_MODULE_STATUS_OFF}</EuiHealth>;
+};
+
+const RiskEngineStatusRow: React.FC<{
+  currentRiskEngineStatus?: RiskEngineStatus | null;
+  onSwitchClick: () => void;
+  isLoading: boolean;
+  privileges: RiskEngineMissingPrivilegesResponse;
+}> = ({ currentRiskEngineStatus, onSwitchClick, isLoading, privileges }) => {
+  const userHasRequiredPrivileges =
+    'hasAllRequiredPrivileges' in privileges && privileges.hasAllRequiredPrivileges;
+  const btnIsDisabled = !currentRiskEngineStatus || isLoading || !userHasRequiredPrivileges;
+
+  return (
+    <EuiFlexGroup gutterSize="s" alignItems={'center'}>
+      {isLoading && (
+        <EuiFlexItem>
+          <EuiLoadingSpinner data-test-subj="risk-score-status-loading" size="m" />
+        </EuiFlexItem>
+      )}
+      <EuiFlexItem
+        css={{ minWidth: MIN_WIDTH_TO_PREVENT_LABEL_FROM_MOVING }}
+        data-test-subj="risk-score-status"
+      >
+        <RiskEngineHealth currentRiskEngineStatus={currentRiskEngineStatus} />
+      </EuiFlexItem>
+      <EuiFlexItem>
+        <EuiSwitch
+          label={''}
+          data-test-subj="risk-score-switch"
+          checked={currentRiskEngineStatus === RiskEngineStatus.ENABLED}
+          onChange={onSwitchClick}
+          compressed
+          disabled={btnIsDisabled}
+          aria-describedby={'switchRiskModule'}
+        />
+      </EuiFlexItem>
+    </EuiFlexGroup>
+  );
+};
+
+export const RiskScoreEnableSection: React.FC<{
+  privileges: RiskEngineMissingPrivilegesResponse;
+}> = ({ privileges }) => {
   const [isModalVisible, setIsModalVisible] = useState(false);
   const { data: riskEngineStatus, isFetching: isStatusLoading } = useRiskEngineStatus();
   const initRiskEngineMutation = useInitRiskEngineMutation({
@@ -200,13 +211,13 @@ export const RiskScoreEnableSection = () => {
     initRiskEngineMutation.isLoading ||
     enableRiskEngineMutation.isLoading ||
     disableRiskEngineMutation.isLoading ||
+    privileges.isLoading ||
     isStatusLoading;
 
   const isUpdateAvailable = riskEngineStatus?.isUpdateAvailable;
-  const btnIsDisabled = !currentRiskEngineStatus || isLoading;
 
   const onSwitchClick = () => {
-    if (btnIsDisabled) {
+    if (!currentRiskEngineStatus || isLoading) {
       return;
     }
 
@@ -295,34 +306,12 @@ export const RiskScoreEnableSection = () => {
                 </EuiFlexGroup>
               )}
               {!isUpdateAvailable && (
-                <EuiFlexGroup gutterSize="s" alignItems={'center'}>
-                  <EuiFlexItem>
-                    {isLoading && (
-                      <EuiLoadingSpinner data-test-subj="risk-score-status-loading" size="m" />
-                    )}
-                  </EuiFlexItem>
-                  <EuiFlexItem
-                    css={{ minWidth: MIN_WIDTH_TO_PREVENT_LABEL_FROM_MOVING }}
-                    data-test-subj="risk-score-status"
-                  >
-                    {currentRiskEngineStatus === RiskEngineStatus.ENABLED ? (
-                      <EuiHealth color="success">{i18n.RISK_SCORE_MODULE_STATUS_ON}</EuiHealth>
-                    ) : (
-                      <EuiHealth color="subdued">{i18n.RISK_SCORE_MODULE_STATUS_OFF}</EuiHealth>
-                    )}
-                  </EuiFlexItem>
-                  <EuiFlexItem>
-                    <EuiSwitch
-                      label={''}
-                      data-test-subj="risk-score-switch"
-                      checked={currentRiskEngineStatus === RiskEngineStatus.ENABLED}
-                      onChange={onSwitchClick}
-                      compressed
-                      disabled={btnIsDisabled}
-                      aria-describedby={'switchRiskModule'}
-                    />
-                  </EuiFlexItem>
-                </EuiFlexGroup>
+                <RiskEngineStatusRow
+                  currentRiskEngineStatus={currentRiskEngineStatus}
+                  onSwitchClick={onSwitchClick}
+                  isLoading={isLoading}
+                  privileges={privileges}
+                />
               )}
             </EuiFlexItem>
           </EuiFlexGroup>