[ResponseOps] alerting privs missing read:getActionErrorLog #158957
Assignees
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Alerting
Team:ResponseOps
Label for the ResponseOps team (formerly the Cases and Alerting teams)
Comments
pmuellr
added
bug
|
Pinging @elastic/response-ops (Team:ResponseOps) |
github-project-automation
bot
moved this to Awaiting Triage
in AppEx: ResponseOps - Rules & Alerts Management
XavierM
moved this from Awaiting Triage
to Todo
in AppEx: ResponseOps - Rules & Alerts Management
|
I don't think there's any work-around for this, right? What's interesting is that it works for super user, so I'm wondering how the auth works on that vs specific feature controls. Basically, I'm wondering if there is some other minimal set of feature control that we could add to the role to get this to work. |
XavierM
moved this from Todo
to Up for grabs
in AppEx: ResponseOps - Rules & Alerts Management
umbopepato
added a commit
to umbopepato/kibana
that referenced
this issue
Sep 18, 2023
github-project-automation
bot
moved this from Up for grabs
to Done
in AppEx: ResponseOps - Rules & Alerts Management
umbopepato
added a commit
that referenced
this issue
Sep 22, 2023
Closes #158957 ## Summary Adds the missing `getActionErrorLog` privilege. With the updated privileges, users with a custom Role including full access to "Actions and Connectors", "Rule Settings" and "Stack Rules" can successfully inspect errored actions' logs:  ## To Test - Create a Role with `All` privileges granted in `Actions and Connectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management) and assign it to a user - Log in with that user - Create a rule with a failing action (i.e. an Email Connector with wrong addresses) - Wait for the rule to execute (or execute it manually) - In the rule page, under `History` click the number under `Errored actions` in one of the rows of the logs table - Check that error logs are visible in the flyout
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Sep 22, 2023
Closes elastic#158957 ## Summary Adds the missing `getActionErrorLog` privilege. With the updated privileges, users with a custom Role including full access to "Actions and Connectors", "Rule Settings" and "Stack Rules" can successfully inspect errored actions' logs:  ## To Test - Create a Role with `All` privileges granted in `Actions and Connectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management) and assign it to a user - Log in with that user - Create a rule with a failing action (i.e. an Email Connector with wrong addresses) - Wait for the rule to execute (or execute it manually) - In the rule page, under `History` click the number under `Errored actions` in one of the rows of the logs table - Check that error logs are visible in the flyout (cherry picked from commit 0eda41a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Sep 22, 2023
Closes elastic#158957 ## Summary Adds the missing `getActionErrorLog` privilege. With the updated privileges, users with a custom Role including full access to "Actions and Connectors", "Rule Settings" and "Stack Rules" can successfully inspect errored actions' logs:  ## To Test - Create a Role with `All` privileges granted in `Actions and Connectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management) and assign it to a user - Log in with that user - Create a rule with a failing action (i.e. an Email Connector with wrong addresses) - Wait for the rule to execute (or execute it manually) - In the rule page, under `History` click the number under `Errored actions` in one of the rows of the logs table - Check that error logs are visible in the flyout (cherry picked from commit 0eda41a)
kibanamachine
added a commit
that referenced
this issue
Sep 22, 2023
…) (#167001) # Backport This will backport the following commits from `main` to `8.10`: - [[RAM] Add missing privilege to alerting read operations (#166603)](#166603) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Umberto Pepato","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-09-22T07:23:13Z","message":"[RAM] Add missing privilege to alerting read operations (#166603)\n\nCloses #158957\r\n\r\n## Summary\r\n\r\nAdds the missing `getActionErrorLog` privilege. With the updated\r\nprivileges, users with a custom Role including full access to \"Actions\r\nand Connectors\", \"Rule Settings\" and \"Stack Rules\" can successfully\r\ninspect errored actions' logs:\r\n\r\n\r\n\r\n## To Test\r\n\r\n- Create a Role with `All` privileges granted in `Actions and\r\nConnectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management)\r\nand assign it to a user\r\n- Log in with that user\r\n- Create a rule with a failing action (i.e. an Email Connector with\r\nwrong addresses)\r\n- Wait for the rule to execute (or execute it manually)\r\n- In the rule page, under `History` click the number under `Errored\r\nactions` in one of the rows of the logs table\r\n- Check that error logs are visible in the flyout","sha":"0eda41a46da91ba3b4fd90a8478e1aecb03154f0","branchLabelMapping":{"^v8.11.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","Team:ResponseOps","v8.10.0","v8.11.0","v8.9.3"],"number":166603,"url":"https://github.com/elastic/kibana/pull/166603","mergeCommit":{"message":"[RAM] Add missing privilege to alerting read operations (#166603)\n\nCloses #158957\r\n\r\n## Summary\r\n\r\nAdds the missing `getActionErrorLog` privilege. With the updated\r\nprivileges, users with a custom Role including full access to \"Actions\r\nand Connectors\", \"Rule Settings\" and \"Stack Rules\" can successfully\r\ninspect errored actions' logs:\r\n\r\n\r\n\r\n## To Test\r\n\r\n- Create a Role with `All` privileges granted in `Actions and\r\nConnectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management)\r\nand assign it to a user\r\n- Log in with that user\r\n- Create a rule with a failing action (i.e. an Email Connector with\r\nwrong addresses)\r\n- Wait for the rule to execute (or execute it manually)\r\n- In the rule page, under `History` click the number under `Errored\r\nactions` in one of the rows of the logs table\r\n- Check that error logs are visible in the flyout","sha":"0eda41a46da91ba3b4fd90a8478e1aecb03154f0"}},"sourceBranch":"main","suggestedTargetBranches":["8.10","8.9"],"targetPullRequestStates":[{"branch":"8.10","label":"v8.10.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.11.0","labelRegex":"^v8.11.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/166603","number":166603,"mergeCommit":{"message":"[RAM] Add missing privilege to alerting read operations (#166603)\n\nCloses #158957\r\n\r\n## Summary\r\n\r\nAdds the missing `getActionErrorLog` privilege. With the updated\r\nprivileges, users with a custom Role including full access to \"Actions\r\nand Connectors\", \"Rule Settings\" and \"Stack Rules\" can successfully\r\ninspect errored actions' logs:\r\n\r\n\r\n\r\n## To Test\r\n\r\n- Create a Role with `All` privileges granted in `Actions and\r\nConnectors`, `Rules Settings`, `Stack Rules` (under Kibana > Management)\r\nand assign it to a user\r\n- Log in with that user\r\n- Create a rule with a failing action (i.e. an Email Connector with\r\nwrong addresses)\r\n- Wait for the rule to execute (or execute it manually)\r\n- In the rule page, under `History` click the number under `Errored\r\nactions` in one of the rows of the logs table\r\n- Check that error logs are visible in the flyout","sha":"0eda41a46da91ba3b4fd90a8478e1aecb03154f0"}},{"branch":"8.9","label":"v8.9.3","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Umberto Pepato <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the following code, we're missing
getActionErrorLog:kibana/x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.ts
Lines 19 to 30 in e2e03ca
It's defined here:
kibana/x-pack/plugins/alerting/server/authorization/alerting_authorization.ts
Lines 29 to 39 in e2e03ca
Found this from a support issue. User was unable to view the error logs of an action when having ALL privileges for "Actions and Connectors", "Rule Settings" and "Stack Rules". Super user can see them.
Once I added the string to the
readOperations, I was able to view the error logs.The text was updated successfully, but these errors were encountered: