[Security Solution][Serverless] Create all Security sub-features #172348
Comments
semd
added
Team:Threat Hunting
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@yctercero Since "Alert management" functionalities work differently and they check the alerts index privilege to enable/disable features, we can probably accomplish the desired behavior by setting the correct index privilege to the predefined roles. So we won't need a sub-feature for them. |
|
@semd per our sync, we can remove Dashboards and Explore pages from the requirement list as they would be consistently available. |
|
@semd what about Benchmark Rules / Findings? |
|
@approksiu I don't see the |
|
Hey @semd ! I just wanted to confirm that we do not need the alerts subfeature for Serverless GA as it is a data stream that can be managed through index privileges, correct? If this is the case, then we will concentrate on exceptions and rules subfeature and introduce alerts kibana privilege further down the line when needed. |
|
Updated the description with https://github.com/elastic/security-team/issues/8799 and closed https://github.com/elastic/security-team/issues/8193 /cc @xcrzx |
|
The work on changing Kibana-level privileges for rules, exceptions, value lists, and alerts was put on hold yesterday. The corresponding tickets are:
After research done by @xcrzx and @e40pud and trying to implement this new RBAC, we identified substantial risks we didn't want to be dealing with if we were to release this in Serverless before Public Ungated Preview:
After multiple discussions between @xcrzx @e40pud @approksiu @yctercero @banderror @peluja1012 @marshallmain @YulNaumenko @MikePaquette, we got a green light from Product and we're putting this on hold until a migration mechanism is developed by the Kibana Security team. An internal document from @approksiu contains more info. We will proceed with the option 2.1 described in it. |
Summary
When "custom roles" are available in serverless, and without a role migration mechanism, extracting a new sub-feature will result in users assigned to custom roles losing authorization for the feature. This is a known issue that the Platform Security team is aware of.
We will be able to migrate roles eventually, but since then, and after "serverless custom roles" are GA, we won't be able to extract sub-features without causing breaking changes on the Security RBAC.
At the same time, to achieve the desired feature granularity for the serverless predefined roles, we need to extract functionalities into sub-features. Right now the authorization for many of those functionalities is still granted by the general Security Kibana feature.
So, to avoid having to deal with this problem later, we should extract all sub-features we need before custom roles start to be created.
How to extract sub-features
The sub-features we need to create are defined by the Security predefined roles specification.
Each of them needs to have a config on the Security ProductFeatures framework at:
https://github.com/elastic/kibana/blob/main/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
It is also important to define the new sub-features with the correct
includeInproperty, referencingallorreadmain features, like theendpointExceptionsdoes:kibana/x-pack/packages/security-solution/features/src/security/kibana_sub_features.ts
Lines 554 to 601 in 1f8c816
After defining the sub-feature we need to add it to the Kibana Features config on the serverless plugin:
kibana/x-pack/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts
Lines 48 to 50 in a66d42b
And configure the predefined roles to include the new privilege (docs)
On the ESS side, we don't want to configure the new sub-feature to avoid breaking existing custom roles. We need to enable the new privilege with the main Security feature, without configuring the new sub-feature:
kibana/x-pack/plugins/security_solution_ess/server/product_features/security_product_features_config.ts
Lines 47 to 49 in a66d42b
Tip
We can take the
endpointExceptionssub-feature implementation as an example for the other onesSub-feature checks in the application
Adding the config will make the sub-features exist in the Kibana features registry, so when custom roles start being created they will be aware of all sub-features, avoiding the need to migrate roles later on.
However, without implementing the checks in the application code, assigning those new sub-features to a custom role will have no effect, authorization will still be given by the general Security feature.
There's no need to implement all the checks in the code at the same time, it can be done separately. But it will need to be done to make the sub-features assignments work properly.
Predefined roles features (at the time of writing)
externalexternalexternalexternalexternalSecurity DashboardsExplore pagesTimeline- https://github.com/elastic/security-team/issues/7998externalexternalexternalThe text was updated successfully, but these errors were encountered: