-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove alerting / actions from features UI in security #51121
Comments
Pinging @elastic/kibana-stack-services (Team:Stack Services) |
A few notes on making changes for solution teams:
|
This is an interesting one. If the alerting plugin exposes the index threshold alert type and an application (for example SIEM) wants to use it, the alert should belong to SIEM. If ever a user goes through our UIs to create a threshold alert (as you mentioned), this is where it gets interesting. If ever there's a privilege that allowed the user to get to the management UIs, I think it should piggy back on that. Otherwise, I wonder if there's a "everyone has access" privilege to give the alert. Maybe this revives the conversation about feature controls not only belonging to each application but also a generic "Alerts" feature control that would turn on / off alerting everywhere for a user + handle the user defined alerts at the same time. On the action side, regardless where you're creating an action from, I think it would only work if you have access to the application exposing the action type. The same would apply to users adding actions to their alerts, they can only add actions created for applications they have access to. Thinking of it, I think actions would have to stay as a feature control to satisfy the requirement of "only admins should setup the actions" while everyone else has read access. This leaves the sub features question for another day (ex blacklist IP). I put lots of questions here but I think we'll have to figure this out for 7.6 if we want an easy migration once feature controls lands (ex: 7.7). See #51120 as the preparation we should do for 7.6. |
cc @kobelb ^^ |
I agree.
It's possible to do this, but I wouldn't recommend giving everyone access to a specific alert. Users will inevitably want to control who can create free-form threshold alerts.
The "feature" which allows the user to create free-form alerts doesn't have to also grant the user access to alerting in all of the various applications.
I thought actions were going to be re-used between applications? Are they actually going to be application specific? |
Regarding actions - I agree that actions should be exposed as a feature control, though in 7.6 we could (for now) just include these privileges under the Stack Monitoring role. There is otherwise no real benefit in exposing them in 7.6 (SIEM will not be using them, and alerts will not be exposed otherwise ). There is ongoing discussion in #51784 about security concerns with actions and whitelisting - so limiting action access behind a built-in role for now might be a good thing. For user-defined alerts, I think it's fair in 7.6 if we can only access it with SIEM 'all' feature privilege. And maybe further we need a config setting to turn it on - It means we can expose it and test in a limited way without having to worry about migrations? After 7.6 I agree with @kobelb that we can make a "free-form alerts" feature that is tied to types defined in the alert plugin only and can only be created in specific places like the management UI view.
@kobelb for the foreseeable future they will be re-used. Most notification style actions, and even more complex actions like case management are re-usable across apps. Certain (notional) types of "response" actions such as blacklisting an IP might only make sense in certain apps though, which is what @mikecote is referring to I believe. They don't exist today, but we anticipate it might happen. |
++ agreed, I think we'll be ok migrating user-defined alerts down the road and have it behind feature flag for now.
Yeah, the blacklisting IP scenario is what I was referring to. I was trying to build a picture of what information we need to store to allow feature controls to do their thing (#51120). Though I think we'll postpone that issue for now and try to summarize later within #43994. |
Solution teams should grant alerting access accordingly for 7.6.
The text was updated successfully, but these errors were encountered: