[Security Solution][Endpoint] Allow access to Endpoint Metadata for users that might only have READONLY access #106328
Conversation
paul-tavares
added
v8.0.0
release_note:skip
…ice to endpont context start contract
… supplemental data
…iour as prior implementation
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
| @@ -58,6 +62,33 @@ export const getLogger = (endpointAppContext: EndpointAppContext): Logger => { | |||
| return endpointAppContext.logFactory.get('metadata'); | |||
| }; | |||
|
|
|||
| const errorHandler = <E extends Error>( | |||
There was a problem hiding this comment.
Generic error handler for all metadata routes. Currently only being used in the GET single endpoint metadata api
botelastic
bot
added
the
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
x-pack/plugins/security_solution/server/endpoint/services/metadata/endpoint_metadata_service.ts
Show resolved
Hide resolved
…ow-metadata-api-with-readonly-user
…ow-metadata-api-with-readonly-user
…Refactored EndpointMetadataService to use it
|
|
||
| type SavedObjectsClientContractKeys = keyof SavedObjectsClientContract; | ||
|
|
||
| const RESTRICTED_METHODS: readonly SavedObjectsClientContractKeys[] = [ |
There was a problem hiding this comment.
I initially wanted to do "allow" list rather than "deny" list, but found that the SO client attempts to access other internal properties on the client that are not actually exposed via the SavedObjectsClientContract. Some of the methods below I don't even know what they do (openPointINTimeForType??), but since they sounded like to me that they might possibly be mutating type of methods, I block them.
| ) {} | ||
|
|
||
| /** | ||
| * An INTERNAL Saved Object client that is effectively the system user and has all privileges and permissions and |
There was a problem hiding this comment.
Should i remove most of the "warning" around this comment now that we use a restricted so client?
There was a problem hiding this comment.
nah keep it, so new people (or forgetful us in the future) don't accidentally make changes that strip back your read-only-ness. So it's not accidentally grabbed and used elsewhere. Security holes R no joke
x-pack/plugins/security_solution/server/endpoint/utils/create_internal_readonly_so_client.ts
Show resolved
Hide resolved
| methodName: SavedObjectsClientContractKeys, | ||
| receiver: unknown | ||
| ): unknown { | ||
| if (RESTRICTED_METHODS.includes(methodName)) { |
There was a problem hiding this comment.
cool. I think the remaining danger here you already realize is if new writable methods are added to SO client, we'll miss them here. Will just have to keep an eye on changes. Maybe another reason to keep the warning around in full
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
paul-tavares
deleted the
task/olm-1504-allow-metadata-api-with-readonly-user
branch
💔 Backport failed
To backport manually run: |
…sers that might only have READONLY access (elastic#106328) * Remove `getScopedSavedObjectsClient()` from server `EndpointAppContextServices` (not used) * new EndpointMetadataService service (handles GET of a single endpoint for now) * ensure `getFleetAgent()` sets the current status for the agent * Replace the Route handler for Get of single endpoint with new call to service * Fleet: change agent service to also calculate and return the agent status via calls from the agent service * Fleet agent generator changed to set a random status * generic `createInternalReadonlySoClient()` with runtime validation for non-readonly methods # Conflicts: # x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
|
This was reverted with 3d33710. I suspect there was a timing conflict with #106110. https://kibana-ci.elastic.co/job/elastic+kibana+master/15858/execution/node/398/log/ |
…sers that might only have READONLY access (elastic#106328) * Remove `getScopedSavedObjectsClient()` from server `EndpointAppContextServices` (not used) * new EndpointMetadataService service (handles GET of a single endpoint for now) * ensure `getFleetAgent()` sets the current status for the agent * Replace the Route handler for Get of single endpoint with new call to service * Fleet: change agent service to also calculate and return the agent status via calls from the agent service * Fleet agent generator changed to set a random status * generic `createInternalReadonlySoClient()` with runtime validation for non-readonly methods (cherry picked from commit b6e9d8d)
…sers that might only have READONLY access (elastic#106328) * Remove `getScopedSavedObjectsClient()` from server `EndpointAppContextServices` (not used) * new EndpointMetadataService service (handles GET of a single endpoint for now) * ensure `getFleetAgent()` sets the current status for the agent * Replace the Route handler for Get of single endpoint with new call to service * Fleet: change agent service to also calculate and return the agent status via calls from the agent service * Fleet agent generator changed to set a random status * generic `createInternalReadonlySoClient()` with runtime validation for non-readonly methods
…ta for users that might only have READONLY access (elastic#106328)" This reverts commit b6e9d8d.
Summary
EndpointMetadataServicewas created and methods crated to support theGET metadata/{id}apiTesting:
For API testing:
The following indexes should be added to a role as
readonly:metrics-endpoint.metadata_current_*.fleet-agents*.fleet-actions*Use credentials of a user whose role has only readonly permission to the above indexes and query the
/api/endpoint/metadata/{id}apiFor security solution UI testing:
one will create a role (
t1_analyst) and the other an associated user by the same name.t1_analystt1_analystuser and load some data (ex. run endpoint data loader)Checklist