[Security Solution][Endpoint] Add ability for users to release an isolated host in serverless tiers where Response Actions are not available
#163616
Conversation
paul-tavares
added
release_note:skip
| // of the response actions with exception of `release`. Sole access to `release` is something | ||
| // that is supported for a user in a license downgrade scenario, and in that case we don't want | ||
| // to allow access to Response Console. | ||
| authz.canAccessResponseConsole = |
There was a problem hiding this comment.
enables Response Console access if the user has Authz to any response action with the exception of un-isolate. Users that have only permission to unisolate occurs when the Kibana license is downgraded or in serverless when running a non Endpoint Complete tier. It will allow users to continue to release their isolated hosts if any.
Also - this change here will ensure that as we add more response actions, that access to Response console will continue to pick those up and enable this option.
| ] | ||
| ); | ||
| return hostIsolationAction; | ||
| return canIsolateHost || (isHostIsolated && canUnIsolateHost) ? menuItems : []; |
There was a problem hiding this comment.
This fixes a bug were before it was not showing release in a downgrade scenario.
| id: 'host_isolation_all', | ||
| includeIn: 'none', | ||
| name: 'All', | ||
| savedObject: { | ||
| all: [], | ||
| read: [], | ||
| }, | ||
| // FYI: The current set of values below (`api`, `ui`) cover only `release` response action. |
There was a problem hiding this comment.
I'm hopping that tidbits of info like this can help along understanding how the framework around loading different privileges into existing Sub-Features
…ss PLI testing" This reverts commit 58d3121
….essentials (already in base tier)
…less-access-to-isolate-release # Conflicts: # x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/complete_with_endpoint_roles.cy.ts # x-pack/test_serverless/functional/test_suites/security/cypress/e2e/endpoint_management/roles/essentials_with_endpoint.roles.cy.ts
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
paul-tavares
requested review from
tomsonpl
and removed request for
dasansol92
There was a problem hiding this comment.
well-commented. Thanks for that, there is a good amount of overlap with licenses and privileges and enabled things that make a complex situation here.
pointed out some typos that were in test names only. All the 'unisolate' or 'release' strings in the code were correct. Though maybe we should make them string constants more so there is no chance of typos
| it(`should not allow access to Response Action: ${actionName}`, () => { | ||
| ensureResponseActionAuthzAccess('none', actionName, username, password); | ||
| }); | ||
| } | ||
|
|
||
| it('should have access to `unisoalte` api', () => { |
| ensureResponseActionAuthzAccess('none', actionName, username, password); | ||
| }); | ||
| } | ||
|
|
||
| it('should have access to `unisoalte` api', () => { |
| it(`should not allow access to Response Action: ${actionName}`, () => { | ||
| ensureResponseActionAuthzAccess('none', actionName, username, password); | ||
| }); | ||
| } | ||
|
|
||
| it('should have access to `unisoalte` api', () => { |
…less-access-to-isolate-release
| @@ -122,6 +124,20 @@ export const calculateEndpointAuthz = ( | |||
| canWriteEventFilters, | |||
| canReadEventFilters, | |||
| }; | |||
|
|
|||
| // Response console is only accessible when is license is Enterprise and user has access to any | |||
| // of the response actions with exception of `release`. Sole access to `release` is something | |||
There was a problem hiding this comment.
nit: ... with the exception to ...
| @@ -122,6 +124,20 @@ export const calculateEndpointAuthz = ( | |||
| canWriteEventFilters, | |||
| canReadEventFilters, | |||
| }; | |||
|
|
|||
| // Response console is only accessible when is license is Enterprise and user has access to any | |||
|
|
||
| // Response console is only accessible when is license is Enterprise and user has access to any | ||
| // of the response actions with exception of `release`. Sole access to `release` is something | ||
| // that is supported for a user in a license downgrade scenario, and in that case we don't want |
There was a problem hiding this comment.
nit: ...in that case, we...
| Object.values(omit(RESPONSE_CONSOLE_ACTION_COMMANDS_TO_REQUIRED_AUTHZ, 'release')).some( | ||
| (responseActionAuthzKey) => { | ||
| return authz[responseActionAuthzKey]; | ||
| } | ||
| ); |
| agentStatus, | ||
| capabilities, | ||
| } = useHostIsolationStatus({ | ||
| agentId, | ||
| }); | ||
|
|
||
| const isolationSupported = useMemo(() => { | ||
| const doesHostSupportIsolation = useMemo(() => { |
| const isolateHostHandler = useCallback(() => { | ||
| closePopover(); | ||
| if (isolationStatus === false) { | ||
| if (isHostIsolated === false) { |
…less-access-to-isolate-release
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
…solated host in serverless tiers where Response Actions are not available (#163616) ## Summary - Fixes the loading of the Host Isolation sub-feature control into kibana - should always be loaded and includes only the `release` privilege in it - Fixes the "Take action" menu items for Host Isolation (displayed in alert details) to ensure `release` is displayed when host is isolated and user has `release` privilege only - Endpoint Response console will now NOT be available to users who only have `release` response action (this is a downgrade scenario where the user is still allowed to `release` isolated hosts)
Summary
releaseprivilege in itreleaseis displayed when host is isolated and user hasreleaseprivilege onlyreleaseresponse action (this is a downgrade scenario where the user is still allowed toreleaseisolated hosts)