[Security Solution] [Detections] Add "read index" privilege check on rule execution #83134
Conversation
dhurley14
changed the title
dhurley14
force-pushed
the
privilege-check-execution
branch
from
e3bd9d6 to
efa3efc
Compare
…se lines into a util function to be used in create rules and use that check on the UI too
dhurley14
force-pushed
the
privilege-check-execution
branch
from
efa3efc to
b79dd8a
Compare
dhurley14
added
release_note:enhancement
review
Team: SecuritySolution
...plugins/security_solution/server/lib/detection_engine/signals/signal_rule_alert_type.test.ts
Outdated
Show resolved
Hide resolved
| await ruleStatusService.goingToRun(); | ||
|
|
||
| // check if rule has permissions to access given index pattern |
There was a problem hiding this comment.
Is this a TO DO? Would definitely be great to move out for testing too.
There was a problem hiding this comment.
I had written a function in the old multiple timestamps PR (which was closed) that would have been the home for this privilege check as well. Maybe in 7.12 I can bring that function back. I think once we add more types of pre-execution checks we can merge them into a single function to be executed at the top of the rule executor like this privilege check is now.
| @@ -600,7 +625,7 @@ export const signalRulesAlertType = ({ | |||
| `[+] Finished indexing ${result.createdSignalsCount} signals into ${outputIndex}` | |||
| ) | |||
| ); | |||
| if (!hasError) { | |||
| if (!hasError && !wroteStatus) { | |||
There was a problem hiding this comment.
We'll only be reporting success if it checked all indices? Wondering if we should start better documenting/defining what "successful" rule run means. Like in this case if we successfully searched the indices we could, I might expect a success with a warning?
There was a problem hiding this comment.
So, my thinking was if the rule can't search every index pattern provided because it's missing read privileges we would want to say "this partially failed" because we couldn't do everything the rule was written to accomplish https://github.com/elastic/kibana/pull/83134/files/b79dd8abf743a5451c3346f7dd004735b7beb732#diff-bd205efcb13acaf5f9552bd573f21422d37d60c6f2aa03ae7f98d18b95fbc6e4R194. We could re-work the partial failure status to just be a "warning" status maybe? Maybe that would clear things up. What do you think?
There was a problem hiding this comment.
Yea, that makes sense too, if we weren't able to fulfill what the rule is asking. No need to change anything, maybe just an interesting convo to have at a team meeting about how to qualify different states.
…to ANY of the index patterns provided
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
…rule execution (elastic#83134) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…rule execution (elastic#83134) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…ck on rule execution (#83134) (#86849) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
…eck on rule execution (#83134) (#86850) * adds privilege check in rule execution function, need to abstract these lines into a util function to be used in create rules and use that check on the UI too * fixes tests * cleanup code, adds a unit test * set rule to failure status if the rule does not have read privileges to ANY of the index patterns provided
Summary
Adds a privilege check on each rule execution to ensure the user who's api key is associated with the rule has read privileges on the index.
Indices for testing
*:*on index patternsmyfa*andsome*. Ensure the rule starts to run successfully. This rule will be using the api key of the superuser you logged in with and will have read privileges to the above index patterns.t1_analystuser herex-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/detections_role.jsonto havereadprivileges for the index pattern"myfa*". Save and execute the following within thedetection_engine/scripts/roles_users/t1_analystdirectory:t1_analystand re-enable the rule (the rule is now running with thet1_analystprivileges). Once the rule completes running it should have the following partial error message on the rule details page.Checklist
Delete any items that are not applicable to this PR.
For maintainers