-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Event log authorization on additional saved objects #62668
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
For question 1, I'm thinking we keep it simple and fail the entire request (403). There shouldn't be a scenario the user doesn't have access to actions but has access to alerts. Though, the opposite direction will have issues (actions referencing alerts the user doesn't have access to) but we can defer further changes and re-explore question 1 then. |
I can see arguments for omitting as well once this is used wider than Alerting, which I feel should be out thinking in relation to EventLog. Perhaps we can make this configurable (a strictness level config controlled as a query param) or perhaps a separate API endpoint? |
I'm usually not a fan of omitting just because it would cause weird pagination behaviour in a data table. One page may return 3 events, the next would return 9 events, the next 0 events, etc. |
Another thing to think about is the |
Agreed The solution for this should follow the same authorization mechanism developed in #63961. |
Here's a route I'm trying, which seems promising. Add a new field in the kibana/x-pack/plugins/alerting/server/task_runner/create_execution_handler.ts Lines 92 to 103 in 6bf0e73
Then change the query functionality to only return documents with the requested saved object with the What this means today is that the search for action saved objects will no longer return those alerting executeAction documents, only action execution documents, which don't reference the alert saved object (today). Which is the behavior we want - if you have an alert saved object, you should be able to see what actions it executed. But if you have an action saved object, you won't know what alerts executed it - you will know that it executed though. In general, this This might still not be strict enough - should we restrict who can see action execution? Though the plan would be to add Side note: it's becoming clearer to me that we will likely want some kind of new role to allow more general queries through the event log - for admin-type folks, in secure environments. So I'm not terribly concerned that by default action execution might not be viewable without elevated privileges. The data we store today for alert and action execution is ... not much ... an error message ... but we'd like to store more things like action execution result data, alert state, alert instance state, etc. |
The approach makes sense to me, it will secure things until we need to expose logs referencing saved objects that aren't the primary one (if ever that's the path we go in the future).
I think that's ok, is there any information stored that the user shouldn't see? If not, that's fine. |
resolves elastic#62668 Adds a property named `rel` to the nested saved objects in the event documents, whose value should not be set, or set to `primary`. The query by saved object function changes to only match event documents with that saved objects if it has the `rel: primary` value. This is used to limit searching alerting's executeAction event document with only the alert saved object, and not the action saved object (this document has an alert and action saved object). The alert saved object has the `rel: primary` field set, and the action does not. Previously, those documents were returned with a query of the action saved object.
Yeah, we're fine today, but as soon as we add action/alert executor input/results/etc to the event log, we'll have to revisit. |
👌 that's true, I've made a comment here: #63755 (comment) to keep that in mind. |
resolves #62668 Adds a property named `rel` to the nested saved objects in the event documents, whose value should not be set, or set to `primary`. The query by saved object function changes to only match event documents with that saved objects if it has the `rel: primary` value. This is used to limit searching alerting's executeAction event document with only the alert saved object, and not the action saved object (this document has an alert and action saved object). The alert saved object has the `rel: primary` field set, and the action does not. Previously, those documents were returned with a query of the action saved object.
…ic#64615) resolves elastic#62668 Adds a property named `rel` to the nested saved objects in the event documents, whose value should not be set, or set to `primary`. The query by saved object function changes to only match event documents with that saved objects if it has the `rel: primary` value. This is used to limit searching alerting's executeAction event document with only the alert saved object, and not the action saved object (this document has an alert and action saved object). The alert saved object has the `rel: primary` field set, and the action does not. Previously, those documents were returned with a query of the action saved object.
… (#64866) resolves #62668 Adds a property named `rel` to the nested saved objects in the event documents, whose value should not be set, or set to `primary`. The query by saved object function changes to only match event documents with that saved objects if it has the `rel: primary` value. This is used to limit searching alerting's executeAction event document with only the alert saved object, and not the action saved object (this document has an alert and action saved object). The alert saved object has the `rel: primary` field set, and the action does not. Previously, those documents were returned with a query of the action saved object.
Follow up from: #55640 (comment).
The event log allows to link one event to zero/one/many saved objects. The query API requires a single saved object to be passed in and does authorization checks up front but we may need to handle authorization on the extra saved objects that may be part of an event.
Questions
1. How do we handle event logs with unauthorized access to some saved objects?
2. How do we handle objects that are deleted? We can't see if the user had authorized access to it or not.
The text was updated successfully, but these errors were encountered: