[Security Solutions] Add PLI authorisation for Cases Connector #161343
Merged
machadoum changed the title from "DRAFT cases PLI" to "[Security Solutions] Add PLI authorisation for Cases Connectors" (Jul 24, 2023)
machadoum force-pushed the siem-explore-cases-PLI branch from de96153 to f3db48c (July 24, 2023 08:58)
machadoum changed the title from "[Security Solutions] Add PLI authorisation for Cases Connectors" to "[Security Solutions] Add PLI authorisation for Cases Connector" (Jul 24, 2023)
machadoum added the labels Team:Threat Hunting, Feature:Cases, Team:Threat Hunting:Explore, Project:Serverless, Team: SecuritySolution, v8.10.0, release_note:skip (Jul 24, 2023)
machadoum force-pushed the siem-explore-cases-PLI branch 3 times, most recently from c333188 to 11fe904 (July 24, 2023 12:52)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/response-ops-cases (Feature:Cases)
machadoum force-pushed the siem-explore-cases-PLI branch 2 times, most recently from 6e0689c to 8b47175 (July 24, 2023 14:09)
shahzad31 approved these changes (Jul 24, 2023)
machadoum force-pushed the siem-explore-cases-PLI branch from 8b47175 to a5b6a1c (July 24, 2023 15:33)
cnasikas added the Team:ResponseOps label (Jul 25, 2023)
machadoum force-pushed the siem-explore-cases-PLI branch from aa0cacf to b69804f (July 27, 2023 10:48)
This PR broke main and I had the need to revert it c4557dd
This was referenced Aug 7, 2023
machadoum added a commit to machadoum/kibana that referenced this pull request (Aug 7, 2023)
…Connector (elastic#161343)"" This reverts commit c4557dd.
This was referenced Aug 7, 2023
crespocarlos pushed a commit to crespocarlos/kibana that referenced this pull request (Aug 8, 2023)
…ic#161343)

## Summary

* Create a new capability called `cases_connectors` which will control the access to the cases connector feature. Note that for users to have access to this feature they also need to be authorized for cases feature and actions feature.
* Create a new API tag `casesGetConnectorsConfigure` to restrict access to the Get Connectors APIs.

## Authorization

For the authorization of users we use a) a new UI capability b) a new API access tag and c) the existing Cases RBAC. The Cases feature privilege in Security solution is constructed based on the configuration provided by the security serverless plugin. The UI capability, the API tag, and the cases operations will be added/removed depending on the configuration.

### UI capability

We include the `CASES_CONNECTORS_CAPABILITY` which will be used by the UI to show/hide various UI components responsible for the case connectors feature.

### APIs

There are two APIs that use connectors in Cases. The [Get Connectors API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#findCaseConnectors) which returns all supported connectors by Cases and the [Push Case API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#pushCaseDefaultSpace) that push a case to an external service.

#### Get Connectors API

The Get Connectors API does not interact with any of the cases' saved objects. It uses the `actionsClient`, provided by the actions plugin, to get all connectors and filter out the ones supported by cases. For that reason, an API tag called `GET_CONNECTORS_CONFIGURE_API_TAG` is added to the API to control access. If the user has access to any of the Cases kibana privilege features (Security, Observability, or Stack) it will have access to the API. This is an expected behavior and in the Security serverless project, only one Case feature will be available.

#### Push Case API

The Push Case API already authorizes users by using the Cases RBAC. The user should have the `push` operation set in the Cases Kibana feature privilege to be able to use the API.

## Permissions

Cases | Actions | Case Connectors | Outcome
-- | -- | -- | --
read | all | all | See the connector but cannot edit (current behavior)
read | all | none | Hide the connectors in Cases
read | read | all | See the connector but cannot edit (current behavior)
read | read | none | Hide the connectors in Cases
all | all | all | Full access
all | all | none | Hide the connectors in Cases
all | read | all | See the connector but cannot edit (current behavior)
all | read | none | Hide the connectors in Cases

When the Actions is set to `none` all connector features are hidden

### How to test it?

#### ESS

* Run ESS and check if it still works as expected for all combinations of cases and actions permissions.

#### Serverless

* Run Serverless with security essentials (serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions.

```
xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'essentials' } ]
```

* Run Serverless with security complete (config/serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions.

```
xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'complete' }, ]
```

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
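The three authorization layers described in the commit message above, sketched as an added TypeScript example; it is not code from this PR or from Kibana. Only the values `cases_connectors`, `casesGetConnectorsConfigure` and `push` come from the page; the function names, the base privilege entries and the handling of a `none` Cases level are assumptions.

```typescript
// Added illustration, not Kibana source. Only the three constants' values come
// from the PR; every other name and the base privilege entries are hypothetical.
const CASES_CONNECTORS_CAPABILITY = 'cases_connectors';
const GET_CONNECTORS_CONFIGURE_API_TAG = 'casesGetConnectorsConfigure';
const PUSH_OPERATION = 'push';

type Level = 'none' | 'read' | 'all';
type Outcome = 'hidden' | 'view-only' | 'full';
interface CasesPrivilege { ui: string[]; api: string[]; operations: string[]; }

// Construct the Cases feature privilege from product configuration. The UI
// capability, API tag and push operation are granted or withheld as a unit,
// so the UI never offers something the server-side checks below would refuse.
function buildCasesPrivilege(connectorsEnabled: boolean): CasesPrivilege {
  const p: CasesPrivilege = {
    ui: ['read_cases'],          // hypothetical base capability
    api: ['casesApiRead'],       // hypothetical base API tag
    operations: ['getCase'],     // hypothetical base operation
  };
  if (connectorsEnabled) {
    p.ui.push(CASES_CONNECTORS_CAPABILITY);
    p.api.push(GET_CONNECTORS_CONFIGURE_API_TAG);
    p.operations.push(PUSH_OPERATION);
  }
  return p;
}

// Server-side checks: hiding UI components is not authorization, so each API
// verifies its own grant (API tag for Get Connectors, RBAC operation for Push).
function canGetConnectors(p: CasesPrivilege): boolean {
  return p.api.indexOf(GET_CONNECTORS_CONFIGURE_API_TAG) !== -1;
}
function canPushCase(p: CasesPrivilege): boolean {
  return p.operations.indexOf(PUSH_OPERATION) !== -1;
}

// UI outcome for one user, following the PR's permissions table. Treating
// cases === 'none' as hidden is an assumption; the table lists only read and all.
function connectorOutcome(cases: Level, actions: Level, connectors: 'none' | 'all'): Outcome {
  if (cases === 'none' || actions === 'none' || connectors === 'none') return 'hidden';
  return cases === 'all' && actions === 'all' ? 'full' : 'view-only';
}
```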
crespocarlos pushed a commit to crespocarlos/kibana that referenced this pull request (Aug 8, 2023)
elastic#161343)" This reverts commit aa42bcc.
bryce-b pushed a commit to bryce-b/kibana that referenced this pull request (Aug 9, 2023)
bryce-b pushed a commit to bryce-b/kibana that referenced this pull request (Aug 9, 2023)
elastic#161343)" This reverts commit aa42bcc.
Labels
backport:skip (This commit does not require backporting)
ci:cloud-deploy (Create or update a Cloud deployment)
Feature:Cases (Cases feature)
Project:Serverless (Work as part of the Serverless project for its initial release)
release_note:skip (Skip the PR/issue when compiling release notes)
reverted
Team:ResponseOps (Label for the ResponseOps team (formerly the Cases and Alerting teams))
Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
Team:Threat Hunting:Explore
Team:Threat Hunting (Security Solution Threat Hunting Team)
v8.10.0