[Security Solutions] Add PLI authorisation for Cases Connector #161343
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
machadoum
changed the title
machadoum
force-pushed
the
siem-explore-cases-PLI
branch
from
de96153
to
f3db48c
Compare
machadoum
changed the title
machadoum
added
Team:Threat Hunting
machadoum
force-pushed
the
siem-explore-cases-PLI
branch
3 times, most recently
from
c333188
to
11fe904
Compare
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/response-ops-cases (Feature:Cases) |
machadoum
force-pushed
the
siem-explore-cases-PLI
branch
2 times, most recently
from
6e0689c
to
8b47175
Compare
shahzad31
approved these changes
Jul 24, 2023
machadoum
force-pushed
the
siem-explore-cases-PLI
branch
from
8b47175
to
a5b6a1c
Compare
cnasikas
added
the
Team:ResponseOps
machadoum
force-pushed
the
siem-explore-cases-PLI
branch
from
aa0cacf
to
b69804f
Compare
|
This PR broke main and I had the need to revert it c4557dd |
This was referenced Aug 7, 2023
machadoum
added a commit
to machadoum/kibana
that referenced
this pull request
Aug 7, 2023
…Connector (elastic#161343)"" This reverts commit c4557dd.
This was referenced Aug 7, 2023
crespocarlos
pushed a commit
to crespocarlos/kibana
that referenced
this pull request
Aug 8, 2023
…ic#161343) ## Summary * Create a new capability called `cases_connectors` which will control the access to the cases connector feature. Note that for users to have access to this feature they also need to be authorized for cases feature and actions feature. * Create a new API tag `casesGetConnectorsConfigure` to restrict access to the Get Connectors APIs. ## Authorization For the authorization of users we use a) a new UI capability b) a new API access tag and c) the existing Cases RBAC. The Cases feature privilege in Security solution is constructed based on the configuration provided by the security serverless plugin. The UI capability, the API tag, and the cases operations will be added/removed depending on the configuration. ### UI capability We include the `CASES_CONNECTORS_CAPABILITY` which will be used by the UI to show/hide various UI components responsible for the case connectors feature. ### APIs There are two APIs that use connectors in Cases. The [Get Connectors API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#findCaseConnectors) which returns all supported connectors by Cases and the [Push Case API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#pushCaseDefaultSpace) that push a case to an external service. #### Get Connectors API The Get Connectors API does not interact with any of the cases' saved objects. It uses the `actionsClient`, provided by the actions plugin, to get all connectors and filter out the ones supported by cases. For that reason, an API tag called `GET_CONNECTORS_CONFIGURE_API_TAG` is added to the API to control access. If the user has access to any of the Cases kibana privilege features (Security, Observability, or Stack) it will have access to the API. This is an expected behavior and in the Security serverless project, only one Case feature will be available. #### Push Case API The Push Case API already authorizes users by using the Cases RBAC. The user should have the `push` operation set in the Cases Kibana feature privilege to be able to use the API. ## Permissions <meta charset="utf-8"><b style="font-weight:normal;" id="docs-internal-guid-d1fea174-7fff-4f03-ed2e-9fc3ad3ed789"><div dir="ltr" style="margin-left:0pt;" align="left"> Cases | Actions | Case Connectors | Outcome -- | -- | -- | -- read | all | all | See the connector but cannot edit (current behavior) read | all | none | Hide the connectors in Cases read | read | all | See the connector but cannot edit (current behavior) read | read | none | Hide the connectors in Cases all | all | all | Full access all | all | none | Hide the connectors in Cases all | read | all | See the connector but cannot edit (current behavior) all | read | none | Hide the connectors in Cases </div><br /></b> When the Actions is set to `none` all connector features are hidden ### How to test it? #### ESS * Run ESS and check if it still works as expected for all combinations of cases and actions permissions. #### Serverless * Run Serverless with security essentials (serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions. ``` xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'essentials' } ] ``` * Run Serverless with security complete (config/serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions. ``` xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'complete' }, ] ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
crespocarlos
pushed a commit
to crespocarlos/kibana
that referenced
this pull request
Aug 8, 2023
elastic#161343)" This reverts commit aa42bcc.
bryce-b
pushed a commit
to bryce-b/kibana
that referenced
this pull request
Aug 9, 2023
…ic#161343) ## Summary * Create a new capability called `cases_connectors` which will control the access to the cases connector feature. Note that for users to have access to this feature they also need to be authorized for cases feature and actions feature. * Create a new API tag `casesGetConnectorsConfigure` to restrict access to the Get Connectors APIs. ## Authorization For the authorization of users we use a) a new UI capability b) a new API access tag and c) the existing Cases RBAC. The Cases feature privilege in Security solution is constructed based on the configuration provided by the security serverless plugin. The UI capability, the API tag, and the cases operations will be added/removed depending on the configuration. ### UI capability We include the `CASES_CONNECTORS_CAPABILITY` which will be used by the UI to show/hide various UI components responsible for the case connectors feature. ### APIs There are two APIs that use connectors in Cases. The [Get Connectors API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#findCaseConnectors) which returns all supported connectors by Cases and the [Push Case API](https://www.elastic.co/guide/en/kibana/current/case-apis.html#pushCaseDefaultSpace) that push a case to an external service. #### Get Connectors API The Get Connectors API does not interact with any of the cases' saved objects. It uses the `actionsClient`, provided by the actions plugin, to get all connectors and filter out the ones supported by cases. For that reason, an API tag called `GET_CONNECTORS_CONFIGURE_API_TAG` is added to the API to control access. If the user has access to any of the Cases kibana privilege features (Security, Observability, or Stack) it will have access to the API. This is an expected behavior and in the Security serverless project, only one Case feature will be available. #### Push Case API The Push Case API already authorizes users by using the Cases RBAC. The user should have the `push` operation set in the Cases Kibana feature privilege to be able to use the API. ## Permissions <meta charset="utf-8"><b style="font-weight:normal;" id="docs-internal-guid-d1fea174-7fff-4f03-ed2e-9fc3ad3ed789"><div dir="ltr" style="margin-left:0pt;" align="left"> Cases | Actions | Case Connectors | Outcome -- | -- | -- | -- read | all | all | See the connector but cannot edit (current behavior) read | all | none | Hide the connectors in Cases read | read | all | See the connector but cannot edit (current behavior) read | read | none | Hide the connectors in Cases all | all | all | Full access all | all | none | Hide the connectors in Cases all | read | all | See the connector but cannot edit (current behavior) all | read | none | Hide the connectors in Cases </div><br /></b> When the Actions is set to `none` all connector features are hidden ### How to test it? #### ESS * Run ESS and check if it still works as expected for all combinations of cases and actions permissions. #### Serverless * Run Serverless with security essentials (serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions. ``` xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'essentials' } ] ``` * Run Serverless with security complete (config/serverless.security.yml) and check if it works as expected for all combinations of cases and actions permissions. ``` xpack.serverless.security.productTypes: [ { product_line: 'security', product_tier: 'complete' }, ] ``` ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Christos Nasikas <christos.nasikas@elastic.co>
bryce-b
pushed a commit
to bryce-b/kibana
that referenced
this pull request
Aug 9, 2023
elastic#161343)" This reverts commit aa42bcc.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
cases_connectorswhich will control the access to the cases connector feature. Note that for users to have access to this feature they also need to be authorized for cases feature and actions feature.casesGetConnectorsConfigureto restrict access to the Get Connectors APIs.Authorization
For the authorization of users we use a) a new UI capability b) a new API access tag and c) the existing Cases RBAC. The Cases feature privilege in Security solution is constructed based on the configuration provided by the security serverless plugin. The UI capability, the API tag, and the cases operations will be added/removed depending on the configuration.
UI capability
We include the
CASES_CONNECTORS_CAPABILITYwhich will be used by the UI to show/hide various UI components responsible for the case connectors feature.APIs
There are two APIs that use connectors in Cases. The Get Connectors API which returns all supported connectors by Cases and the Push Case API that push a case to an external service.
Get Connectors API
The Get Connectors API does not interact with any of the cases' saved objects. It uses the
actionsClient, provided by the actions plugin, to get all connectors and filter out the ones supported by cases. For that reason, an API tag calledGET_CONNECTORS_CONFIGURE_API_TAGis added to the API to control access. If the user has access to any of the Cases kibana privilege features (Security, Observability, or Stack) it will have access to the API. This is an expected behavior and in the Security serverless project, only one Case feature will be available.Push Case API
The Push Case API already authorizes users by using the Cases RBAC. The user should have the
pushoperation set in the Cases Kibana feature privilege to be able to use the API.Permissions
When the Actions is set to
noneall connector features are hiddenHow to test it?
ESS
Serverless
Checklist
Delete any items that are not applicable to this PR.