Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution] Make savedQueryManagement feature explicit in Serverless #208911

Merged
merged 4 commits into from
Jan 31, 2025
Merged

[Security Solution] Make savedQueryManagement feature explicit in Serverless #208911

merged 4 commits into from
Jan 31, 2025
+12 −58

Conversation

semd
Copy link
Contributor

@semd semd commented Jan 30, 2025
edited by kibanamachine
Loading

Summary

Remove the implicit grant of the savedQueryManagement feature with the Security Solution basic feature (ID: siemV2) in Serverless.

This is a follow-up of #202863

Feature siemV2

This change only affects new roles created with the siemV2 feature, introduced recently here.
This change will align the Roles UI in Serverless and ESS, both requiring the savedQueryManagement feature to be explicitly granted to be able to manage saved queries.

Feature siem

Roles using the deprecated siem feature will still implicitly receive the savedQueryManagement feature (via an implicit grant of discover, dashboard, visualize, and maps) + migration to their *v2 features which include savedQueryManagement. So there's no behavior change for existing roles using the old siem feature (no breaking change).

Screenshots

The siem/siemV2 feature toggle:
siem feature

The savedQueryManagement feature toggle:
Saved query feature

@semd semd added release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. backport:version Backport to applied version labels v8.18.0 labels Jan 30, 2025
@semd semd self-assigned this Jan 30, 2025
@semd semd requested review from a team as code owners January 30, 2025 11:04
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@SiddharthMantri SiddharthMantri self-requested a review January 30, 2025 14:27
@SiddharthMantri
Copy link
Contributor

SiddharthMantri commented Jan 30, 2025
edited
Loading

Hi @semd - we've noticed an issue when testing this. cc: @azasypkin @jeramysoucy

  • On creating a role that grants feature_siem.all , we would expect to see Saved Query Management granted implicitly for that role and then see that as toggled in the UI. However, this is what we see - Saved Query Management is not granted. ⚠️ Is this expected?
    image

  • If we create a role granting feature_maps.all, we do however see the Saved Query Management privilege being granted:
    image

  • On creating a role that grants feature_siemV2.all, we see the UI working as expected, i.e, Saved Query Management is not granted.
    image

@semd
Copy link
Contributor Author

semd commented Jan 30, 2025

@SiddharthMantri

  • On creating a role that grants feature_siem.all , we would expect to see Saved Query Management granted implicitly for that role and then see that as toggled in the UI. However, this is what we see - Saved Query Management is not granted. ⚠️ Is this expected?

Yes, this is expected with the deprecated siem feature, this feature implicitly grants the savedQueryManagement feature. This means that users will have the privileges to go and manage saved queries, even when they do not have the "Saved Query Management" feature explicitly enabled.

This is exactly what we are trying to prevent for siemV2 in this PR, for siem we don't want to change the behavior because that would become a breaking change.

If we create a role granting feature_maps.all, we do however see the Saved Query Management privilege being granted:

This happens because feature_maps.all is replacedBy to maps_v2 + savedQueryManagement via migration (kibana config deprecation), there's no feature override involved.

For the siem feature, on the other hand, the maps is implicitly granted via override:

kibana/config/serverless.security.yml

Lines 64 to 88 in 0e7c608

siem:
privileges:
### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
### Visualize features.
all.composedOf:
- feature: "discover"
privileges: [ "all" ]
- feature: "dashboard"
privileges: [ "all" ]
- feature: "visualize"
privileges: [ "all" ]
- feature: "maps"
privileges: [ "all" ]
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
### Dashboard, and Visualize apps.
read.composedOf:
- feature: "discover"
privileges: [ "read" ]
- feature: "dashboard"
privileges: [ "read" ]
- feature: "visualize"
privileges: [ "read" ]
- feature: "maps"
privileges: [ "read" ]

Then maps is converted to maps_v2 + savedQueryManagement, but Roles UI ignores everything granted via override. If you remove the maps_v2.hidden: true you will also see it disabled.
I assume that's the expected behavior because we have the convention to set hidden: true for these features as well. We could discuss that with @azasypkin.

In summary, this feature is causing weird behavior in the Roles UI, as you see, that's what we are trying to fix for the siemV2 feature

SiddharthMantri
SiddharthMantri approved these changes Jan 30, 2025
View reviewed changes
Copy link
Contributor

@SiddharthMantri SiddharthMantri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@semd Thank you for the detailed explanation. I also confirmed with @azasypkin that this is as expected. Everything else looks good to me!

@semd
Copy link
Contributor Author

semd commented Jan 31, 2025

The PR also fixes a bug detected by MKI tests here, related to the deprecated siem feature override, the composed features were not properly migrated to v2 after the override. To fix that we directly grant the v2 features + savedQueryManagement instead of the deprecated ones.

@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 31, 2025
edited
Loading

💛 Build succeeded, but was flaky

  • Buildkite Build
  • Commit: d3b2e31
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-208911-d3b2e31e2b9b

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #3 / FileDeleteButton isIcon clicking delete button opens the confirmation modal
  • [job] [logs] Jest Tests #3 / FileDeleteButton isIcon clicking delete button opens the confirmation modal

Metrics [docs]

✅ unchanged

History

cc @semd

@semd semd enabled auto-merge (squash) January 31, 2025 14:21
@semd semd merged commit 3d5972a into elastic:main Jan 31, 2025
9 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.18, 9.0

https://github.com/elastic/kibana/actions/runs/13075186306

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jan 31, 2025
@semd
[Security Solution] Make savedQueryManagement feature explicit in Ser…
0bc680d 
…verless (elastic#208911)

## Summary

Remove the implicit grant of the `savedQueryManagement` feature with the
Security Solution basic feature (ID: `siemV2`) in Serverless.

This is a follow-up of elastic#202863

### Feature `siemV2`
This change only affects new roles created with the `siemV2` feature,
introduced recently
[here](elastic#201780).
This change will align the Roles UI in Serverless and ESS, both
requiring the `savedQueryManagement` feature to be explicitly granted to
be able to manage saved queries.

### Feature `siem`
Roles using the deprecated `siem` feature will still implicitly receive
the `savedQueryManagement` feature (via an implicit grant of `discover`,
`dashboard`, `visualize`, and `maps`) + migration to their `*v2`
features which include `savedQueryManagement`. So there's no behavior
change for existing roles using the old `siem` feature (no breaking
change).

## Screenshots

The siem/siemV2 feature toggle:
<img width="774" alt="siem feature"
src="https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c"
/>

The savedQueryManagement feature toggle:
<img width="774" alt="Saved query feature"
src="https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b"
/>

(cherry picked from commit 3d5972a)
@kibanamachine kibanamachine mentioned this pull request Jan 31, 2025
Merged
@kibanamachine
Copy link
Contributor

💔 Some backports could not be created

Status Branch Result
8.18 Backport failed because of merge conflicts
9.0

Note: Successful backport PRs will be merged automatically after passing CI.

Manual backport

To create the backport manually run:

node scripts/backport --pr 208911

Questions ?

Please refer to the Backport tool documentation

@semd semd removed v8.18.0 backport:version Backport to applied version labels labels Jan 31, 2025
@semd semd added the backport:skip This commit does not require backporting label Jan 31, 2025
kibanamachine added a commit that referenced this pull request Jan 31, 2025
@kibanamachine @semd
[9.0] [Security Solution] Make savedQueryManagement feature explicit …
4e434ec 
…in Serverless (#208911) (#209127)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Security Solution] Make savedQueryManagement feature explicit in
Serverless (#208911)](#208911)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Massaneda","email":"sergi.massaneda@elastic.co"},"sourceCommit":{"committedDate":"2025-01-31T14:56:06Z","message":"[Security
Solution] Make savedQueryManagement feature explicit in Serverless
(#208911)\n\n## Summary\r\n\r\nRemove the implicit grant of the
`savedQueryManagement` feature with the\r\nSecurity Solution basic
feature (ID: `siemV2`) in Serverless.\r\n\r\n\r\nThis is a follow-up of
https://github.com/elastic/kibana/pull/202863\r\n\r\n### Feature
`siemV2`\r\nThis change only affects new roles created with the `siemV2`
feature,\r\nintroduced
recently\r\n[here](https://github.com/elastic/kibana/pull/201780).\r\nThis
change will align the Roles UI in Serverless and ESS, both\r\nrequiring
the `savedQueryManagement` feature to be explicitly granted to\r\nbe
able to manage saved queries.\r\n\r\n### Feature `siem`\r\nRoles using
the deprecated `siem` feature will still implicitly receive\r\nthe
`savedQueryManagement` feature (via an implicit grant of
`discover`,\r\n`dashboard`, `visualize`, and `maps`) + migration to
their `*v2`\r\nfeatures which include `savedQueryManagement`. So there's
no behavior\r\nchange for existing roles using the old `siem` feature
(no breaking\r\nchange).\r\n\r\n## Screenshots\r\n\r\nThe siem/siemV2
feature toggle:\r\n<img width=\"774\" alt=\"siem
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c\"\r\n/>\r\n\r\nThe
savedQueryManagement feature toggle:\r\n<img width=\"774\" alt=\"Saved
query
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b\"\r\n/>","sha":"3d5972aa0f2650a1ac94b3485ea91c26d68a131f","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:
SecuritySolution","ci:build-serverless-image","backport:version","v8.18.0","v9.1.0"],"title":"[Security
Solution] Make savedQueryManagement feature explicit in
Serverless","number":208911,"url":"https://github.com/elastic/kibana/pull/208911","mergeCommit":{"message":"[Security
Solution] Make savedQueryManagement feature explicit in Serverless
(#208911)\n\n## Summary\r\n\r\nRemove the implicit grant of the
`savedQueryManagement` feature with the\r\nSecurity Solution basic
feature (ID: `siemV2`) in Serverless.\r\n\r\n\r\nThis is a follow-up of
https://github.com/elastic/kibana/pull/202863\r\n\r\n### Feature
`siemV2`\r\nThis change only affects new roles created with the `siemV2`
feature,\r\nintroduced
recently\r\n[here](https://github.com/elastic/kibana/pull/201780).\r\nThis
change will align the Roles UI in Serverless and ESS, both\r\nrequiring
the `savedQueryManagement` feature to be explicitly granted to\r\nbe
able to manage saved queries.\r\n\r\n### Feature `siem`\r\nRoles using
the deprecated `siem` feature will still implicitly receive\r\nthe
`savedQueryManagement` feature (via an implicit grant of
`discover`,\r\n`dashboard`, `visualize`, and `maps`) + migration to
their `*v2`\r\nfeatures which include `savedQueryManagement`. So there's
no behavior\r\nchange for existing roles using the old `siem` feature
(no breaking\r\nchange).\r\n\r\n## Screenshots\r\n\r\nThe siem/siemV2
feature toggle:\r\n<img width=\"774\" alt=\"siem
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c\"\r\n/>\r\n\r\nThe
savedQueryManagement feature toggle:\r\n<img width=\"774\" alt=\"Saved
query
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b\"\r\n/>","sha":"3d5972aa0f2650a1ac94b3485ea91c26d68a131f"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/208911","number":208911,"mergeCommit":{"message":"[Security
Solution] Make savedQueryManagement feature explicit in Serverless
(#208911)\n\n## Summary\r\n\r\nRemove the implicit grant of the
`savedQueryManagement` feature with the\r\nSecurity Solution basic
feature (ID: `siemV2`) in Serverless.\r\n\r\n\r\nThis is a follow-up of
https://github.com/elastic/kibana/pull/202863\r\n\r\n### Feature
`siemV2`\r\nThis change only affects new roles created with the `siemV2`
feature,\r\nintroduced
recently\r\n[here](https://github.com/elastic/kibana/pull/201780).\r\nThis
change will align the Roles UI in Serverless and ESS, both\r\nrequiring
the `savedQueryManagement` feature to be explicitly granted to\r\nbe
able to manage saved queries.\r\n\r\n### Feature `siem`\r\nRoles using
the deprecated `siem` feature will still implicitly receive\r\nthe
`savedQueryManagement` feature (via an implicit grant of
`discover`,\r\n`dashboard`, `visualize`, and `maps`) + migration to
their `*v2`\r\nfeatures which include `savedQueryManagement`. So there's
no behavior\r\nchange for existing roles using the old `siem` feature
(no breaking\r\nchange).\r\n\r\n## Screenshots\r\n\r\nThe siem/siemV2
feature toggle:\r\n<img width=\"774\" alt=\"siem
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/2759988a-3cf8-4e1f-9431-16c09cf9d95c\"\r\n/>\r\n\r\nThe
savedQueryManagement feature toggle:\r\n<img width=\"774\" alt=\"Saved
query
feature\"\r\nsrc=\"https://github.com/user-attachments/assets/d0145244-f4b8-4577-b91f-93f4dd1f758b\"\r\n/>","sha":"3d5972aa0f2650a1ac94b3485ea91c26d68a131f"}}]}]
BACKPORT-->

Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SiddharthMantri SiddharthMantri SiddharthMantri approved these changes

@gsoldevila gsoldevila gsoldevila approved these changes

Assignees

@semd semd

Labels
backport:skip This commit does not require backporting ci:build-serverless-image release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v9.0.0 v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@semd @elasticmachine @SiddharthMantri @kibanamachine @gsoldevila @pheyos