[Security Solution] Timeline actions displayed for users with Read authorization #147544
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
Exporting a timeline should probably still be enabled for users with only read I think. |
## Summary

This PR contains a fix for #147544. On the Timelines page, a Kibana read-only user was able to see and click on options to create and duplicate timelines. This PR fixes this bug by checking user privilege (have crud access) before showing timeline actions.

## After:

User with read only access to kibana security solutions can:
1) select timelines
2) export timelines
3) export timelines in bulk

User with crud access to kibana security solutions can:
1) select timelines
2) have the options to modify timelines as before
3) bulk actions include delete timelines and export timelines
4) see and click on 'import', 'Create new timeline', 'Create new timeline template' buttons

### User with read access but not crud access

- Have access to export ('Export selected'), cannot see 'Create new timeline' buttons

![image](https://user-images.githubusercontent.com/18648970/209210913-0554bc4c-5c8e-45ae-8e27-54a7e33e3f8e.png)

- 'Export selected' in bulk actions

![image](https://user-images.githubusercontent.com/18648970/209210992-f102d8d4-479f-4d0a-84c2-125cc754c5ce.png)

![image](https://user-images.githubusercontent.com/18648970/209021998-fbe0b63d-8dfd-4098-9774-7423899a45e1.png)

### User with full access

![image](https://user-images.githubusercontent.com/18648970/209209755-b5e5ce2b-0af9-42c6-b1cc-64a2675bf19d.png)

- 'Export selected' and 'Delete selected' available in bulk actions dropdown

![image](https://user-images.githubusercontent.com/18648970/210408773-0fc5b100-0f57-4526-9c8f-0aba1f1d0e76.png)

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> |
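The following is an added example, not Kibana's own code, that models the pattern the PR describes: the visible timeline actions are derived from the user's Security Solution privileges (read vs. crud), and the same rule is enforced again on the server, because hiding a button is not authorization (the QA comment below, where a read-only user's delete "succeeds" in the UI but nothing is deleted, shows why the server-side check matters). The capability shape, action names, `ForbiddenError` and the in-memory store are assumptions for illustration.

```typescript
// Added example (not Kibana's code). Capability names and action names are assumptions.
interface TimelineCapabilities {
  read: boolean; // may open the Timelines page and export
  crud: boolean; // may create, duplicate, modify, delete, import
}

type TimelineAction = 'export' | 'duplicate' | 'delete';
type BulkAction = 'export' | 'delete';
type PageButton = 'import' | 'createNewTimeline' | 'createNewTimelineTemplate';

// Each action declares whether it needs write (crud) privilege.
const ROW_ACTIONS: ReadonlyArray<{ action: TimelineAction; requiresCrud: boolean }> = [
  { action: 'export', requiresCrud: false },
  { action: 'duplicate', requiresCrud: true },
  { action: 'delete', requiresCrud: true },
];

const BULK_ACTIONS: ReadonlyArray<{ action: BulkAction; requiresCrud: boolean }> = [
  { action: 'export', requiresCrud: false },
  { action: 'delete', requiresCrud: true },
];

const PAGE_BUTTONS: PageButton[] = ['import', 'createNewTimeline', 'createNewTimelineTemplate'];

// Single gate used by every menu: no read means nothing, no crud means read-only items.
function allowed<T extends { requiresCrud: boolean }>(caps: TimelineCapabilities, items: ReadonlyArray<T>): T[] {
  if (!caps.read) return [];
  return items.filter((item) => caps.crud || !item.requiresCrud);
}

// Per-row "3 dots" menu of one listed timeline.
function rowActions(caps: TimelineCapabilities): TimelineAction[] {
  return allowed(caps, ROW_ACTIONS).map((a) => a.action);
}

// Bulk-actions dropdown; empty when nothing is selected.
function bulkActions(caps: TimelineCapabilities, selectedCount: number): BulkAction[] {
  if (selectedCount === 0) return [];
  return allowed(caps, BULK_ACTIONS).map((a) => a.action);
}

// Top-of-page buttons (import / create): all of them need crud.
function pageButtons(caps: TimelineCapabilities): PageButton[] {
  return caps.read && caps.crud ? [...PAGE_BUTTONS] : [];
}

// Server side: re-check privilege independently of what the client rendered.
class ForbiddenError extends Error {}

interface Timeline {
  id: string;
  title: string;
}

function deleteTimelines(caps: TimelineCapabilities, ids: string[], store: Map<string, Timeline>): number {
  if (!caps.crud) throw new ForbiddenError('deleting timelines requires crud privilege');
  let deleted = 0;
  for (const id of ids) {
    if (store.delete(id)) deleted += 1;
  }
  return deleted;
}

function exportTimelines(caps: TimelineCapabilities, ids: string[], store: Map<string, Timeline>): Timeline[] {
  if (!caps.read) throw new ForbiddenError('exporting timelines requires read privilege');
  return ids.flatMap((id) => {
    const t = store.get(id);
    return t ? [t] : [];
  });
}

// Constructed sample data for a stand-alone run.
function sampleStore(): Map<string, Timeline> {
  return new Map<string, Timeline>([
    ['t1', { id: 't1', title: 'Suspicious logon review' }],
    ['t2', { id: 't2', title: 'DNS beaconing hunt' }],
  ]);
}

const READ_ONLY: TimelineCapabilities = { read: true, crud: false };
const FULL: TimelineCapabilities = { read: true, crud: true };

console.log('read-only row menu:', rowActions(READ_ONLY)); // only export
console.log('crud row menu:', rowActions(FULL));
console.log('read-only bulk menu:', bulkActions(READ_ONLY, 2));
```

Keeping one `allowed` gate for every menu means a new action cannot be added without declaring whether it needs crud, and the server functions repeat the check so a crafted request from a read-only session is rejected regardless of the UI state.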
@MadameSheema, it looks like @christineweng merged the fix for this in #147964, can you please verify on main & the latest BC? Thanks! |
Also changed to |
Sure!! @karanbirsingh-qasource @deepikakeshav-qasource, can you please validate the fix on latest BC? Thanks! :) |
[Security Solution][Bug] Add privilege check in open timeline (#147964), cherry picked from commit 3abf705. Conflicts resolved in x-pack/plugins/security_solution/public/timelines/components/open_timeline/open_timeline.test.tsx, x-pack/plugins/security_solution/public/timelines/components/open_timeline/open_timeline.tsx and x-pack/plugins/security_solution/public/timelines/components/open_timeline/timelines_table/actions_columns.tsx. |
# Backport (#148587): This will backport the following commits from `main` to `8.6`: - [[Security Solution][Bug] Add privilege check in open timeline (#147964)](#147964). Questions? Please refer to the [Backport tool documentation](https://github.com/sqren/backport). Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> |
We have validated this issue on 8.6 BC10 and found the issue still occurring. When a user deletes a timeline with read authorization, a success message is displayed but the action is not performed. Please look into the observations below in case we are missing something in testing. Build Details:
Screen-Cast: Recording.1.mp4. In case the above video is not playing, please access this link https://drive.google.com/file/d/1RNs6qjHbW6lBAHkM4DYk3yGWP8HXcwpO/view?usp=sharing Authorization Role Configuration |
@michaelolo24 @christineweng can you please take a look at the above? Thanks! |
@MadameSheema Observation of this issue on Kibana main: for a read-access user, only the export action for a timeline is available. |
@MadameSheema @karanbirsingh-qasource this PR didn't make it to BC10, could you check in the next BC and let me know if the issue persists? |
Thanks for the update @christineweng! We are not going to have more BCs since 8.6 has been released today, the fix will be available on 8.6.1. |
We have validated this issue on 8.6.1 BC1 and found the issue to be fixed now. Hence we are closing this issue and adding the "QA:Validated" tag to it. Thanks!! |
Describe the bug:
Read authorization

Kibana/Elasticsearch Stack version:

Initial setup:

Steps to reproduce:
Timelines page, 3 dots of one of the listed timelines

Current behavior:

Expected behavior:

Additional information:
Bulk actions