
[Security Solution] Timeline actions displayed for users with Read authorization #147544

Closed
MadameSheema opened this issue Dec 14, 2022 · 12 comments
Labels
bug Fixes for quality problems that affect the customer experience fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v8.6.1 v8.7.0

Comments

@MadameSheema
Member

Describe the bug:

  • Timeline actions displayed for users with Read authorization

Kibana/Elasticsearch Stack version:

  • 8.6.0-BC7

Initial setup:

  • To have at least one timeline created on the instance
  • To have a user with read Kibana privileges for the Security Solution application

Steps to reproduce:

  1. With the user with read privileges, navigate to the Timelines page
  2. Click on the 3 dots of one of the listed timelines

Current behavior:

  • All the actions are displayed
  • When the user tries to delete the timeline, a successful message is displayed
  • The action is not performed

Expected behavior:

  • No actions are displayed or are disabled

Additional information:

  • The same behaviour can be reproduced with Bulk actions
  • The same behaviour can be reproduced with Timeline Templates
  • API request and response:
    Request URL: /api/timeline
    Request Method: DELETE
    Status Code: 403
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience triage_needed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Threat Hunting Security Solution Threat Hunting Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team labels Dec 14, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@kqualters-elastic
Contributor

Exporting a timeline should probably still be enabled for users with only read I think.

christineweng added a commit that referenced this issue Jan 3, 2023
## Summary

This PR contains fixes for
#147544. On the Timelines page, a
Kibana read-only user was able to see and click on options to create and
duplicate timelines. This PR fixes this bug by checking user privilege
(have crud access) before showing timeline actions.

## After: 
User with read only access to kibana security solutions can: 
1) select timelines
2) export timelines
3) export timelines in bulk

User with crud access to kibana security solutions can: 
1) select timelines
2) have the options to modify timelines as before
3) bulk actions include delete timelines and export timelines
4) see and click on 'import', 'Create new timeline', 'Create new
timeline template' buttons

### User with read access but not crud access
- Have access to export ('Export selected'), cannot see 'Create new
timeline' buttons

![image](https://user-images.githubusercontent.com/18648970/209210913-0554bc4c-5c8e-45ae-8e27-54a7e33e3f8e.png)

- 'Export selected' in bulk actions

![image](https://user-images.githubusercontent.com/18648970/209210992-f102d8d4-479f-4d0a-84c2-125cc754c5ce.png)


![image](https://user-images.githubusercontent.com/18648970/209021998-fbe0b63d-8dfd-4098-9774-7423899a45e1.png)

### User with full access

![image](https://user-images.githubusercontent.com/18648970/209209755-b5e5ce2b-0af9-42c6-b1cc-64a2675bf19d.png)

- 'Export selected' and 'Delete selected' available in bulk actions
dropdown

![image](https://user-images.githubusercontent.com/18648970/210408773-0fc5b100-0f57-4526-9c8f-0aba1f1d0e76.png)

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
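The two halves of this bug, the UI offering mutating actions to a read-only user and a 403 from `DELETE /api/timeline` being reported as success, can be shown together in a small privilege-gating model. This is an added example written for this page, not Kibana's own code: the capability shape `{ read, crud }`, the action names and the `deleteOutcome` helper are assumptions modelled on the PR description above, and the server is assumed to keep enforcing authorization regardless of what the client shows.

```typescript
// Added example, not Kibana's own code. Models (1) which timeline actions
// the UI should offer for a given set of Security Solution privileges and
// (2) how the HTTP status of a delete call should be reported, so that a
// 403 is never surfaced as a success toast.
// The { read, crud } capability shape is an assumption modelled on the PR
// description ("checking user privilege (have crud access)").

interface TimelineCapabilities {
  read: boolean; // may view timelines
  crud: boolean; // may create, update and delete timelines
}

type TimelineAction =
  | 'select'
  | 'export'
  | 'duplicate'
  | 'delete'
  | 'create'
  | 'createTemplate'
  | 'import';

// Non-mutating actions: safe to offer to a read-only user (export stays
// available, as requested in the thread).
const READ_ACTIONS: TimelineAction[] = ['select', 'export'];

// Actions that create or modify saved objects: require crud access.
const CRUD_ACTIONS: TimelineAction[] = [
  'duplicate',
  'delete',
  'create',
  'createTemplate',
  'import',
];

// Per-row ("3 dots") and page-level actions a user should be offered.
function availableTimelineActions(caps: TimelineCapabilities): TimelineAction[] {
  if (!caps.read) {
    return [];
  }
  return caps.crud ? READ_ACTIONS.concat(CRUD_ACTIONS) : READ_ACTIONS.slice();
}

// Bulk-action dropdown entries, gated by the same capability check.
function availableBulkActions(caps: TimelineCapabilities): string[] {
  const actions = availableTimelineActions(caps);
  const bulk: string[] = [];
  if (actions.indexOf('export') !== -1) {
    bulk.push('Export selected');
  }
  if (actions.indexOf('delete') !== -1) {
    bulk.push('Delete selected');
  }
  return bulk;
}

interface DeleteOutcome {
  ok: boolean;
  message: string;
}

// The server already rejects the read-only user (the issue shows
// DELETE /api/timeline answering 403). The client-side defect was reporting
// success regardless of status; here only a 2xx status counts as success.
function deleteOutcome(status: number, count: number): DeleteOutcome {
  if (status >= 200 && status < 300) {
    return { ok: true, message: `Deleted ${count} timeline(s)` };
  }
  if (status === 403) {
    return { ok: false, message: 'You are not authorized to delete timelines' };
  }
  return { ok: false, message: `Delete failed with HTTP ${status}` };
}
```

The UI gate is a usability and least-privilege measure only; the authoritative check remains the server's 403, which is why the bug was rated medium impact once it was confirmed the delete never actually happened.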
@michaelolo24
Contributor

@MadameSheema, it looks like @christineweng merged the fix for this in #147964, can you please verify on main & the latest BC? Thanks!

@michaelolo24 michaelolo24 added fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Jan 9, 2023
@michaelolo24
Contributor

Also changed to impact:medium as the action was not actually carried out even though a successful message was displayed.

@MadameSheema
Member Author

Sure!! @karanbirsingh-qasource @deepikakeshav-qasource, can you please validate the fix on latest BC? Thanks! :)

christineweng added a commit to christineweng/kibana that referenced this issue Jan 9, 2023
…c#147964)

(cherry picked from commit 3abf705)
christineweng added a commit to christineweng/kibana that referenced this issue Jan 9, 2023
…c#147964)

(cherry picked from commit 3abf705)

# Conflicts:
#	x-pack/plugins/security_solution/public/timelines/components/open_timeline/open_timeline.test.tsx
#	x-pack/plugins/security_solution/public/timelines/components/open_timeline/open_timeline.tsx
#	x-pack/plugins/security_solution/public/timelines/components/open_timeline/timelines_table/actions_columns.tsx
christineweng added a commit that referenced this issue Jan 9, 2023
…147964) (#148587)

# Backport

This will backport the following commits from `main` to `8.6`:
- [[Security Solution][Bug] Add privilege check in open timeline
(#147964)](#147964)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
@karanbirsingh-qasource

Hi @MadameSheema

We have validated this issue on 8.6 BC10 and found the issue still occurring. When a user with read authorization deletes the timeline, a successful message is displayed but the action is not performed.

Please look into the observations below in case we are missing something in testing.

Build Details:

Version: 8.6.0 BC10
Commit: d3a625ef4a6e611a5b3233a1ce5cbe8ef429eb47
Build: 58852

Screen-Cast:

Recording.1.mp4

in case above video is not playing please access this link https://drive.google.com/file/d/1RNs6qjHbW6lBAHkM4DYk3yGWP8HXcwpO/view?usp=sharing

Authorization Role Configuration

image

@MadameSheema
Member Author

@michaelolo24 @christineweng can you please take a look at the above? Thanks!

@karanbirsingh-qasource

@MadameSheema observation of this issue on Kibana main: for a read-access user, only the export action for timelines is available.

image

@christineweng
Contributor

@MadameSheema @karanbirsingh-qasource this PR didn't make it to BC10, could you check in the next BC and let me know if the issue persists?

@MadameSheema
Member Author

Thanks for the update @christineweng! We are not going to have more BCs since 8.6 has been released today, the fix will be available on 8.6.1.

@karanbirsingh-qasource

Hi @MadameSheema

We have validated this issue on 8.6.1 BC1 and found the issue to be fixed now.

Snap-Shot:
image

Hence we are closing this issue and adding "QA:Validated" tag to it.

thanks!!

@karanbirsingh-qasource karanbirsingh-qasource added the QA:Validated Issue has been validated by QA label Jan 23, 2023