Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ResponseOps] Decouple rule producer/consumer settings from Kibana feature ID #181559

Open
xcrzx opened this issue Apr 24, 2024 · 5 comments
Open

[ResponseOps] Decouple rule producer/consumer settings from Kibana feature ID #181559

xcrzx opened this issue Apr 24, 2024 · 5 comments
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@xcrzx
Copy link
Contributor

xcrzx commented Apr 24, 2024
edited by banderror

Blocker for: https://github.com/elastic/security-team/issues/9533 (internal), https://github.com/elastic/security-team/issues/8799 (internal)

Summary

As part of the RBAC changes in the Security Solution (see this issue for more details), we need to extract rule management into a standalone Kibana product feature.

This involves transferring security rule types from the siem feature (current configuration here) to a new ruleManagement feature. This will require changing the producer and consumer rule settings to a new value, as feature IDs currently serve as the producer/consumer identifiers.

As we discussed previously, migrating rules is not an option (see this comment). Therefore, we need to find out how to make the Alerting RBAC work with the new feature ID while keeping the current rule producer/consumer siem value.
@xcrzx xcrzx added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Apr 24, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@cnasikas cnasikas added Feature:Alerting Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework labels Apr 25, 2024
@marshallmain
Copy link
Contributor

As we discussed previously, migrating rules is not an option.

@xcrzx Can you add more details about why migrating rules is not an option? Either a summary in this ticket or a link to where a reader can find more information.

@xcrzx
Copy link
Contributor Author

xcrzx commented May 24, 2024

@marshallmain The producer/consumer fields are used for RBAC, and migrating them without downtime is not possible in Serverless. The upgrade process in Serverless works in such a way that there might be several Kibanas of different versions running simultaneously, all consuming data from a single Elasticsearch cluster. When a newer version of Kibana starts up, it begins migrating saved objects, including changing the producer/consumer fields in this case. As a result, older versions of Kibana will encounter access errors when attempting to read the migrated data.

@banderror
Copy link
Contributor

Hey @cnasikas, I was told today in a sync meeting with the ResponseOps team that this is going to be taken into work around the 8.16 release cycle, but without a commitment to ship in 8.16. Just double-checking here to confirm.

@cnasikas
Copy link
Member

Hey @banderror, this is correct. I am still working on a POC (#181559) for this. We are confident that is feasible but we need to finalize some edge cases. I will post our findings on the issue soon. The next step is to make it production-ready but as you said without a commitment to ship in 8.16.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@xcrzx @banderror @cnasikas @elasticmachine @marshallmain