[Cloud Security] user with access to indexes documented in the public docs can't access CSPM Findings and Dashboard #181896

Closed
maxcold opened this issue Apr 26, 2024 · 8 comments · Fixed by #183630, #183642 or #183799
Labels: 8.13 candidate, 8.14 candidate, 8.15 candidate, bug, Team:Cloud Security

maxcold commented Apr 26, 2024

Kibana version:
8.13.2

Elasticsearch version:
8.13.2

Server OS version:

Browser version:

Browser OS version:

Original install method (e.g. download page, yum, from source, etc.):
ESS

Describe the bug:
A user with access to Kibana Security and read privileges for the ES indexes described in https://www.elastic.co/guide/en/security/8.12/cspm-get-started.html doesn't have access to the Misconfiguration Findings or to the CSP dashboard.

Steps to reproduce:

  1. Have an env with ingested CSPM data, e.g. AWS CSPM integration installed.
  2. Make sure the data is present in the logs-cloud_security_posture.findings-* and in the logs-cloud_security_posture.findings_latest-* indexes
  3. Create a new role with all privileges for all spaces in Kibana and with read privileges for logs-cloud_security_posture.findings-*, logs-cloud_security_posture.findings_latest-* and logs-cloud_security_posture.scores-* indexes/data streams
  4. Navigate to Dashboard -> Cloud Security Posture or to Findings -> Misconfigurations

On the dashboard you will see Internal Server Error 500: An error occurred while trying to fetch csp settings: Unable to get cloud-security-posture-settings, 403 error

Expected behavior:
No error; the dashboard and findings page should display the data.

Screenshots (if relevant):

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:
This is most likely due to the changes introduced in 8.13 around benchmark rules, with a new Saved Object implemented to store the rules settings.
More context from @kfirpeled:

> Here you can see that encryptedSavedObjects is based on the user's credentials,
> and here it is being used to read the settings. The fault here that I would fix is that cspContext should not determine client or internal user usage. Either provide a proper name for each client with a suffix or allow it to be picked on each usage, like esClient.

@elastic/kibana-cloud-security-posture

maxcold added the bug and Team:Cloud Security labels Apr 26, 2024
@kfirpeled

@CohenIdo please make sure we have an FTR that reproduces this issue and passes once this is fixed.

@kfirpeled

@CohenIdo since there's no workaround to this issue, it means that any user that isn't an admin can't use cloud security.
This is a critical issue, so let's find a solution ASAP. As for the FTR, you can do that right after we push the fix.

@CohenIdo

The problem was resolved by linking the permissions for the cloud security feature to the 'cloud-security-posture-settings' saved object.

I will create a follow-up task for having FTRs.
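
The failure in the opening report and the fix described in the comment above, as a simplified model. This is an added example, not Kibana code and not taken from the linked pull requests; the function names, the feature id `csp` and the `constructed-other-type` placeholder are assumptions, and only the saved object type name and the error text come from this issue.

```typescript
// Simplified model of the authorization path described in this thread.
// Not Kibana source code; function and feature names are hypothetical.
type Feature = { id: string; savedObjectRead: string[] };
type Result = { status: number; body: string };

const SETTINGS_TYPE = "cloud-security-posture-settings"; // type name from the issue

// Constructed store holding one settings object.
const store: Record<string, string> = { [SETTINGS_TYPE]: '{"rules":{}}' };

// Assumption of this model: a role holding every Kibana privilege still only
// receives the saved object types that some registered feature lists.
function grantedTypes(features: Feature[]): string[] {
  const types: string[] = [];
  for (const f of features) {
    for (const t of f.savedObjectRead) {
      if (types.indexOf(t) === -1) types.push(t);
    }
  }
  return types;
}

// Client scoped to the requesting user's credentials: authorize, then read.
function userScopedGet(features: Feature[], soType: string): Result {
  if (grantedTypes(features).indexOf(soType) === -1) {
    return { status: 403, body: `Unable to get ${soType}` };
  }
  const body = store[soType];
  if (body === undefined) return { status: 404, body: `${soType} not found` };
  return { status: 200, body };
}

// Route handler: a failed settings read surfaces as a 500 to the dashboard.
function getCspSettings(features: Feature[]): Result {
  const res = userScopedGet(features, SETTINGS_TYPE);
  if (res.status === 200) return res;
  const detail = `${res.body}, ${res.status}`;
  return { status: 500, body: `An error occurred while trying to fetch csp settings: ${detail}` };
}

// "constructed-other-type" is a placeholder, not a real saved object type.
const beforeFix: Feature[] = [{ id: "csp", savedObjectRead: ["constructed-other-type"] }];
const afterFix: Feature[] = [
  { id: "csp", savedObjectRead: ["constructed-other-type", SETTINGS_TYPE] },
];

console.log(getCspSettings(beforeFix).status, getCspSettings(afterFix).status);
```

In this model the index read privileges from the reproduction steps never enter the decision: the 403 comes from the saved object layer, which is why granting the documented index access alone did not help.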


kfirpeled commented May 16, 2024

Thanks for the quick fix!

@CohenIdo we can keep the same task open for the FTRs, if that helps

Can this be backported for 8.13 as well?


CohenIdo commented May 19, 2024

This morning, I encountered an unexpected issue.
On Thursday, I observed a message indicating that the backport was created successfully on the pull request itself:

I anticipated that the fix would be included in the backport on Friday, and I confirmed this expectation with the Kibana release owner, who agreed with me.

However, this morning, when I checked the latest BC, I was surprised to find it missing.
Upon investigation, I discovered that the backport PR didn't merge due to a CI failure.

@CohenIdo

> @CohenIdo we can keep the same task open for the FTRs, if that helps

@kfirpeled, I've initiated a follow-up task to manage prioritization alongside another higher-priority task in this sprint.

CohenIdo linked a pull request May 19, 2024 that will close this issue

CohenIdo commented May 19, 2024

@CohenIdo

Verified on 8.14.0 SNAPSHOT
commit sha: ed7758ff72688babbffbc95a3f047354dedb7add

