Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RAC] integrating rbac search strategy with alert table #107242

Merged
merged 8 commits into from Aug 6, 2021
Merged

[RAC] integrating rbac search strategy with alert table #107242

merged 8 commits into from Aug 6, 2021

Conversation

XavierM
Copy link
Contributor

@XavierM XavierM commented Jul 29, 2021

Summary

We are integrating alert search strategy with RBAC on top of alert tables for security solution and o11y.

@XavierM XavierM added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team:Threat Hunting Security Solution Threat Hunting Team auto-backport Deprecated: Automatically backport this PR after it's merged Feature:RAC label obsolete v7.15.0 labels Jul 29, 2021
@XavierM XavierM requested a review from a team as a code owner July 29, 2021 21:37
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@XavierM XavierM enabled auto-merge (squash) July 29, 2021 21:40
yctercero
yctercero approved these changes Jul 30, 2021
View reviewed changes
Copy link
Contributor

@yctercero yctercero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Think there's still a types issue, but other than that lgtm. Thanks for integrating!

This was referenced Jul 30, 2021
Closed
Closed
@weltenwort weltenwort mentioned this pull request Aug 2, 2021
Closed
weltenwort
weltenwort requested changes Aug 2, 2021
View reviewed changes
Copy link
Member

@weltenwort weltenwort left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for jumping in to fix this omission from the original RBAC PR 🙏

It works a bit differently from what I expected, though. I created alerts to test this and they showed up depending on whether I created them from the respective solution UI or the rules and connectors UI in the stack management section. Inspecting the code it seems the search strategy is filtering for kibana.rac.alert.owner. That field contains "logs", "apm" and so on when the alert was created through the solution UI, but "alerts" when created through the rules and connections UI.

I would have expected it to check kibana.rac.alert.producer, which corresponds to the rule type's owner. Why should there be a difference in whether it shows up in the alerts table depending on the place where the user created it?

Another aspect that made me wonder is why addition of a client-side request param (the event type) was needed to make the search strategy honor the users' capabilities. Couldn't this easily be tempered with by the user? I guess it has been designed like that for a reason, but I wanted to bring it up just in case. 😇

x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx Outdated Show resolved Hide resolved
x-pack/plugins/timelines/common/search_strategy/timeline/events/index.ts Show resolved Hide resolved
x-pack/plugins/timelines/public/container/index.tsx Outdated Show resolved Hide resolved
x-pack/plugins/observability/public/pages/alerts/alerts_table_t_grid.tsx Outdated Show resolved Hide resolved
@yctercero
Copy link
Contributor

Thanks for jumping in to fix this omission from the original RBAC PR 🙏

We wanted to keep these two things separate so hadn't added it to the original PR.

It works a bit differently from what I expected, though. I created alerts to test this and they showed up depending on whether I created them from the respective solution UI or the rules and connectors UI in the stack management section. Inspecting the code it seems the search strategy is filtering for kibana.rac.alert.owner. That field contains "logs", "apm" and so on when the alert was created through the solution UI, but "alerts" when created through the rules and connections UI.

We have a meeting set up for this I believe. @oatkiller is this going to be discussed as part of the breakout? We should include alerting folks in there as well. The owner field is set to be renamed to consumer, I'm not sure that it should be filtered by producer. We allow a consumer of the search strategy to specify which consumers to display.

I would have expected it to check kibana.rac.alert.producer, which corresponds to the rule type's owner. Why should there be a difference in whether it shows up in the alerts table depending on the place where the user created it?

Another aspect that made me wonder is why addition of a client-side request param (the event type) was needed to make the search strategy honor the users' capabilities. Couldn't this easily be tempered with by the user? I guess it has been designed like that for a reason, but I wanted to bring it up just in case. 😇

We added this because the logic for each is different. We have to use internal kibana user to query alerts and the asCurrentUser for non alerts. For the current release we aren't looking to create some sort of merged solution where we query each separately and merge and instead need to specify what we want. If you set the entity type to ALL it will query with asCurrentUser and the user will need to have ES privileges to the alerts index. This is mostly relevant for timeline which I don't think observability is using?

@weltenwort
Copy link
Member

We wanted to keep these two things separate so hadn't added it to the original PR.

I can understand that - where can we see potential other follow-up tasks so we don't miss anything?

If you set the entity type to ALL it will query with asCurrentUser and the user will need to have ES privileges to the alerts index.

That's a good point. It escaped my attention that the two branches use different clients.

This is mostly relevant for timeline which I don't think observability is using?

Not sure what you mean by that. Due to the implementation of the t-grid data fetching we're using the timeline search strategy and Xavier's addition of the entityType parameter caused the execution to take the branch that uses the internal user. My concern was that the choice about which client to use is based on the browser-supplied parameter, which potentially opens the door for requests that exploit an inconsistency in the branch conditions. Not that I see one right now, but it feels risky to me in security-critical code. 😇

weltenwort
weltenwort reviewed Aug 4, 2021
View reviewed changes
Copy link
Member

@weltenwort weltenwort left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After talking to @XavierM I double-checked how the authorization matches up with what the user sees in the generic rule UI and the observability alerts table:

alerts table
image

rules UI
image

As mentioned before, this difference seems to stem from the usage of the "owner" (to renamed "consumer") field.

@jasonrhodes
Copy link
Member

I think it's possible that a 7.15-friendly solution to this for now would be to make sure that the kibana.alert.consumers field is stored as an array, and the "producer" value from the alerting framework is added there for now, and when we decide exactly how we want this to work for rule sharing, we'll be able to add more values to that array later. Would that work for the RBAC filtering still, with minimal adjustments?

@weltenwort
Copy link
Member

@jasonrhodes Assuming the result would be as intended, wouldn't it make more sense to achieve this by filtering on consumer OR producer in the RBAC filter? This wouldn't impact the indexed documents and would thereby be easier to adjust in future releases.

@jasonrhodes
Copy link
Member

I'm thinking that in the future, we will want to have consumers be an array (and represent the consumers of these alerts, rather than the consumer of the rule, I think). In that way, I'd expect both the rule producer and the rule consumer to want to consume these alerts by default, and that later we may want to give users the option to remove one or the other (and add others, even). So the array with some default values feels like a future-proof solution to me.

@yctercero
Copy link
Contributor

I'm thinking that in the future, we will want to have consumers be an array (and represent the consumers of these alerts, rather than the consumer of the rule, I think). In that way, I'd expect both the rule producer and the rule consumer to want to consume these alerts by default, and that later we may want to give users the option to remove one or the other (and add others, even). So the array with some default values feels like a future-proof solution to me.

I really don't think it makes sense to store an array of who should consume alerts in the data structure. I agree with @weltenwort that the functionality can be achieved with the existing solution. These fields are meant to denote authorization, not viewability preferences. I think that's the job of the query constructor (ie: us right now) to generate a query to filter as needed.

weltenwort
weltenwort approved these changes Aug 5, 2021
View reviewed changes
Copy link
Member

@weltenwort weltenwort left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM in light of what we discussed via a different channel today 👍 thanks for putting in the effort!

@yctercero yctercero disabled auto-merge August 5, 2021 18:56
@yctercero yctercero enabled auto-merge (squash) August 5, 2021 20:56
michaelolo24
michaelolo24 approved these changes Aug 5, 2021
View reviewed changes
Copy link
Contributor

@michaelolo24 michaelolo24 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@yctercero
Copy link
Contributor

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
observability 261 262 +1
timelines 241 242 +1
total +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
observability 510.2KB 511.2KB +1.1KB
securitySolution 6.5MB 6.5MB -4.0B
timelines 272.0KB 273.1KB +1.1KB
total +2.2KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
infra 149.5KB 149.5KB -4.0B
timelines 298.3KB 298.3KB -65.0B
uptime 35.1KB 35.1KB -4.0B
total -73.0B
Unknown metric groups

API count

id before after diff
timelines 927 928 +1

API count missing comments

id before after diff
timelines 807 808 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@yctercero yctercero merged commit 923eca0 into elastic:master Aug 6, 2021
@kibanamachine kibanamachine mentioned this pull request Aug 6, 2021
Merged
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Aug 6, 2021
@XavierM @kibanamachine
[RAC] integrating rbac search strategy with alert table (elastic#107242)
7ddfe07 
### Summary

We are integrating alert search strategy with RBAC on top of alert tables for security solution and o11y.
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Aug 6, 2021
@kibanamachine @XavierM
[RAC] integrating rbac search strategy with alert table (#107242) (#1…
b1117dc 
…07822)

### Summary

We are integrating alert search strategy with RBAC on top of alert tables for security solution and o11y.

Co-authored-by: Xavier Mouligneau <189600+XavierM@users.noreply.github.com>
streamich pushed a commit to vadimkibana/kibana that referenced this pull request Aug 8, 2021
@XavierM @vadimkibana
[RAC] integrating rbac search strategy with alert table (elastic#107242)
4be18e2 
### Summary

We are integrating alert search strategy with RBAC on top of alert tables for security solution and o11y.
jloleysens added a commit to jloleysens/kibana that referenced this pull request Aug 9, 2021
@jloleysens
Merge branch 'master' of github.com:elastic/kibana into reporting/new…
699d458 
…-png-pdf-report-type

* 'master' of github.com:elastic/kibana: (392 commits)
  update linting doc (elastic#105748)
  [APM] Various improvements from elastic#104851 (elastic#107726)
  Update dependency @elastic/charts to v33.2.0 (master) (elastic#107842)
  Fix default route link on kibana homepage (elastic#107809)
  [APM] Invalidate trackPageview on route change (elastic#107741)
  Service map backend links (elastic#107317)
  [index patterns] index pattern create modal (elastic#101853)
  [RAC] integrating rbac search strategy with alert table (elastic#107242)
  [Security Solution] Siem signals -> alerts as data field and index aliases (elastic#106049)
  [Metrics UI] Add checkbox to optionally drop partial buckets (elastic#107676)
  [Metrics UI] Fix metric threshold preview regression (elastic#107674)
  Disable Product check in @elastic/elasticsearch-js (elastic#107642)
  [App Search] Migrate Crawler Status Indicator, Crawler Status Banner, and Crawl Request polling (elastic#107603)
  [Security Solution, Lists] Replace legacy imports from 'elasticsearch' package (elastic#107226)
  [maps] asset tracking tutorial (elastic#104552)
  [scripts/build_ts_refs] when using `--clean` initialize caches (elastic#107777)
  Upgrade EUI to v36.1.0 (elastic#107231)
  [RAC] [TGrid] Implements cell actions in the TGrid (elastic#107771)
  Realign cypress/ccs_integration with cypress/integration (elastic#107743)
  Allow optional OSS to X-Pack dependencies (elastic#107432)
  ...

# Conflicts:
#	x-pack/examples/reporting_example/public/application.tsx
#	x-pack/examples/reporting_example/public/components/app.tsx
#	x-pack/plugins/canvas/public/services/legacy/stubs/reporting.ts
#	x-pack/plugins/reporting/common/types.ts
#	x-pack/plugins/reporting/public/lib/reporting_api_client/context.tsx
#	x-pack/plugins/reporting/public/management/mount_management_section.tsx
#	x-pack/plugins/reporting/public/management/report_listing.test.tsx
#	x-pack/plugins/reporting/public/plugin.ts
#	x-pack/plugins/reporting/public/share_context_menu/register_pdf_png_reporting.tsx
#	x-pack/plugins/reporting/server/export_types/printable_pdf/execute_job/index.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yctercero yctercero yctercero approved these changes

@dominiqueclarke dominiqueclarke dominiqueclarke left review comments

@weltenwort weltenwort weltenwort approved these changes

@michaelolo24 michaelolo24 michaelolo24 approved these changes

Assignees
No one assigned
Labels
auto-backport Deprecated: Automatically backport this PR after it's merged Feature:RAC label obsolete release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team:Threat Hunting Security Solution Threat Hunting Team v7.15.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@XavierM @elasticmachine @yctercero @weltenwort @jasonrhodes @kibanamachine @dominiqueclarke @michaelolo24