[Cloud Security] update serverless roles to support csp index alias

[CohenIdo]

solves:

• https://github.com/elastic/security-team/issues/12819
  Related PR:
• https://github.com/elastic/elasticsearch-controller/pull/1021

Summary

With the upcoming release of the Cloud Security Posture integration, we are introducing a new “Latest” transform along with a new index alias: security_solution-cloud_security_posture.misconfiguration_latest.

In #187435, we began querying this new index alias instead of logs-cloud_security_posture.findings_latest-default.

To maintain the same user experience, this PR updates the pre-defined roles in Serverless, allowing users to view findings and access the dashboard page.

[elasticmachine]

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

[gergoabraham]

hey @CohenIdo,

could you please do the same additions to these files as well? thanks!

• src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
• x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml

(note, i'm not really sure why there are 3 files of these, but added to my todo list to check it sometime)

[CohenIdo]

Thanks for this input @gergoabraham !
Done ✅

[gergoabraham]

thanks for the changes! one line looks missing, but other than that, lgtm!

[gergoabraham]

looks like the detections_admin role below this missed the update

[maxcold]

Two Three questions:

• why do we have only index alias added here but not index pattern itself to cover indexes themselves with suffix like _v1?
• we don't have patterns for 3p indexes added, do we need to add them?
• as we are switching from logs-* to security_solution-* index pattern I'd expect it to be in the same bucket with logs-* and sometimes it's the case but not always. Any reason for that? what is the logic behind picking priviliges?

[maxcold]

we are switching from logs-cloud_security_posture* to this index security_solution-cloud_security_posture.misconfiguration_latest so I'd expect it to be in one bucket with logs-* to keep exactly the same functionality as before. Any reason to have it with .ml-anomalies-* here and only have read provilige while logs-* has both read and write?

[CohenIdo]

Good question.
The logs-cloud_security_posture* index fall under the broader logs-* pattern, which currently has broader privileges assigned to each role.
However, we didn’t explicitly grant those privileges, and they’re not necessary for the current user experience. Now that we’re explicitly configuring permissions, I believe read access should be sufficient.

[maxcold]

discussed in person, agreed that overall having less priviliges is a good idea, but maybe should be implemented as a separate work item as we are close to the FF. It will be safer to keep the same priviliges as before to avoid any unwanted side effects and extensive testing with different roles

[maxcold]

here as well, any reason to not be in the same bucket with logs-* which has only read?

[maxcold]

same here

[maxcold]

same here

[CohenIdo]

why do we have only index alias added here but not index pattern itself to cover indexes themselves with suffix like _v1?
we don't have patterns for 3p indexes added, do we need to add them?

I agree I'll update the code to use security_solution-*.misconfiguration_latest*

as we are switching from logs-* to security_solution-* index pattern I'd expect it to be in the same bucket with logs-* and sometimes it's the case but not always. Any reason for that? what is the logic behind picking priviliges?

Here are my thoughts.

[dmlemeshko]

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml changes LGTM

‼️ Please make sure to port the same privilege changes to controller repo

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 2b2ec80

Metrics [docs]

✅ unchanged

History

• 💚 Build #308896 succeeded 186e472
• 💚 Build #308767 succeeded 875b530
• 💚 Build #308581 succeeded c4fb664