github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Security Solution][Endpoint] Add new "Global Artifact Management" RBAC privilege in support of spaces (#210426)

Browse source 
## Summary

- Adds a new kibana feature privilege to the `Security > Endpoint`
grouping for "Manage Global Artifacts"
- new privilege is behind the following feature flag:
`endpointManagementSpaceAwarenessEnabled`
- new privilege is not yet being used in this PR. Subsequent PRs that
will introduce space awareness changes for endpoint management will
leverage this new privilege
- Fixes the `All` and `Read` labels to ensure they can be localized
(`i18n`)
This commit is contained in:
Paul Tavares 2025-02-13 10:08:29 -05:00 committed by GitHub
parent e176c84449
commit 10e2d9e7e9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 94 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

1
x-pack/solutions/security/packages/features/src/product_features_keys.ts
View file

@ -169,6 +169,7 @@ export enum SecuritySubFeatureId {
hostIsolationExceptionsBasic = 'hostIsolationExceptionsBasicSubFeature',
blocklist = 'blocklistSubFeature',
eventFilters = 'eventFiltersSubFeature',
globalArtifactManagement = 'globalArtifactManagementSubFeature',
policyManagement = 'policyManagementSubFeature',
responseActionsHistory = 'responseActionsHistorySubFeature',
workflowInsights = 'workflowInsightsSubFeature',

1
x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
View file

@ -83,6 +83,7 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
SecuritySubFeatureId.trustedApplications,
SecuritySubFeatureId.blocklist,
SecuritySubFeatureId.eventFilters,
SecuritySubFeatureId.globalArtifactManagement,
],
},

110
x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts
View file

@ -17,6 +17,21 @@ import { SecuritySubFeatureId } from '../../product_features_keys';
import { APP_ID } from '../../constants';
import type { SecurityFeatureParams } from '../types';
const TRANSLATIONS = Object.freeze({
all: i18n.translate(
'securitySolutionPackages.features.featureRegistry.subFeatures.allPrivilegeName',
{
defaultMessage: 'All',
}
),
read: i18n.translate(
'securitySolutionPackages.features.featureRegistry.subFeatures.readPrivilegeName',
{
defaultMessage: 'Read',
}
),
});
const endpointListSubFeature = (): SubFeatureConfig => ({
requireAllSpaces: true,
privilegesTooltip: i18n.translate(
@ -46,7 +61,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`],
id: 'endpoint_list_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -57,7 +72,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-readEndpointList`],
id: 'endpoint_list_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -104,7 +119,7 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
],
id: 'trusted_applications_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
read: [],
@ -115,7 +130,7 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`],
id: 'trusted_applications_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -161,7 +176,7 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
],
id: 'host_isolation_exceptions_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
read: [],
@ -172,7 +187,7 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`],
id: 'host_isolation_exceptions_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -215,7 +230,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
],
id: 'blocklist_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
read: [],
@ -226,7 +241,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`],
id: 'blocklist_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -272,7 +287,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
],
id: 'event_filters_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
read: [],
@ -283,7 +298,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`],
id: 'event_filters_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -323,7 +338,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`],
id: 'policy_management_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: ['policy-settings-protection-updates-note'],
read: [],
@ -334,7 +349,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-readPolicyManagement`],
id: 'policy_management_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: ['policy-settings-protection-updates-note'],
@ -374,7 +389,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`],
id: 'actions_log_management_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -385,7 +400,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-readActionsLogManagement`],
id: 'actions_log_management_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -422,7 +437,7 @@ const hostIsolationSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeHostIsolationRelease`],
id: 'host_isolation_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -462,7 +477,7 @@ const processOperationsSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeProcessOperations`],
id: 'process_operations_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -501,7 +516,7 @@ const fileOperationsSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeFileOperations`],
id: 'file_operations_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -543,7 +558,7 @@ const executeActionSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeExecuteOperations`],
id: 'execute_operations_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -584,7 +599,7 @@ const scanActionSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeScanOperations`],
id: 'scan_operations_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -625,7 +640,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-writeWorkflowInsights`, `${APP_ID}-readWorkflowInsights`],
id: 'workflow_insights_all',
includeIn: 'none',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -636,7 +651,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({
api: [`${APP_ID}-readWorkflowInsights`],
id: 'workflow_insights_read',
includeIn: 'none',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -675,7 +690,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
{
id: 'endpoint_exceptions_all',
includeIn: 'all',
name: 'All',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
@ -685,7 +700,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
{
id: 'endpoint_exceptions_read',
includeIn: 'read',
name: 'Read',
name: TRANSLATIONS.read,
savedObject: {
all: [],
read: [],
@ -697,6 +712,44 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
],
});
const globalArtifactManagementSubFeature = (): SubFeatureConfig => ({
requireAllSpaces: false,
privilegesTooltip: undefined,
name: i18n.translate(
'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement',
{
defaultMessage: 'Global Artifact Management',
}
),
description: i18n.translate(
'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.description',
{
defaultMessage:
'Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) ' +
'across all policies. This privilege controls global assignment rights only; privileges for each ' +
'artifact type are required for full artifact management.',
}
),
privilegeGroups: [
{
groupType: 'mutually_exclusive',
privileges: [
{
api: [`${APP_ID}-writeGlobalArtifacts`],
id: 'global_artifact_management_all',
includeIn: 'none',
name: TRANSLATIONS.all,
savedObject: {
all: [],
read: [],
},
ui: ['writeGlobalArtifacts'],
},
],
},
],
});
/**
* Sub-features that will always be available for Security
* regardless of the product type.
@ -728,6 +781,16 @@ export const getSecurityV2SubFeaturesMap = ({
SecuritySubFeatureId.endpointExceptions,
enableSpaceAwarenessIfNeeded(endpointExceptionsSubFeature()),
],
...((experimentalFeatures.endpointManagementSpaceAwarenessEnabled
? [
[
SecuritySubFeatureId.globalArtifactManagement,
enableSpaceAwarenessIfNeeded(globalArtifactManagementSubFeature()),
],
]
: []) as Array<[SecuritySubFeatureId, SubFeatureConfig]>),
[
SecuritySubFeatureId.trustedApplications,
enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()),
@ -738,6 +801,7 @@ export const getSecurityV2SubFeaturesMap = ({
],
[SecuritySubFeatureId.blocklist, enableSpaceAwarenessIfNeeded(blocklistSubFeature())],
[SecuritySubFeatureId.eventFilters, enableSpaceAwarenessIfNeeded(eventFiltersSubFeature())],
[
SecuritySubFeatureId.policyManagement,
enableSpaceAwarenessIfNeeded(policyManagementSubFeature()),

5
x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts
View file

@ -107,6 +107,7 @@ describe(
'Host Isolation ExceptionsNone',
'BlocklistNone',
'Event FiltersNone',
'Global Artifact ManagementNone',
'Elastic Defend Policy ManagementNone',
'Response Actions HistoryNone',
'Host IsolationAll',
@ -124,5 +125,9 @@ describe(
);
});
});
it('should include new Global Artifact Management privilege', () => {
cy.getByTestSubj('securitySolution_siemV2_global_artifact_management').should('exist');
});
}
);