[Security Solution] adds users + roles for security serverless projects to kibana (#168420)

## Summary

* Allows local testing of serverless security roles

* Fixes roles set in the roles.yml file used by yarn es serverless.

* Adds users + roles for security serverless projects to be used directly

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Devin W. Hurley 2023-10-10 12:43:29 -04:00 committed by GitHub
parent 20fe8e4153
commit 1fb81fbe1d
5 changed files with 213 additions and 387 deletions

@ -1,4 +1,5 @@
# Elasticsearch Serverless Resources
The resources in this directory are used for seeding Elasticsearch Serverless images with users, roles and tokens for SSL and authentication. Serverless requires file realm authentication, so we will bind mount them into the containers at `/usr/share/elasticsearch/config/`.
## Users
@ -14,22 +15,23 @@ password: changeme
### Adding users
1. Add the `user:encrypted_password` to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
1. Set the new user's roles in `users_roles` file.
1. Add the user:encrypted_password to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
1. Set the new user's roles in `users_roles` file in the format of `role:username`
1. Add the username to `operator_users.yml` in the array for file realm users.
## Service Account and Tokens
This section for Service Accounts was originally from the [ES Serverless repository](https://github.com/elastic/elasticsearch-serverless/blob/main/serverless-build-tools/src/main/resources/README.service_tokens.md).
The "service_tokens" file contains this line:
```
elastic/kibana/kibana-dev:$2a$10$mY2RuGROhk56vLNh.Mgwue98BnkdQPlTR.yGh38ao5jhPJobvuBCq
elastic/fleet-server/fleet-server-dev:$2a$10$tgMX7U09G/EVTP8F/O4zHewhA3DXdv7iM5F2vny9TC6zw77RrutyG
```
That line defines a single service token
- For the `elastic/kibana` service account
- The token is named `kibana-dev`
- The token's secret is hashed using bcrypt (`$2a$`) using `10` rounds
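Review bot: the new step 1 keeps the sentence "The encrypted password for `elastic_serverless` is `changeme`", which conflates the plaintext and the hash; what lives in `users` is a bcrypt hash, and `changeme` is the password it was derived from. Suggest "The hash used for `elastic_serverless` corresponds to the password `changeme`; reuse it if you want the same password." Step 2's `role:username` format is a useful addition. One unchanged context line a few lines below is now stale: the fenced block shows two entries (`elastic/kibana/kibana-dev:...` and `elastic/fleet-server/fleet-server-dev:...`) but the prose still says "That line defines a single service token"; it should say "The first line".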
@ -43,19 +45,18 @@ That produces an encoded token of: `AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVV
Yes, the secret was specially chosen to produce an encoded value that can be more easily recognised in development.
If a node is configured to use this `service_tokens` file, then you can authenticate to it with
```
curl -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVVVVVVTEstKiBaNA" http://localhost:9200/_security/_authenticate
```
The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed a serverless cluster with this token.
## Overriding resources
The files found in this directory can be overwritten with customized versions by using the `--resources` option of the `yarn es serverless` command.
Assuming a customized `users` and `users_roles` are located in `/tmp/my_es/` directory and executing the below command from the root of Kibana, here is an example:
```shell
yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles
yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles
```
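Review bot: the two command lines at the end of this hunk render identically (`yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles`), so the change is presumably whitespace only and fine as such. The example, though, overrides `users` and `users_roles` but not `operator_users.yml`, while step 3 of "Adding users" above says every new file-realm user must also be listed there. Worth adding a sentence that a custom `users` file introducing a new username needs a matching `--resources=/tmp/my_es/operator_users.yml` if that user is meant to be an operator.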

@ -1,14 +1,28 @@
operator:
- usernames: ["elastic_serverless", "system_indices_superuser", "soc_manager"]
realm_type: "file"
auth_type: "realm"
- usernames: [ "elastic/kibana" ]
realm_type: "_service_account"
auth_type: "token"
token_source: "file"
token_names: [ "kibana-dev" ]
- usernames: [ "elastic/fleet-server" ]
realm_type: "_service_account"
auth_type: "token"
token_source: "file"
token_names: [ "fleet-server-dev" ]
- usernames:
[
'elastic_serverless',
'system_indices_superuser',
't1_analyst',
't2_analyst',
't3_analyst',
'threat_intelligence_analyst',
'rule_author',
'soc_manager',
'detections_admin',
'platform_engineer',
'endpoint_operations_analyst',
'endpoint_policy_manager',
]
realm_type: 'file'
auth_type: 'realm'
- usernames: ['elastic/kibana']
realm_type: '_service_account'
auth_type: 'token'
token_source: 'file'
token_names: ['kibana-dev']
- usernames: ['elastic/fleet-server']
realm_type: '_service_account'
auth_type: 'token'
token_source: 'file'
token_names: ['fleet-server-dev']
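Review bot: every seeded security role user (`t1_analyst` through `endpoint_policy_manager`) is now designated an operator. Operator status comes from this file and is independent of the role definitions in `roles.yml`, so a local test run as `t1_analyst`, the most restricted role in this commit, will still be treated as an operator by Elasticsearch and can hide authorization failures that a real, non-operator user holding that role would hit. Unless serverless seeding actually requires these accounts to be operators, keep only `elastic_serverless` and `system_indices_superuser` here; if it does require it, say why in a comment so nobody later mistakes these users for faithful stand-ins for production roles.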

@ -1,14 +1,14 @@
system_indices_superuser:
cluster: ['all']
cluster: ["all"]
indices:
- names: ['*']
privileges: ['all']
- names: ["*"]
privileges: ["all"]
allow_restricted_indices: true
applications:
- application: '*'
privileges: ['*']
resources: ['*']
run_as: ['*']
- application: "*"
privileges: ["*"]
resources: ["*"]
run_as: ["*"]
# -----
# Source: https://github.com/elastic/project-controller/blob/main/internal/project/observability/config/roles.yml
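Review bot: this hunk only flips `system_indices_superuser` from single quotes (`cluster: ['all']`) to double quotes (`cluster: ["all"]`), while the `operator_users.yml` hunk in the same commit flips the other way, from double to single. Both are valid YAML, but pick one quoting style for the seed files, or leave untouched lines alone so the diff is limited to the role fixes.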
@ -94,9 +94,7 @@ editor:
- "*"
run_as: []
# -----
# Source: https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml
# -----
# source: https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml
t1_analyst:
cluster:
indices:
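Review bot: the reordered header changes `# Source:` to lowercase `# source:`, while the observability block immediately above keeps `# Source:`. Keep the capitalisation consistent between the two source comments.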
@ -122,36 +120,17 @@ t1_analyst:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- read
- read_alerts
- endpoint_list_read
resources: "*"
- application: securitySolutionCases
privileges:
- read
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- read
resources: "*"
- application: spaces
privileges:
- all
resources: "*"
- application: osquery
privileges:
- read
- run_saved_queries
- feature_ml.read
- feature_siem.read
- feature_siem.read_alerts
- feature_siem.endpoint_list_read
- feature_securitySolutionCases.read
- feature_actions.read
- feature_builtInAlerts.read
- feature_osquery.read
- feature_osquery.run_saved_queries
resources: "*"
t2_analyst:
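Review bot: this is the substantive fix behind "Fixes roles set in roles.yml". Kibana checks application privileges under a single Elasticsearch application, `kibana-.kibana`, with feature privileges named `feature_<featureId>.<privilege>` (for example `feature_siem.read_alerts`), so the previous per-feature entries such as `application: ml` and `application: siem` never matched anything Kibana looks up and the role granted no Kibana access at all; the new shape is correct. Two points to confirm: the removed `application: spaces / privileges: all` block has no counterpart in the new list, which is fine if the intent is feature-level access in every space (`resources: "*"` already covers that), and the combination `feature_siem.read` + `feature_siem.read_alerts` + `feature_siem.endpoint_list_read` is what actually defines a read-only tier-1 analyst, so the commit message or a comment should note that `spaces` was dropped deliberately rather than lost in the rewrite.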
@ -181,36 +160,17 @@ t2_analyst:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- read
- read_alerts
- endpoint_list_read
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- read
resources: "*"
- application: spaces
privileges:
- all
resources: "*"
- application: osquery
privileges:
- read
- run_saved_queries
- feature_ml.read
- feature_siem.read
- feature_siem.read_alerts
- feature_siem.endpoint_list_read
- feature_securitySolutionCases.all
- feature_actions.read
- feature_builtInAlerts.read
- feature_osquery.read
- feature_osquery.run_saved_queries
resources: "*"
t3_analyst:
@ -247,45 +207,26 @@ t3_analyst:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
- endpoint_list_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_all
- blocklist_all
- policy_management_read # Elastic Defend Policy Management
- host_isolation_all
- process_operations_all
- actions_log_management_all # Response actions history
- file_operations_all
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
- feature_ml.read
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_all
- feature_siem.blocklist_all
- feature_siem.policy_management_read # Elastic Defend Policy Management
- feature_siem.host_isolation_all
- feature_siem.process_operations_all
- feature_siem.actions_log_management_all # Response actions history
- feature_siem.file_operations_all
- feature_securitySolutionCases.all
- feature_actions.read
- feature_builtInAlerts.all
- feature_osquery.all
resources: "*"
threat_intelligence_analyst:
@ -318,36 +259,17 @@ threat_intelligence_analyst:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- read
- read_alerts
- endpoint_list_read
- blocklist_all
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- read
resources: "*"
- application: spaces
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
- feature_ml.read
- feature_siem.read
- feature_siem.read_alerts
- feature_siem.endpoint_list_read
- feature_siem.blocklist_all
- feature_securitySolutionCases.all
- feature_actions.read
- feature_builtInAlerts.read
- feature_osquery.all
resources: "*"
rule_author:
@ -388,38 +310,23 @@ rule_author:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
- policy_management_all
- endpoint_list_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_read
- blocklist_all
- actions_log_management_read
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
- feature_ml.read
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_siem.policy_management_all
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_read
- feature_siem.blocklist_all # Elastic Defend Policy Management
- feature_siem.actions_log_management_read
- feature_securitySolutionCases.all
- feature_actions.read
- feature_builtInAlerts.all
- feature_osquery.all
resources: "*"
soc_manager:
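Review bot: the `# Elastic Defend Policy Management` comment landed on `feature_siem.blocklist_all` but describes the policy-management privilege; compare `t3_analyst`, where the same comment correctly annotates `policy_management_read`. Move it to `feature_siem.policy_management_all` or drop it. The old `rule_author` block carried no comment at all here, so this looks like a copy-paste artefact from the `t3_analyst` block.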
@ -459,50 +366,27 @@ soc_manager:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
- policy_management_all
- endpoint_list_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_all
- blocklist_all
- host_isolation_all
- process_operations_all
- actions_log_management_all
- file_operations_all
- execute_operations_all
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- all
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
resources: "*"
- application: savedObjectsManagement
privileges:
- all
- feature_ml.read
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_siem.policy_management_all
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_all
- feature_siem.blocklist_all
- feature_siem.host_isolation_all
- feature_siem.process_operations_all
- feature_siem.actions_log_management_all
- feature_siem.file_operations_all
- feature_siem.execute_operations_all
- feature_securitySolutionCases.all
- feature_actions.all
- feature_builtInAlerts.all
- feature_osquery.all
resources: "*"
detections_admin:
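Review bot: the old `application: savedObjectsManagement / privileges: all` entry has no counterpart in the new privilege list, whereas every other removed application in this block (ml, siem, securitySolutionCases, actions, builtInAlerts, osquery) was carried over as a `feature_*` privilege. If dropping saved-objects management for `soc_manager` is intentional, state it in the commit message; otherwise add `feature_savedObjectsManagement.all` to the list.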
@ -534,35 +418,16 @@ detections_admin:
privileges:
- read
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- all
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- read
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: dev_tools
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
- feature_ml.all
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_securitySolutionCases.all
- feature_actions.all
- feature_builtInAlerts.all
- feature_dev_tools.all
resources: "*"
platform_engineer:
@ -587,50 +452,25 @@ platform_engineer:
privileges:
- all
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- all
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
- policy_management_all
- endpoint_list_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_all
- blocklist_all
- actions_log_management_read
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- all
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: fleet
privileges:
- all
resources: "*"
- application: fleetv2
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
- feature_ml.all
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_siem.policy_management_all
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_all
- feature_siem.blocklist_all # Elastic Defend Policy Management
- feature_siem.actions_log_management_read
- feature_securitySolutionCases.all
- feature_actions.all
- feature_builtInAlerts.all
- feature_fleet.all
- feature_fleetv2.all
- feature_osquery.all
resources: "*"
endpoint_operations_analyst:
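Review bot: same misplaced comment as in `rule_author`: `feature_siem.blocklist_all # Elastic Defend Policy Management` should annotate `feature_siem.policy_management_all` two lines above, or the comment should go. The privilege set itself matches the old block one for one (with `spaces` dropped, as in the other roles).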
@ -664,53 +504,28 @@ endpoint_operations_analyst:
- read
- write
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- policy_management_all
- endpoint_list_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_all
- blocklist_all
- host_isolation_all
- process_operations_all
- actions_log_management_all # Response History
- file_operations_all
- execute_operations_all # Execute
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- all
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
resources: "*"
- application: fleet
privileges:
- all
resources: "*"
- application: fleetv2
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
- feature_ml.read
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.policy_management_all
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_all
- feature_siem.blocklist_all
- feature_siem.host_isolation_all
- feature_siem.process_operations_all
- feature_siem.actions_log_management_all # Response History
- feature_siem.file_operations_all
- feature_siem.execute_operations_all # Execute
- feature_securitySolutionCases.all
- feature_actions.all
- feature_builtInAlerts.all
- feature_osquery.all
- feature_fleet.all
- feature_fleetv2.all
resources: "*"
endpoint_policy_manager:
@ -745,47 +560,22 @@ endpoint_policy_manager:
- write
- manage
applications:
- application: ml
- application: "kibana-.kibana"
privileges:
- read
resources: "*"
- application: siem
privileges:
- all
- read_alerts
- crud_alerts
- policy_management_all
- trusted_applications_all
- event_filters_all
- host_isolation_exceptions_all
- blocklist_all
- endpoint_list_all
resources: "*"
- application: securitySolutionCases
privileges:
- all
resources: "*"
- application: actions
privileges:
- all
resources: "*"
- application: builtInAlerts
privileges:
- all
resources: "*"
- application: osquery
privileges:
- all
resources: "*"
- application: fleet
privileges:
- all
resources: "*"
- application: fleetv2
privileges:
- all
resources: "*"
- application: spaces
privileges:
- all
- feature_ml.all
- feature_siem.all
- feature_siem.read_alerts
- feature_siem.crud_alerts
- feature_siem.policy_management_all
- feature_siem.endpoint_list_all
- feature_siem.trusted_applications_all
- feature_siem.event_filters_all
- feature_siem.host_isolation_exceptions_all
- feature_siem.blocklist_all # Elastic Defend Policy Management
- feature_securitySolutionCases.all
- feature_actions.all
- feature_builtInAlerts.all
- feature_osquery.all
- feature_fleet.all
- feature_fleetv2.all
resources: "*"
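Review bot: third occurrence of the `# Elastic Defend Policy Management` comment attached to `feature_siem.blocklist_all` instead of `feature_siem.policy_management_all`; fix all three in one pass. Note also that `feature_siem.endpoint_list_all` moved from the end of the list to just after `policy_management_all`; harmless, but reordering alongside the format change makes the mapping harder to verify in review.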

@ -1,3 +1,14 @@
elastic_serverless:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
system_indices_superuser:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
t1_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
t2_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
t3_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
threat_intelligence_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
rule_author:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
soc_manager:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
detections_admin:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
platform_engineer:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
endpoint_operations_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
endpoint_policy_manager:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
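Review bot: all twelve accounts carry the byte-for-byte same bcrypt hash as `elastic_serverless`, which the README identifies as the password `changeme`. Copying the identical hash rather than hashing the same password again means the salt is shared as well, so anyone reading the file sees at a glance that every account has one password. That is acceptable for a local development seed, but the README's "Users" section should list these accounts and their shared password explicitly, and point readers who need distinct credentials at the `--resources` override section.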

@ -1,3 +1,13 @@
superuser:elastic_serverless
system_indices_superuser:system_indices_superuser
t1_analyst:t1_analyst
t2_analyst:t2_analyst
t3_analyst:t3_analyst
threat_intelligence_analyst:threat_intelligence_analyst
rule_author:rule_author
soc_manager:soc_manager
detections_admin:detections_admin
platform_engineer:platform_engineer
endpoint_operations_analyst:endpoint_operations_analyst
endpoint_policy_manager:endpoint_policy_manager