Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls (#67157)

This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: https://github.com/elastic/kibana/issues/43994

This also closes https://github.com/elastic/kibana/issues/62438

This PR includes the following:

1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin.
2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient.
3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient.
4. Adds feature granted privileges around Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient
5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
Gidi Meir Morris 2020-07-22 14:45:57 +01:00 committed by GitHub
parent 670520a253
commit 4abe864f10
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
226 changed files with 10844 additions and 1704 deletions

@ -94,6 +94,13 @@ export interface FeatureConfig {
*/
catalogue?: readonly string[];
/**
* If your feature grants access to specific Alert Types, you can specify them here to control visibility based on the current space.
* Include both Alert Types registered by the feature and external Alert Types such as built-in
* Alert Types and Alert Types provided by other features to which you wish to grant access.
*/
alerting?: readonly string[];
/**
* Feature privilege definition.
*
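Review bot: The doc comment on the new `alerting?: readonly string[]` field does not say what an omitted value means. Because the field controls which Alert Types are visible in a space, the comment should state whether leaving it undefined means "no Alert Types" or "no restriction", and that the entries are Alert Type ids, so a feature author cannot misread the absence of the field.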
@ -179,6 +186,10 @@ export class Feature {
return this.config.privileges;
}
public get alerting() {
return this.config.alerting;
}
public get excludeFromBasePrivileges() {
return this.config.excludeFromBasePrivileges ?? false;
}
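Review bot: The new `alerting` getter returns `this.config.alerting` as is, so it yields `undefined` when the config omits the field, while the `excludeFromBasePrivileges` getter right after it normalises with `?? false`. Consider `return this.config.alerting ?? [];` or an explicit `readonly string[] | undefined` return type, so that callers using this list in authorization decisions do not each need their own undefined guard.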

@ -75,6 +75,34 @@ export interface FeatureKibanaPrivileges {
*/
app?: readonly string[];
/**
* If your feature requires access to specific Alert Types, then specify your access needs here.
* Include both Alert Types registered by the feature and external Alert Types such as built-in
* Alert Types and Alert Types provided by other features to which you wish to grant access.
*/
alerting?: {
/**
* List of alert types which users should have full read/write access to when granted this privilege.
* @example
* ```ts
* {
* all: ['my-alert-type-within-my-feature']
* }
* ```
*/
all?: readonly string[];
/**
* List of alert types which users should have read-only access to when granted this privilege.
* @example
* ```ts
* {
* read: ['my-alert-type']
* }
* ```
*/
read?: readonly string[];
};
/**
* If your feature requires access to specific saved objects, then specify your access needs here.
*/
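Review bot: The doc comments on `alerting.all` and `alerting.read` do not say what happens when the same Alert Type id appears in both lists. Since these lists decide read/write versus read-only access, document which one wins or reject the overlap when the feature is registered. It would also help to say whether an id listed here must also appear in the feature-level `alerting` list added to `FeatureConfig`.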