[8.x][ResponseOps] Upgrade assistant - cleanup alerting RBAC exception code (#203030)

Resolves https://github.com/elastic/response-ops-team/issues/250 ## Summary Adds a deprecation to the upgrade assistant to warn users that the legacy RBAC exemption code will be removed in 9.0 and provide mitigation steps. ### Checklist - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Start Kibana 2. Save this rule that has `versionApiKeyLastmodified: pre-7.10.0` to an .ndjson file and import. ``` {"attributes":{"actions":[{"actionRef":"system_action:system-connector-.system-log-example","actionTypeId":".system-log-example","params":{"message":"Alerts have been triggered."},"uuid":"f714d779-acc4-471d-8838-2b14df5ced01"}],"alertDelay":{"active":1},"alertTypeId":"example.always-firing","apiKey":null,"apiKeyCreatedByUser":null,"apiKeyOwner":null,"consumer":"alerts","createdAt":"2024-12-06T19:00:29.433Z","createdBy":"elastic","enabled":false,"executionStatus":{"error":null,"lastExecutionDate":"2024-12-06T19:55:20.506Z","status":"pending","warning":null},"lastRun":{"alertsCount":{"active":5,"ignored":0,"new":5,"recovered":5},"outcome":"succeeded","outcomeMsg":null,"outcomeOrder":0,"warning":null},"legacyId":null,"meta":{"versionApiKeyLastmodified":"pre-7.10.0"},"monitoring":{"run":{"calculated_metrics":{"p50":640,"p95":1092,"p99":1121,"success_ratio":1},"history":[],"last_run":{"metrics":{"duration":951,"gap_duration_s":null,"total_alerts_created":null,"total_alerts_detected":null,"total_indexing_duration_ms":null,"total_search_duration_ms":null},"timestamp":"2024-12-06T19:54:58.676Z"}}},"muteAll":false,"mutedInstanceIds":[],"name":"legacy-rule","nextRun":"2024-12-06T19:55:58.467Z","notifyWhen":null,"params":{},"revision":1,"running":false,"schedule":{"interval":"1m"},"scheduledTaskId":null,"snoozeSchedule":[],"tags":[],"throttle":null,"updatedAt":"2024-12-06T19:38:30.530Z","updatedBy":"elastic"},"coreMigrationVersion":"8.8.0","created_at":"2024-12-06T19:38:30.531Z","id":"2449a0be-cb40-40da-89f6-2f16972c8d1b","managed":false,"references":[],"type":"alert","typeMigrationVersion":"10.3.0","updated_at":"2024-12-06T19:38:30.531Z","version":"WzMxNSwxXQ=="} {"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":1,"missingRefCount":0,"missingReferences":[]} ``` 4. Check the [deprecation page](http://localhost:5601/app/management/stack/upgrade_assistant/kibana_deprecations) to verify that the legacy RBAC exemption deprecation is registered. 5. Edit the rule and save 6. Repeat step 3 and verify that the deprecation warning has been resolved. --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Lisa Cawley <lcawley@elastic.co>
2025-04-24 01:38:56 -04:00 · 2024-12-10 20:20:25 -08:00 · 2024-12-10 20:20:25 -08:00 · 7b7dd4ef52
commit 7b7dd4ef52
parent c4658e76d9
8 changed files with 233 additions and 1 deletions
--- a/docs/upgrade-notes.asciidoc
+++ b/docs/upgrade-notes.asciidoc
@ -334,6 +334,56 @@ The `xpack.actions.enabled` setting has been removed. For more information, refe
 Before you upgrade to 8.0.0, remove `xpack.actions.enabled` from kibana.yml.
 ====

+[discrete]
+[[breaking-legacy-rbac]]
+.[Alerting] Legacy RBAC exemption (9.0.0)
+[%collapsible]
+====
+*Details* +
+The legacy role-based action control exemption for alerting rules has been removed in version 9.0.0.
+
+*Impact* +
+Any alerting rules that rely on the legacy exemption will fail to trigger actions for alerts starting
+from version 9.0.0.
+
+*Action* +
+To identify the affected rules run the following query in *{dev-tools-app}*:
+
+[source,js]
+----------------------------------
+GET .kibana*/_search
+{
+  "runtime_mappings": {
+    "apiKeyVersion": {
+      "type": "keyword",
+      "script": {
+        "source": "def alert = params._source['alert']; if (alert != null) { def meta = alert.meta; if (meta != null) { emit(meta.versionApiKeyLastmodified); } else { emit('');}}"
+      }
+    }
+  },
+  "size": 10000,
+  "query": {
+    "bool": {
+      "filter": [
+        {
+          "term": {
+            "type": "alert"
+          }
+        },
+        {
+          "term": {
+            "apiKeyVersion": "pre-7.10.0"
+          }
+        }
+      ]
+    }
+  },
+  "_source": ["alert.name", "namespaces"]
+}
+----------------------------------
+
+To use normal RBAC authorization, edit each affected rule to update the API key.
+====

 // Data views

--- a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts
+++ b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts
@ -678,6 +678,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
      teamsAction: `${KIBANA_DOCS}teams-action-type.html#configuring-teams`,
      connectors: `${KIBANA_DOCS}action-types.html`,
      legacyRuleApiDeprecations: `${KIBANA_DOCS}breaking-changes-summary.html#breaking-201550`,
+      legacyRbacExemption: `${KIBANA_DOCS}breaking-changes-summary.html#breaking-legacy-rbac`,
    },
    taskManager: {
      healthMonitoring: `${KIBANA_DOCS}task-manager-health-monitoring.html`,
--- a/src/platform/packages/shared/kbn-doc-links/src/types.ts
+++ b/src/platform/packages/shared/kbn-doc-links/src/types.ts
@ -479,6 +479,7 @@ export interface DocLinks {
    teamsAction: string;
    connectors: string;
    legacyRuleApiDeprecations: string;
+    legacyRbacExemption: string;
  }>;
  readonly taskManager: Readonly<{
    healthMonitoring: string;
--- a/x-pack/plugins/alerting/server/deprecations/index.ts
+++ b/x-pack/plugins/alerting/server/deprecations/index.ts
@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { CoreSetup } from '@kbn/core/server';
+import { getLegacyRbacDeprecationsInfo } from './legacy_rbac';
+
+export const registerDeprecations = ({ core }: { core: CoreSetup }) => {
+  core.deprecations.registerDeprecations({
+    getDeprecations: async (context) => {
+      return [...(await getLegacyRbacDeprecationsInfo(context, core.docLinks))];
+    },
+  });
+};
--- a/x-pack/plugins/alerting/server/deprecations/legacy_rbac.test.ts
+++ b/x-pack/plugins/alerting/server/deprecations/legacy_rbac.test.ts
@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { GetDeprecationsContext } from '@kbn/core/server';
+import { elasticsearchClientMock } from '@kbn/core-elasticsearch-client-server-mocks';
+import { SearchHit } from '@kbn/es-types';
+import { docLinksServiceMock } from '@kbn/core-doc-links-server-mocks';
+import { getLegacyRbacDeprecationsInfo } from './legacy_rbac';
+
+let context: GetDeprecationsContext;
+const esClient = elasticsearchClientMock.createScopedClusterClient();
+const docsLinks = docLinksServiceMock.createSetupContract();
+
+describe('getLegacyRbacDeprecationsInfo', () => {
+  beforeEach(async () => {
+    context = { esClient } as unknown as GetDeprecationsContext;
+  });
+
+  afterEach(() => {
+    jest.resetAllMocks();
+  });
+
+  test('does not return deprecations when there is no legacyRBACExemption usage', async () => {
+    esClient.asCurrentUser.search.mockResponse({
+      took: 1,
+      timed_out: false,
+      _shards: {
+        total: 1,
+        successful: 1,
+        skipped: 0,
+        failed: 0,
+      },
+      hits: {
+        hits: [],
+      },
+    });
+    expect(await getLegacyRbacDeprecationsInfo(context, docsLinks)).toMatchInlineSnapshot(
+      `Array []`
+    );
+  });
+
+  test('does return deprecations when there is legacyRBACExemption usage', async () => {
+    esClient.asCurrentUser.search.mockResponse({
+      took: 1,
+      timed_out: false,
+      _shards: {
+        total: 1,
+        successful: 1,
+        skipped: 0,
+        failed: 0,
+      },
+      hits: {
+        hits: [{} as SearchHit<unknown>],
+      },
+    });
+
+    expect(await getLegacyRbacDeprecationsInfo(context, docsLinks)).toMatchInlineSnapshot(`
+      Array [
+        Object {
+          "correctiveActions": Object {
+            "manualSteps": Array [
+              "To identify the affected rules run the query in Dev Tools that is linked under Learn more.",
+              "To use normal RBAC authorization, update the API key by editing the rule.",
+            ],
+          },
+          "deprecationType": "feature",
+          "documentationUrl": "https://www.elastic.co/guide/en/kibana/test-branch/breaking-changes-summary.html#breaking-legacy-rbac",
+          "level": "warning",
+          "message": "The legacy role-based action control exemption for alerting rules has been removed in future versions. This cluster has alerting rules triggering actions that rely on the legacy exemption. The rules will fail to trigger actions for alerts.",
+          "title": "Legacy RBAC exemption",
+        },
+      ]
+    `);
+  });
+});
--- a/x-pack/plugins/alerting/server/deprecations/legacy_rbac.ts
+++ b/x-pack/plugins/alerting/server/deprecations/legacy_rbac.ts
@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { DeprecationsDetails } from '@kbn/core-deprecations-common';
+import { GetDeprecationsContext } from '@kbn/core-deprecations-server';
+import { i18n } from '@kbn/i18n';
+import { DocLinksServiceSetup } from '@kbn/core/server';
+
+export const getLegacyRbacDeprecationsInfo = async (
+  { esClient }: GetDeprecationsContext,
+  docLinks: DocLinksServiceSetup
+): Promise<DeprecationsDetails[]> => {
+  const { hits: legacyRBACExemptions } = await esClient.asCurrentUser.search({
+    index: '.kibana*',
+    body: {
+      runtime_mappings: {
+        apiKeyVersion: {
+          type: 'keyword',
+          script: {
+            source:
+              "def alert = params._source['alert']; if (alert != null) { def meta = alert.meta; if (meta != null) { emit(meta.versionApiKeyLastmodified); } else { emit('');}}",
+          },
+        },
+      },
+      size: 10000,
+      query: {
+        bool: {
+          filter: [
+            {
+              term: {
+                type: 'alert',
+              },
+            },
+            {
+              term: {
+                apiKeyVersion: 'pre-7.10.0',
+              },
+            },
+          ],
+        },
+      },
+      _source: ['alert.name', 'namespaces'],
+    },
+  });
+
+  if (legacyRBACExemptions.hits.length) {
+    return [
+      {
+        title: i18n.translate('xpack.alerting.deprecations.legacyRbacExemption.title', {
+          defaultMessage: 'Legacy RBAC exemption',
+        }),
+        level: 'warning',
+        deprecationType: 'feature',
+        message: i18n.translate('xpack.alerting.deprecations.legacyRbacExemption.message', {
+          defaultMessage:
+            'The legacy role-based action control exemption for alerting rules has been removed in future versions. This cluster has alerting rules triggering actions that rely on the legacy exemption. The rules will fail to trigger actions for alerts.',
+        }),
+        correctiveActions: {
+          manualSteps: [
+            i18n.translate('xpack.alerting.deprecations.legacyRbacExemption.manualStepOne', {
+              defaultMessage:
+                'To identify the affected rules run the query in Dev Tools that is linked under Learn more.',
+            }),
+            i18n.translate('xpack.alerting.deprecations.legacyRbacExemption.manualStepTwo', {
+              defaultMessage:
+                'To use normal RBAC authorization, update the API key by editing the rule.',
+            }),
+          ],
+        },
+        documentationUrl: docLinks.links.alerting.legacyRbacExemption,
+      },
+    ];
+  }
+  return [];
+};
--- a/x-pack/plugins/alerting/server/plugin.ts
+++ b/x-pack/plugins/alerting/server/plugin.ts
@ -116,6 +116,7 @@ import { DataStreamAdapter, getDataStreamAdapter } from './alerts_service/lib/da
 import { createGetAlertIndicesAliasFn, GetAlertIndicesAlias } from './lib';
 import { BackfillClient } from './backfill_client/backfill_client';
 import { MaintenanceWindowsService } from './task_runner/maintenance_windows';
+import { registerDeprecations } from './deprecations';

 export const EVENT_LOG_PROVIDER = 'alerting';
 export const EVENT_LOG_ACTIONS = {
@ -410,6 +411,8 @@ export class AlertingPlugin {
      docLinks: core.docLinks,
    });

+    registerDeprecations({ core });
+
    return {
      registerConnectorAdapter: <
        RuleActionParams extends ConnectorAdapterParams = ConnectorAdapterParams,
--- a/x-pack/plugins/alerting/tsconfig.json
+++ b/x-pack/plugins/alerting/tsconfig.json
@ -76,7 +76,10 @@
    "@kbn/core-saved-objects-base-server-internal",
    "@kbn/core-security-server-mocks",
    "@kbn/response-ops-rule-params",
-    "@kbn/core-http-server-utils"
+    "@kbn/core-http-server-utils",
+    "@kbn/core-deprecations-common",
+    "@kbn/core-deprecations-server",
+    "@kbn/es-types"
  ],
  "exclude": [
    "target/**/*"