github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[8.18] Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544) (#215894)

Browse source 
# Backport

This will backport the following commits from `main` to `8.18`:
- [Add manage_ingest_pipeline privilege check to Risk Engine enablement
(#215544)](https://github.com/elastic/kibana/pull/215544)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Charlotte Alexandra
Wilson","email":"CAWilson94@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-03-25T14:20:31Z","message":"Add
manage_ingest_pipeline privilege check to Risk Engine enablement
(#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\"
cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe
Entity Analytics Enablement modal now displays a warning when the\nuser
lacks this privilege and prevents Risk Engine installation,
as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal
(installing/enabling)\n\n![Screenshot 2025-03-21 at 17
15\n15](https://github.com/user-attachments/assets/c5aba4b7-0850-4714-9df6-aee53e7b10df)\n\n####
Risk Management Page
\n\n\n![image](https://github.com/user-attachments/assets/5d9e7039-a316-4b72-91f3-31eef5dc8a3d)","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","Team:
SecuritySolution","Theme: entity_analytics","Team:Entity
Analytics","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"Add
manage_ingest_pipeline privilege check to Risk Engine
enablement","number":215544,"url":"https://github.com/elastic/kibana/pull/215544","mergeCommit":{"message":"Add
manage_ingest_pipeline privilege check to Risk Engine enablement
(#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\"
cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe
Entity Analytics Enablement modal now displays a warning when the\nuser
lacks this privilege and prevents Risk Engine installation,
as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal
(installing/enabling)\n\n![Screenshot 2025-03-21 at 17
15\n15](https://github.com/user-attachments/assets/c5aba4b7-0850-4714-9df6-aee53e7b10df)\n\n####
Risk Management Page
\n\n\n![image](https://github.com/user-attachments/assets/5d9e7039-a316-4b72-91f3-31eef5dc8a3d)","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215544","number":215544,"mergeCommit":{"message":"Add
manage_ingest_pipeline privilege check to Risk Engine enablement
(#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\"
cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe
Entity Analytics Enablement modal now displays a warning when the\nuser
lacks this privilege and prevents Risk Engine installation,
as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal
(installing/enabling)\n\n![Screenshot 2025-03-21 at 17
15\n15](https://github.com/user-attachments/assets/c5aba4b7-0850-4714-9df6-aee53e7b10df)\n\n####
Risk Management Page
\n\n\n![image](https://github.com/user-attachments/assets/5d9e7039-a316-4b72-91f3-31eef5dc8a3d)","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Charlotte Alexandra Wilson <CAWilson94@users.noreply.github.com>
This commit is contained in:
Kibana Machine 2025-03-25 17:12:01 +01:00 committed by GitHub
parent f80661b483
commit 8028491ee2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 27 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

7
x-pack/solutions/security/plugins/security_solution/common/entity_analytics/risk_engine/constants.ts
View file

@ -20,11 +20,14 @@ export const RISK_ENGINE_CLEANUP_URL = `${PUBLIC_RISK_ENGINE_URL}/dangerously_de
export const RISK_ENGINE_CONFIGURE_SO_URL =
`${PUBLIC_RISK_ENGINE_URL}/saved_object/configure` as const;
type ClusterPrivilege = 'manage_index_templates' | 'manage_transform';
type ClusterPrivilege = 'manage_index_templates' | 'manage_transform' | 'manage_ingest_pipelines';
// These are the required privileges to install the risk engine - enabling and running require less privileges
// However, we check the full set for simplicity, since the UI does not distinguish between installing and enabling
export const RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES = [
'manage_index_templates',
'manage_transform',
] as ClusterPrivilege[];
'manage_ingest_pipelines',
] satisfies ClusterPrivilege[];
export const RISK_SCORE_INDEX_PATTERN = 'risk-score.risk-score-*';

4
x-pack/solutions/security/plugins/security_solution/common/entity_analytics/risk_engine/privileges.test.ts
View file

@ -15,6 +15,7 @@ describe('getMissingRiskEnginePrivileges', () => {
cluster: {
manage_index_templates: false,
manage_transform: false,
manage_ingest_pipelines: false,
},
index: {
'risk-score.risk-score-*': {
@ -28,7 +29,7 @@ describe('getMissingRiskEnginePrivileges', () => {
const missingPrivileges = getMissingRiskEnginePrivileges(noClusterPrivileges);
expect(missingPrivileges).toEqual({
clusterPrivileges: ['manage_index_templates', 'manage_transform'],
clusterPrivileges: ['manage_index_templates', 'manage_transform', 'manage_ingest_pipelines'],
indexPrivileges: [],
});
});
@ -39,6 +40,7 @@ describe('getMissingRiskEnginePrivileges', () => {
cluster: {
manage_index_templates: true,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {

7
x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/risk_engine/risk_engine_privileges.test.ts
View file

@ -16,6 +16,7 @@ describe('_getMissingPrivilegesMessage', () => {
cluster: {
manage_index_templates: false,
manage_transform: false,
manage_ingest_pipelines: false,
},
index: {
'risk-score.risk-score-*': {
@ -31,7 +32,7 @@ describe('_getMissingPrivilegesMessage', () => {
const result = _getMissingPrivilegesMessage(noClusterPrivileges);
expect(result).toMatchInlineSnapshot(
`"User is missing risk engine privileges. Missing cluster privileges: manage_index_templates, manage_transform."`
`"User is missing risk engine privileges. Missing cluster privileges: manage_index_templates, manage_transform, manage_ingest_pipelines."`
);
});
@ -42,6 +43,7 @@ describe('_getMissingPrivilegesMessage', () => {
cluster: {
manage_index_templates: true,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {
@ -68,6 +70,7 @@ describe('_getMissingPrivilegesMessage', () => {
cluster: {
manage_index_templates: false,
manage_transform: false,
manage_ingest_pipelines: false,
},
index: {
'risk-score.risk-score-*': {
@ -83,7 +86,7 @@ describe('_getMissingPrivilegesMessage', () => {
const result = _getMissingPrivilegesMessage(noClusterOrIndexPrivileges);
expect(result).toMatchInlineSnapshot(
`"User is missing risk engine privileges. Missing index privileges for index \\"risk-score.risk-score-*\\": read, write. Missing cluster privileges: manage_index_templates, manage_transform."`
`"User is missing risk engine privileges. Missing index privileges for index \\"risk-score.risk-score-*\\": read, write. Missing cluster privileges: manage_index_templates, manage_transform, manage_ingest_pipelines."`
);
});
});

2
x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/risk_engine/routes/delete.test.ts
View file

@ -178,7 +178,7 @@ describe('risk engine cleanup route', () => {
expect(response.status).toBe(403);
expect(response.body).toEqual({
message:
'User is missing risk engine privileges. Missing cluster privileges: manage_index_templates, manage_transform.',
'User is missing risk engine privileges. Missing cluster privileges: manage_index_templates, manage_transform, manage_ingest_pipelines.',
status_code: 403,
});
});

13
x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts
View file

@ -39,6 +39,14 @@ const ROLES = [
},
},
},
{
name: 'manage_ingest_pipelines',
privileges: {
elasticsearch: {
cluster: ['manage_ingest_pipelines'],
},
},
},
{
name: 'risk_score_index_read',
privileges: {
@ -113,6 +121,7 @@ export default ({ getService }: FtrProviderContext) => {
cluster: {
manage_index_templates: true,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {
@ -132,6 +141,7 @@ export default ({ getService }: FtrProviderContext) => {
cluster: {
manage_index_templates: true,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {
@ -151,6 +161,7 @@ export default ({ getService }: FtrProviderContext) => {
cluster: {
manage_index_templates: true,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {
@ -170,6 +181,7 @@ export default ({ getService }: FtrProviderContext) => {
cluster: {
manage_index_templates: true,
manage_transform: false,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {
@ -189,6 +201,7 @@ export default ({ getService }: FtrProviderContext) => {
cluster: {
manage_index_templates: false,
manage_transform: true,
manage_ingest_pipelines: true,
},
index: {
'risk-score.risk-score-*': {