[Osquery] Make Osquery All with All base privillege (#130523)

2025-04-24 09:48:58 -04:00 · 2022-05-17 08:22:18 +02:00 · 2022-05-17 08:22:18 +02:00 · e9c1c3932b
commit e9c1c3932b
parent 25e567eab1
12 changed files with 115 additions and 11 deletions
--- a/x-pack/plugins/osquery/cypress/integration/roles/admin.spec.ts
+++ b/x-pack/plugins/osquery/cypress/integration/roles/admin.spec.ts
@ -0,0 +1,27 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { login } from '../../tasks/login';
+import { navigateTo } from '../../tasks/navigation';
+import { ROLES } from '../../test';
+import { checkResults, inputQuery, selectAllAgents, submitQuery } from '../../tasks/live_query';
+
+describe('Admin', () => {
+  beforeEach(() => {
+    login(ROLES.admin);
+    navigateTo('/app/osquery');
+  });
+
+  it('should be able to run live query with BASE All permissions', () => {
+    cy.contains('New live query').click();
+    selectAllAgents();
+    inputQuery('select * from uptime; ');
+    cy.wait(500);
+    submitQuery();
+    checkResults();
+  });
+});
--- a/x-pack/plugins/osquery/cypress/test/index.ts
+++ b/x-pack/plugins/osquery/cypress/test/index.ts
@ -15,5 +15,6 @@ export enum ROLES {
  rule_author = 'rule_author',
  platform_engineer = 'platform_engineer',
  detections_admin = 'detections_admin',
+  admin = 'admin', // base: ['all']
  alert_test = 'alert_test',
 }
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/delete_user.sh
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/delete_user.sh
@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -v -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XDELETE ${ELASTICSEARCH_URL}/_security/user/admin
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/get_role.sh
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/get_role.sh
@ -0,0 +1,11 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XGET ${KIBANA_URL}/api/security/role/admin | jq -S .
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/index.ts
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/index.ts
@ -0,0 +1,11 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import * as adminUser from './user.json';
+import * as adminRole from './role.json';
+
+export { adminUser, adminRole };
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/post_role.sh
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/post_role.sh
@ -0,0 +1,14 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+ROLE_CONFIG=(${@:-./detections_role.json})
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+-XPUT ${KIBANA_URL}/api/security/role/admin \
+-d @${ROLE_CONFIG}
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/post_user.sh
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/post_user.sh
@ -0,0 +1,14 @@
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+USER=(${@:-./detections_user.json})
+
+curl -H 'Content-Type: application/json' -H 'kbn-xsrf: 123'\
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ ${ELASTICSEARCH_URL}/_security/user/admin \
+-d @${USER}
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/role.json
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/role.json
@ -0,0 +1,17 @@
+{
+  "elasticsearch": {
+    "indices": [
+      {
+        "names": ["logs-osquery_manager*"],
+        "privileges": ["read"]
+      }
+    ]
+  },
+  "kibana": [
+    {
+      "base": ["all"],
+      "spaces": ["*"]
+    }
+  ]
+}
+
--- a/x-pack/plugins/osquery/scripts/roles_users/admin/user.json
+++ b/x-pack/plugins/osquery/scripts/roles_users/admin/user.json
@ -0,0 +1,6 @@
+{
+  "password": "changeme",
+  "roles": ["admin"],
+  "full_name": "Admin",
+  "email": "osquery@example.com"
+}
--- a/x-pack/plugins/osquery/server/plugin.ts
+++ b/x-pack/plugins/osquery/server/plugin.ts
@ -45,7 +45,6 @@ const registerFeatures = (features: SetupPlugins['features']) => {
    app: [PLUGIN_ID, 'kibana'],
    catalogue: [PLUGIN_ID],
    order: 2300,
-    excludeFromBasePrivileges: true,
    privileges: {
      all: {
        api: [`${PLUGIN_ID}-read`, `${PLUGIN_ID}-write`],
--- a/x-pack/test/ui_capabilities/security_and_spaces/tests/catalogue.ts
+++ b/x-pack/test/ui_capabilities/security_and_spaces/tests/catalogue.ts
@ -50,9 +50,7 @@ export default function catalogueTests({ getService }: FtrProviderContext) {
            const expected = mapValues(
              uiCapabilities.value!.catalogue,
              (enabled, catalogueId) =>
-                catalogueId !== 'monitoring' &&
-                catalogueId !== 'osquery' &&
-                !esFeatureExceptions.includes(catalogueId)
+                catalogueId !== 'monitoring' && !esFeatureExceptions.includes(catalogueId)
            );
            expect(uiCapabilities.value!.catalogue).to.eql(expected);
            break;
@ -69,7 +67,6 @@ export default function catalogueTests({ getService }: FtrProviderContext) {
              'appSearch',
              'workplaceSearch',
              'spaces',
-              'osquery',
              ...esFeatureExceptions,
            ];
            const expected = mapValues(
@ -94,7 +91,6 @@ export default function catalogueTests({ getService }: FtrProviderContext) {
              'appSearch',
              'workplaceSearch',
              'spaces',
-              'osquery',
              ...esFeatureExceptions,
            ];
            const expected = mapValues(
--- a/x-pack/test/ui_capabilities/security_and_spaces/tests/nav_links.ts
+++ b/x-pack/test/ui_capabilities/security_and_spaces/tests/nav_links.ts
@ -41,9 +41,7 @@ export default function navLinksTests({ getService }: FtrProviderContext) {
          case 'dual_privileges_all at everything_space':
            expect(uiCapabilities.success).to.be(true);
            expect(uiCapabilities.value).to.have.property('navLinks');
-            expect(uiCapabilities.value!.navLinks).to.eql(
-              navLinksBuilder.except('monitoring', 'osquery')
-            );
+            expect(uiCapabilities.value!.navLinks).to.eql(navLinksBuilder.except('monitoring'));
            break;
          case 'everything_space_all at everything_space':
          case 'global_read at everything_space':
@ -57,8 +55,7 @@ export default function navLinksTests({ getService }: FtrProviderContext) {
                'enterpriseSearch',
                'enterpriseSearchContent',
                'appSearch',
-                'workplaceSearch',
-                'osquery'
+                'workplaceSearch'
              )
            );
            break;