## Summary
Resolves https://github.com/elastic/kibana/issues/166095.
This updates the API Key management screen to reflect the copy
adjustments described in #166095:
1. Change `Cross-Cluster` to `Cross-cluster`, unless it is mid-sentence
in which case `cross-cluster` should be used.
2. Updated ownership & expiry warnings to use the active voice.
3. Renamed `Personal` API Keys to `User` API Keys.

View docs changes here:
https://kibana_bk_175809.docs-preview.app.elstc.co/diff
Problem: The [Configure security in Kibana](https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html) docs page only covers the `xpack.security.encryptionKey` setting for session encryption. Users may not know that encryption for Kibana's reporting and saved objects features also require encryption keys.
Solution: Add a cross-link to the respective encryption key settings for reporting and saved objects
Closes https://github.com/elastic/kibana/issues/162215
## Summary
This PR changes the default session idle timeout for users to 3 days.
## Changes Made
- Updated default `session.idleTimeout` to `3d`.
- Updated tests to expect the new default timeout
- Updated asciidocs to match the above change
## Release notes
Change the default value of `session.idleTimeout` from 8 hours to 3
days.
This PR updates the security audit logs with some cases values. We added
a new operation for retrieving the `categories` of a case and the users
associated with a case.
closes #149338
## Summary
Sets refresh parameter to false in session create, update, and
invalidate. Previously refresh was set to 'wait_for' (or 'true' in the
case of invalidating by query).
### Tests
Several unit tests and functional tests have been updated to reflect the
change in test snapshots and to manually refresh the session index in
order to complete testing. The bulk of the test changes reside in the
[concurrent session limit
suite](66a43be28c/x-pack/test/security_api_integration/tests/session_concurrent_limit/global_limit.ts).
Flaky Test Runner for relevant test suites:
https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/1984
### Documentation
Adds a note to the session-management ascii doc to document a known
limitation of enforcing the concurrent sessions limit...
```
NOTE: Due to the rate at which session information is refreshed, there might be a few seconds where the concurrent session limit is not enforced.
This is something to consider for use cases where it is common to create multiple sessions simultaneously.
```
---------
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
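The limitation in the note above (sessions created with `refresh=false` are not searchable until the next refresh, so a search-backed concurrent session limit can be exceeded inside one refresh window) is easy to reproduce on a toy index. The following is an added example, not Kibana's session index or its tests; the in-memory index with refresh semantics, the limit of 2, the 1 s refresh interval and the login timings are all constructed for illustration.

```typescript
// Added example, not Kibana code: a toy session index with Elasticsearch-like
// refresh semantics, used to show why a concurrent session limit that relies on
// a search over that index can be bypassed by logins that arrive inside one
// refresh window. Refresh interval, limit and timings are constructed.

interface SessionDoc {
  sid: string;
  user: string;
  createdAt: number; // ms on a simulated clock
}

class RefreshedIndex {
  private buffered: SessionDoc[] = [];   // written with refresh=false, not yet searchable
  private searchable: SessionDoc[] = [];
  private lastRefresh: number;

  constructor(private refreshIntervalMs: number, now: number) {
    this.lastRefresh = now;
  }

  // Acknowledge the write without making it visible (refresh=false).
  index(doc: SessionDoc, now: number): void {
    this.buffered.push(doc);
    this.maybeAutoRefresh(now);
  }

  // Explicit refresh, the equivalent of what the updated tests do by hand.
  refresh(now: number): void {
    this.searchable = this.searchable.concat(this.buffered);
    this.buffered = [];
    this.lastRefresh = now;
  }

  // Sessions visible to a search; only refreshed data counts.
  countByUser(user: string, now: number): number {
    this.maybeAutoRefresh(now);
    return this.searchable.filter((d) => d.user === user).length;
  }

  private maybeAutoRefresh(now: number): void {
    if (now - this.lastRefresh >= this.refreshIntervalMs) this.refresh(now);
  }
}

interface CreateResult {
  sid: string;
  accepted: boolean;
  activeSeen: number; // what the limit check observed at decision time
}

// Enforce the limit the way a search-backed check does: count, then create.
function createSession(idx: RefreshedIndex, user: string, sid: string, limit: number, now: number): CreateResult {
  const activeSeen = idx.countByUser(user, now);
  if (activeSeen >= limit) return { sid, accepted: false, activeSeen };
  idx.index({ sid, user, createdAt: now }, now);
  return { sid, accepted: true, activeSeen };
}

// `count` logins for one user, `gapMs` apart, against an index refreshed every `refreshIntervalMs`.
function burstLogins(refreshIntervalMs: number, gapMs: number, count: number, limit: number): CreateResult[] {
  const idx = new RefreshedIndex(refreshIntervalMs, 0);
  const results: CreateResult[] = [];
  for (let i = 0; i < count; i++) {
    results.push(createSession(idx, 'alice', 's' + i, limit, i * gapMs));
  }
  return results;
}

// Three logins 100 ms apart with a limit of 2 and a 1 s refresh interval are all
// accepted, because none of them is searchable when the next check runs. The same
// three logins spaced 1.5 s apart see the refreshed data, and the third is rejected.
```

The point for operators is that the gap is bounded by the index refresh interval, not by Kibana logic: automated clients that open many sessions at once can briefly exceed the limit, and the excess sessions are only noticed by whatever cleanup runs later.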
Closes #147049
Closes #149897
Migrates authorization and audit logic from the Saved Objects Repository
to the Saved Objects Security Extension. This is achieved by
implementing action-specific authorization methods within the security
extension. The SO repository is no longer responsible for making any
authorization decisions, but it is still responsible for knowing how to call
the extension methods. I've tried to make this as straightforward as
possible such that there is a clear ownership delineation between the
repository and the extension, by keeping the interface simple and
(hopefully) obvious.
### Security Extension Interface
New Public Extension Methods:
- authorizeCreate
- authorizeBulkCreate
- authorizeUpdate
- authorizeBulkUpdate
- authorizeDelete
- authorizeBulkDelete
- authorizeGet
- authorizeBulkGet
- authorizeCheckConflicts
- authorizeRemoveReferences
- authorizeOpenPointInTime
- auditClosePointInTime
- authorizeAndRedactMultiNamespaceReferences
- authorizeAndRedactInternalBulkResolve
- authorizeUpdateSpaces
- authorizeFind
- getFindRedactTypeMap
- authorizeDisableLegacyUrlAliases (for secure spaces client)
- auditObjectsForSpaceDeletion (for secure spaces client)
Removed from public interface:
- authorize
- enforceAuthorization
- addAuditEvent
### Tests
- Most test coverage moved from `repository.security_extension.test.ts`
to `saved_objects_security_extension.test.ts`
- `repository.security_extension.test.ts` tests extension call,
parameters, and return
- Updates repository unit tests to check that all security extension
calls are made with the current space when the spaces extension is also
enabled
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
This PR adds a new bulk get attachments API.
```
POST internal/cases/<case_id>/attachments/_bulk_get
{
  "ids": ["02441860-9b66-11ed-a8df-f1edb375c327", "2"]
}
```
<details><summary>Example request and response</summary>
Request
```
POST http://localhost:5601/internal/cases/attachments/_bulk_get
{
  "ids": ["283a4600-9cfd-11ed-9e3d-c96d764b0e39", "2", "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"]
}
```
Response
```
{
  "attachments": [
    {
      "id": "283a4600-9cfd-11ed-9e3d-c96d764b0e39",
      "version": "WzI2MiwxXQ==",
      "comment": "Stack comment",
      "type": "user",
      "owner": "cases",
      "created_at": "2023-01-25T22:11:03.398Z",
      "created_by": {
        "email": null,
        "full_name": null,
        "username": "elastic",
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "pushed_at": null,
      "pushed_by": null,
      "updated_at": null,
      "updated_by": null
    }
  ],
  "errors": [
    {
      "error": "Not Found",
      "message": "Saved object [cases-comments/2] not found",
      "status": 404,
      "attachmentId": "2"
    },
    {
      "error": "Bad Request",
      "message": "Attachment is not attached to case id=248d6aa0-9cfd-11ed-9e3d-c96d764b0e39",
      "status": 400,
      "attachmentId": "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"
    }
  ]
}
```
</details>
<details><summary>Unauthorized example response</summary>
```
{
  "attachments": [],
  "errors": [
    {
      "error": "Forbidden",
      "message": "Unauthorized to access attachment with owner: \"securitySolution\"",
      "status": 403,
      "attachmentId": "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"
    }
  ]
}
```
</details>
## Notable changes
- Created a new internal route for retrieving attachments
- Refactored the attachments service to take the saved object client in
the constructor instead of each method
- Refactored attachments service by moving the get style operations to
their own class
- Refactored the integration utilities file to move the attachment
operations to their own file
- The API will return a 400 if more than 10k ids are requested
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR adds a new authorization log operation for the bulk create
attachments API.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR adds a new find API for retrieving a subset of the user actions
for a case.
Issue: https://github.com/elastic/kibana/issues/134344
```
GET /api/cases/<case_id>/user_actions/_find
Query Parameters
{
  types?: Array of "assignees" | "comment" | "connector" | "description" | "pushed" | "tags" | "title" | "status" | "settings" | "severity" | "create_case" | "delete_case" | "action" | "alert" | "user" | "attachment"
  sortOrder?: "asc" | "desc"
  page?: number as a string
  perPage?: number as a string
}
```
<details><summary>Example request and response</summary>
Request
```
curl --location --request GET 'http://localhost:5601/api/cases/8df5fe00-96b1-11ed-9341-471c9630b5ec/user_actions/_find?types=create_case&sortOrder=asc' \
--header 'kbn-xsrf: hello' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data-raw ''
```
Response
```
{
  "userActions": [
    {
      "created_at": "2023-01-17T21:54:45.527Z",
      "created_by": {
        "username": "elastic",
        "full_name": null,
        "email": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "owner": "cases",
      "action": "create",
      "payload": {
        "title": "Awesome case",
        "tags": [],
        "severity": "low",
        "description": "super",
        "assignees": [],
        "connector": {
          "name": "none",
          "type": ".none",
          "fields": null,
          "id": "none"
        },
        "settings": {
          "syncAlerts": false
        },
        "owner": "cases",
        "status": "open"
      },
      "type": "create_case",
      "id": "8e121180-96b1-11ed-9341-471c9630b5ec",
      "case_id": "8df5fe00-96b1-11ed-9341-471c9630b5ec",
      "comment_id": null
    }
  ],
  "page": 1,
  "perPage": 20,
  "total": 1
}
```
</details>
## Notable Changes
- Created the new `_find` route
- Created a new `UserActionFinder` class and moved the find* methods
from the `index.ts` file into there as well as the new find logic
- Extracted the transform logic to its own file since it's shared between
multiple files now
- Extracted the user action related integration test functions to the
`user_action.ts` utility file
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>
## Summary
This PR creates the bulk get cases internal API. The endpoint is needed
for the alerts table to be able to get all cases the alerts are attached
to with one call.
Reference: https://github.com/elastic/kibana/issues/146864
### Request
- ids: (Required, array) An array of IDs of the retrieved cases.
- fields: (Optional, array) The fields to return in the attributes key
of the object response.
```
POST <kibana host>:<port>/internal/cases/_bulk_get
{
  "ids": ["case-id-1", "case-id-2", "123", "not-authorized"],
  "fields": ["title"]
}
```
### Response
```
{
  "cases": [
    {
      "title": "case1",
      "owner": "securitySolution",
      "id": "case-id-1",
      "version": "WzIzMTU0NSwxNV0="
    },
    {
      "title": "case2",
      "owner": "observability",
      "id": "case-id-2",
      "version": "WzIzMTU0NSwxNV0="
    }
  ],
  "errors": [
    {
      "error": "Not Found",
      "message": "Saved object [cases/123] not found",
      "status": 404,
      "caseId": "123"
    },
    {
      "error": "Forbidden",
      "message": "Unauthorized to access case with owner: \"cases\"",
      "status": 403,
      "caseId": "not-authorized"
    }
  ]
}
```
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
Follow up to #147526 which had to be reverted.
Resolves #127481
## Release notes
Include IP address in audit log
## Testing
1. Start Elasticsearch with trial license: `yarn es snapshot --license
trial`
2. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```
3. Observe audit logs in console when interacting with Kibana:
```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Reverts elastic/kibana#147526
Reverting due to errors when using `FakeRequest`:
```
TypeError: Cannot read properties of undefined (reading 'remoteAddress')
at KibanaSocket.get remoteAddress [as remoteAddress] (/Users/shahzad-16/elastic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/src/socket.js:25:24)
at Object.log (/Users/shahzad-16/elastic/kibana/x-pack/plugins/security/server/audit/audit_service.ts:95:32)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Terminating process...
server crashed with status code 1
```
Resolves #127481
## Release notes
Include IP address in audit log
## Testing
1. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
  type: console
  layout:
    type: json
```
2. Observe audit logs in console when interacting with Kibana:
```json
{
  "@timestamp": "2022-12-13T15:50:42.236+00:00",
  "message": "User is requesting [/dev/internal/security/me] endpoint",
  "client": {
    "ip": "127.0.0.1"
  },
  "http": {
    "request": {
      "headers": {
        "x-forwarded-for": "1.1.1.1, 127.0.0.1"
      }
    }
  }
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
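The sample event above records both `client.ip` (the TCP peer) and the raw `x-forwarded-for` header, and the revert in between shows what happens when the request has no socket at all: the first version read `remoteAddress` off an undefined socket and crashed the server. The following is an added example, not Kibana's audit service, showing how an audit consumer can turn those two fields into a client address it can rely on: the header is trusted only for hops that come from a configured list of proxy addresses, and a request with no socket produces an event without `client.ip` instead of an exception. The request shape, the addresses and the proxy list are constructed for illustration.

```typescript
// Added example, not Kibana code. Derives the client IP for an audit event,
// trusting `x-forwarded-for` only for hops that come from configured proxies,
// and tolerating a request with no socket (the `FakeRequest` case in the
// revert above). Request shape, addresses and proxy list are constructed.

interface AuditRequest {
  socket?: { remoteAddress?: string };
  headers: { [name: string]: string | string[] | undefined };
}

function headerValue(h: string | string[] | undefined): string | undefined {
  if (h === undefined) return undefined;
  return Array.isArray(h) ? h.join(', ') : h;
}

// Walk the forwarding chain from the TCP peer leftwards. Each hop that is one
// of our proxies is skipped; the first address that is not is the client.
// Starting from the peer rather than the leftmost header value is what stops
// an untrusted client from choosing the address that gets logged.
function clientIp(req: AuditRequest, trustedProxies: string[]): string | undefined {
  const peer = req.socket && req.socket.remoteAddress;
  if (peer === undefined) return undefined;   // no socket (FakeRequest): event is logged without client.ip
  const xff = headerValue(req.headers['x-forwarded-for']);
  const hops = xff ? xff.split(',').map((s) => s.trim()).filter((s) => s.length > 0) : [];
  let candidate = peer;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (trustedProxies.indexOf(candidate) === -1) break;
    candidate = hops[i];
  }
  return candidate;
}

// The `client` and `http.request.headers` parts of the audit event, each
// omitted rather than crashing when it is unknown.
function auditClientFields(req: AuditRequest, trustedProxies: string[]): { [key: string]: unknown } {
  const event: { [key: string]: unknown } = {};
  const ip = clientIp(req, trustedProxies);
  if (ip !== undefined) event.client = { ip };
  const xff = headerValue(req.headers['x-forwarded-for']);
  if (xff !== undefined) event.http = { request: { headers: { 'x-forwarded-for': xff } } };
  return event;
}
```

Keeping the raw header in the event, as the Kibana change does, is the right call for forensics: the resolved address is an interpretation that depends on the proxy list, while the header is evidence of what actually arrived. In the development setup described in the note, where Kibana sits behind a proxy on the same host, the peer and the last hop are both `127.0.0.1`, which is why the logged `client.ip` there is the loopback address rather than anything in the header.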
## Summary
API keys can now be updated via the API Keys Management screen
## Release Note
API Keys can now be updated with new Role Descriptors and Metadata via
the API Keys Management screen.
## Testing Instructions
Log in as `elastic`
Navigate to Roles and create a new role with the `read_security` cluster
privilege:
<img width="962" alt="Screen Shot 2022-11-30 at 9 42 31 AM"
src="https://user-images.githubusercontent.com/21210601/204826868-a8f6bf03-acf8-404c-90c8-e2b9ab62dc11.png">
Create a new user and assign that new role, `viewer`, and
`kibana_admin`:
<img width="936" alt="Screen Shot 2022-11-30 at 9 43 10 AM"
src="https://user-images.githubusercontent.com/21210601/204827030-e5f97f8e-6676-4c18-8a46-f6afee87ba12.png">
Navigate to Dev Tools and run the following:
```json
POST /_security/api_key/grant
{
  "grant_type": "password",
  "username": "elastic",
  "password": "changeme",
  "run_as": "elastic",
  "api_key": {
    "name": "test-expired-key",
    "expiration": "1ms"
  }
}
POST /_security/api_key/grant
{
  "grant_type": "password",
  "username": "elastic",
  "password": "changeme",
  "run_as": "test_user",
  "api_key": {
    "name": "test-user-key",
    "expiration": "1d"
  }
}
```
The first command will create an API key for the `elastic` user that
expires immediately.
The second command will create an API key for `test_user`.
Navigate to the API Key page, click the name column links to see a
readonly view for the 2 previously created keys as users cannot update
an API key that belongs to another user nor an API key that is expired.
Create a new API key:
<img width="632" alt="Screen Shot 2022-11-30 at 9 44 52 AM"
src="https://user-images.githubusercontent.com/21210601/204829114-672c6583-8801-4af0-bfa8-64ae1072ef46.png">
Click the name link for the newly created API key to see the Update API
key flyout.
Update the fields and click submit:
<img width="642" alt="Screen Shot 2022-11-30 at 9 45 59 AM"
src="https://user-images.githubusercontent.com/21210601/204829914-9fb1f8e6-8b3f-4acc-b63f-d7e4a0906727.png">
If the update was successful:
<img width="904" alt="Screen Shot 2022-11-30 at 9 46 42 AM"
src="https://user-images.githubusercontent.com/21210601/204830133-1dcb083b-f945-4980-9e91-19081c224b55.png">
Now click the name link again for the updated key and click submit
without making changes. You should see a warning:
<img width="895" alt="Screen Shot 2022-11-30 at 9 46 52 AM"
src="https://user-images.githubusercontent.com/21210601/204830570-2ca5e2e0-19b6-43ce-b7e4-ae594be6a86b.png">
Log out the `elastic` user and log in as `test_user`
Navigate to API Keys and click the existing API Key to see a readonly
view flyout:
<img width="639" alt="Screen Shot 2022-11-30 at 9 58 25 AM"
src="https://user-images.githubusercontent.com/21210601/204832019-640ecd2e-4bcb-402b-a164-e8b8eb9f8848.png">
Thanks for reviewing!
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Adding deprecation warning for Interactive Users using ApiKeys
* Fixing unit test verbiage
* Update docs/user/security/authentication/index.asciidoc
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Update docs/user/security/api-keys/index.asciidoc
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Changing capitalization on 'keys' to avoid confusion with the UI API Keys
* Update docs/user/security/api-keys/index.asciidoc
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Update docs/user/security/authentication/index.asciidoc
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Changing the logging message and unit test descriptions based on PR review feedback
* Update x-pack/plugins/security/server/routes/analytics/authentication_type.test.ts
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Update x-pack/plugins/security/server/routes/analytics/authentication_type.ts
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* Removing unnecessary whitespace
* Fixing spelling in unit test assertion
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: Aleh Zasypkin <aleh.zasypkin@gmail.com>
* wip
* wip
* Reverting changes not related to event log aggregation
* Reverting changes not related to event log aggregation
* Updating event log client find to take array of sort options
* Updating tests and adding basic aggregation function
* Adding tests
* Fixing functional test
* Fixing functional test
* Revert "Reverting changes not related to event log aggregation"
This reverts commit 939340e252.
* Revert "Reverting changes not related to event log aggregation"
This reverts commit 40a93a4b3c.
* Getting aggregation and parsing aggregation results
* Cleanup
* Changing api to internal
* Fixing types
* PR feedback
* omg types
* types and optional accessors
* Adding fn to calculate num executions based on date range
* Fleshing out rules client function and tests
* http api
* Cleanup
* Adding schedule delay
* Limit to 1000 logs
* Fixing security tests
* Fixing unit tests
* Validating numExecutions
* Changing sort input format
* Adding more sort fields
* Fixing unit tests
* Adding functional tests
* Adding sort to terms aggregation
* Fixing functional test
* Adding audit event for rule GET
* Adding audit event for rule execution log GET
* PR feedback
* Adding gap policy and using static num buckets
* Fixing checks
* Fixing checks
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* [DOCS] Fixes inconsistency with role management link
* Update docs/redirects.asciidoc
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
* [DOCS] Update security configuration for security ON by default
* Incorporating reviewer feedback + fixing a link
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>