Closes#147049Closes#149897
Migrates authorization and audit logic from the Saved Objects Repository
to the Saved Objects Security Extension. This is achieved by
implementing action-specific authorization methods within the security
extension. The SO repository is no longer responsible for making any
authorization decisions, but It is still responsible to know how to call
the extension methods. I've tried to make this as straightforward as
possible such that there is a clear ownership delineation between the
repository and the extension, by keeping the interface simple and
(hopefully) obvious.
### Security Extension Interface
New Public Extension Methods:
- authorizeCreate
- authorizeBulkCreate
- authorizeUpdate
- authorizeBulkUpdate
- authorizeDelete
- authorizeBulkDelete
- authorizeGet
- authorizeBulkGet
- authorizeCheckConflicts
- authorizeRemoveReferences
- authorizeOpenPointInTime
- auditClosePointInTime
- authorizeAndRedactMultiNamespaceReferences
- authorizeAndRedactInternalBulkResolve
- authorizeUpdateSpaces
- authorizeFind
- getFindRedactTypeMap
- authorizeDisableLegacyUrlAliases (for secure spaces client)
- auditObjectsForSpaceDeletion (for secure spaces client)
Removed from public interface:
- authorize
- enforceAuthorization
- addAuditEvent
### Tests
- Most test coverage moved from `repository.security_extension.test.ts`
to `saved_objects_security_extension.test.ts`
- `repository.security_extension.test.ts` tests extension call,
parameters, and return
- Updates repository unit tests to check that all security extension
calls are made with the current space when the spaces extension is also
enabled
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Resolves: #150209
This PR intends to add the available `Action variables` of the new
`Summary of alerts` actions.
Note: Alert-as-data exposes more data. Please let me know if any needs
to be added/removed.
A better list of available fields:
https://github.com/elastic/kibana/blob/main/x-pack/plugins/rule_registry/README.md
---------
Co-authored-by: lcawl <lcawley@elastic.co>
Closes#113928
## Summary
- Adds 'xpack.security.authc.providers' to the list of settings that
must be the same across all Kibana instances behind a load balancer.
- Adds a warning block explaining why the authentication providers need
to match, and an additional configuration case where this applies
(Kibana instances that are backed by the same ES instance and share the
same kibana.index).
This PR adds a new bulk get attachments API.
```
POST internal/cases/<case_id>/attachments/_bulk_get
{
"ids": ["02441860-9b66-11ed-a8df-f1edb375c327", "2"]
}
```
<details><summary>Example request and response</summary>
Request
```
POST http://localhost:5601/internal/cases/attachments/_bulk_get
{
"ids": ["283a4600-9cfd-11ed-9e3d-c96d764b0e39", "2", "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"]
}
```
Response
```
{
"attachments": [
{
"id": "283a4600-9cfd-11ed-9e3d-c96d764b0e39",
"version": "WzI2MiwxXQ==",
"comment": "Stack comment",
"type": "user",
"owner": "cases",
"created_at": "2023-01-25T22:11:03.398Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic",
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"pushed_at": null,
"pushed_by": null,
"updated_at": null,
"updated_by": null
}
],
"errors": [
{
"error": "Not Found",
"message": "Saved object [cases-comments/2] not found",
"status": 404,
"attachmentId": "2"
},
{
"error": "Bad Request",
"message": "Attachment is not attached to case id=248d6aa0-9cfd-11ed-9e3d-c96d764b0e39",
"status": 400,
"attachmentId": "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"
}
]
}
```
</details>
<details><summary>Unauthorized example response</summary>
```
{
"attachments": [],
"errors": [
{
"error": "Forbidden",
"message": "Unauthorized to access attachment with owner: \"securitySolution\"",
"status": 403,
"attachmentId": "382e97f0-9cfd-11ed-9e3d-c96d764b0e39"
}
]
}
```
</details>
## Notable changes
- Created a new internal route for retrieving attachments
- Refactored the attachments service to take the saved object client in
the constructor instead of each method
- Refactored attachments service by moving the get style operations to
their own class
- Refactored the integration utilities file to move the attachment
operations to their own file
- The API will return a 400 if more than 10k ids are requested
---------
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR adds a new authorization log operation for the bulk create
attachments API.
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This PR adds a new find API for retrieving a subset of the user actions
for a case.
Issue: https://github.com/elastic/kibana/issues/134344
```
GET /api/cases/<case_id>/user_actions/_find
Query Paramaters
{
types?: Array of "assignees" | "comment" | "connector" | "description" | "pushed" | "tags" | "title" | "status" | "settings" | "severity" | "create_case" | "delete_case" | "action" | "alert" | "user" | "attachment"
sortOrder?: "asc" | "desc"
page?: number as a string
perPage?: number as a string
}
```
<details><summary>Example request and response</summary>
Request
```
curl --location --request GET 'http://localhost:5601/api/cases/8df5fe00-96b1-11ed-9341-471c9630b5ec/user_actions/_find?types=create_case&sortOrder=asc' \
--header 'kbn-xsrf: hello' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data-raw ''
```
Response
```
{
"userActions": [
{
"created_at": "2023-01-17T21:54:45.527Z",
"created_by": {
"username": "elastic",
"full_name": null,
"email": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"owner": "cases",
"action": "create",
"payload": {
"title": "Awesome case",
"tags": [],
"severity": "low",
"description": "super",
"assignees": [],
"connector": {
"name": "none",
"type": ".none",
"fields": null,
"id": "none"
},
"settings": {
"syncAlerts": false
},
"owner": "cases",
"status": "open"
},
"type": "create_case",
"id": "8e121180-96b1-11ed-9341-471c9630b5ec",
"case_id": "8df5fe00-96b1-11ed-9341-471c9630b5ec",
"comment_id": null
}
],
"page": 1,
"perPage": 20,
"total": 1
}
```
</details>
## Notable Changes
- Created the new `_find` route
- Created a new `UserActionFinder` class and moved the find* methods
from the `index.ts` file into there as well as the new find logic
- Extracted the transform logic to its own file since its shared between
multiple files now
- Extracted the user action related integration test functions to the
`user_action.ts` utility file
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: lcawl <lcawley@elastic.co>
## Summary
This PR creates the bulk get cases internal API. The endpoint is needed
for the alerts table to be able to get all cases the alerts are attached
to with one call.
Reference: https://github.com/elastic/kibana/issues/146864
### Request
- ids: (Required, array) An array of IDs of the retrieved cases.
- fields: (Optional, array) The fields to return in the attributes key
of the object response.
```
POST <kibana host>:<port>/internal/cases/_bulk_get
{
"ids": ["case-id-1", "case-id-2", "123", "not-authorized"],
"fields": ["title"]
}
```
### Response
```
{
"cases": [
{
"title": "case1",
"owner": "securitySolution",
"id": "case-id-1",
"version": "WzIzMTU0NSwxNV0="
},
{
"title": "case2",
"owner": "observability",
"id": "case-id-2",
"version": "WzIzMTU0NSwxNV0="
}
],
"errors": [
{
"error": "Not Found",
"message": "Saved object [cases/123] not found",
"status": 404,
"caseId": "123"
},
{
"error": "Forbidden",
"message": "Unauthorized to access case with owner: \"cases\"",
"status": 403,
"caseId": "not-authorized"
}
]
}
```
### Checklist
Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- Adds CentOS to the list of exceptions to the default value. CentOS,
Debian, and Red Hat Linux use `true`, but all other OS use `false`.
Previously, CentOS was not documented.
- Adds note regarding Chrome crash in the troubleshooting doc.
Follow up to #147526 which had to be reverted.
Resolves#127481
## Release notes
Include IP address in audit log
## Testing
1. Start Elasticsearch with trial license: `yarn es snapshot --license
trial`
2. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: console
layout:
type: json
```
3. Observe audit logs in console when interacting with Kibana:
```json
{
"@timestamp": "2022-12-13T15:50:42.236+00:00",
"message": "User is requesting [/dev/internal/security/me] endpoint",
"client": {
"ip": "127.0.0.1"
},
"http": {
"request": {
"headers": {
"x-forwarded-for": "1.1.1.1, 127.0.0.1"
}
}
}
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Reverts elastic/kibana#147526
Reverting due to errors when using `FakeRequest`:
```
TypeError: Cannot read properties of undefined (reading 'remoteAddress')
at KibanaSocket.get remoteAddress [as remoteAddress] (/Users/shahzad-16/elastic/kibana/node_modules/@kbn/core-http-router-server-internal/target_node/src/socket.js:25:24)
at Object.log (/Users/shahzad-16/elastic/kibana/x-pack/plugins/security/server/audit/audit_service.ts:95:32)
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Terminating process...
server crashed with status code 1
```
Resolves#127481
## Release notes
Include IP address in audit log
## Testing
1. Update `kibana.dev.yaml`:
```yaml
xpack.security.audit.enabled: true
xpack.security.audit.appender:
type: console
layout:
type: json
```
2. Observe audit logs in console when interacting with Kibana:
```json
{
"@timestamp": "2022-12-13T15:50:42.236+00:00",
"message": "User is requesting [/dev/internal/security/me] endpoint",
"client": {
"ip": "127.0.0.1"
},
"http": {
"request": {
"headers": {
"x-forwarded-for": "1.1.1.1, 127.0.0.1"
}
}
}
}
```
Note: You will see the `x-forwarded-for` field populated when running
Kibana in development mode (`yarn start`) since Kibana runs behind a
development proxy.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Resolves https://github.com/elastic/kibana/issues/89481
## Summary
Adds group by options to the ES query rule type, both DSL and KQL
options. This is the same limited group by options that are offered in
the index threshold rule type so I used the same UI components and rule
parameter names. I moved some aggregation building code to `common` so
they could be reused. All existing ES query rules are migrated to be
`count over all` rules.
## To Verify
* Create the following types of rules and verify they work as expected.
Verify for both DSL query and KQL query
* `count over all` rule - this should run the same as before, where it
counts the number of documents that matches the query and applies the
threshold condition to that value. `{{context.hits}}` is all the
documents that match the query if the threshold condition is met.
* `<metric> over all` rule - this calculates the specific aggregation
metric and applies the threshold condition to the aggregated metric (for
example, `avg event.duration`). `{{context.hits}}` is all the documents
that match the query if the threshold condition is met.
* `count over top N terms` - this will apply a term aggregation to the
query and matches the threshold condition to each term bucket (for
example, `count over top 10 event.action` will apply the threshold
condition to the count of documents within each `event.action` bucket).
`{{context.hits}}` is the result of the top hits aggregation within each
term bucket if the threshold condition is met for that bucket.
* `<metric> over top N terms` - this will apply a term aggregation and a
metric sub-aggregation to the query and matches the threshold condition
to the metric value within each term bucket (for example, `avg
event.duration over top 10 event.action` will apply the threshold
condition to the average value of `event.duration` within each
`event.action` bucket). `{{context.hits}}` is the result of the top hits
aggregation within each term bucket if the threshold condition is met
for that bucket.
* Verify the migration by creating a DSL and KQL query in an older
version of Kibana and then upgrading to this PR. The rules should still
continue running successfully.
### Checklist
- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Lisa Cawley <lcawley@elastic.co>
## Summary
API keys can now be updated via the API Keys Management screen
## Release Note
API Keys can now be updated with new Role Descriptors and Metadata via
the API Keys Management screen.
## Testing Instructions
Login as `elastic`
Navigate to Roles and create a new role with the `read_security` cluster
privilege:
<img width="962" alt="Screen Shot 2022-11-30 at 9 42 31 AM"
src="https://user-images.githubusercontent.com/21210601/204826868-a8f6bf03-acf8-404c-90c8-e2b9ab62dc11.png">
Create a new user and assign that new role, `viewer`, and
`kibana_admin`:
<img width="936" alt="Screen Shot 2022-11-30 at 9 43 10 AM"
src="https://user-images.githubusercontent.com/21210601/204827030-e5f97f8e-6676-4c18-8a46-f6afee87ba12.png">
Navigate to Dev Tools and run the following:
```json
POST /_security/api_key/grant
{
"grant_type": "password",
"username" : "elastic",
"password" : "changeme",
"run_as": "elastic",
"api_key" : {
"name": "test-expired-key",
"expiration": "1ms"
}
}
POST /_security/api_key/grant
{
"grant_type": "password",
"username" : "elastic",
"password" : "changeme",
"run_as": "test_user",
"api_key" : {
"name": "test-user-key",
"expiration": "1d"
}
}
```
The first command will create an API key for the `elastic` user that
expires immediately.
The second command will create an API key for `test_user`.
Navigate to the API Key page, click the name column links to see a
readonly view for the 2 previously created keys as users cannot update
an API key that belongs to another user nor an API key that is expired.
Create a new API key:
<img width="632" alt="Screen Shot 2022-11-30 at 9 44 52 AM"
src="https://user-images.githubusercontent.com/21210601/204829114-672c6583-8801-4af0-bfa8-64ae1072ef46.png">
Click the name link for the newly created API key to see the Update API
key flyout.
Update the fields and click submit:
<img width="642" alt="Screen Shot 2022-11-30 at 9 45 59 AM"
src="https://user-images.githubusercontent.com/21210601/204829914-9fb1f8e6-8b3f-4acc-b63f-d7e4a0906727.png">
If the update was successful:
<img width="904" alt="Screen Shot 2022-11-30 at 9 46 42 AM"
src="https://user-images.githubusercontent.com/21210601/204830133-1dcb083b-f945-4980-9e91-19081c224b55.png">
Now click the name link again for the updated key and click submit
without making changes. You should see a warning:
<img width="895" alt="Screen Shot 2022-11-30 at 9 46 52 AM"
src="https://user-images.githubusercontent.com/21210601/204830570-2ca5e2e0-19b6-43ce-b7e4-ae594be6a86b.png">
Logout the `elastic` user and login as `test_user`
Navigate to API Keys and click the existing API Key to see a readonly
view flyout:
<img width="639" alt="Screen Shot 2022-11-30 at 9 58 25 AM"
src="https://user-images.githubusercontent.com/21210601/204832019-640ecd2e-4bcb-402b-a164-e8b8eb9f8848.png">
Thanks for reviewing!
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
👋 howdy, team!
## Summary
Doc request https://github.com/elastic/kibana/issues/131271 is still a
high pain point, the hope of this PR is to
- provide direct doc link to the `{{context}}` paragraph (currently
scroll-hidden under an image)
- append common info requests, how to
- see all variables (during exploration)
- loop through `context`, esp. related to rule search response
### Checklist
Delete any items that are not applicable to this PR. ✓
### Risk Matrix
Delete this section if it is not applicable to this PR. ✓
### For maintainers
- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
In DevTools, if you go to run `kbn:/s/foo/api/MY_REQUEST` then IF default space you effectively run `KIBANA/s/foo/api/MY_REQUEST` BUT IF non-default space e.g. `admin` you end up running `KIBANA/s/admin/s/foo/api/MY_REQUEST` which is invalid.
This is not pointed out in Dev Tools and since this page updated to the emphasize the DevTools example, this is tripping up more users who think it should work via this page.
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* Allowing _source in ES query DSL
* Adding functional test
* Adding to doc
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
