github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 09:19:04 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/x-pack/test/session_view
History
Exact
Jan Monschke 8e02172e2e
[8.x] [SecuritySolution] Breaking out timeline & note privileges (#201780) (#207367) 
# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Breaking out timeline & note privileges
(#201780)](https://github.com/elastic/kibana/pull/201780)

<!--- Backport version: 9.6.4 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Jan
Monschke","email":"jan.monschke@elastic.co"},"sourceCommit":{"committedDate":"2025-01-20T13:09:16Z","message":"[SecuritySolution]
Breaking out timeline & note privileges (#201780)\n\n## Summary\n\nEpic:
https://github.com/elastic/security-team/issues/7998\n\nIn this PR we're
breaking out the `timeline` and `notes` features into\ntheir own feature
privilege definition. Previously, access to both\nfeatures was granted
implicitly through the `siem` feature. However, we\nfound that this
level of access control is not sufficient for all\nclients who wanted a
more fine-grained way to grant access to parts of\nsecurity
solution.\n\nIn order to break out `timeline` and `notes` from `siem`,
we had to\ndeprecate it feature privilege definition for. That is why
you'll find\nplenty of changes of `siem` to `siemV2` in this PR. We're
making use of\nthe feature privilege's `replacedBy` functionality,
allowing for a\nseamless migration of deprecated roles.\n\nThis means
that roles that previously granted `siem.all` are now
granted\n`siemV2.all`, `timeline.all` and `notes.all` (same for
`*.read`).\nExisting users are not impacted and should all still have
the correct\naccess. We added tests to make sure this is working as
expected.\n\nAlongside the `ui` privileges, this PR also adds dedicated
API tags.\nThose tags haven been added to the new and previous version
of the\nprivilege definitions to allow for a clean
migration:\n\n```mermaid\nflowchart LR\n subgraph v1\n A(siem) -->
Y(all)\n A --> X(read)\n Y -->|api| W(timeline_write / timeline_read /
notes_read / notes_write)\n X -->|api| V(timeline_read /notes_read)\n
end\n\n subgraph v2\n A-->|replacedBy| C[siemV2]\n A-->|replacedBy|
E[timeline]\n A-->|replacedBy| G[notes]\n \n\n E --> L(all)\n E -->
M(read)\n L -->|api| N(timeline_write / timeline_read)\n M -->|api|
P(timeline_read)\n\n G --> Q(all)\n G --> I(read)\n\n Q -->|api|
R(notes_write / notes_read)\n I -->|api| S(notes_read)\n end\n```\n\n###
Visual changes\n\n#### Hidden/disabled elements\n\nMost of the changes
are happening \"under\" the hood and are only\nexpressed in case a user
has a role with `timeline.none` or\n`notes.none`. This would hide and/or
disable elements that would usually\nallow them to interact with either
timeline or the notes feature (within\ntimeline or the event flyout
currently).\n\nAs an example, this is how the hover actions look for a
user with and\nwithout timeline access:\n\n| With timeline access |
Without timeline access |\n| --- | --- |\n| <img width=\"616\"
alt=\"Screenshot 2024-12-18 at 17 22
49\"\nsrc=\"https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042\"\n/>
| <img width=\"724\" alt=\"Screenshot 2024-12-18 at 17 23
29\"\nsrc=\"https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47\"\n/>
|\n\n#### Roles\n\nAnother visible change of this PR is the addition of
`Timeline` and\n`Notes` in the edit-role screen:\n\n| Before | After
|\n| ------- | ------ |\n| <img width=\"746\" alt=\"Screenshot
2024-12-12 at 16 31
43\"\nsrc=\"https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43\"\n/>
| <img width=\"738\" alt=\"Screenshot 2024-12-12 at 16 32
53\"\nsrc=\"https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd\"\n/>
|\n\nWe made sure that for migrated roles that hard `security.all`
selected,\nthis screen correctly shows `security.all`, `timeline.all`
and\n`notes.all` after the privilege migration.\n\n#### Timeline
toast\n\nThere are tons of places in security solution where
`Investigate / Add\nto timeline` are shown. We did our best to disable
all of these actions\nbut there is no guarantee that this PR catches all
the places where we\nlink to timeline (actions). One layer of extra
protection is that the\nAPI endpoints don't give access to timelines to
users without the\ncorrect privileges. Another one is a Redux middleware
that makes sure\ntimelines cannot be shown in missed cases. The
following toast will be\nshown instead of the timeline:\n\n<img
width=\"354\" alt=\"Screenshot 2024-12-19 at 10 34
23\"\nsrc=\"https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3\"\n/>\n\n###
Changes to predefined security roles\n\nAll predefined security roles
have been updated to grant the new\nprivileges (in ESS and serverless).
In accordance with the migration,\nall roles with `siem.all` have been
assigned `siemV2.all`,\n`timeline.all` and `notes.all` (and `*.read`
respectively).\n\n### Checklist\n\nCheck the PR satisfies following
conditions. \n\nReviewers should verify this PR satisfies this list as
well.\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] This was
checked for breaking HTTP API changes, and any breaking\nchanges have
been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
PhilippeOberti <philippe.oberti@elastic.co>\nCo-authored-by: Steph
Milovic
<stephanie.milovic@elastic.co>","sha":"1b167d9dc23a9e0e8e47992a37563ca89ccf3c7d","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Fleet","v9.0.0","release_note:feature","Team:Threat
Hunting:Investigations","backport:prev-minor","ci:cloud-deploy","ci:project-persist-deployment","v8.18.0"],"title":"[SecuritySolution]
Breaking out timeline & note
privileges","number":201780,"url":"https://github.com/elastic/kibana/pull/201780","mergeCommit":{"message":"[SecuritySolution]
Breaking out timeline & note privileges (#201780)\n\n## Summary\n\nEpic:
https://github.com/elastic/security-team/issues/7998\n\nIn this PR we're
breaking out the `timeline` and `notes` features into\ntheir own feature
privilege definition. Previously, access to both\nfeatures was granted
implicitly through the `siem` feature. However, we\nfound that this
level of access control is not sufficient for all\nclients who wanted a
more fine-grained way to grant access to parts of\nsecurity
solution.\n\nIn order to break out `timeline` and `notes` from `siem`,
we had to\ndeprecate it feature privilege definition for. That is why
you'll find\nplenty of changes of `siem` to `siemV2` in this PR. We're
making use of\nthe feature privilege's `replacedBy` functionality,
allowing for a\nseamless migration of deprecated roles.\n\nThis means
that roles that previously granted `siem.all` are now
granted\n`siemV2.all`, `timeline.all` and `notes.all` (same for
`*.read`).\nExisting users are not impacted and should all still have
the correct\naccess. We added tests to make sure this is working as
expected.\n\nAlongside the `ui` privileges, this PR also adds dedicated
API tags.\nThose tags haven been added to the new and previous version
of the\nprivilege definitions to allow for a clean
migration:\n\n```mermaid\nflowchart LR\n subgraph v1\n A(siem) -->
Y(all)\n A --> X(read)\n Y -->|api| W(timeline_write / timeline_read /
notes_read / notes_write)\n X -->|api| V(timeline_read /notes_read)\n
end\n\n subgraph v2\n A-->|replacedBy| C[siemV2]\n A-->|replacedBy|
E[timeline]\n A-->|replacedBy| G[notes]\n \n\n E --> L(all)\n E -->
M(read)\n L -->|api| N(timeline_write / timeline_read)\n M -->|api|
P(timeline_read)\n\n G --> Q(all)\n G --> I(read)\n\n Q -->|api|
R(notes_write / notes_read)\n I -->|api| S(notes_read)\n end\n```\n\n###
Visual changes\n\n#### Hidden/disabled elements\n\nMost of the changes
are happening \"under\" the hood and are only\nexpressed in case a user
has a role with `timeline.none` or\n`notes.none`. This would hide and/or
disable elements that would usually\nallow them to interact with either
timeline or the notes feature (within\ntimeline or the event flyout
currently).\n\nAs an example, this is how the hover actions look for a
user with and\nwithout timeline access:\n\n| With timeline access |
Without timeline access |\n| --- | --- |\n| <img width=\"616\"
alt=\"Screenshot 2024-12-18 at 17 22
49\"\nsrc=\"https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042\"\n/>
| <img width=\"724\" alt=\"Screenshot 2024-12-18 at 17 23
29\"\nsrc=\"https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47\"\n/>
|\n\n#### Roles\n\nAnother visible change of this PR is the addition of
`Timeline` and\n`Notes` in the edit-role screen:\n\n| Before | After
|\n| ------- | ------ |\n| <img width=\"746\" alt=\"Screenshot
2024-12-12 at 16 31
43\"\nsrc=\"https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43\"\n/>
| <img width=\"738\" alt=\"Screenshot 2024-12-12 at 16 32
53\"\nsrc=\"https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd\"\n/>
|\n\nWe made sure that for migrated roles that hard `security.all`
selected,\nthis screen correctly shows `security.all`, `timeline.all`
and\n`notes.all` after the privilege migration.\n\n#### Timeline
toast\n\nThere are tons of places in security solution where
`Investigate / Add\nto timeline` are shown. We did our best to disable
all of these actions\nbut there is no guarantee that this PR catches all
the places where we\nlink to timeline (actions). One layer of extra
protection is that the\nAPI endpoints don't give access to timelines to
users without the\ncorrect privileges. Another one is a Redux middleware
that makes sure\ntimelines cannot be shown in missed cases. The
following toast will be\nshown instead of the timeline:\n\n<img
width=\"354\" alt=\"Screenshot 2024-12-19 at 10 34
23\"\nsrc=\"https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3\"\n/>\n\n###
Changes to predefined security roles\n\nAll predefined security roles
have been updated to grant the new\nprivileges (in ESS and serverless).
In accordance with the migration,\nall roles with `siem.all` have been
assigned `siemV2.all`,\n`timeline.all` and `notes.all` (and `*.read`
respectively).\n\n### Checklist\n\nCheck the PR satisfies following
conditions. \n\nReviewers should verify this PR satisfies this list as
well.\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] This was
checked for breaking HTTP API changes, and any breaking\nchanges have
been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
PhilippeOberti <philippe.oberti@elastic.co>\nCo-authored-by: Steph
Milovic
<stephanie.milovic@elastic.co>","sha":"1b167d9dc23a9e0e8e47992a37563ca89ccf3c7d"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/201780","number":201780,"mergeCommit":{"message":"[SecuritySolution]
Breaking out timeline & note privileges (#201780)\n\n## Summary\n\nEpic:
https://github.com/elastic/security-team/issues/7998\n\nIn this PR we're
breaking out the `timeline` and `notes` features into\ntheir own feature
privilege definition. Previously, access to both\nfeatures was granted
implicitly through the `siem` feature. However, we\nfound that this
level of access control is not sufficient for all\nclients who wanted a
more fine-grained way to grant access to parts of\nsecurity
solution.\n\nIn order to break out `timeline` and `notes` from `siem`,
we had to\ndeprecate it feature privilege definition for. That is why
you'll find\nplenty of changes of `siem` to `siemV2` in this PR. We're
making use of\nthe feature privilege's `replacedBy` functionality,
allowing for a\nseamless migration of deprecated roles.\n\nThis means
that roles that previously granted `siem.all` are now
granted\n`siemV2.all`, `timeline.all` and `notes.all` (same for
`*.read`).\nExisting users are not impacted and should all still have
the correct\naccess. We added tests to make sure this is working as
expected.\n\nAlongside the `ui` privileges, this PR also adds dedicated
API tags.\nThose tags haven been added to the new and previous version
of the\nprivilege definitions to allow for a clean
migration:\n\n```mermaid\nflowchart LR\n subgraph v1\n A(siem) -->
Y(all)\n A --> X(read)\n Y -->|api| W(timeline_write / timeline_read /
notes_read / notes_write)\n X -->|api| V(timeline_read /notes_read)\n
end\n\n subgraph v2\n A-->|replacedBy| C[siemV2]\n A-->|replacedBy|
E[timeline]\n A-->|replacedBy| G[notes]\n \n\n E --> L(all)\n E -->
M(read)\n L -->|api| N(timeline_write / timeline_read)\n M -->|api|
P(timeline_read)\n\n G --> Q(all)\n G --> I(read)\n\n Q -->|api|
R(notes_write / notes_read)\n I -->|api| S(notes_read)\n end\n```\n\n###
Visual changes\n\n#### Hidden/disabled elements\n\nMost of the changes
are happening \"under\" the hood and are only\nexpressed in case a user
has a role with `timeline.none` or\n`notes.none`. This would hide and/or
disable elements that would usually\nallow them to interact with either
timeline or the notes feature (within\ntimeline or the event flyout
currently).\n\nAs an example, this is how the hover actions look for a
user with and\nwithout timeline access:\n\n| With timeline access |
Without timeline access |\n| --- | --- |\n| <img width=\"616\"
alt=\"Screenshot 2024-12-18 at 17 22
49\"\nsrc=\"https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042\"\n/>
| <img width=\"724\" alt=\"Screenshot 2024-12-18 at 17 23
29\"\nsrc=\"https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47\"\n/>
|\n\n#### Roles\n\nAnother visible change of this PR is the addition of
`Timeline` and\n`Notes` in the edit-role screen:\n\n| Before | After
|\n| ------- | ------ |\n| <img width=\"746\" alt=\"Screenshot
2024-12-12 at 16 31
43\"\nsrc=\"https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43\"\n/>
| <img width=\"738\" alt=\"Screenshot 2024-12-12 at 16 32
53\"\nsrc=\"https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd\"\n/>
|\n\nWe made sure that for migrated roles that hard `security.all`
selected,\nthis screen correctly shows `security.all`, `timeline.all`
and\n`notes.all` after the privilege migration.\n\n#### Timeline
toast\n\nThere are tons of places in security solution where
`Investigate / Add\nto timeline` are shown. We did our best to disable
all of these actions\nbut there is no guarantee that this PR catches all
the places where we\nlink to timeline (actions). One layer of extra
protection is that the\nAPI endpoints don't give access to timelines to
users without the\ncorrect privileges. Another one is a Redux middleware
that makes sure\ntimelines cannot be shown in missed cases. The
following toast will be\nshown instead of the timeline:\n\n<img
width=\"354\" alt=\"Screenshot 2024-12-19 at 10 34
23\"\nsrc=\"https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3\"\n/>\n\n###
Changes to predefined security roles\n\nAll predefined security roles
have been updated to grant the new\nprivileges (in ESS and serverless).
In accordance with the migration,\nall roles with `siem.all` have been
assigned `siemV2.all`,\n`timeline.all` and `notes.all` (and `*.read`
respectively).\n\n### Checklist\n\nCheck the PR satisfies following
conditions. \n\nReviewers should verify this PR satisfies this list as
well.\n\n- [x] Any text added follows [EUI's
writing\nguidelines](https://elastic.github.io/eui/#/guidelines/writing),
uses\nsentence case text and includes
[i18n\nsupport](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)\n-
[x] [Unit or
functional\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\nwere
updated or added to match the most common scenarios\n- [x] This was
checked for breaking HTTP API changes, and any breaking\nchanges have
been approved by the breaking-change committee.
The\n`release_note:breaking` label should be applied in these
situations.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by:
PhilippeOberti <philippe.oberti@elastic.co>\nCo-authored-by: Steph
Milovic
<stephanie.milovic@elastic.co>","sha":"1b167d9dc23a9e0e8e47992a37563ca89ccf3c7d"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
2025-01-22 11:20:34 +00:00
..
basic [8.x] [SecuritySolution] Breaking out timeline & note privileges (#201780) (#207367) 2025-01-22 11:20:34 +00:00
common