> [!TIP]
> looks huge, but
> - 5,402 lines snapshot tests
> - 714 lines yaml files
## Summary
This PR adds a new feature version `siemV3` with the required role
migrations, in order to enable the new privilege
`global_artifact_management_all` for users where needed.
### What's in the PR?
- Required changes around security role migration from `siemV2` to
`siemV3`
- Improvements by parameterizing `siemV3` in lots of places, to ease
future role migrations by decreasing the occurrences that have to be
changed.
- A new function called `baseFeatureConfigModifier()` in
`ProductFeaturesConfig`: now product features have the ability to modify
the base Kibana feature. de05a3b167
- Product feature `endpointArtifactManagement` is split to
ESS/Serverless counterparts, and adds role migrations to the base Kibana
config using `baseFeatureConfigModifier()`
(1c31f56b43). This solves 2 problems:
- Different migrations are needed for ESS and Serverless.
- The product feature `endpointArtifactManagement`, and hence the
privilege `global_artifact_management_all` is not available on all
serverless tiers (see [these
fails](https://buildkite.com/elastic/kibana-pull-request/builds/310534/summary/annotations?jid=019788c8-d03e-44e7-867f-ff1557f9e894#019788c8-d03e-44e7-867f-ff1557f9e894/256-4872)),
therefore the migration needed to be separated from the base Kibana
feature config.
- (note: these changes were safeguarded by the role migration tests and
snapshot tests)
- Security / **Global Artifact Management** [space awareness]:
- moves the sub-privilege out of feature flag, in order to be able to
target it for role migrations
- adds a 'Coming soon' test to the privilege
- `endpointManagementSpaceAwarenessEnabled:false`
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/fdfd5fc7-7f7d-4210-96c9-09e2357530c0"
/>
- `endpointManagementSpaceAwarenessEnabled:true`
<img width="500" alt="image"
src="https://github.com/user-attachments/assets/f8361a4c-da6e-416c-b728-5788eb1a053e"
/>
- role migration is added: in short, any artifact ALL privilege causes
the new Global Artifact Management ALL privilege to be added
(https://github.com/elastic/security-team/issues/11717)
- predefined roles are updated locally
(note: in elasticsearch-controller, it'll be updated after this PR is
merged and deployed,
https://github.com/elastic/elasticsearch-controller/pull/1010)
- tests!
- testing the migration itself: b8d90d085f
and 309abb30a8
- snapshot test with deprecated features:
https://github.com/elastic/kibana/pull/219566/files#diff-ed11536475a7a6f0a835cbc950c3b7405093058ad42bab30cf06f41ed21561a3
- some functional tests enabled for deprecated features:
4b4f49ea3d
## Global Artifact Management role migrations
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
none1[none]
end
subgraph siemV3
none2[none]
end
none1 --> none2
```
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
read1[read]
end
subgraph siemV3
read2[read]
end
read1 --> read2
```
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
subgraph minread1[minimal_read]
minread1_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall1_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer1["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea1["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
subgraph siemV3
subgraph minread2[minimal_read]
minread2_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall2_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer2["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea2["`endpoint_exceptions_all
(only serverless)`"]:::serverless
g2[global_artifact_management_all]
end
end
minread1 --> minread2
minread1_subs -->|each to his own| minread2_subs
minall1_subs -->|global for any of these| g2
minall1_subs -->|each to his own| minall2_subs
eer1 -->|only serverless| eer2
eea1 -->|only serverless| eea2
eea1 -->|only serverless| g2
linkStyle 4,5,6 stroke:#00f,color:blue
```
notes for above:
- `global_artifact_management_all` have to be added for **any** artifact
write privilege (trusted apps, event filters, blocklists, host isolation
exceptions)
- on serverless, there is a separate endpoint exceptions privilege, it
counts as an artifact
```mermaid
flowchart LR
subgraph siemV2[siem/siemV2]
all1[all]
end
subgraph siemV3
subgraph minall2[minimal_all]
g1[global_artifact_management_all]
end
end
all1 -->|keep access to the included Endpoint Exceptions ALL| g1
all1 -->|enable sub-feature toggle| minall2
```
notes for above:
both on serverless and ESS, Endpoint Exceptions are included in ALL,
hence the migration
> [!note]
> `siem` sub-privileges are not included in READ/ALL parent privileges.
The user needs to enable them one-by-one after enabling the sub-feature
privileges toggle. So Endpoint Exception here is an exception. In any
sense of the word.
```mermaid
flowchart LR
classDef serverless stroke:blue,stroke-dasharray: 5 5
subgraph siemV2[siem/siemV2]
subgraph minall1[minimal_all]
minread1_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall1_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
eer1["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea1["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
subgraph siemV3
subgraph minall2[minimal_all]
minread2_subs["`trusted_applications_read
event_filters_read
blocklist_read
host_isolation_exceptions_read`"]
minall2_subs["`trusted_applications_all
event_filters_all
blocklist_all
host_isolation_exceptions_all`"]
g2[global_artifact_management_all]
eer2["`endpoint_exceptions_read
(only serverless)`"]:::serverless
eea2["`endpoint_exceptions_all
(only serverless)`"]:::serverless
end
end
minall1 -->|only on ESS to keep access to the included Endpoint Exceptions ALL| g2
minall1 --> minall2
minread1_subs -->|each to his own| minread2_subs
minall1_subs -->|global for any of these| g2
minall1_subs -->|each to his own| minall2_subs
eer1 -->|only serverless| eer2
eea1 -->|only serverless| eea2
eea1 -->|only serverless| g2
linkStyle 5,6,7 stroke:#00f,color:#00f
linkStyle 0 stroke:#0a0,color:#0a0
```
notes for above:
when sub-feature privileges are enabled,
- on ESS endpoint exceptions are still automatically included, that's
why we need to add global access
- on serverless, endpoint exceptions are controlled by the sub-feature
privilege (just like all other artifact privileges, see the note above)
## Background
- Previous role migration PR:
https://github.com/elastic/kibana/pull/201780
- Role migration description:
https://github.com/elastic/kibana/pull/186800
### Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [ ]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [ ] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
3b6a0dcd1e