github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-25 10:23:14 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/x-pack/test_serverless/api_integration
History
Exact
Vitalii Dmyterko 847be917a6
[Security Solution][Detection Engine] adds bulkGetUserProfiles privilege to Security Feature (#211824) 
## Summary

- addresses https://github.com/elastic/kibana/issues/202051

Few observations, based on ticket
[description](https://github.com/elastic/kibana/issues/202051):

1. User can update assignees in alert(i.e. update any alert details,
which is handled by **SecuritySolution** priv)
2. User can see suggested users in searchbox
3. User **can not** see assignees details(name, avatar) in alerts table
column and alerts flyout(that's where error toast originates from)

Why this happens?
2 different APIs used to show users in searchbox and user details in
alerts table column:

1. API to show users in searchbox:
[/internal/detection_engine/users/_find](https://github.com/elastic/kibana/blob/8.18/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/routes/users/suggest_user_profiles_route.ts#L24)
It requires `securitySolution` privilege
2. API for alerts table cell:
[/internal/security/user_profile/_bulk_get](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/security/server/routes/user_profile/bulk_get.ts#L20)
It requires `bulkGetUserProfiles` privilege

User was configured with read only Security Feature, that covers only
first API, that's why we see error
> API [POST /internal/security/user_profile/_bulk_get] is unauthorized
for user, this action is granted by the Kibana privileges
[bulkGetUserProfiles] (403)

However `bulkGetUserProfiles` is covered by `Cases` feature already. If
Cases access will be set to read, user would be able to see assignees
details through `/internal/security/user_profile/_bulk_get` API.
It happens, because cases API tags include `bulkGetUserProfiles`
privilege:
https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/cases/common/utils/api_tags.ts#L32,
https://github.com/elastic/kibana/blob/8.18/x-pack/solutions/security/packages/features/src/cases/types.ts#L7

This PR includes `bulkGetUserProfiles` privilege in Security Feature:
https://github.com/elastic/kibana/pull/211824. Since, it's already
present in Cases feature, and user profiles available through Security
Solution `/internal/detection_engine/users/_find` API
2025-03-04 15:08:41 +00:00
..
services Upgrade ES client to 9.0.0-alpha.3 (#208776) 2025-02-25 14:37:23 +00:00
test_suites [Security Solution][Detection Engine] adds bulkGetUserProfiles privilege to Security Feature (#211824) 2025-03-04 15:08:41 +00:00
config.base.ts [kbn-scout] add test config category to reporting (#210167) 2025-02-12 11:17:04 +01:00
ftr_provider_context.d.ts