[ResponseOps] Granular Connector RBAC - adding API key to event log #204114
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…add-api-key-to-event-log
…doakalexi/kibana into connector-rbac-add-api-key-to-event-log
|
Pinging @elastic/response-ops (Team:ResponseOps) |
afharo
approved these changes
Dec 17, 2024
packages/core/security/core-security-common/src/authentication/authenticated_user.ts
Outdated
Show resolved
Hide resolved
azasypkin
approved these changes
Dec 17, 2024
packages/core/security/core-security-common/src/authentication/authenticated_user.ts
Outdated
Show resolved
Hide resolved
…doakalexi/kibana into connector-rbac-add-api-key-to-event-log
mikecote
approved these changes
Dec 19, 2024
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/12418639566 |
💚 Build Succeeded
Metrics [docs]Public APIs missing exports
Unknown metric groupsAPI count
History
|
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Dec 19, 2024
…lastic#204114) Part of elastic#180908 ## Summary This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log. ### Checklist Check the PR satisfies following conditions. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an API key 2. Create a connector that will successfully run, it doesn't have to be SentinelOne. 3. Run the following with the ID and correct params for your connector type. ``` curl -X POST "http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "params": { "message": "hi" } }' ``` 4. Go to dev tools and run the following query to verify that the API key information is stored in the event log ``` GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "actions" } } } ] } } ``` (cherry picked from commit 1ba2716)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Dec 19, 2024
… log (#204114) (#204996) # Backport This will backport the following commits from `main` to `8.x`: - [[ResponseOps] Granular Connector RBAC - adding API key to event log (#204114)](#204114) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Alexi Doak","email":"109488926+doakalexi@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-12-19T18:30:15Z","message":"[ResponseOps] Granular Connector RBAC - adding API key to event log (#204114)\n\nPart of https://github.com/elastic/kibana/issues/180908\r\n\r\n## Summary\r\n\r\nThis change is part of adding granular RBAC for SecuritySolution\r\nconnectors. In this PR, I updated the action executor to log API key\r\ndetails when a connector is executed by a user authenticated via API\r\nkey. The public name and id of the API key are now included in the event\r\nlog.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### To verify\r\n\r\n1. Create an API key\r\n2. Create a connector that will successfully run, it doesn't have to be\r\nSentinelOne.\r\n3. Run the following with the ID and correct params for your connector\r\ntype.\r\n```\r\ncurl -X POST \"http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute\" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'\r\n{\r\n \"params\": {\r\n \"message\": \"hi\"\r\n }\r\n}'\r\n```\r\n4. Go to dev tools and run the following query to verify that the API\r\nkey information is stored in the event log\r\n```\r\nGET /.kibana-event-log*/_search\r\n{\r\n \"sort\": [\r\n {\r\n \"@timestamp\": {\r\n \"order\": \"desc\"\r\n }\r\n }\r\n ],\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"term\": {\r\n \"event.provider\": {\r\n \"value\": \"actions\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n```","sha":"1ba2716c7b00086b35788d7714781b252be1d6a0","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:ResponseOps","v9.0.0","backport:prev-minor","v8.18.0"],"title":"[ResponseOps] Granular Connector RBAC - adding API key to event log","number":204114,"url":"https://github.com/elastic/kibana/pull/204114","mergeCommit":{"message":"[ResponseOps] Granular Connector RBAC - adding API key to event log (#204114)\n\nPart of https://github.com/elastic/kibana/issues/180908\r\n\r\n## Summary\r\n\r\nThis change is part of adding granular RBAC for SecuritySolution\r\nconnectors. In this PR, I updated the action executor to log API key\r\ndetails when a connector is executed by a user authenticated via API\r\nkey. The public name and id of the API key are now included in the event\r\nlog.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### To verify\r\n\r\n1. Create an API key\r\n2. Create a connector that will successfully run, it doesn't have to be\r\nSentinelOne.\r\n3. Run the following with the ID and correct params for your connector\r\ntype.\r\n```\r\ncurl -X POST \"http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute\" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'\r\n{\r\n \"params\": {\r\n \"message\": \"hi\"\r\n }\r\n}'\r\n```\r\n4. Go to dev tools and run the following query to verify that the API\r\nkey information is stored in the event log\r\n```\r\nGET /.kibana-event-log*/_search\r\n{\r\n \"sort\": [\r\n {\r\n \"@timestamp\": {\r\n \"order\": \"desc\"\r\n }\r\n }\r\n ],\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"term\": {\r\n \"event.provider\": {\r\n \"value\": \"actions\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n```","sha":"1ba2716c7b00086b35788d7714781b252be1d6a0"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/204114","number":204114,"mergeCommit":{"message":"[ResponseOps] Granular Connector RBAC - adding API key to event log (#204114)\n\nPart of https://github.com/elastic/kibana/issues/180908\r\n\r\n## Summary\r\n\r\nThis change is part of adding granular RBAC for SecuritySolution\r\nconnectors. In this PR, I updated the action executor to log API key\r\ndetails when a connector is executed by a user authenticated via API\r\nkey. The public name and id of the API key are now included in the event\r\nlog.\r\n\r\n### Checklist\r\n\r\nCheck the PR satisfies following conditions. \r\n\r\n- [ ] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n### To verify\r\n\r\n1. Create an API key\r\n2. Create a connector that will successfully run, it doesn't have to be\r\nSentinelOne.\r\n3. Run the following with the ID and correct params for your connector\r\ntype.\r\n```\r\ncurl -X POST \"http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute\" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'\r\n{\r\n \"params\": {\r\n \"message\": \"hi\"\r\n }\r\n}'\r\n```\r\n4. Go to dev tools and run the following query to verify that the API\r\nkey information is stored in the event log\r\n```\r\nGET /.kibana-event-log*/_search\r\n{\r\n \"sort\": [\r\n {\r\n \"@timestamp\": {\r\n \"order\": \"desc\"\r\n }\r\n }\r\n ],\r\n \"query\": {\r\n \"bool\": {\r\n \"filter\": [\r\n {\r\n \"term\": {\r\n \"event.provider\": {\r\n \"value\": \"actions\"\r\n }\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n```","sha":"1ba2716c7b00086b35788d7714781b252be1d6a0"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Alexi Doak <109488926+doakalexi@users.noreply.github.com>
stratoula
pushed a commit
to stratoula/kibana
that referenced
this pull request
Jan 2, 2025
…lastic#204114) Part of elastic#180908 ## Summary This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log. ### Checklist Check the PR satisfies following conditions. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an API key 2. Create a connector that will successfully run, it doesn't have to be SentinelOne. 3. Run the following with the ID and correct params for your connector type. ``` curl -X POST "http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "params": { "message": "hi" } }' ``` 4. Go to dev tools and run the following query to verify that the API key information is stored in the event log ``` GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "actions" } } } ] } } ```
benakansara
pushed a commit
to benakansara/kibana
that referenced
this pull request
Jan 2, 2025
…lastic#204114) Part of elastic#180908 ## Summary This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log. ### Checklist Check the PR satisfies following conditions. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an API key 2. Create a connector that will successfully run, it doesn't have to be SentinelOne. 3. Run the following with the ID and correct params for your connector type. ``` curl -X POST "http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "params": { "message": "hi" } }' ``` 4. Go to dev tools and run the following query to verify that the API key information is stored in the event log ``` GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "actions" } } } ] } } ```
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Jan 13, 2025
…lastic#204114) Part of elastic#180908 ## Summary This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log. ### Checklist Check the PR satisfies following conditions. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an API key 2. Create a connector that will successfully run, it doesn't have to be SentinelOne. 3. Run the following with the ID and correct params for your connector type. ``` curl -X POST "http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "params": { "message": "hi" } }' ``` 4. Go to dev tools and run the following query to verify that the API key information is stored in the event log ``` GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "actions" } } } ] } } ```
viduni94
pushed a commit
to viduni94/kibana
that referenced
this pull request
Jan 23, 2025
…lastic#204114) Part of elastic#180908 ## Summary This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log. ### Checklist Check the PR satisfies following conditions. - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### To verify 1. Create an API key 2. Create a connector that will successfully run, it doesn't have to be SentinelOne. 3. Run the following with the ID and correct params for your connector type. ``` curl -X POST "http://localhost:5601/api/actions/connector/$CONNECTOR_ID/_execute" -H 'Authorization: ApiKey $API_KEY' -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "params": { "message": "hi" } }' ``` 4. Go to dev tools and run the following query to verify that the API key information is stored in the event log ``` GET /.kibana-event-log*/_search { "sort": [ { "@timestamp": { "order": "desc" } } ], "query": { "bool": { "filter": [ { "term": { "event.provider": { "value": "actions" } } } ] } } ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #180908
Summary
This change is part of adding granular RBAC for SecuritySolution connectors. In this PR, I updated the action executor to log API key details when a connector is executed by a user authenticated via API key. The public name and id of the API key are now included in the event log.
Checklist
Check the PR satisfies following conditions.
To verify