-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls #67157
Merged
gmmorris
merged 196 commits into
elastic:master
from
gmmorris:alerting/consumer-based-rbac
Jul 22, 2020
Merged
Adds Role Based Access-Control to the Alerting & Action plugins based on Kibana Feature Controls #67157
Changes from 1 commit
Commits
Show all changes
196 commits
Select commit
Hold shift + click to select a range
c62a8fc
made SO client unsecure in alerting
gmmorris 764f515
fixed typing, commented unused authz
gmmorris 52a153e
fixed unit test
gmmorris 4b95c81
added rbac in alerting
gmmorris 95da803
made SO client unsecure in alerting
gmmorris 341afdb
fixed typing, commented unused authz
gmmorris c8e23f0
fixed unit test
gmmorris 1afad8e
added rbac in alerting
gmmorris 06495a6
fixed unit test
gmmorris 77348f1
provide default global privileges over builtin types
gmmorris 412f684
Merge branch 'alerting/consumer-based-rbac' of github.com:gmmorris/ki…
gmmorris 541a871
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 492f78a
fixed lintin errors
gmmorris 076ebdf
moved feature into main alerts plugin
gmmorris bdd5d28
fixed security tests
gmmorris 711fdba
fixed security unit tests
gmmorris a15c7d9
added _global namespace before global privileges
gmmorris 87d099f
fixed security acceptance tests
gmmorris ade2c4c
fixed lint
gmmorris 0ace530
use alerts privileges in the alertsExample feature
gmmorris efdb521
added more acceptance tests around alert creation and auth
gmmorris 665c427
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 11bbf16
fixed secuirty interface
gmmorris 2b84902
removed unused test fixture
gmmorris e15946c
added more acceptance tests around alert deletion, enabling, find and…
gmmorris 445710f
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris ee79c9c
expanded acceptance tests around rbac in alerts
gmmorris 168ce21
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 6910165
fixed alerts UI tests
gmmorris 6b789ec
extracted auth function from alerts client
gmmorris 0aaaef5
fixed sapces only suite
gmmorris 86f7d73
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris ba40757
added more unit tests around the extracted auth code
gmmorris 74a886a
fixed lintin issues
gmmorris f56a849
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris c055216
fixed producer in siem alert types
gmmorris 399493b
added readme
gmmorris 8ecba62
removed unused export
gmmorris e4e6590
added audit logging
gmmorris 08541d3
added alerting to feature iterator
gmmorris 87bd206
added validation that alert type IDs dont contain invalid privilege c…
gmmorris e1e560c
added comment around alert type ID char limitations
gmmorris b012ae1
fixed tests
gmmorris 34b7cf9
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 64e802b
fixed features unit tests
gmmorris f287766
added index threshold as authorized alert type in example plugin
gmmorris acd9961
fixed a bunch of styling changes and small fixes
gmmorris 54ad8dd
changed casing of const
gmmorris 867b7c3
added support for fields in find
gmmorris f34d031
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 289a85b
revert feature ID to legacy ID to prevent old alerts from breaking
gmmorris c9453f1
corrected unit tests that relied on the new feature id
gmmorris 244874c
corrected acceptance tests that relied on the new feature id
gmmorris 606081b
moved logs alert type to the correct feature
gmmorris 213b330
reverted partial type
gmmorris 35a9971
fixed another place using the alerts consumer
gmmorris c18ab7f
use constant to make it easier to change i nthe future
gmmorris 9937143
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris f2f3c2b
changed producer on metric alerts to match feature id
gmmorris ac37d1b
change feature in privileges bac kto alerts
gmmorris 0d2c859
change feature in privileges in basic back to alerts
gmmorris 80fe0fd
fixed consumer fields in siem
gmmorris 270ecb1
cleaned up some fixtures and featur eregestrations
gmmorris 9ff6666
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris d78822c
fixed indentation
gmmorris 3c77b85
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 554e7ce
removed feature registration in alerting
gmmorris c177be0
ensure alerTypeId and Consumer cant be used for KQL injection
gmmorris bae77e4
added some missing unit tests
gmmorris 0370e9d
migrated feature to "alerts"
gmmorris 19d38aa
support alerts consumer without a feature backing it
gmmorris 3c66ba0
bump timeout on delete all test as the rbac work has made it a little…
gmmorris 8f82baf
removed alerting feature from privileges
gmmorris 04cd6f5
include alerts in auth consumers for all types
gmmorris 75a5fcb
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris cc06e67
ensure test tag is isolated from other tests
gmmorris 3ccb14f
prevent parens and whitespace in consumer or alerttypeid
gmmorris a3082b0
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris e00ffe4
improved perf of "find" api by improving the filter
gmmorris adefb2f
fixed tests broken by merge conflict
gmmorris 8b2a423
reduce features included in auth to those who grant alerting privileges
gmmorris 44a0c4e
incluyde sub features in privilege check
gmmorris 9de574c
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 2e75199
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris b094910
fixed broken index threshold in non metrics users
gmmorris 17fba6a
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 611061e
migrate alerts with consumer "metrics" to be "infrastructure"
gmmorris bd0f78c
Merge branch 'master' into alerting/consumer-based-rbac
elasticmachine 1a20848
fixed consumer in metrics alert types
gmmorris 970656d
Merge branch 'alerting/consumer-based-rbac' of github.com:gmmorris/ki…
gmmorris 0ffe4a2
Merge branch 'master' into alerting/consumer-based-rbac
elasticmachine 025ed9e
use feature based RBAC for actions instead of api privileges
gmmorris f4f2f09
temporary security changes until alerting rbac branch is merged
gmmorris 29c9cc7
base execution privileges on access to action_task_params type
gmmorris 99e5ab0
fixed linting
gmmorris f22c7aa
Merge branch 'alerting/consumer-based-rbac' of github.com:gmmorris/ki…
gmmorris 90d0df4
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 036a082
fixed security typing
gmmorris 33ef0b0
ensure save/edit buttons in triggers UI is based on RBAC auth
gmmorris 3c4a7a9
Merge remote-tracking branch 'upstream/master' into alerting/consumer…
gmmorris 353dd25
introduces a feature for built-in alert types
gmmorris c0d09cc
introduces a feature for built-in alert types
gmmorris 0e001e6
Merge branch 'master' into alerting/built-in-alerts-feature
gmmorris ee05baa
show prompt if user has no privileges in flyout
gmmorris 6c42c92
fixed list types test
gmmorris a7d36e4
fixed unit tests in trigegrs UI
gmmorris ae38572
fix test broken by addition of built-in types feature
gmmorris a67950e
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 8f30d0f
updated readme and i18n usage
gmmorris e454e59
added builtInAlerts to feature set test
gmmorris b3ed832
use alertsclient in task runner
gmmorris e4a16c7
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris f0f82f3
fixed lodash usage broken by upgrade to lodash 4
gmmorris 541cdfd
prevent rendering alert editing when there are no privileges to edit …
gmmorris f56574f
Merge branch 'master' into actions/feature
gmmorris 169789a
allow all to see list of action types by default (for now)
gmmorris c426139
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 1611aff
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 49b40be
fixec privileges feature tests
gmmorris 53916fd
fixed security test
gmmorris 0e0d175
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris e6025ba
disble connector fields when user is read only
gmmorris e919958
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris d7f0b27
correct capabilities check
gmmorris d78b918
fixed type errors
gmmorris 14ebe0e
Merge branch 'master' into actions/feature
gmmorris a2d25cf
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 5671159
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 9cc3753
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris a4f1a7d
fixed security unit test
gmmorris 2ae533a
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 3cc2cb5
fixed some missing typing
gmmorris 7f5099c
show prompt if user has no privileges in actions form
gmmorris 76d2818
added actions feature to features test
gmmorris a449385
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 6a2b64d
Merge branch 'master' into actions/feature
gmmorris 3fd2309
added missing SO privileges
gmmorris da1f944
improved copy
gmmorris ae3c7a7
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 22efe49
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 61626a0
Merge branch 'master' into actions/feature
gmmorris a73fff5
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris d412665
Merge branch 'alerting/consumer-based-rbac' into actions/feature-and-…
gmmorris 23dafe8
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris a3f6142
added readonly support to servicenow connector
gmmorris 5c5ff2d
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 6c84a9d
removed unused variable in i18n
gmmorris 96dfb5a
Merge branch 'actions/feature' into actions/feature-and-rbac
gmmorris 12f2049
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 84947d2
Merge branch 'alerting/consumer-based-rbac' into actions/feature-and-…
gmmorris 57ffda5
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 4d6d96e
Merge branch 'alerting/consumer-based-rbac' into actions/feature-and-…
gmmorris a84a263
Merge branch 'master' into actions/feature-and-rbac
gmmorris 5e2f0dd
added bulk audit log api for alerts
gmmorris abbb2c0
fixed bulk audit log api for alerts
gmmorris 84da270
Merge branch 'alerting/consumer-based-rbac' into actions/feature-and-…
gmmorris 8d8ea54
removed actio nSO privileges from builtin alert types
gmmorris f33ac25
Merge branch 'master' into actions/feature-and-rbac
gmmorris 7b8cbe2
Merge branch 'master' into alerting/consumer-based-rbac
elasticmachine 9e74773
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 6c0f72c
Merge branch 'alerting/consumer-based-rbac' of github.com:gmmorris/ki…
gmmorris 98a00b6
removed ui capabilities that are no longer in use
gmmorris 4efb5e7
removed ui and api capabilities from built-in alerts that are no long…
gmmorris 053ca76
removed ui capabilities from solutions that are no longer in use
gmmorris 9f004db
improved "no permission" call out in UI
gmmorris acc5f55
ensure user has authrization to actions when an alert has actions
gmmorris 662e4a2
disabled switches on alert details page when there are no privileges
gmmorris 048e769
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris cd0522e
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris d2c732f
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 46845fc
handle case where security is disabled in ES but enabled in kibana
gmmorris 97b4262
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 67e913a
prevent unknown consumers from being authorized
gmmorris 6b090eb
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris d1cc1cd
moved migration to v7.10.0 as this feature hasnt made it into 7.9.0
gmmorris e9ac83c
corrected var name
gmmorris cdef95d
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris d6616db
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris a6989b5
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 07e1a1c
take into account which features available in the active space
gmmorris cbee849
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 16ab6c6
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 46f0d74
corrected consumer on enable operation
gmmorris 6b14aaf
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris e2fff84
added valifation of the alerting privileges at feature level
gmmorris d7ecd86
corrected security check for rbac
gmmorris 46f46c7
fixed unit in alerts client factory
gmmorris a894e5a
allow user to disable alert even if they dont have privileges to the …
gmmorris 81978c3
fixed alerts test
gmmorris 7febd47
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 5582f06
expclude security wrapper in SO client passed to ActionsClient
gmmorris 12f6536
removed uneeded tests
gmmorris 407b09a
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris 7bafd5d
includes hidden params type in SO client
gmmorris e794518
renamed variable to make it clear the SO client is unsecured
gmmorris 53aa8e9
Merge branch 'master' into alerting/consumer-based-rbac
gmmorris File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
added readme
- Loading branch information
commit 399493b96c75225a4645180c7be50c1a5bbf96f2
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm sure we've talked about this and I'm sure we will again. But to refresh my memory; I was thinking this was automatic and not controlled?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, it's confusing, no worries.
It works like this:
Producer privilege throughout Kibana & Consumer privilege to create built-in types in Alerts Management are automatic.
Consumer privilege to create built-in types in a consumer that isn't Alerts Management is not automatic.
We did this so that:
all
access to create alerts insiem
, for example, doesn't automatically grant you the right to create any built-in withsiem
as consumer- as that might mean that if they run afind
for allsiem
alerts they'll get back AlertTypes they don't support or expect.siem
do actually want to allow a built-in type, but only to a certain role or as a sub-privilege? We'd have to provide for that and doing so automatically now isn't something we can (necessarily) easily dial back, so best to keep this explicit for now (I think).There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I'll process this soon.
It looks like @kobelb has a similar question as well: #43994 (comment).