Commit
[8.x] [SecuritySolution] Breaking out timeline & note privileges (#201780) (#207367)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Breaking out timeline & note privileges (#201780)](#201780)

<!--- Backport version: 9.6.4 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Backported commit: `1b167d9dc23a9e0e8e47992a37563ca89ccf3c7d` (Jan Monschke, committed 2025-01-20T13:09:16Z). Source PR: https://github.com/elastic/kibana/pull/201780, merged into `main` (v9.0.0); target branch `8.x` (v8.18.0). PR labels: Team:Fleet, v9.0.0, release_note:feature, Team:Threat Hunting:Investigations, backport:prev-minor, ci:cloud-deploy, ci:project-persist-deployment, v8.18.0. The source commit message follows.

[SecuritySolution] Breaking out timeline & note privileges (#201780)

## Summary

Epic: https://github.com/elastic/security-team/issues/7998

In this PR we're breaking out the `timeline` and `notes` features into their own feature privilege definition. Previously, access to both features was granted implicitly through the `siem` feature. However, we found that this level of access control is not sufficient for all clients who wanted a more fine-grained way to grant access to parts of security solution.

In order to break out `timeline` and `notes` from `siem`, we had to deprecate its feature privilege definition. That is why you'll find plenty of changes of `siem` to `siemV2` in this PR. We're making use of the feature privilege's `replacedBy` functionality, allowing for a seamless migration of deprecated roles.

This means that roles that previously granted `siem.all` are now granted `siemV2.all`, `timeline.all` and `notes.all` (same for `*.read`). Existing users are not impacted and should all still have the correct access. We added tests to make sure this is working as expected.

Alongside the `ui` privileges, this PR also adds dedicated API tags. Those tags have been added to the new and previous version of the privilege definitions to allow for a clean migration:

```mermaid
flowchart LR
 subgraph v1
 A(siem) --> Y(all)
 A --> X(read)
 Y -->|api| W(timeline_write / timeline_read / notes_read / notes_write)
 X -->|api| V(timeline_read /notes_read)
 end

 subgraph v2
 A-->|replacedBy| C[siemV2]
 A-->|replacedBy| E[timeline]
 A-->|replacedBy| G[notes]

 E --> L(all)
 E --> M(read)
 L -->|api| N(timeline_write / timeline_read)
 M -->|api| P(timeline_read)

 G --> Q(all)
 G --> I(read)

 Q -->|api| R(notes_write / notes_read)
 I -->|api| S(notes_read)
 end
```

### Visual changes

#### Hidden/disabled elements

Most of the changes are happening "under" the hood and are only expressed in case a user has a role with `timeline.none` or `notes.none`. This would hide and/or disable elements that would usually allow them to interact with either timeline or the notes feature (within timeline or the event flyout currently).

As an example, this is how the hover actions look for a user with and without timeline access:

| With timeline access | Without timeline access |
| --- | --- |
| <img width="616" alt="Screenshot 2024-12-18 at 17 22 49" src="https://github.com/user-attachments/assets/a767fbb5-49c8-422a-817e-23e7fe1f0042" /> | <img width="724" alt="Screenshot 2024-12-18 at 17 23 29" src="https://github.com/user-attachments/assets/3490306a-d1c3-41aa-af5b-05a1dd804b47" /> |

#### Roles

Another visible change of this PR is the addition of `Timeline` and `Notes` in the edit-role screen:

| Before | After |
| ------- | ------ |
| <img width="746" alt="Screenshot 2024-12-12 at 16 31 43" src="https://github.com/user-attachments/assets/20a80dd4-c214-48a5-8c6e-3dc19c0cbc43" /> | <img width="738" alt="Screenshot 2024-12-12 at 16 32 53" src="https://github.com/user-attachments/assets/afb1eab4-1729-4c4e-9f51-fddabc32b1dd" /> |

We made sure that for migrated roles that had `security.all` selected, this screen correctly shows `security.all`, `timeline.all` and `notes.all` after the privilege migration.

#### Timeline toast

There are tons of places in security solution where `Investigate / Add to timeline` are shown. We did our best to disable all of these actions but there is no guarantee that this PR catches all the places where we link to timeline (actions). One layer of extra protection is that the API endpoints don't give access to timelines to users without the correct privileges. Another one is a Redux middleware that makes sure timelines cannot be shown in missed cases. The following toast will be shown instead of the timeline:

<img width="354" alt="Screenshot 2024-12-19 at 10 34 23" src="https://github.com/user-attachments/assets/1304005e-2753-4268-b6e7-bd7e22d8a1e3" />

### Changes to predefined security roles

All predefined security roles have been updated to grant the new privileges (in ESS and serverless). In accordance with the migration, all roles with `siem.all` have been assigned `siemV2.all`, `timeline.all` and `notes.all` (and `*.read` respectively).

### Checklist

Check the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: PhilippeOberti <[email protected]>
Co-authored-by: Steph Milovic <[email protected]>
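The two mechanisms the commit message relies on, the `replacedBy` expansion of a deprecated `siem` privilege into `siemV2`/`timeline`/`notes` at the same level, and the API tags that let the server refuse timeline or notes endpoints even where the UI fails to hide an action, can be modelled in a few lines. The following TypeScript is an added illustration written for this page, not Kibana's code: the feature ids, privilege levels and api tags are taken from the flowchart above, while the data structures, the function names and the rule that an explicitly set level on a replacement feature (such as `timeline: 'none'`) is kept during migration are assumptions made for the example.

```typescript
// Added example, not Kibana's own code: a model of the replacedBy migration and the
// api-tag check described in the commit message. Feature ids, levels and api tags are
// from the message's flowchart; structures, names and the "keep explicit settings"
// rule in migrateRolePrivileges are assumptions made for this illustration.

type PrivilegeLevel = 'all' | 'read' | 'none';
type RolePrivileges = Record<string, PrivilegeLevel>;

// API tags attached to each feature privilege, as drawn in the v1/v2 flowchart.
// The flowchart lists no api tags for siemV2, so it is modelled with none (assumption).
const API_TAGS_BY_PRIVILEGE: Record<string, readonly string[]> = {
  'siem.all': ['timeline_write', 'timeline_read', 'notes_read', 'notes_write'],
  'siem.read': ['timeline_read', 'notes_read'],
  'timeline.all': ['timeline_write', 'timeline_read'],
  'timeline.read': ['timeline_read'],
  'notes.all': ['notes_write', 'notes_read'],
  'notes.read': ['notes_read'],
  'siemV2.all': [],
  'siemV2.read': [],
};

// replacedBy: a deprecated feature privilege expands to the same level of each replacement.
const REPLACED_BY: Record<string, readonly string[]> = {
  siem: ['siemV2', 'timeline', 'notes'],
};

// Apply the replacedBy migration to one role's feature privileges.
// { siem: 'all' } becomes { siemV2: 'all', timeline: 'all', notes: 'all' }; a level the
// role already sets on a replacement feature (e.g. timeline: 'none') is kept as-is.
function migrateRolePrivileges(role: RolePrivileges): RolePrivileges {
  const migrated: RolePrivileges = {};
  for (const feature of Object.keys(role)) {
    const level = role[feature];
    const replacements = REPLACED_BY[feature];
    if (!replacements) {
      migrated[feature] = level;
      continue;
    }
    for (const replacement of replacements) {
      if (!(replacement in role)) migrated[replacement] = level;
    }
  }
  return migrated;
}

// Collect the api tags a role actually carries; a 'none' level contributes nothing.
function apiTagsForRole(role: RolePrivileges): Set<string> {
  const tags = new Set<string>();
  for (const feature of Object.keys(role)) {
    const level = role[feature];
    if (level === 'none') continue;
    const tagsForPrivilege = API_TAGS_BY_PRIVILEGE[feature + '.' + level] || [];
    for (const tag of tagsForPrivilege) tags.add(tag);
  }
  return tags;
}

// Server-side check: an endpoint tagged with requiredTag is served only if the caller's
// role carries that tag, independent of what the UI did or did not hide.
function isEndpointAllowed(role: RolePrivileges, requiredTag: string): boolean {
  return apiTagsForRole(role).has(requiredTag);
}

// Constructed sample roles for a stand-alone run.
const legacyAnalyst: RolePrivileges = { siem: 'all' };
const noTimelineAnalyst: RolePrivileges = { siemV2: 'all', timeline: 'none', notes: 'read' };

console.log(migrateRolePrivileges(legacyAnalyst));
// { siemV2: 'all', timeline: 'all', notes: 'all' }
console.log(isEndpointAllowed(migrateRolePrivileges(legacyAnalyst), 'timeline_write')); // true
console.log(isEndpointAllowed(noTimelineAnalyst, 'timeline_read')); // false
console.log(isEndpointAllowed(noTimelineAnalyst, 'notes_read')); // true
```

The point worth noting for review is the last three calls: a role whose `timeline` privilege is `none` is refused `timeline_read` at the API layer even though its `siemV2.all` is otherwise a full-access role, which is exactly the backstop the message describes for actions the UI pass may have missed.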