[Security Solution] Fix old siem feature override #207333
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
I'm trying to make sense of this file and the failing tests. From my understanding, all granted privileges should be defined in their I wonder what was the reasoning of adding these feature overrides in the first place?
@elasticmachine merge upstream
@janmonschke In Security serverless projects, the platform features (aka Analytics) are "shared", they exist in all the different types of projects (solutions). These platform features are granted implicitly when a role has a solution-specific feature, this is defined by these overrides. Essentially, this config is telling Kibana that when a role has The problem is that MKI is still executing the tests with the If you want to test the bug locally you can change the local roles definition The only remaining question I have is that these predefined roles do have explicit platform privileges granted like cc @azasypkin
Sorry, I’m slightly out of context, but this does sound weird. Is it “just” the test that’s failing (there are too many variables in tests to pinpoint the culprit), or is there some real Discover/Dashboard functionality that isn’t available to users with the aforementioned predefined roles?
The latter, features cannot be accessed:
To reproduce it:
@semd how do you run Kibana and ES, and what role do you use to log in? I assume this file (https://github.com/elastic/kibana/blob/main/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml) is only used when you run FTR locally, for usual dev server Kibana is supposed to use https://github.com/elastic/kibana/blob/main/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml
@@ -50,6 +50,33 @@ xpack.features.overrides: | |||
- feature: "maps" | |||
privileges: [ "read" ] | |||
|
|||
### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. |
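Review bot: the new block opens with exactly the same header comment ("### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.") as the existing `siemV2` block above it, so from the hunk alone a reader cannot tell that the 27 added lines are a deliberate duplicate for the deprecated `siem` feature id rather than a copy-paste leftover. Add a comment at the top of the block saying that it mirrors the `siemV2` overrides for role definitions that still grant `feature_siem.*` (the outdated MKI roles discussed in this thread) and that it can be deleted once no role definition references `feature_siem`; without that note, a later "deduplication" of the two blocks would silently reintroduce the missing-Discover bug this PR fixes.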
### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. | |
### We're keeping around a copy of these overrides for the deprecated `siem` feature as well to make sure that they're applied all roles properly |
ES -> About the roles.yml duplication, I am not sure what is the purpose of each one, it would be great to centralize this definition. But for now changing The test failure is MKI, which executes UI tests to real QA deployments, so the test uses the production definition at https://github.com/elastic/elasticsearch-controller/blob/main/helm/values.yaml, which still has not been updated with the new features. I am simulating this config locally to reproduce it
💛 Build succeeded, but was flaky
cc @semd
I’m pretty sure that
@azasypkin Yes, you are right, I double checked and the one being used is https://github.com/elastic/kibana/blob/main/packages/kbn-es/src/serverless_resources/project_roles/security/roles.yml, sorry for the confusion, I always do the changes to both places at the same time to make sure they are applied.
Confirmed, reproduced the issue and the fix locally ✅
Starting backport for target branches: 8.x
## Summary

Adds the feature override for the old `siem` feature as well, we changed that to the new one here https://github.com/elastic/kibana/pull/201780/files#diff-5aba630e58630c087c90368aa97296afb736f62579a23285cef901dc1c3921edR27

Related failure: elastic#207285

The problem happened because MKI tests are using the outdated roles definition with the old `feature_siem` which was lacking the feature override in the serverless.security.yml

Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit 9077414)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
@semd, yes, thanks! And here’s what’s happening. This is what we had in serverless.security.yml:

```yaml
---
## Fine-tune the security solution feature privileges. Also, refer to `serverless.yml` for the project-agnostic overrides.
xpack.features.overrides:
  ### Discover feature is hidden in Role management since it's automatically granted by SIEM feature.
  discover.hidden: true
  ...
  ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
  siemV2:
    privileges:
      ### Security's `All` feature privilege should implicitly grant `All` access to Discover features.
      all.composedOf:
        - feature: "discover"
          privileges: [ "all" ]
```

And the excerpt of the role definition, roles.yaml:

```yaml
---
viewer:
  cluster: []
  indices:
    - names: ...
      privileges:
        - read
  applications:
    - application: 'kibana-.kibana'
      privileges:
        - feature_siemV2.read
        - feature_siemV2.read_alerts
        - feature_siemV2.endpoint_list_read
        - feature_discover.all
        - ...
      resources: '*'
```
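To make the mechanism described in the thread concrete (the explanation of how solution features implicitly grant platform features through the overrides, and the `serverless.security.yml` / `roles.yml` excerpts above), here is an added Python model. It is not code from this thread or from Kibana: it expands a role's `feature_<id>.<privilege>` grants through `composedOf` rules in the way the comments describe, shows the pre-fix overrides (only `siemV2`) beside the fixed ones (`siem` copied alongside `siemV2`), and flags roles that still grant a feature id for which no override exists. The `read.composedOf` rule, the role names, the `SOLUTION_FEATURES` set and all function names are assumptions made for the example; the page itself shows only `all.composedOf` and elides the rest with `...`.

```python
"""Resolve Kibana feature privileges through `xpack.features.overrides` composedOf rules.

Constructed example: the override tables mirror the structure of the
serverless.security.yml excerpt in the thread, written as Python dicts so the
script runs without a YAML parser. The resolution logic is a simplified model of
the behaviour the thread describes, not Kibana's own implementation.
"""
from typing import Dict, List, Optional, Set, Tuple

# Overrides BEFORE the fix: only the new `siemV2` feature id composes Discover.
# `read.composedOf` is an assumption for this example; the page shows only `all.composedOf`.
OVERRIDES_BEFORE: Dict[str, object] = {
    "discover.hidden": True,
    "siemV2": {
        "privileges": {
            "all.composedOf": [{"feature": "discover", "privileges": ["all"]}],
            "read.composedOf": [{"feature": "discover", "privileges": ["read"]}],
        }
    },
}

# Overrides AFTER the fix: the deprecated `siem` id gets a copy of the same rules.
OVERRIDES_AFTER: Dict[str, object] = dict(OVERRIDES_BEFORE, siem=OVERRIDES_BEFORE["siemV2"])

# Constructed role excerpts in the shape of roles.yml `applications[].privileges`.
# `viewer_old_mki` stands for the outdated MKI definition that still uses `feature_siem`
# and has no explicit `feature_discover.*` grant.
ROLES: Dict[str, List[str]] = {
    "viewer_v2": ["feature_siemV2.read", "feature_siemV2.read_alerts"],
    "viewer_old_mki": ["feature_siem.read", "feature_siem.read_alerts"],
}

# Feature ids that belong to the Security Solution (assumed set for the check below).
SOLUTION_FEATURES = {"siem", "siemV2"}


def parse_privilege(app_priv: str) -> Optional[Tuple[str, str]]:
    """Split 'feature_siem.read' into ('siem', 'read'); non-feature privileges yield None."""
    if not app_priv.startswith("feature_"):
        return None
    feature, _, priv = app_priv[len("feature_"):].partition(".")
    return feature, priv


def resolve(overrides: Dict[str, object], app_privileges: List[str]) -> Dict[str, Set[str]]:
    """Return {feature_id: {privileges}} that a role holds explicitly or via composedOf.

    Only rules keyed `<privilege>.composedOf` under `<feature>.privileges` are applied,
    and composition is one level deep, which is all the excerpt on the page needs.
    """
    granted: Dict[str, Set[str]] = {}
    for app_priv in app_privileges:
        parsed = parse_privilege(app_priv)
        if parsed is None:
            continue
        feature, priv = parsed
        granted.setdefault(feature, set()).add(priv)
        feature_cfg = overrides.get(feature, {})
        rules = feature_cfg.get("privileges", {}) if isinstance(feature_cfg, dict) else {}
        for composed in rules.get(f"{priv}.composedOf", []):
            granted.setdefault(composed["feature"], set()).update(composed["privileges"])
    return granted


def can_access(overrides: Dict[str, object], app_privileges: List[str], feature: str) -> bool:
    """True when the role ends up with at least one privilege on `feature`."""
    return bool(resolve(overrides, app_privileges).get(feature))


def roles_missing_discover(overrides: Dict[str, object], roles: Dict[str, List[str]]) -> List[str]:
    """Names of roles that hold a Security Solution privilege yet resolve to no Discover access.

    This is the misconfiguration from the thread: a role written against a feature id
    that has no composedOf rules in the overrides and no explicit `feature_discover.*` grant.
    """
    missing: List[str] = []
    for name, privs in roles.items():
        parsed = [parse_privilege(p) for p in privs]
        holds_solution = any(p is not None and p[0] in SOLUTION_FEATURES for p in parsed)
        if holds_solution and not can_access(overrides, privs, "discover"):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, overrides in (("before fix", OVERRIDES_BEFORE), ("after fix", OVERRIDES_AFTER)):
        for role, privs in ROLES.items():
            print(f"{label:10s} {role:15s} discover={can_access(overrides, privs, 'discover')}")
        print(f"{label:10s} roles lacking Discover: {roles_missing_discover(overrides, ROLES)}")
```

Run against the pre-fix overrides the check reports `viewer_old_mki`, because `feature_siem.read` finds no `siem` entry to compose through; with the `siem` copy in place the same role resolves to `discover: {read}` and the report is empty. The same check, pointed at a real overrides file and roles file via a YAML loader, is a cheap way to catch a renamed feature id before it reaches a deployment whose role definitions lag behind.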
@azasypkin Got it! Thanks for the explanation. So the This means that all the
## Summary

Adds the feature override for the old `siem` feature as well, we changed that to the new one here https://github.com/elastic/kibana/pull/201780/files#diff-5aba630e58630c087c90368aa97296afb736f62579a23285cef901dc1c3921edR27

Related failure: elastic#207285

The problem happened because MKI tests are using the outdated roles definition with the old `feature_siem` which was lacking the feature override in the serverless.security.yml

Co-authored-by: Elastic Machine <[email protected]>
@semd, I am also trying to read through and understand the issue here.
Do you mean that this problem and this solution are temporary till MKI is using updated
…07373)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Fix old siem feature override (#207333)](#207333)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Sergi Massaneda <[email protected]>
@semd That’s correct, and yeah, I believe it’s a good idea to remove everything we believe is unused to make it easier to reason about these roles when needed (like in this case).
Yes, that's what I tested