kibana
[Cloud Security] user with access to indexes documented in the public docs can't access CSPM Findings and Dashboard
Kibana version: 8.13.2
Elasticsearch version: 8.13.2
Server OS version:
Browser version:
Browser OS version:
Original install method (e.g. download page, yum, from source, etc.): ESS
Describe the bug: A user with access to Kibana Security and read privileges for the ES indexes described in https://www.elastic.co/guide/en/security/8.12/cspm-get-started.html doesn't have access to the Misconfiguration Findings and to the CSP dashboard
Steps to reproduce:
- Have an env with ingested CSPM data, e.g. AWS CSPM integration installed.
- Make sure the data is present in the `logs-cloud_security_posture.findings-*` and in the `logs-cloud_security_posture.findings_latest-*` indexes
- Create a new role with `all` privileges for all spaces in Kibana and with `read` privileges for `logs-cloud_security_posture.findings-*`, `logs-cloud_security_posture.findings_latest-*` and `logs-cloud_security_posture.scores-*` indexes/data streams
- Navigate to Dashboard -> Cloud Security Posture or to Findings -> Misconfigurations

On the dashboard you will see the `Internal Server Error 500: An error occurred while trying to fetch csp settings: Unable to get cloud-security-posture-settings, 403` error
Expected behavior: no error, dashboard and findings page should display the data
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context: This is most likely due to the changes introduced in 8.13 around benchmark rules, with a new Saved Object implemented to store the rules settings. More context from @kfirpeled:
here you can see that encryptedSavedObjects is based on user’s credentials and here it is being used to read the settings. The fault here that I would fix is that cspContext should not determine client or internal user usage. Either provide a proper name for each client with a suffix or allow it to be picked each usage, like esClient
@elastic/kibana-cloud-security-posture
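
The role from the reproduction steps, written as a request to Kibana's role API (`PUT /api/security/role/<name>`). This is an added example, not part of the original issue; the role name, `KIBANA_URL` and `API_KEY` are assumptions.

```shell
#!/bin/sh
# Added example: builds the role described in the reproduction steps and,
# on request, creates it through Kibana's role API.
# ROLE_NAME, KIBANA_URL and API_KEY are assumed names, not values from the issue.

ROLE_NAME="${ROLE_NAME:-cspm-findings-reader}"   # hypothetical role name

# Emit the role body: Kibana "all" in every space, Elasticsearch "read" on
# the three index patterns listed in the reproduction steps, nothing else.
csp_role_body() {
  cat <<'EOF'
{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      {
        "names": [
          "logs-cloud_security_posture.findings-*",
          "logs-cloud_security_posture.findings_latest-*",
          "logs-cloud_security_posture.scores-*"
        ],
        "privileges": ["read"]
      }
    ]
  },
  "kibana": [
    { "base": ["all"], "spaces": ["*"] }
  ]
}
EOF
}

# PUT the role to Kibana. Requires KIBANA_URL and API_KEY in the environment;
# the API key must belong to a user allowed to manage roles.
create_csp_role() {
  : "${KIBANA_URL:?set KIBANA_URL}" "${API_KEY:?set API_KEY}"
  csp_role_body | curl -sS -X PUT "${KIBANA_URL}/api/security/role/${ROLE_NAME}" \
    -H "kbn-xsrf: true" -H "Content-Type: application/json" \
    -H "Authorization: ApiKey ${API_KEY}" --data-binary @-
}
```

Source the file and call `create_csp_role`, then assign the role to a test user and open the Cloud Security Posture dashboard to check for the 403 on 8.13.2.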