
[Security][9.1] Security roles `siemV3` migration

Open gergoabraham opened this issue 7 months ago • 9 comments

Summary

The need for siemV2 to siemV3 role migration has arisen with Endpoint Exceptions RBAC, and this PR aims to perform this migration.

However, as doing these migrations is a bit of a pain, this PR is opened for every Security Solution team to add their own migrations which are needed for v9.1.0.

What's in the PR?

  • Required changes around security role migration from siemV2 to siemV3
  • Improvements by parameterizing siemV3 in lots of places, to ease future role migrations by decreasing the occurrences that have to be changed.
  • Endpoint Exceptions role migration: https://github.com/elastic/security-team/issues/12269
  • Global Artifact Management [space awareness] role migration: https://github.com/elastic/security-team/issues/11717
  • [tbd]

📆 Timeline 📆

  • [x] May 12-30: Please add your v9.1.0 targeted migrations if needed. Feel free to commit directly, or I can cherry-pick as well (in June). Please don't force push. You can also add them to this collection issue: https://github.com/elastic/security-team/issues/12538

  • [ ] June 2-13 todos: Finalization, code reviews: 🙏 other teams, please feel free to review. 🙏 There are some upcoming smaller changes, but only in the scope of @elastic/security-defend-workflows team.

    • [x] Updating predefined roles for serverless in elasticsearch-controller: https://github.com/elastic/elasticsearch-controller/pull/1010 🗒️ current PR goes in first, gets released, then the elasticsearch-controller PR gets merged 🗒️
    • [x] Updating predefined roles with Global Artifact Management privilege
    • [x] Decision about Global Artifact Management: to keep it behind feature flag or not.
    • [ ] Some fixes for Endpoint Exception privileges, after #222223
    • [ ] Automated tests for Endpoint Exception role migration
  • June 16-23: 🤞 Merge! 🤞 on the same week when space awareness is enabled

Background

  • Previous role migration PR: https://github.com/elastic/kibana/pull/201780
  • Role migration description: https://github.com/elastic/kibana/pull/186800

Checklist

Check that the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

gergoabraham avatar Apr 29 '25 14:04 gergoabraham

Hey @gergoabraham, thanks for the ping. After talking with @michaelolo24, we decided we'll try to include this inside the V3 migration. We'll keep you posted

semd avatar May 20 '25 14:05 semd

> Hey @gergoabraham, thanks for the ping. After talking with @michaelolo24, we decided we'll try to include this inside the V3 migration. We'll keep you posted

hey @semd,

i think it is included in this PR - i used your related draft PR (https://github.com/elastic/kibana/pull/207258) as a starting point for unifying Endpoint Exceptions privilege/subfeature, and i'd say all of the modifications are included in this PR, so looks like there's nothing to do on your side, except reviewing this PR : )

gergoabraham avatar Jun 02 '25 14:06 gergoabraham

> so looks like there's nothing to do on your side, except reviewing this PR : )

@gergoabraham Right! I assumed V3 was being introduced for other reasons. I had these changes in my TODO list, so this is awesome. The implementation looks solid, I only have one concern about the isServerless checks as I mentioned, but we can tackle that after 9.1 FF.

And thanks for replacing all the hardcoded siemV2 with the SECURITY_FEATURE_ID constant 👏 . The predefined roles changes look good as well. This will be the only sub-feature that is already included implicitly in the feature_siemV3.all | feature_siemV3.read via includeIn, so no need to add them explicitly to the roles definition.

I think we are good to open it.

And it would be great if @azasypkin could give his okay as well 🙏

semd avatar Jun 03 '25 16:06 semd

> And it would be great if @azasypkin could give his okay as well 🙏

ACK: I'm on PTO tomorrow, so it will likely slide to Mon-Tue, but it's on my list!

azasypkin avatar Jun 05 '25 09:06 azasypkin

Pinging @elastic/fleet (Team:Fleet)

elasticmachine avatar Jun 06 '25 07:06 elasticmachine

Unassigned myself since you already have two reviews from DW :).

szwarckonrad avatar Jun 12 '25 10:06 szwarckonrad

@dmlemeshko @joeypoon @azasypkin @seanrathier @jloleysens @rylnd @jbudz @paul-tavares @semd

thank you all for the reviews so far!

Important: some concerns came up yesterday regarding upcoming Endpoint Exceptions changes, and until those are cleared, we decided to remove Endpoint Exception privilege related changes from this PR

so it will contain the generic changes and improvements around bumping siemVX version, and adding Global Artifact Management privilege with role migrations.

in the next day(s) i'll do the needed changes and respond to all of your comments. then i'll re-request reviews from some of you, but will try to keep it not so disruptive.

i know this is a huge PR, and not easy to review (next time i'll probably try @jloleysens 's suggestion to have a feature branch with smaller PRs), so thank you for doing it and also for your understanding towards the scope change 🙇

gergoabraham avatar Jun 13 '25 12:06 gergoabraham

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

elasticmachine avatar Jun 20 '25 01:06 elasticmachine

:robot: GitHub comments


Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

github-actions[bot] avatar Jun 20 '25 07:06 github-actions[bot]

:green_heart: Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| fleet | 1.8MB | 1.8MB | +26.0B |
| securitySolution | 9.4MB | 9.4MB | +27.0B |
| total | | | +53.0B |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
|---|---|---|---|
| fleet | 168.2KB | 168.3KB | +82.0B |

History

  • :broken_heart: Build #311034 failed 5132bc31a9498670a329a6a4fe781a00962c9803
  • :broken_heart: Build #310722 failed 93d872137167ddb311018e3bc37838ef45d09b25
  • :broken_heart: Build #310650 failed 309abb30a84c702ff136b1fbe4a933eeb21eb068
  • :broken_heart: Build #310534 failed a4dd40a8afdfa302d1466827b58375b3153c545d

cc @gergoabraham

elasticmachine avatar Jun 23 '25 09:06 elasticmachine

Hi @gergoabraham ,

We have validated this ticket on the latest 9.2.0-Serverless builds and the observations are below.

Login Credentials

  • https://p.elstc.co/paste/N4Qux86T#5Mrtf2FtuC4+1oESCpq+zbFUNFKJdTTHS2cu0dQugDB

Below are the testing details:

Build Details:

VERSION: 9.2.0
BUILD: 87753
COMMIT: 27183690142a5590b4ad72d060c43cad869f3f3c

Detailed Observations with Screen-captures for 9.2.0-Serverless:

  • Validated that the SIEM v2 to SIEM v3 migration ensures the global artifact management privilege is retained only when all or any artifact has the 'all' privilege; none if privileges are 'read' or 'none'

    • The global artifact management role migration is working as expected.
    • If all artifacts have "All", it shows "All" for the global artifact management
    • If any single artifact has "All", it shows "All" for the global artifact management
    • If all artifacts have "Read", it shows "None" for the global artifact management
    • If all artifacts are "None", it shows "None" for the global artifact management as well.


  • Users with global artifact management privilege set to 'all' are able to create artifacts globally:

https://github.com/user-attachments/assets/87485e1b-10af-4809-9c9a-62a041c5b213

  • Pre-built rules with global 'all' access to artifacts are able to create artifacts globally:

https://github.com/user-attachments/assets/46f486b4-db90-4ff8-acbc-cf6cb90130d4

https://github.com/user-attachments/assets/0d9f6a1e-77e9-4c9e-b56a-80e76ed4be7f

Please let us know if anything else is required from our end.

Thanks !!
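The migration rule the validation comment above describes (Global Artifact Management becomes 'all' only when at least one artifact privilege is 'all', otherwise 'none'), as an added TypeScript example that is not part of this PR or of Kibana's own migration code; the artifact sub-feature ids and the `global_artifact_management_all` privilege id are assumed names, and siemV2 privileges are modelled as a flat list of Kibana-style privilege ids.

```typescript
// Added example, not Kibana's migration code: derive the siemV3 Global Artifact
// Management privilege from a role's siemV2 privileges, per the rule validated above.
type Level = 'all' | 'read' | 'none';

// Assumed (hypothetical) sub-feature ids for the per-artifact privileges.
const ARTIFACT_SUBFEATURES = [
  'trusted_applications',
  'event_filters',
  'host_isolation_exceptions',
  'blocklist',
] as const;

// Assumed (hypothetical) id of the new siemV3 sub-feature privilege.
const GLOBAL_ARTIFACT_MANAGEMENT_ALL = 'global_artifact_management_all';

// Effective level of one artifact sub-feature given the role's siemV2 privilege ids.
// The base 'all' / 'read' privilege implies the same level for every sub-feature;
// otherwise the per-sub-feature '<id>_all' / '<id>_read' ids decide.
function artifactLevel(privileges: string[], subFeature: string): Level {
  if (privileges.includes('all') || privileges.includes(`${subFeature}_all`)) return 'all';
  if (privileges.includes('read') || privileges.includes(`${subFeature}_read`)) return 'read';
  return 'none';
}

// Global Artifact Management level: 'all' if any artifact is 'all', else 'none'.
// A role whose artifacts are all 'read' (or all 'none') gets no global privilege.
function globalArtifactManagementLevel(privileges: string[]): Level {
  const anyAll = ARTIFACT_SUBFEATURES.some((sf) => artifactLevel(privileges, sf) === 'all');
  return anyAll ? 'all' : 'none';
}

// Build the siemV3 privilege list from the siemV2 one: keep the existing ids and
// append the global privilege only when the rule grants it (idempotent on re-run).
function migrateSiemV2ToV3(v2Privileges: string[]): string[] {
  const v3 = [...v2Privileges];
  if (globalArtifactManagementLevel(v2Privileges) === 'all' && !v3.includes(GLOBAL_ARTIFACT_MANAGEMENT_ALL)) {
    v3.push(GLOBAL_ARTIFACT_MANAGEMENT_ALL);
  }
  return v3;
}
```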