[Security Solution] UI trusted applications RBAC#145593
[Security Solution] UI trusted applications RBAC#145593gergoabraham merged 6 commits intoelastic:mainfrom
Conversation
gergoabraham
added
release_note:skip
gergoabraham
force-pushed
the
feature/olm-4913-ui-trusted-applications-rbac
branch
from
3cc4cc5 to
bf8c768
Compare
gergoabraham
force-pushed
the
feature/olm-4913-ui-trusted-applications-rbac
branch
from
bf8c768 to
c20c08e
Compare
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
ashokaditya
left a comment
ashokaditya
left a comment
There was a problem hiding this comment.
Mostly nits, but it's good to 🚢
| linksToExclude.push(SecurityPageName.hostIsolationExceptions); | ||
| } | ||
|
|
||
| if (endpointRbacEnabled && !canReadTrustedApplications) { |
There was a problem hiding this comment.
endpointRbacEnabled is redundant here, as canReadTrustedApplications is already calculated with isEndpointRbacEnabled which is true if either FF (endpointRbacEnabled, endpointRbacV1Enabled) is true.
There was a problem hiding this comment.
There is a slight difference in the operation with and without the feature flag:
- if RBAC is enabled, we should hide the Trusted Apps from nav,
- if disabled, Trusted Apps should be visible to non-superusers, too, but they are shown the Privileges Required screen when clicking on it.
So this condition here is to ensure that the operation stays exactly the same if the feature flag is disabled.
There was a problem hiding this comment.
@gergoabraham ,
I agree with @ashokaditya here. The fact that the TA menu items appear before, even if the user did not have permission to it, was actually not the desired behaviour and is something we been meaning to correct for a while.
There was a problem hiding this comment.
@paul-tavares
Oh, I see, didn't know that it was a not desired behaviour. I'll clean it up in a next RBAC UI PR then. 👍 Another benefit is that there will be less to clean up when removing the feature flag.
| mockedEndpointPrivileges = { canWriteTrustedApplications: true }; | ||
| mockUserPrivileges.mockReturnValue({ endpointPrivileges: mockedEndpointPrivileges }); |
There was a problem hiding this comment.
Consider resetting mockUserPrivileges after each test
There was a problem hiding this comment.
nice catch, thanks!
| const getLinksWithout = (...excludedLinks: SecurityPageName[]) => ({ | ||
| ...links, | ||
| links: links.links?.filter((link) => !excludedLinks.includes(link.id)), | ||
| }); | ||
|
|
dasansol92
left a comment
dasansol92
left a comment
There was a problem hiding this comment.
LGTM! Left minor suggestion but other than that, this is good to go!
| let getPlugins: (roles: string[]) => StartPlugins; | ||
| let fakeHttpServices: jest.Mocked<HttpSetup>; | ||
|
|
||
| const getLinksWithout = (...excludedLinks: SecurityPageName[]) => ({ |
There was a problem hiding this comment.
Would be worth using the without function from lodash?
There was a problem hiding this comment.
I wasn't familiar with without so thanks for the suggestion! However, it looks like that without uses equality comparison on objects, so I don't think it's possible to filter out objects based on their attributes, link.id here.
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Unknown metric groupsESLint disabled in files
ESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
gergoabraham
deleted the
feature/olm-4913-ui-trusted-applications-rbac
branch
## Summary Similarly to #145593, this PR handles the _None_ and _Read_ privileges for the Event Filters sub-feature. The _All_ privilege should not need any UI modification, but will need API modification. <img width="554" alt="image" src="https://user-images.githubusercontent.com/39014407/203514418-b016a47b-819c-4057-a86e-d7b4a3d8e5c5.png"> The modification should: - hide Event Filters from Manage navigation items if privilege is NONE, ~(note: it is still displayed for non-superusers, if the feature flag is disabled)~ update: it is hidden for non-superusers if the feature flag is disabled - disable add/edit/delete for Event Filters if privilege is READ. #### Checked: - the Event Filters form still works from the "Hosts > Events" side of the app ✅ <img width="1354" alt="image" src="https://user-images.githubusercontent.com/39014407/204316619-85121106-9d28-4165-9675-522890e39dfe.png"> <img width="1323" alt="image" src="https://user-images.githubusercontent.com/39014407/204326904-6917c8fe-a364-4a40-8bdc-e8240115fa1d.png"> ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
## Summary Similarly to #145593 and #146111, this PR handles the None and Read privileges for the Blocklist sub-feature. The All privilege should not need any UI modification, but will need API modification. <img width="541" alt="image" src="https://user-images.githubusercontent.com/39014407/204349035-ca234eae-66ec-4018-bc04-8deaebdd8a0b.png"> The modification should: - hide Blocklist from Manage navigation items if privilege is NONE, - disable add/edit/delete for Blocklist if privilege is READ. - disable opening Policies from Blocklist (and any other `ArtifactListPage`) by disabling the links in the _'Applied for N policies'_ context menu For testing the last part: - add `Read` privilege for Blocklist (or any other artifact using `ArtifactListPage`), and `None` to Policies - for now, it has to be tested with `Fleet:All` and `Integrations:Read` privileges With `Policies:Read` privilege, hovering on the last item: <img width="773" alt="image" src="https://user-images.githubusercontent.com/39014407/205944360-fed60b11-7a88-42d5-93cd-307c7b34891b.png"> With `Policies:None` privilege, hovering on the last item: <img width="778" alt="image" src="https://user-images.githubusercontent.com/39014407/205944198-7dccfa37-177f-4eb7-a773-09eaeaa4b1fe.png"> ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
6 participants
Summary
RBAC UI features for Trusted Applications. To test, enable
endpointRbacEnabledfeature-flag, create a non-superuser user with Security: ALL privilege and (All | Read | None) sub-privilege for Trusted Applications.The modification should:
This PR focuses on Read and None. The sub-privilege All does not work perfectly at the moment, because of unauthorised API calls. A follow-up PR will fix this, after this PR is merged: #145361
Checklist
Delete any items that are not applicable to this PR.