diff --git a/packages/kbn-es/src/cli_commands/serverless.ts b/packages/kbn-es/src/cli_commands/serverless.ts
index c8b3018e6f669..dcf8f1607f188 100644
--- a/packages/kbn-es/src/cli_commands/serverless.ts
+++ b/packages/kbn-es/src/cli_commands/serverless.ts
@@ -11,6 +11,8 @@ import getopts from 'getopts';
 import { ToolingLog } from '@kbn/tooling-log';
 import { getTimeReporter } from '@kbn/ci-stats-reporter';
+import { basename } from 'path';
+import { SERVERLESS_RESOURCES_PATHS } from '../paths';
 import { Cluster } from '../cluster';
 import {
   ES_SERVERLESS_REPO_ELASTICSEARCH,
@@ -37,6 +39,13 @@ export const serverless: Command = {
       --ssl               Enable HTTP SSL on the ES cluster
       --skipTeardown      If this process exits, leave the ES cluster running in the background
       --waitForReady      Wait for the ES cluster to be ready to serve requests
+      --resources         Overrides resources under ES 'config/' directory, which are by default
+                          mounted from 'packages/kbn-es/src/serverless_resources/users'. Value should
+                          be a valid file path (relative or absolute). This option can be used multiple
+                          times if needing to override multiple files. The following files can be overwritten:
+                          ${SERVERLESS_RESOURCES_PATHS.map((filePath) => basename(filePath)).join(
+                            ' | '
+                          )}
       -E                  Additional key=value settings to pass to ES
       -F                  Absolute paths for files to mount into containers
@@ -63,7 +72,7 @@ export const serverless: Command = {
         files: 'F',
       },
-      string: ['tag', 'image', 'basePath'],
+      string: ['tag', 'image', 'basePath', 'resources'],
       boolean: ['clean', 'ssl', 'kill', 'background', 'skipTeardown', 'waitForReady'],
       default: defaults,
diff --git a/packages/kbn-es/src/serverless_resources/README.md b/packages/kbn-es/src/serverless_resources/README.md
index d1ae204117075..82577579503dc 100644
--- a/packages/kbn-es/src/serverless_resources/README.md
+++ b/packages/kbn-es/src/serverless_resources/README.md
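Review bot: The `--resources` help text added here names the wrong default source: the files are mounted from the `packages/kbn-es/src/serverless_resources/` directory, of which `users` is just one entry, as the basename list appended from `SERVERLESS_RESOURCES_PATHS` itself shows. Suggest `mounted from 'packages/kbn-es/src/serverless_resources/'. Value should`. The JSDoc added for `resources?` on `ServerlessOptions` in `packages/kbn-es/src/utils/docker.ts` repeats the same `.../serverless_resources/users` path and should be corrected the same way.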
@@ -14,7 +14,7 @@ password: changeme
 ### Adding users
-1. Add the user:encrypted_password to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
+1. Add the `user:encrypted_password` to `users` file. The encrypted password for `elastic_serverless` is `changeme` if you want to reuse the value.
 1. Set the new user's roles in `users_roles` file.
 1. Add the username to `operator_users.yml` in the array for file realm users.
@@ -46,4 +46,15 @@ If a node is configured to use this `service_tokens` file, then you can authenti
 curl -H "Authorization: Bearer AAEAAWVsYXN0aWMva2liYW5hL2tpYmFuYS1kZXY6VVVVVVVVTEstKiBaNA" http://localhost:9200/_security/_authenticate
 ```
-The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed a serverless cluster with this token.
\ No newline at end of file
+The name of the token (`kibana-dev`) is important because the `operator_users.yml` file designates that token as an operator and allows us to seed a serverless cluster with this token.
+
+
+## Overriding resources
+
+The files found in this directory can be overwritten with customized versions by using the `--resources` option of the `yarn es serverless` command.
+Assuming a customized `users` and `users_roles` are located in `/tmp/my_es/` directory and executing the below command from the root of Kibana, here is an example:
+
+```shell
+yarn es serverless --resources=/tmp/my_es/users --resources=/tmp/my_es/users_roles
+```
+
diff --git a/packages/kbn-es/src/serverless_resources/operator_users.yml b/packages/kbn-es/src/serverless_resources/operator_users.yml
index 859226f258ebf..9040596005236 100644
--- a/packages/kbn-es/src/serverless_resources/operator_users.yml
+++ b/packages/kbn-es/src/serverless_resources/operator_users.yml
@@ -1,5 +1,5 @@
 operator:
-  - usernames: ["elastic_serverless", "system_indices_superuser"]
+  - usernames: ["elastic_serverless", "system_indices_superuser", "soc_manager"]
     realm_type: "file"
     auth_type: "realm"
   - usernames: [ "elastic/kibana" ]
diff --git a/packages/kbn-es/src/serverless_resources/users b/packages/kbn-es/src/serverless_resources/users
index add4b7325c23d..01d8d2e82a372 100644
--- a/packages/kbn-es/src/serverless_resources/users
+++ b/packages/kbn-es/src/serverless_resources/users
@@ -1,2 +1,3 @@
 elastic_serverless:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
 system_indices_superuser:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+soc_manager:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
diff --git a/packages/kbn-es/src/serverless_resources/users_roles b/packages/kbn-es/src/serverless_resources/users_roles
index aa42046898601..3e84bd5799228 100644
--- a/packages/kbn-es/src/serverless_resources/users_roles
+++ b/packages/kbn-es/src/serverless_resources/users_roles
@@ -1,2 +1,3 @@
 superuser:elastic_serverless
 system_indices_superuser:system_indices_superuser
+soc_manager:soc_manager
diff --git a/packages/kbn-es/src/utils/docker.test.ts b/packages/kbn-es/src/utils/docker.test.ts
index 08edc2a17521d..a45d57c7fe90a 100644
--- a/packages/kbn-es/src/utils/docker.test.ts
+++ b/packages/kbn-es/src/utils/docker.test.ts
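Review bot: Adding `soc_manager` to the file-realm operator list grants that account operator-only API access on top of whatever the `soc_manager` role provides; the `soc_manager` role defined in the `roles.yml` added later in this commit has no cluster privileges, so if this account exists to exercise the role the way a real SOC manager would, operator status will mask privilege gaps the role would otherwise expose. If operator access is deliberately required, a comment on the list entry such as `# soc_manager: operator access required for <reason>` would stop the next least-privilege cleanup from removing it. It is also worth confirming that the default `packages/kbn-es/src/serverless_resources/roles.yml`, which this diff does not touch, actually defines `soc_manager`, since the new `users_roles` line maps the user to a role of that name.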
@@ -445,6 +445,35 @@ describe('setupServerlessVolumes()', () => {
     expect(volumeCmd).toHaveLength(20);
     expect(pathsNotIncludedInCmd).toEqual([]);
   });
+
+  test('should use resource overrides', async () => {
+    mockFs(existingObjectStore);
+    const volumeCmd = await setupServerlessVolumes(log, {
+      basePath: baseEsPath,
+      resources: ['./relative/path/users', '/absolute/path/users_roles'],
+    });
+
+    expect(volumeCmd).toContain(
+      '/absolute/path/users_roles:/usr/share/elasticsearch/config/users_roles'
+    );
+    expect(volumeCmd).toContain(
+      `${process.cwd()}/relative/path/users:/usr/share/elasticsearch/config/users`
+    );
+  });
+
+  test('should throw if an unknown resource override is used', async () => {
+    mockFs(existingObjectStore);
+
+    await expect(async () => {
+      await setupServerlessVolumes(log, {
+        basePath: baseEsPath,
+        resources: ['/absolute/path/invalid'],
+      });
+    }).rejects.toThrow(
+      'Unsupported ES serverless --resources value(s):\n /absolute/path/invalid\n\n' +
+        'Valid resources: operator_users.yml | role_mapping.yml | roles.yml | service_tokens | users | users_roles'
+    );
+  });
 });
 describe('runServerlessEsNode()', () => {
diff --git a/packages/kbn-es/src/utils/docker.ts b/packages/kbn-es/src/utils/docker.ts
index 5ed22e094e6f8..f9ce1e2f391ef 100644
--- a/packages/kbn-es/src/utils/docker.ts
+++ b/packages/kbn-es/src/utils/docker.ts
@@ -66,6 +66,11 @@ export interface ServerlessOptions extends EsClusterExecOptions, BaseOptions {
   background?: boolean;
   /** Wait for the ES cluster to be ready to serve requests */
   waitForReady?: boolean;
+  /**
+   * Resource file(s) to overwrite
+   * (see list of files that can be overwritten under `packages/kbn-es/src/serverless_resources/users`)
+   */
+  resources?: string | string[];
 }
 interface ServerlessEsNodeArgs {
@@ -470,7 +475,7 @@ export function getDockerFileMountPath(hostPath: string) {
  * Setup local volumes for Serverless ES
  */
 export async function setupServerlessVolumes(log: ToolingLog, options: ServerlessOptions) {
-  const { basePath, clean, ssl, files } = options;
+  const { basePath, clean, ssl, files, resources } = options;
   const objectStorePath = resolve(basePath, 'stateless');
   log.info(chalk.bold(`Checking for local serverless ES object store at ${objectStorePath}`));
@@ -509,12 +514,38 @@ export async function setupServerlessVolumes(log: ToolingLog, options: Serverles
     volumeCmds.push(...fileCmds);
   }
+  const resourceFileOverrides: Record = resources
+    ? (Array.isArray(resources) ? resources : [resources]).reduce((acc, filePath) => {
+        acc[basename(filePath)] = resolve(process.cwd(), filePath);
+        return acc;
+      }, {} as Record)
+    : {};
+
   const serverlessResources = SERVERLESS_RESOURCES_PATHS.reduce((acc, path) => {
-    acc.push('--volume', `${path}:${SERVERLESS_CONFIG_PATH}${basename(path)}`);
+    const fileName = basename(path);
+    let localFilePath = path;
+
+    if (resourceFileOverrides[fileName]) {
+      localFilePath = resourceFileOverrides[fileName];
+      log.info(`'${fileName}' resource overridden with: ${localFilePath}`);
+      delete resourceFileOverrides[fileName];
+    }
+
+    acc.push('--volume', `${localFilePath}:${SERVERLESS_CONFIG_PATH}${fileName}`);
     return acc;
   }, []);
+  if (Object.keys(resourceFileOverrides).length > 0) {
+    throw new Error(
+      `Unsupported ES serverless --resources value(s):\n ${Object.values(
+        resourceFileOverrides
+      ).join(' \n')}\n\nValid resources: ${SERVERLESS_RESOURCES_PATHS.map((filePath) =>
+        basename(filePath)
+      ).join(' | ')}`
+    );
+  }
+
   volumeCmds.push(
     ...getESp12Volume(),
     ...serverlessResources,
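Review bot: The paths collected into `resourceFileOverrides` are handed to `--volume` without checking that the host file exists; Docker's `-v`/`--volume` bind mount creates an empty directory at a missing host path, so a mistyped `--resources` value would mount a directory over, say, `config/users` and ES would fail to start with a far less direct error than the `Unsupported ES serverless --resources value(s)` one this hunk adds for unknown basenames. A check inside the reduce, `if (!existsSync(filePath)) throw new Error('ES serverless --resources file not found: ' + filePath);` (`existsSync` from `fs`, if docker.ts does not already import it; an `fs.stat` that also rejects directories would be stricter), keeps that failure at the CLI. Two values sharing a basename also silently collapse to the last one in the same reduce, which a `log.warning` there would make visible. `setupServerlessVolumes` continues beyond the end of the hunk.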
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/README.md b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/README.md
new file mode 100644
index 0000000000000..d2e519a0aab68
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/README.md
@@ -0,0 +1,47 @@
+# Security Solution Serverless Resources
+
+Directory contains ES serverless resources that can be used to override the defaults that are loaded when ES is started in serverless mode. For more information on how these are used [packages/kbn-es/src/serverless_resources/README.md](https://github.com/elastic/kibana/blob/main/packages/kbn-es/src/serverless_resources/README.md)
+
+> **ℹ️ NOTE**
+>
+> The files referenced via `--resources` argument will be bound and mounted to the ES docker containers that are running ES. This means that any changes to the files done on the host machine will be automatically (after a delay - 5s by default) picked up by Elasticsearch and applied to the ES docker nodes.
+
+## Usage
+
+Example executed from the root directory of Kibana:
+
+```shell
+yarn es serverless \
+--clean \
+--kill \
+-E xpack.security.authc.api_key.enabled=true \
+-E http.host=0.0.0.0 \
+--resources=./x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml \
+--resources=./x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users \
+--resources=./x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users_roles
+```
+
+> **💡️TIP**
+>
+> If needing to make custom changes to any of the ES resources for personal dev. purposes, copy the files located in this folder to your own local directly, make changes there and then use those file paths when starting ES
+
+
+
+## Files
+
+### `roles.yml`
+
+The list of Roles that are loaded into security serverless projects. The values in this file should match those in the [project controller](https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml) and should remain in sync.
+
+### `users`
+
+List of users that are loaded into ES for serverless. This file currently includes a user for each of the Security Project roles (same name as the role). All users in this file have their password set to `changeme`
+
+Format: `user:encrypted_password`
+
+### `users_roles`
+
+A map of role names (should match those define in the `roles.yml`) to list of users (values found in the `users` file). All Security serverless roles are listed in this file along with one user by the same name.
+
+Format: `role_name:username,username,username`
+
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
new file mode 100644
index 0000000000000..005f6e968ffc4
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
@@ -0,0 +1,571 @@ +--- +#-------------------------------------------------------------------------------------------------- +# +# FILE SOURCE AT: +# https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml +# +# !!!! IMPORTANT !!!! DO NOT MAKE CHANGES TO THIS FILE, UNLESS THOSE CHANGES +# HAVE ALSO BEEN MADE TO PROJECT CONTROLLER (path above) +# +#-------------------------------------------------------------------------------------------------- + +viewer: + cluster: [] + indices: + - names: + - "/~(([.]|ilm-history-).*)/" + privileges: + - "read" + - "view_index_metadata" + allow_restricted_indices: false + - names: + - ".siem-signals*" + - ".lists-*" + - ".items-*" + privileges: + - "read" + - "view_index_metadata" + allow_restricted_indices: false + - names: + - ".alerts*" + - ".preview.alerts*" + privileges: + - "read" + - "view_index_metadata" + allow_restricted_indices: false + applications: + - application: "kibana-.kibana" + privileges: + - "read" + resources: + - "*" + run_as: [] +editor: + cluster: [] + indices: + - names: + - "/~(([.]|ilm-history-).*)/" + privileges: + - "read" + - "view_index_metadata" + allow_restricted_indices: false + - names: + - "observability-annotations" + privileges: + - "read" + - "view_index_metadata" + - "write" + allow_restricted_indices: false + - names: + - ".siem-signals*" + - ".lists-*" + - ".items-*" + privileges: + - "read" + - "view_index_metadata" + - "write" + - "maintenance" + allow_restricted_indices: false + - names: + - ".internal.alerts*" + - ".alerts*" + - ".internal.preview.alerts*" + - ".preview.alerts*" + privileges: + - "read" + - "view_index_metadata" + - "write" + - "maintenance" + allow_restricted_indices: false + applications: + - application: "kibana-.kibana" + privileges: + - "all" + resources: + - "*" + run_as: [] + +t1_analyst: + cluster: + indices: + - names: + - ".alerts-security*" + - ".siem-signals-*" + privileges: + - read + - write + - maintenance + - 
names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - metrics-endpoint.metadata_current_* + - ".fleet-agents*" + - ".fleet-actions*" + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.read + - feature_siem.read_alerts + - feature_siem.endpoint_list_read + - feature_securitySolutionCases.read + - feature_actions.read + - feature_builtInAlerts.read + - feature_osquery.read + - feature_osquery.run_saved_queries + resources: "*" + +t2_analyst: + cluster: + indices: + - names: + - .alerts-security* + - .siem-signals-* + privileges: + - read + - write + - maintenance + - names: + - .lists* + - .items* + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.read + - feature_siem.read_alerts + - feature_siem.endpoint_list_read + - feature_securitySolutionCases.all + - feature_actions.read + - feature_builtInAlerts.read + - feature_osquery.read + - feature_osquery.run_saved_queries + resources: "*" + +t3_analyst: + cluster: + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + privileges: + - read + - write + - names: + - .alerts-security* + - .siem-signals-* + privileges: + - read + - write + - names: + - .lists* + - .items* + privileges: + - read + - write + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - 
feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_all + - feature_siem.blocklist_all + - feature_siem.policy_management_read # Elastic Defend Policy Management + - feature_siem.host_isolation_all + - feature_siem.process_operations_all + - feature_siem.actions_log_management_all # Response actions history + - feature_siem.file_operations_all + - feature_securitySolutionCases.all + - feature_actions.read + - feature_builtInAlerts.all + - feature_osquery.all + resources: "*" + +threat_intelligence_analyst: + cluster: + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - .lists* + - .items* + - packetbeat-* + - winlogbeat-* + privileges: + - read + - names: + - .alerts-security* + - .siem-signals-* + privileges: + - read + - write + - maintenance + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.read + - feature_siem.read_alerts + - feature_siem.endpoint_list_read + - feature_siem.blocklist_all + - feature_securitySolutionCases.all + - feature_actions.read + - feature_builtInAlerts.read + - feature_osquery.all + resources: "*" + +rule_author: + cluster: + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + privileges: + - read + - write + - names: + - .alerts-security* + - .siem-signals-* + - .internal.preview.alerts-security* + - .preview.alerts-security* + privileges: + - read + - write + - maintenance + - view_index_metadata + - names: + - .lists* + - .items* + privileges: + - read + - write + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: 
"kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - feature_siem.policy_management_all + - feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_read + - feature_siem.blocklist_all # Elastic Defend Policy Management + - feature_siem.actions_log_management_read + - feature_securitySolutionCases.all + - feature_actions.read + - feature_builtInAlerts.all + - feature_osquery.all + resources: "*" + +soc_manager: + cluster: + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + privileges: + - read + - write + - names: + - .alerts-security* + - .siem-signals-* + - .preview.alerts-security* + - .internal.preview.alerts-security* + privileges: + - read + - write + - manage + - names: + - .lists* + - .items* + privileges: + - read + - write + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - feature_siem.policy_management_all + - feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_all + - feature_siem.blocklist_all + - feature_siem.host_isolation_all + - feature_siem.process_operations_all + - feature_siem.actions_log_management_all + - feature_siem.file_operations_all + - feature_siem.execute_operations_all + - feature_securitySolutionCases.all + - feature_actions.all + - feature_builtInAlerts.all + - feature_osquery.all + resources: "*" + +detections_admin: + cluster: + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - 
logs-* + - packetbeat-* + - winlogbeat-* + - .lists* + - .items* + - .alerts-security* + - .siem-signals-* + - .preview.alerts-security* + - .internal.preview.alerts-security* + privileges: + - read + - write + - manage + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.all + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - feature_securitySolutionCases.all + - feature_actions.all + - feature_builtInAlerts.all + - feature_dev_tools.all + resources: "*" + +platform_engineer: + cluster: + - manage + indices: + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - .lists* + - .items* + - .alerts-security* + - .siem-signals-* + - .preview.alerts-security* + - .internal.preview.alerts-security* + privileges: + - all + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.all + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - feature_siem.policy_management_all + - feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_all + - feature_siem.blocklist_all # Elastic Defend Policy Management + - feature_siem.actions_log_management_read + - feature_securitySolutionCases.all + - feature_actions.all + - feature_builtInAlerts.all + - feature_fleet.all + - feature_fleetv2.all + - feature_osquery.all + resources: "*" + +endpoint_operations_analyst: + cluster: + indices: + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - .lists* + - .items* + privileges: + - read + - names: + 
- .alerts-security* + - .siem-signals-* + - .preview.alerts-security* + - .internal.preview.alerts-security* + privileges: + - read + - write + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.read + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.policy_management_all + - feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_all + - feature_siem.blocklist_all + - feature_siem.host_isolation_all + - feature_siem.process_operations_all + - feature_siem.actions_log_management_all # Response History + - feature_siem.file_operations_all + - feature_siem.execute_operations_all # Execute + - feature_securitySolutionCases.all + - feature_actions.all + - feature_builtInAlerts.all + - feature_osquery.all + - feature_fleet.all + - feature_fleetv2.all + resources: "*" + +endpoint_policy_manager: + cluster: + indices: + - names: + - metrics-endpoint.metadata_current_* + - .fleet-agents* + - .fleet-actions* + privileges: + - read + - names: + - apm-*-transaction* + - traces-apm* + - auditbeat-* + - endgame-* + - filebeat-* + - logs-* + - packetbeat-* + - winlogbeat-* + - .lists* + - .items* + privileges: + - read + - names: + - .alerts-security* + - .siem-signals-* + - .preview.alerts-security* + - .internal.preview.alerts-security* + privileges: + - read + - write + - manage + applications: + - application: "kibana-.kibana" + privileges: + - feature_ml.all + - feature_siem.all + - feature_siem.read_alerts + - feature_siem.crud_alerts + - feature_siem.policy_management_all + - feature_siem.endpoint_list_all + - feature_siem.trusted_applications_all + - feature_siem.event_filters_all + - feature_siem.host_isolation_exceptions_all + - feature_siem.blocklist_all # Elastic Defend Policy Management + - feature_securitySolutionCases.all + - feature_actions.all + - feature_builtInAlerts.all + - feature_osquery.all + - feature_fleet.all + - 
feature_fleetv2.all
+      resources: "*"
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users
new file mode 100644
index 0000000000000..f15735954f759
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users
@@ -0,0 +1,13 @@
+elastic_serverless:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+system_indices_superuser:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+t1_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+t2_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+t3_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+threat_intelligence_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+rule_author:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+soc_manager:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+detections_admin:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+platform_engineer:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+endpoint_operations_analyst:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+endpoint_policy_manager:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
+reader:$2a$10$nN6sRtQl2KX9Gn8kV/.NpOLSk6Jwn8TehEDnZ7aaAgzyl/dy5PYzW
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users_roles b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users_roles
new file mode 100644
index 0000000000000..d1bbf7bb660a8
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/users_roles
@@ -0,0 +1,13 @@
+superuser:elastic_serverless
+system_indices_superuser:system_indices_superuser
+t1_analyst:t1_analyst
+t2_analyst:t2_analyst
+t3_analyst:t3_analyst
+threat_intelligence_analyst:threat_intelligence_analyst
+rule_author:rule_author
+soc_manager:soc_manager
+detections_admin:detections_admin
+platform_engineer:platform_engineer
+endpoint_operations_analyst:endpoint_operations_analyst
+endpoint_policy_manager:endpoint_policy_manager
+reader:reader
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/index.ts
new file mode 100644
index 0000000000000..23a44df2d0808
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/index.ts
@@ -0,0 +1,25 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { resolve, join } from 'path';
+import { readFileSync } from 'fs';
+
+const ES_RESOURCES_DIR = resolve(__dirname, 'es_serverless_resources');
+
+export const ES_RESOURCES = Object.freeze({
+  roles: join(ES_RESOURCES_DIR, 'roles.yml'),
+  users: join(ES_RESOURCES_DIR, 'users'),
+  users_roles: join(ES_RESOURCES_DIR, 'users_roles'),
+});
+
+export const ES_LOADED_USERS = readFileSync(ES_RESOURCES.users)
+  .toString()
+  .split(/\n/)
+  .filter((v) => !!v) // Ensure no empty strings
+  .map((userAndPasswordString) => {
+    return userAndPasswordString.split(':').at(0);
+  });
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/es_serverless/index.ts b/x-pack/plugins/security_solution/scripts/endpoint/es_serverless/index.ts
new file mode 100644
index 0000000000000..ddfb128e3e4cb
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/es_serverless/index.ts
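Review bot: `reader:reader` maps the new `reader` user to a role named `reader`, but the `roles.yml` added in this commit does not define such a role (it defines viewer, editor, t1_analyst, t2_analyst, t3_analyst, threat_intelligence_analyst, rule_author, soc_manager, detections_admin, platform_engineer, endpoint_operations_analyst and endpoint_policy_manager), so unless `reader` is provided elsewhere that account authenticates with no privileges. The same applies to `system_indices_superuser`, which is mapped here but absent from that `roles.yml`; once `--resources` replaces the default kbn-es `roles.yml`, any role the default file defined is gone unless this copy defines it too. Either add the missing roles to `roles.yml` or drop the `reader` entries from this file and from the `users` file in the preceding section.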
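Review bot: `ES_LOADED_USERS` is inferred as `(string | undefined)[]` because `.split(':').at(0)` is typed as possibly undefined, even though the preceding `filter` guarantees every line is non-empty, so any consumer that wants `string[]` has to narrow again. Using `.map((line) => line.split(':')[0] ?? line)` yields `string[]` without an assertion, and `.split(/\r?\n/)` in place of `.split(/\n/)` keeps a CRLF checkout from leaving a stray `\r` on the last field of each line. Reading the file at module load also means any importer fails at import time if the file is missing; acceptable for a dev script, but worth a one-line comment above `ES_LOADED_USERS` saying so.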
@@ -0,0 +1,79 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { run, type RunContext } from '@kbn/dev-cli-runner';
+import { cyan, gray } from 'chalk';
+import execa from 'execa';
+import { REPO_ROOT } from '@kbn/repo-info';
+import { join } from 'path';
+import { ColumnLayoutFormatter } from '../common/screen/column_layout_formatter';
+import { ES_LOADED_USERS, ES_RESOURCES } from '../common/roles_users/serverless';
+
+export const cli = async () => {
+  return run(
+    async (cliContext: RunContext) => {
+      const exeScript = join(REPO_ROOT, 'scripts', 'es');
+      const callingArgs = process.argv.slice(2);
+
+      if (!callingArgs.includes('serverless')) {
+        callingArgs.unshift('serverless');
+      }
+
+      callingArgs.push(
+        ...Object.values(ES_RESOURCES).reduce((acc, resourcePath) => {
+          acc.push('--resources', resourcePath);
+          return acc;
+        }, [] as string[])
+      );
+
+      cliContext.log.info(`
+Starting ES with supported Security project roles and users.
+User accounts available for login:
+
+${
+  new ColumnLayoutFormatter(
+    [
+      ['USERNAME', '-'.repeat(20), ...ES_LOADED_USERS.map((u) => cyan(u))].join('\n'),
+
+      [
+        'PASSWORD',
+        '-'.repeat(20),
+        ' ',
+        ' ',
+        gray('Password for all'),
+        gray('accounts set'),
+        `${gray('to:')} ${cyan('changeme')}`,
+      ].join('\n'),
+    ],
+    { separator: ' ', widths: [50, 40] }
+  ).output
+}
+`);
+
+      cliContext.log.info(gray(`node ${exeScript} ${callingArgs.join(' ')}`));
+
+      await execa.node(exeScript, callingArgs, {
+        stderr: 'inherit',
+        stdout: 'inherit',
+      });
+    },
+    {
+      description: `ES serverless start script for Security project.
+This is a bypass utility that calls ${cyan('yarn es serverless')} along with some default options
+that will enable users and roles to be loaded into ES.
+`,
+      flags: {
+        allowUnexpected: true,
+        help: `
+Any option supported by ${cyan('yarn es')} can also be used with this utility.
+
+For more on ${cyan('yarn es')} usage, enter: ${cyan('yarn es --help')}
+`,
+      },
+    }
+  );
+};
diff --git a/x-pack/plugins/security_solution/scripts/endpoint/start_es_serverless_with_security_users.js b/x-pack/plugins/security_solution/scripts/endpoint/start_es_serverless_with_security_users.js
new file mode 100644
index 0000000000000..14169bc43ed08
--- /dev/null
+++ b/x-pack/plugins/security_solution/scripts/endpoint/start_es_serverless_with_security_users.js
@@ -0,0 +1,9 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+require('../../../../../src/setup_node_env');
+require('./es_serverless').cli();
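Review bot: The bundled `--resources` values are appended after the user's own arguments, and in `setupServerlessVolumes` (packages/kbn-es/src/utils/docker.ts, earlier in this commit) a later `--resources` value with the same basename overwrites an earlier one, so a user who passes `--resources=./my/users` to this wrapper silently gets the bundled `users` instead, at odds with the help text's promise that any `yarn es` option can be used here. Inserting the defaults right after the `serverless` token instead, e.g. `callingArgs.splice(callingArgs.indexOf('serverless') + 1, 0, ...Object.values(ES_RESOURCES).flatMap((p) => ['--resources', p]));`, lets user-supplied overrides win while keeping the subcommand first. The `reduce` that builds the flag pairs is also a plain `flatMap`.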