[Response Ops][Alerting] Add additional features to alerting rules#252703
Merged
denar50 merged 41 commits intoelastic:mainfrom Mar 6, 2026
Merged
Conversation
managing the gap fill scheduler requires users to be able to read rules, backfills and schedule backfills
denar50
force-pushed
the
expose-permission-on-rules-to-modify-gap-autofill-scheduler
branch
from
d716807 to
699c3aa
Compare
denar50
added
release_note:skip
elastic-vault-github-plugin-prod
bot
requested a review
from a team
as a code owner
botelastic
bot
added
the
Team:One Workflow
dhurley14
approved these changes
Feb 17, 2026
darnautov
added
release_note:skip
Contributor
|
I think we should also update |
darnautov
reviewed
Mar 3, 2026
| }, | ||
| }, | ||
| }; | ||
|
|
Contributor
There was a problem hiding this comment.
Let's add a user with "all" on alertsFixture but with the manual_run sub-feature excluded. And use it to assert alerting.rule.all no longer implicitly grants sub-features
Suggested change
| export const AllWithoutManualRunUser: User = { | |
| username: 'all_without_manual_run', | |
| fullName: 'all_without_manual_run', | |
| password: 'all_without_manual_run-password', | |
| role: { | |
| name: 'all_without_manual_run_role', | |
| kibana: [ | |
| { | |
| feature: { | |
| actions: ['all'], | |
| alertsFixture: ['minimal_all', 'enable_disable', 'manage_rule_settings'], | |
| }, | |
| spaces: ['space1'], | |
| }, | |
| ], | |
| elasticsearch: { | |
| indices: [ | |
| { | |
| names: [`${ES_TEST_INDEX_NAME}*`], | |
| privileges: ['all'], | |
| }, | |
| ], | |
| }, | |
| }, | |
| }; |
then you can updates other tests like create_gap_auto_fill_scheduler.ts, update_gap_autp_fill_scheduler.ts etc, with assertions like "denies manual backfill scheduling when manual_run sub-feature is disabled"
Contributor
Author
There was a problem hiding this comment.
manage_rule_settings has permissions to trigger backfills though. I added two new users: one without any backfill permissions (manual_run and manage_rule_settings) and another without manage_rule_settings, and updated the tests related to gaps.
In order to verify that roles without explicit backfill features are denied even when they have alerting.rule.all
benakansara
approved these changes
Mar 5, 2026
Contributor
benakansara
left a comment
benakansara
left a comment
There was a problem hiding this comment.
actionable-obs changes LGTM
dhurley14
approved these changes
Mar 5, 2026
Contributor
dhurley14
left a comment
dhurley14
left a comment
There was a problem hiding this comment.
LGTM - unrelated to this PR but the @elastic/security-threat-hunting-investigations team is set as the only codeowners for the path x-pack/solutions/security/packages/features which I don't think is correct. We should split that up based on feature ownership, or add all the teams with features in the security solution as codeowners to that same path.
PhilippeOberti
approved these changes
Mar 5, 2026
crespocarlos
approved these changes
Mar 6, 2026
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
cc @denar50 |
kapral18
pushed a commit
to kapral18/kibana
that referenced
this pull request
Mar 9, 2026
…lastic#252703) # If you're here because your Kibana feature suddenly changed... That is happening because this PR is extracting features from `alerting.rule.all`, namely `enable`, `manual_run` and `manage_rule_settings` (see [this change](https://github.com/elastic/kibana/pull/252703/changes#diff-dc097e1e414af2ca21196b12c7d901373108da58de4dd7505cc169b0e62ec2d3L75)). Your role had `alerting.rule.all`, so I added the rest of the features to it to ensure backwards compatibility. If you think your Kibana feature doesn't need any of those, you're welcome to remove them in a follow up PR. # Summary ResposneOps previously created two alerting features on rules SOs in [this PR](elastic#237526): `enable` and `manual_run`, in order to enable the RBAC efforts in the Detection Engine. Now we are introducing a sub feature within the Rules feature inside the security solution to grant access to "rule settings management" which comprises the ability to manage the gap fill schedulers (see the ticket [here](elastic/security-team#15244)). However we encountered that there is no alerting privilege for rules that matches this new Kibana sub feature. Additionally we found that the existing `alerting.rule.all` feature does not allow us to toggle privileges off once it is granted (see the video below where we are able to bypass rules rbac permissions by calling an endpoint that performs authorization using only alerting privileges) https://github.com/user-attachments/assets/de2a38cd-259e-48aa-b1f2-a38c88f2de88 Therefore this PR : - introduces a new feature called `manage_rule_settings` feature for rule SOs in the alerting framework based on the previous PR. - fixes the issue where users with `alerting.rule.all` will always have all permissions of subfeatures even when they are explicitly toggled off through the Kibana Security role management UI. This is done by extracting the new alerting features from `alerting.rule.all` into their own features. This triggers a change in all existing Kibana features that previously included `alerting.rule.all` since now we will have to explicitly add `enable`, `manual_run` and `manage_rule_settings` in those places. # How was this tested? I put these commits on top of my branch where I have the "Rules management settings" sub feature which is using the alerting feature provided in this PR. ## `manage_rule_settings` I create a role with read only access to the rule feature and only this sub feature enable. I am then able to create operate the gap fill scheduler. See the video below 👇 https://github.com/user-attachments/assets/2bc285a4-d35a-412c-a9fd-2153fdec1b9e ## Issue with `alerting.rule.all` I created a role that has all the permissions for rules, I toggled off `enable` and then tried to reproduce the issue I previously recorded. https://github.com/user-attachments/assets/42d47fbf-5dd0-47ff-8f04-2a8f1c0591f9 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
qn895
pushed a commit
to qn895/kibana
that referenced
this pull request
Mar 11, 2026
…lastic#252703) # If you're here because your Kibana feature suddenly changed... That is happening because this PR is extracting features from `alerting.rule.all`, namely `enable`, `manual_run` and `manage_rule_settings` (see [this change](https://github.com/elastic/kibana/pull/252703/changes#diff-dc097e1e414af2ca21196b12c7d901373108da58de4dd7505cc169b0e62ec2d3L75)). Your role had `alerting.rule.all`, so I added the rest of the features to it to ensure backwards compatibility. If you think your Kibana feature doesn't need any of those, you're welcome to remove them in a follow up PR. # Summary ResposneOps previously created two alerting features on rules SOs in [this PR](elastic#237526): `enable` and `manual_run`, in order to enable the RBAC efforts in the Detection Engine. Now we are introducing a sub feature within the Rules feature inside the security solution to grant access to "rule settings management" which comprises the ability to manage the gap fill schedulers (see the ticket [here](elastic/security-team#15244)). However we encountered that there is no alerting privilege for rules that matches this new Kibana sub feature. Additionally we found that the existing `alerting.rule.all` feature does not allow us to toggle privileges off once it is granted (see the video below where we are able to bypass rules rbac permissions by calling an endpoint that performs authorization using only alerting privileges) https://github.com/user-attachments/assets/de2a38cd-259e-48aa-b1f2-a38c88f2de88 Therefore this PR : - introduces a new feature called `manage_rule_settings` feature for rule SOs in the alerting framework based on the previous PR. - fixes the issue where users with `alerting.rule.all` will always have all permissions of subfeatures even when they are explicitly toggled off through the Kibana Security role management UI. This is done by extracting the new alerting features from `alerting.rule.all` into their own features. This triggers a change in all existing Kibana features that previously included `alerting.rule.all` since now we will have to explicitly add `enable`, `manual_run` and `manage_rule_settings` in those places. # How was this tested? I put these commits on top of my branch where I have the "Rules management settings" sub feature which is using the alerting feature provided in this PR. ## `manage_rule_settings` I create a role with read only access to the rule feature and only this sub feature enable. I am then able to create operate the gap fill scheduler. See the video below 👇 https://github.com/user-attachments/assets/2bc285a4-d35a-412c-a9fd-2153fdec1b9e ## Issue with `alerting.rule.all` I created a role that has all the permissions for rules, I toggled off `enable` and then tried to reproduce the issue I previously recorded. https://github.com/user-attachments/assets/42d47fbf-5dd0-47ff-8f04-2a8f1c0591f9 --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
17 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
If you're here because your Kibana feature suddenly changed...
That is happening because this PR is extracting features from
alerting.rule.all, namelyenable,manual_runandmanage_rule_settings(see this change). Your role hadalerting.rule.all, so I added the rest of the features to it to ensure backwards compatibility. If you think your Kibana feature doesn't need any of those, you're welcome to remove them in a follow up PR.Summary
ResposneOps previously created two alerting features on rules SOs in this PR:
enableandmanual_run, in order to enable the RBAC efforts in the Detection Engine.Now we are introducing a sub feature within the Rules feature inside the security solution to grant access to "rule settings management" which comprises the ability to manage the gap fill schedulers (see the ticket here).
However we encountered that there is no alerting privilege for rules that matches this new Kibana sub feature.
Additionally we found that the existing
alerting.rule.allfeature does not allow us to toggle privileges off once it is granted (see the video below where we are able to bypass rules rbac permissions by calling an endpoint that performs authorization using only alerting privileges)rule-subfeature-issue.mov
Therefore this PR :
manage_rule_settingsfeature for rule SOs in the alerting framework based on the previous PR.alerting.rule.allwill always have all permissions of subfeatures even when they are explicitly toggled off through the Kibana Security role management UI.This is done by extracting the new alerting features from
alerting.rule.allinto their own features. This triggers a change in all existing Kibana features that previously includedalerting.rule.allsince now we will have to explicitly addenable,manual_runandmanage_rule_settingsin those places.How was this tested?
I put these commits on top of my branch where I have the "Rules management settings" sub feature which is using the alerting feature provided in this PR.
manage_rule_settingsI create a role with read only access to the rule feature and only this sub feature enable. I am then able to create operate the gap fill scheduler. See the video below 👇
alerts-rbac-test.mov
Issue with
alerting.rule.allI created a role that has all the permissions for rules, I toggled off
enableand then tried to reproduce the issue I previously recorded.alert.rule.all.fixed.mov