Skip to content

[Security Solution][Detections] Loosen lists permissions #75378

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Aug 19, 2020
Merged

[Security Solution][Detections] Loosen lists permissions #75378

merged 3 commits into from
Aug 19, 2020

Conversation

@rylnd
Copy link
Contributor

@rylnd rylnd commented Aug 18, 2020
edited
Loading

Summary

In 7.9 we required that a user has write permissions to the lists indexes in order to use Detections. This relaxes that requirement, leaving the following behaviors:

  1. If the lists indexes do not exist, we show a configuration page if the user cannot create them (lists manage)
  2. If the lists indexes exist but the user cannot write to them (lists write), we disable the "Upload Value Lists" modal button

Review Steps

  1. Setup: a kibana instance with Security Solution enabled and set up
    • namely: both the alerts and lists indexes are created
  2. Create a user with the following permissions:
    Home_-_Elastic
    Home_-_Elastic
  3. Navigate to detections and verify that:
    1. No "needs configuration" screen is displayed, and instead you can interact with the plugin
    2. The "Upload Value Lists" modal button is disabled

Checklist

Delete any items that are not applicable to this PR.

  • Documentation was added for features that require explanation or tutorials

For maintainers

rylnd added 3 commits August 18, 2020 12:48
@rylnd
Allow read-only lists users to use Detections if lists indexes exist
06e554e 
We were previously showing them a configuration page, which was
incorrect. The only place we require the write permission is the value
lists modal, which is now hidden if that permission is absent.
@rylnd
Disable the Value Lists modal when the user cannot write lists
a119d84 
If the user does not have permission to write to the lists index, they
should not be able to CRUD value lists.
@rylnd
style: Remove unnecessary useCallbacks
f856762 
* Replaces useCallback functions with inline anonymous functions
* Renames the modal state to be more similar to existing analogous
  modal state
@rylnd rylnd self-assigned this Aug 18, 2020
@kibanamachine
Copy link
Contributor

kibanamachine commented Aug 19, 2020

💚 Build Succeeded

Build metrics

async chunks size

id value diff baseline
securitySolution 7.2MB -201.0B 7.2MB

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@rylnd rylnd marked this pull request as ready for review August 19, 2020 00:35
@rylnd rylnd requested review from a team as code owners August 19, 2020 00:35
@elasticmachine
Copy link
Contributor

elasticmachine commented Aug 19, 2020

Pinging @elastic/siem (Team:SIEM)

FrankHassanabad
FrankHassanabad reviewed Aug 19, 2020
View reviewed changes
...s/security_solution/public/detections/containers/detection_engine/lists/use_lists_config.tsx
const needsIndexConfiguration =
needsIndex && (canManageIndex === false || (canManageIndex === true && hasIndexError));
const needsConfiguration = !enabled || canWriteIndex === false || needsIndexConfiguration;
const needsConfiguration = !enabled || needsIndexConfiguration;
Copy link
Contributor

@FrankHassanabad FrankHassanabad Aug 19, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only suggestions I would have would be if we can have tests around this area that would be pretty nice to add to the documentation and help future maintainers.

return { canManageIndex, canWriteIndex, enabled, loading, needsConfiguration };

This looks really good in that later we can push this to the "needs permissions" and make actionable UI's to tell the user what they're missing exactly and how to fix it. So this was really nice to see here.

Copy link
Contributor Author

@rylnd rylnd Aug 19, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wholeheartedly agree on the tests. I had been waiting to write a functional test for "read-only lists user can use Detections," but in the interim I will add some unit tests around these hooks in a followup PR 👍

FrankHassanabad
FrankHassanabad approved these changes Aug 19, 2020
View reviewed changes
Copy link
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, appreciate the speed and response to this on top of all the other #1 priorities going on.

@rylnd rylnd merged commit 32c23ea into elastic:master Aug 19, 2020
@rylnd rylnd deleted the loosen_lists_permissions branch August 19, 2020 16:25
This was referenced Aug 19, 2020
Merged
Merged
rylnd added a commit to rylnd/kibana that referenced this pull request Aug 19, 2020
@rylnd
[Security Solution][Detections] Loosen lists permissions (elastic#75378)
19969c0 
* Allow read-only lists users to use Detections if lists indexes exist

We were previously showing them a configuration page, which was
incorrect. The only place we require the write permission is the value
lists modal, which is now hidden if that permission is absent.

* Disable the Value Lists modal when the user cannot write lists

If the user does not have permission to write to the lists index, they
should not be able to CRUD value lists.

* style: Remove unnecessary useCallbacks

* Replaces useCallback functions with inline anonymous functions
* Renames the modal state to be more similar to existing analogous
  modal state
@rylnd
Copy link
Contributor Author

rylnd commented Aug 19, 2020

@benskelker This removes the write permission from the lists indexes as a requirement to use Detections.

rylnd added a commit to rylnd/kibana that referenced this pull request Aug 19, 2020
@rylnd
[Security Solution][Detections] Loosen lists permissions (elastic#75378)
9196e3a 
* Allow read-only lists users to use Detections if lists indexes exist

We were previously showing them a configuration page, which was
incorrect. The only place we require the write permission is the value
lists modal, which is now hidden if that permission is absent.

* Disable the Value Lists modal when the user cannot write lists

If the user does not have permission to write to the lists index, they
should not be able to CRUD value lists.

* style: Remove unnecessary useCallbacks

* Replaces useCallback functions with inline anonymous functions
* Renames the modal state to be more similar to existing analogous
  modal state
rylnd added a commit that referenced this pull request Aug 19, 2020
@rylnd
[Security Solution][Detections] Loosen lists permissions (#75378) (#7…
e0e50ed 
…5459)

* Allow read-only lists users to use Detections if lists indexes exist

We were previously showing them a configuration page, which was
incorrect. The only place we require the write permission is the value
lists modal, which is now hidden if that permission is absent.

* Disable the Value Lists modal when the user cannot write lists

If the user does not have permission to write to the lists index, they
should not be able to CRUD value lists.

* style: Remove unnecessary useCallbacks

* Replaces useCallback functions with inline anonymous functions
* Renames the modal state to be more similar to existing analogous
  modal state
rylnd added a commit that referenced this pull request Aug 19, 2020
@rylnd
[Security Solution][Detections] Loosen lists permissions (#75378) (#7…
3e9f98a 
…5460)

* Allow read-only lists users to use Detections if lists indexes exist

We were previously showing them a configuration page, which was
incorrect. The only place we require the write permission is the value
lists modal, which is now hidden if that permission is absent.

* Disable the Value Lists modal when the user cannot write lists

If the user does not have permission to write to the lists index, they
should not be able to CRUD value lists.

* style: Remove unnecessary useCallbacks

* Replaces useCallback functions with inline anonymous functions
* Renames the modal state to be more similar to existing analogous
  modal state
@rylnd rylnd mentioned this pull request Aug 19, 2020
Merged
3 tasks
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Contributor

elasticmachine commented Sep 23, 2021

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@FrankHassanabad FrankHassanabad FrankHassanabad approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@rylnd rylnd

Labels

release_note:fix Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.1 v7.10.0 v8.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rylnd @kibanamachine @elasticmachine @FrankHassanabad @MindyRS @spong