[Alerting] Refactor alerts authorization client #99078
…horization client on plugin start contract
…ing/refactor-alerts-authorization
x-pack/plugins/security/server/authorization/privileges/feature_privilege_builder/alerting.ts
…ing/refactor-alerts-authorization
| authorizationType: string | ||
| ): string { | ||
| return `${authorizationResult} to ${operation} a "${alertTypeId}" alert ${ | ||
| return `${authorizationResult} to ${operation} a "${alertTypeId}" ${authorizationType} ${ |
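Review bot: `authorizationType` is declared as a plain `string` in the first line of this hunk and is then interpolated verbatim into the audit message; since the only valid entities are `rule` and `alert`, type the parameter as the `AlertingType` union used for `readOperations` elsewhere in this change, so a typo or an unexpected caller value fails at compile time instead of producing an audit line that names a non-existent entity.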
One thought that crosses my mind - once customers upgrade to 7.14 their audit logs will say rule where they used to say alert, and alert on the new Alert entities.
This means that if a user looks at their audit logs across versions they might have two audit log rows that say Alert, but in one it's a Rule and in the other an Alert.
I'm not sure what we can do about that, but perhaps it's worth making it easier to distinguish between them by changing the format in 7.14 so that the sentences at least appear different in some manner? 🤔
x-pack/plugins/security/server/authorization/actions/alerting.ts
This looks like the right direction to me 👍 This sparks joy 🎉 😉
…ing/refactor-alerts-authorization
yctercero left a comment
LGTM! I integrated this PR into the work Devin and I have been doing for RAC. There are some open questions about possible changes needed to the feature privilege builder, but I think those can be addressed as follow up to keep things flowing 🌊
Thanks so much for all these changes and the quick turnaround!
@elasticmachine merge upstream
| } | ||
|
|
||
| const readOperations: Record<AlertingType, string[]> = { | ||
| rule: ['get', 'getAlertState', 'getAlertInstanceSummary', 'find'], |
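Review bot: the `rule` entry of `readOperations` lists `getAlertState` and `getAlertInstanceSummary`, names that read as operations on the `alert` entity even though they are rule-scoped; because the operation name is interpolated into the audit message (`to ${operation} a "..."`), the mismatch surfaces in audit logs, so either rename these alongside the other terminology changes in this PR or state in the description that these operation names are intentionally left as the old ones.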
This is probably a lack of understanding on my part -- why does the rule alerting type have operations called getAlertState and getAlertInstanceSummary? Are these names holdovers from the old terminology, or are they actually operations against the alert alerting type?
Yes, these are holdovers from the old terminology and you are right, they are confusing. I will open an issue to update these separately.
I guess we can change these as part of this PR if we want, as it's under the hood and shouldn't break anything if we change it in 7.14, right? 🤔
| Authorized = 'Authorized', | ||
| } | ||
|
|
||
| export class AlertsAuthorizationAuditLogger { |
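Review bot: the class is still named `AlertsAuthorizationAuditLogger` while the PR renames `AlertsAuthorization` to `AlertingAuthorization` and the audit event prefix from `alerts_` to `alerting_`; rename the logger to match so the emitter of the `alerting_*` events is not a class carrying the old prefix, and list the new event type names in the breaking-change note since consumers filter on them.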
Since we are changing the recorded audit events, we should document this as a breaking change for the release notes
@legrego I have added the release_note:breaking label and added a line in the PR description about the change to audit events.
Thanks, @ymao1! I think it would be beneficial to our users if we also gave some examples of the changes made to the audit log. For example, mentioning that the audit event types have changed (alerts_authorization_failure -> alerting_authorization_failure, etc.)
chrisronline left a comment
LGTM! I did some basic testing around creating rules on master with various permission sets and ensuring they still work properly on the PR and it looks great to me!
@elasticmachine merge upstream
💚 Build Succeeded
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract
* Updating alerting feature privilege builder to handle different alerting types
* Passing in alerting authorization type to AlertingActions class string builder
* Passing in authorization type in each function call
* Passing in exempt consumer ids. Adding authorization type to audit logger
* Changing alertType to ruleType
* Changing alertType to ruleType
* Updating unit tests
* Updating unit tests
* Passing field names into authorization query builder. Adding kql/es dsl option
* Converting to es query if requested
* Fixing functional tests
* Removing ability to specify feature privilege name in constructor
* Fixing some types and tests
* Consolidating alerting authorization kuery filter options
* Cleanup and tests
* Cleanup and tests
* Throwing error when AlertingAuthorizationClientFactory is not defined
* Renaming authorizationType to entity
* Renaming AlertsAuthorization to AlertingAuthorization
* Fixing unit tests
* Updating privilege string terminology
* Updating privilege string terminology

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
💚 Backport successful
This backport PR will be merged automatically after passing CI.
* WIP - creating alerting authorization client factory and exposing authorization client on plugin start contract
* Updating alerting feature privilege builder to handle different alerting types
* Passing in alerting authorization type to AlertingActions class string builder
* Passing in authorization type in each function call
* Passing in exempt consumer ids. Adding authorization type to audit logger
* Changing alertType to ruleType
* Changing alertType to ruleType
* Updating unit tests
* Updating unit tests
* Passing field names into authorization query builder. Adding kql/es dsl option
* Converting to es query if requested
* Fixing functional tests
* Removing ability to specify feature privilege name in constructor
* Fixing some types and tests
* Consolidating alerting authorization kuery filter options
* Cleanup and tests
* Cleanup and tests
* Throwing error when AlertingAuthorizationClientFactory is not defined
* Renaming authorizationType to entity
* Renaming AlertsAuthorization to AlertingAuthorization
* Fixing unit tests
* Updating privilege string terminology
* Updating privilege string terminology

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: ymao1 <ying.mao@elastic.co>
Resolves #98818
Summary
Refactoring alerts authorization client to be more generic. This uses the existing alerting feature privilege model to provide `all` and `read` privileges to `rules` and `alerts`. There will be a follow-up issue to handle subfeature privilege specification. There should be no change to how the rules RBAC works functionally.

* `entity` added to the feature privilege string. Allowed entities are `rule` and `alert`
* `exemptConsumers` added to the authorization client to handle the alerting use case where `alerts` was a special consumer id with special handling
* `AlertsAuthorization` class updated to reflect updated `rule` terminology
* `getAlertingAuthorizationWithRequest` exposed through alerting plugin start to be used by other plugins
* `AlertsAuthorization` renamed to `AlertingAuthorization`
* Audit event types changed from the `alerts_` prefix to the `alerting_` prefix:
  * `alerts_authorization_failure` is now `alerting_authorization_failure`
  * `alerts_unscoped_authorization_failure` is now `alerting_unscoped_authorization_failure`
  * `alerts_authorization_success` is now `alerting_authorization_success`
* In audit event messages, `alerts` have been renamed to `rules`, for example the audit event `user Authorized to create a ".index-threshold" alert by "app"` will now read `user Authorized to create a ".index-threshold" rule by "app"`
* In audit event messages, `alert instances` have been renamed to `alert`, for example audit events for `muteInstance` and `unmuteInstance` operations will now reference `muteAlert` and `unmuteAlert`

To Verify
Checklist
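Added example, not code from this PR or from Kibana: the ambiguity raised in review (an audit line that says "alert" means a rule before 7.14 and the new Alert entity from 7.14 on) and the event-type and wording renames listed in the summary can be handled on the consuming side by normalising records with the producing version in hand, rather than by text matching alone. The record shape, the `kibanaVersion` field and the sample records are assumptions made for this example; only the renames themselves are taken from the PR description.

```typescript
// Added example for this PR thread; it is not code from the Kibana repository.
// It normalises alerting audit records written by Kibana before and after the
// 7.14 terminology change so that one query vocabulary works across versions.
// Assumptions (not from the PR): the record shape below, that the producing
// Kibana version is stored on each record, and the constructed sample records.

export interface AuditRecord {
  kibanaVersion: string; // assumed to be available on every record
  eventType: string;
  message: string;
}

// Event-type renames from the PR description: the alerts_ prefix became alerting_.
export const EVENT_TYPE_RENAMES: Readonly<Record<string, string>> = {
  alerts_authorization_failure: 'alerting_authorization_failure',
  alerts_unscoped_authorization_failure: 'alerting_unscoped_authorization_failure',
  alerts_authorization_success: 'alerting_authorization_success',
};

// Operation renames from the PR description.
export const OPERATION_RENAMES: Readonly<Record<string, string>> = {
  muteInstance: 'muteAlert',
  unmuteInstance: 'unmuteAlert',
};

// The rename shipped in 7.14, so anything older uses the old vocabulary.
export function isPre714(version: string): boolean {
  const [major, minor] = version.split('.').map(Number);
  return major < 7 || (major === 7 && minor < 14);
}

// Rewrite one pre-7.14 message into 7.14 vocabulary. Double-quoted spans (the
// rule type id and the consumer id, e.g. by "alerts") are data, not terminology,
// so they are never rewritten.
export function normalizeLegacyMessage(message: string): string {
  let out = message;
  for (const oldOp of Object.keys(OPERATION_RENAMES)) {
    out = out.replace(new RegExp(`\\b${oldOp}\\b`, 'g'), OPERATION_RENAMES[oldOp]);
  }
  // Bare "alert"/"alerts" not followed by " instance" named what 7.14 calls a rule.
  out = out.replace(
    /"[^"]*"|\balert(s?)\b(?! instance)/g,
    (m: string, plural: string) => (m.charAt(0) === '"' ? m : `rule${plural}`)
  );
  // "alert instance(s)" named what 7.14 calls alert(s).
  out = out.replace(/\balert instance(s?)\b/g, (_m: string, plural: string) => `alert${plural}`);
  return out;
}

// 7.14+ records are returned as-is: "alert" there already means the new Alert
// entity, so rewriting on message text alone would corrupt them. That is why
// the version has to travel with the record.
export function normalize(rec: AuditRecord): AuditRecord {
  if (!isPre714(rec.kibanaVersion)) {
    return rec;
  }
  return {
    ...rec,
    eventType: EVENT_TYPE_RENAMES[rec.eventType] ?? rec.eventType,
    message: normalizeLegacyMessage(rec.message),
  };
}

export function normalizeAll(records: AuditRecord[]): AuditRecord[] {
  return records.map(normalize);
}

// Constructed sample records (not real Kibana audit output).
export const SAMPLE_RECORDS: AuditRecord[] = [
  {
    kibanaVersion: '7.13.2',
    eventType: 'alerts_authorization_success',
    message: 'user Authorized to create a ".index-threshold" alert by "app"',
  },
  {
    kibanaVersion: '7.13.2',
    eventType: 'alerts_authorization_failure',
    message: 'user Unauthorized to muteInstance a ".index-threshold" alert by "alerts"',
  },
  {
    kibanaVersion: '7.14.0',
    eventType: 'alerting_authorization_success',
    message: 'user Authorized to create a ".index-threshold" rule by "app"',
  },
];
```

Run `normalizeAll` over a batch exported from both versions: the 7.14 record comes back untouched, the 7.13 event types are mapped to their `alerting_` names, and the quoted consumer id `"alerts"` survives because only bare terminology words outside quotes are rewritten.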