Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SECURITY] Deprecated sub feature cases in security solutions in 7.x #113172

Merged
merged 27 commits into from
Oct 14, 2021
Merged

[SECURITY] Deprecated sub feature cases in security solutions in 7.x #113172

merged 27 commits into from
Oct 14, 2021

Conversation

XavierM
Copy link
Contributor

@XavierM XavierM commented Sep 27, 2021

Summary

Create an Upgrade Assistant automated fix to rewrite roles that are granting access to the Cases sub-feature to use the new top-level Cases feature

#109158

Checklist

Delete any items that are not applicable to this PR.

@XavierM XavierM added release_note:deprecation enhancement New value added to drive a business result Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Sep 27, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting-cases (Team:Threat Hunting:Cases)

@XavierM

This comment has been minimized.

Sign in to view
@XavierM XavierM mentioned this pull request Sep 27, 2021
Closed
1 task
XavierM
XavierM commented Sep 28, 2021
View reviewed changes
x-pack/plugins/security_solution/server/deprecation_privileges/index.ts
const siemPrivs = new Set<string>();
const casesPrivs = new Set<string>();

for (const priv of siemPrivileges) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @jonathan-buttner, your idea to use a switch and a set make it more readable and easier to understand. Thanks for the suggestion.

jonathan-buttner
jonathan-buttner previously approved these changes Sep 30, 2021
View reviewed changes
Copy link
Contributor

@jonathan-buttner jonathan-buttner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the refactor 👍 Xavier and I paired on testing this too although we didn't test a full upgrade. Might be good to get QA to test that?

@jportner jportner self-requested a review October 6, 2021 13:36
@jportner
Copy link
Contributor

jportner commented Oct 6, 2021

Will review this first thing tomorrow morning

jportner
jportner reviewed Oct 7, 2021
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed offline --

This looks great so far, but I think we need four changes:

  1. Update UI text to make sure that it is in line with the 7.16 upgrade assistant guidance
  2. The API call fails because the request payload contains an unexpected deprecationDetails field. It looks like the deprecations client is adding this automatically. We should submit a PR for 8.0/7.16 that adds a omitDeprecationDetails field, which the deprecations client should respect.
  3. Changing the existing "siem" feature privilege can unintentionally grant more access to a user in 7.16. For example, if the role has { siem: ['minimal_read'] }, the "Quick resolve" button changes that to { siem: ['read'] }. So we need to submit a PR for 8.0 that changes "siem" to something else like "securitySolutionApp", and change this code to add the new feature privilege without changing the existing one. Then, if the role has { siem: ['minimal_read'] }, the "Quick resolve" button should change that to { siem: ['minimal_read'], securitySolutionApp: ['read'] }.
  4. We should ensure that after the user fixes the role, it doesn't show in the upgrade assistant anymore. You should be able to filter out any roles that contain feature privileges for "securitySolutionApp" or "securitySolutionCases".

Another thing I thought of: if the user had a Gold license at one point, and added a role with sub-feature privileges, and then downgraded to Basic, the role's sub-feature privileges are essentially "zombie privileges" -- they exist but they don't grant access to anything. But honestly it's probably such an edge case, I don't think we really need to change this feature deprecation to take that into account. I'm interested to hear what @legrego thinks, though.

Edit: here are a couple of screenshots of the flyout in the upgrade assistant...

Current:
image

With my suggested text changes:
image

I chatted with the Stack Management team and I think we are in agreement that if there are no manual steps, the flyout should not render that "Fix manually" header at all. I'll add a comment here if they decide to update the flyout to remove that. Otherwise, we should add a manual step placeholder, like "Click the 'Quick resolve' button below", so we don't have an empty section there.

x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Show resolved Hide resolved
@jportner jportner requested review from gchaps and jportner October 7, 2021 16:19
@legrego
Copy link
Member

legrego commented Oct 7, 2021

Another thing I thought of: if the user had a Gold license at one point, and added a role with sub-feature privileges, and then downgraded to Basic, the role's sub-feature privileges are essentially "zombie privileges" -- they exist but they don't grant access to anything. But honestly it's probably such an edge case, I don't think we really need to change this feature deprecation to take that into account

It's a good question. Consider a role with siem privileges granting ['minimal_read', 'cases_read'].
Under a basic license, this role grants no access to siem, but if we run the role through the UA, then this role will (IIUC) grant read access to the new securitySolutionApp, and read access to securitySolutionCases after upgrading to 8.0.

The odds of this happening are quite small, as the license downgrade would have resulted in revoked access for one or more users, which had then gone unnoticed and uncorrected up until the point they run the UA. I'd consider this a nice-to-have, but not blocking.

Changing the existing "siem" feature privilege can unintentionally grant more access to a user in 7.16.

Great catch @jportner, sorry I hadn't considered this when we had discussed this earlier, @XavierM 😬

@jportner
Copy link
Contributor

jportner commented Oct 7, 2021

It's a good question. Consider a role with siem privileges granting ['minimal_read', 'cases_read']. Under a basic license, this role grants no access to siem, but if we run the role through the UA, then this role will (IIUC) grant read access to the new securitySolutionApp, and read access to securitySolutionCases after upgrading to 8.0.

The odds of this happening are quite small, as the license downgrade would have resulted in revoked access for one or more users, which had then gone unnoticed and uncorrected up until the point they run the UA. I'd consider this a nice-to-have, but not blocking.

Yeah, that's my understanding as well. OK, agreed that handling this is a nice-to-have but not blocking 👍

@XavierM
Copy link
Contributor Author

XavierM commented Oct 11, 2021

waiting on this PR now #114399

@XavierM
Copy link
Contributor Author

XavierM commented Oct 12, 2021

@elasticmachine merge upstream

jonathan-buttner
jonathan-buttner approved these changes Oct 12, 2021
View reviewed changes
Copy link
Contributor

@jonathan-buttner jonathan-buttner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! We tested it together 👍

@XavierM
Copy link
Contributor Author

XavierM commented Oct 12, 2021

@elasticmachine merge upstream

@jportner jportner self-requested a review October 12, 2021 14:56
@XavierM
Copy link
Contributor Author

XavierM commented Oct 12, 2021

@elasticmachine merge upstream

@XavierM
Copy link
Contributor Author

XavierM commented Oct 12, 2021

@elasticmachine merge upstream

jportner
jportner suggested changes Oct 13, 2021
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested by creating six roles:

  1. with siem: ['all']
  2. with siem: ['read']
  3. with siem: ['minimal_all', 'cases_all', 'cases_read']
  4. with siem: ['minimal_read', 'cases_read']
  5. with siem: ['minimal_all']
  6. with siem: ['minimal_read']

I would expect roles 1-4 to show in the upgrade assistant, and I would expect roles 5-6 to be hidden (because they don't currently grant access to Cases, so they don't need to be changed).

However, all roles showed in the upgrade assistant. When I clicked "Quick resolve" for role 5, of course nothing happened. Then I clicked "Quick resolve" for role 1, and refreshed, and all of the other deprecations were gone.

I think you need to make two changes and update tests accordingly; see comments below 😄

x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.ts Outdated Show resolved Hide resolved
jportner
jportner approved these changes Oct 13, 2021
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of tiny nits, but LGTM! I think we are exercising everything that we need to in the tests.

x-pack/plugins/security_solution/server/deprecation_privileges/index.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/security_solution/server/deprecation_privileges/index.test.ts Outdated Show resolved Hide resolved
@XavierM XavierM enabled auto-merge (squash) October 14, 2021 00:21
@XavierM
Copy link
Contributor Author

XavierM commented Oct 14, 2021

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@XavierM XavierM merged commit f9487cd into elastic:7.x Oct 14, 2021
This was referenced Oct 14, 2021
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jportner jportner jportner approved these changes

@jonathan-buttner jonathan-buttner jonathan-buttner approved these changes

@cnasikas cnasikas Awaiting requested review from cnasikas

@gchaps gchaps Awaiting requested review from gchaps

Assignees
No one assigned
Labels
enhancement New value added to drive a business result release_note:deprecation Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.16.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@XavierM @elasticmachine @jportner @legrego @kibanamachine @jonathan-buttner