Skip to content

Commit

Permalink
Add upgrade assistant warning for alerts as data
Browse files Browse the repository at this point in the history
  • Loading branch information
@marshallmain
marshallmain committed Mar 14, 2022
1 parent 06d7edf commit 4c8715c
Show file tree
Hide file tree
Showing 8 changed files with 442 additions and 103 deletions.
199 changes: 199 additions & 0 deletions x-pack/plugins/security_solution/server/deprecations/alerts_as_data_privileges.test.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,199 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { deprecationsServiceMock } from 'src/core/server/mocks';
import { RegisterDeprecationsConfig } from 'src/core/server';
import { registerAlertsIndexPrivilegeDeprecations } from './alerts_as_data_privileges';
import { getRoleMock, getContextMock } from './utils.mock';

const getDependenciesMock = () => ({
deprecationsService: deprecationsServiceMock.createSetupContract(),
getKibanaRoles: jest.fn(),
applicationName: 'kibana-.kibana',
});

describe('alerts as data privileges deprecation', () => {
describe('deprecation handler', () => {
let mockDependencies: ReturnType<typeof getDependenciesMock>;
let mockContext: ReturnType<typeof getContextMock>;
let deprecationHandler: RegisterDeprecationsConfig;

beforeEach(() => {
mockContext = getContextMock();
mockDependencies = getDependenciesMock();
registerAlertsIndexPrivilegeDeprecations(mockDependencies);

expect(mockDependencies.deprecationsService.registerDeprecations).toHaveBeenCalledTimes(1);
deprecationHandler =
mockDependencies.deprecationsService.registerDeprecations.mock.calls[0][0];
});

it('returns errors from getKibanaRoles', async () => {
const errorResponse = {
errors: [
{
correctiveActions: {
manualSteps: [
"A user with the 'manage_security' cluster privilege is required to perform this check.",
],
},
level: 'fetch_error',
message: 'Error retrieving roles for privilege deprecations: Test error',
title: 'Error in privilege deprecations services',
},
],
};
mockDependencies.getKibanaRoles.mockResolvedValue(errorResponse);
const result = await deprecationHandler.getDeprecations(mockContext);
expect(result).toEqual([
{
correctiveActions: {
manualSteps: [
"A user with the 'manage_security' cluster privilege is required to perform this check.",
],
},
level: 'fetch_error',
message: 'Error retrieving roles for privilege deprecations: Test error',
title: 'Error in privilege deprecations services',
},
]);
});

it('returns no deprecation if no roles are found', async () => {
mockDependencies.getKibanaRoles.mockResolvedValue({
roles: [],
});
const result = await deprecationHandler.getDeprecations(mockContext);
expect(result).toEqual([]);
});

it('returns no deprecation when a role also has read access to the alerts-as-data index alias and backing index pattern', async () => {
mockDependencies.getKibanaRoles.mockResolvedValue({
roles: [
getRoleMock(
[
{
names: [
'other-index',
'.siem-signals-*',
'.alerts-security.alerts-*',
'.internal.alerts-security.alerts-*',
],
privileges: ['all'],
},
],
'roleWithCorrectAccess'
),
],
});
const result = await deprecationHandler.getDeprecations(mockContext);
expect(result).toEqual([]);
});

it('returns no deprecation if all roles found are internal', async () => {
const internalRoleMock = {
...getRoleMock(
[
{
names: ['other-index', '.siem-signals-*'],
privileges: ['all'],
},
],
'internalRole'
),
metadata: {
_reserved: true,
},
};
mockDependencies.getKibanaRoles.mockResolvedValue({
roles: [internalRoleMock],
});
const result = await deprecationHandler.getDeprecations(mockContext);
expect(result).toEqual([]);
});

it('returns an appropriate deprecation if roles are found', async () => {
mockDependencies.getKibanaRoles.mockResolvedValue({
roles: [
getRoleMock(
[
{
names: ['other-index', 'second-index'],
privileges: ['all'],
},
],
'irrelevantRole'
),
getRoleMock(
[
{
names: [
'other-index',
'.siem-signals-*',
'.alerts-security.alerts-*',
'.internal.alerts-security.alerts-*',
],
privileges: ['all'],
},
],
'roleWithCorrectAccess'
),
getRoleMock(
[
{
names: ['other-index', '.siem-signals-*', '.alerts-security.alerts-*'],
privileges: ['all'],
},
],
'relevantRole1'
),
getRoleMock(
[
{
names: ['other-index', '.siem-signals-*', '.internal.alerts-security.alerts-*'],
privileges: ['all'],
},
],
'relevantRole2'
),
getRoleMock(
[
{
names: ['other-index', '.siem-signals-*'],
privileges: ['all'],
},
],
'relevantRole3'
),
],
});
const result = await deprecationHandler.getDeprecations(mockContext);
expect(result).toEqual([
{
correctiveActions: {
manualSteps: [
'Update your roles to include read privileges for the detection alerts indices appropriate for that role and space(s).',
'In 8.0, users will be unable to view alerts until those permissions are added.',
'The roles that currently have read access to detection alerts indices are: relevantRole1, relevantRole2, relevantRole3',
],
},
deprecationType: 'feature',
documentationUrl:
'https://www.elastic.co/guide/en/security/8.0/whats-new.html#index-updates-8.0',
level: 'warning',
message: `In order to view detection alerts in 8.0+, users will need read privileges to new detection alerts index aliases \
(.alerts-security.alerts-<KIBANA_SPACE>) and backing indices (.internal.alerts-security.alerts-<KIBANA_SPACE>-*), \
analogous to existing detection alerts indices (.siem-signals-<KIBANA_SPACE>). \
In addition, any enabled Detection rules will be automatically disabled during the upgrade and must be manually re-enabled after \
upgrading. Rules that are automatically disabled will also automatically be tagged to assist in manually re-enabling them post-upgrade. \
Alerts created after upgrading will use a different schema.`,
title: 'The Detection Alerts index names are changing',
},
]);
});
});
});
113 changes: 113 additions & 0 deletions x-pack/plugins/security_solution/server/deprecations/alerts_as_data_privileges.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,113 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { i18n } from '@kbn/i18n';

import { DeprecationsServiceSetup } from 'src/core/server';
import type { PrivilegeDeprecationsService, Role } from '../../../security/common/model';
import { DEFAULT_SIGNALS_INDEX } from '../../common/constants';
import { roleHasReadAccess, roleIsExternal } from './utils';

const ALERTS_INDEX_PREFIX = '.alerts-security.alerts';
const INTERNAL_ALERTS_INDEX_PREFIX = '.internal.alerts-security.alerts';

const buildManualSteps = (roleNames: string[]): string[] => {
const baseSteps = [
i18n.translate('xpack.securitySolution.deprecations.alertsIndexPrivileges.manualStep1', {
defaultMessage:
'Update your roles to include read privileges for the detection alerts indices appropriate for that role and space(s).',
}),
i18n.translate('xpack.securitySolution.deprecations.alertsIndexPrivileges.manualStep2', {
defaultMessage:
'In 8.0, users will be unable to view alerts until those permissions are added.',
}),
];
const informationalStep = i18n.translate(
'xpack.securitySolution.deprecations.alertsIndexPrivileges.manualStep3',
{
defaultMessage:
'The roles that currently have read access to detection alerts indices are: {roles}',
values: {
roles: roleNames.join(', '),
},
}
);

if (roleNames.length === 0) {
return baseSteps;
} else {
return [...baseSteps, informationalStep];
}
};

interface Dependencies {
deprecationsService: DeprecationsServiceSetup;
getKibanaRoles?: PrivilegeDeprecationsService['getKibanaRoles'];
}

export const registerAlertsIndexPrivilegeDeprecations = ({
deprecationsService,
getKibanaRoles,
}: Dependencies) => {
deprecationsService.registerDeprecations({
getDeprecations: async (context) => {
let rolesWhichReadSignals: Role[] = [];

if (getKibanaRoles) {
const { roles, errors } = await getKibanaRoles({ context });
if (errors?.length) {
return errors;
}

rolesWhichReadSignals =
roles?.filter(
(role) =>
roleIsExternal(role) &&
roleHasReadAccess(role) &&
(!roleHasReadAccess(role, ALERTS_INDEX_PREFIX) ||
!roleHasReadAccess(role, INTERNAL_ALERTS_INDEX_PREFIX))
) ?? [];
}

if (rolesWhichReadSignals.length === 0) {
return [];
}

const roleNamesWhichReadSignals = rolesWhichReadSignals.map((role) => role.name);

return [
{
title: i18n.translate('xpack.securitySolution.deprecations.alertsIndexPrivileges.title', {
defaultMessage: 'The Detection Alerts index names are changing',
}),
message: i18n.translate(
'xpack.securitySolution.deprecations.alertsIndexPrivileges.message',
{
values: {
alertsIndexPrefix: ALERTS_INDEX_PREFIX,
internalAlertsIndexPrefix: INTERNAL_ALERTS_INDEX_PREFIX,
signalsIndexPrefix: DEFAULT_SIGNALS_INDEX,
},
defaultMessage: `In order to view detection alerts in 8.0+, users will need read privileges to new detection alerts index aliases \
({alertsIndexPrefix}-<KIBANA_SPACE>) and backing indices ({internalAlertsIndexPrefix}-<KIBANA_SPACE>-*), \
analogous to existing detection alerts indices ({signalsIndexPrefix}-<KIBANA_SPACE>). \
In addition, any enabled Detection rules will be automatically disabled during the upgrade and must be manually re-enabled after \
upgrading. Rules that are automatically disabled will also automatically be tagged to assist in manually re-enabling them post-upgrade. \
Alerts created after upgrading will use a different schema.`,
}
),
level: 'warning',
deprecationType: 'feature',
documentationUrl: `https://www.elastic.co/guide/en/security/8.0/whats-new.html#index-updates-8.0`,
correctiveActions: {
manualSteps: buildManualSteps(roleNamesWhichReadSignals),
},
},
];
},
});
};
Loading

0 comments on commit 4c8715c

Please sign in to comment.