[Cases] Add import/export functionality #110148
import { createCaseError, defaultSortField } from '../../common'; | ||
import { ESCaseAttributes } from '../../services/cases/types'; | ||
|
||
export async function handleExport({ |
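Review bot: `export async function handleExport({` has no comment above it in the visible lines, and the thread on this line says export deliberately skips authorization checks. Record that decision in a doc comment on the function (no Cases authorization here by design; access is gated by the Saved Objects Management privilege), so a later change neither treats the missing check as an oversight nor assumes Cases read privileges protect exported data.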
We intentionally do not want to do authorization checks while exporting because it is valid for a user to export a case while not having either security solution or observability cases read privileges.
Why is it valid? It seems like users can always read a case this way even if they do not have read access.
Christos and I talked offline. This is the current behavior with other entities within Kibana. We don't have a way to enforce the feature privileges for import/export right now.
} | ||
|
||
const [{ savedObjects }] = await coreSetup.getStartServices(); | ||
const savedObjectsClient = savedObjects.getScopedClient(context.request, { |
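Review bot: at `savedObjects.getScopedClient(context.request, {` the export builds a saved objects client directly rather than going through the Cases service layer, and the visible lines carry no comment saying why. State the reason next to the call (the service layer can mutate the returned objects), and note that any checks the service layer performs do not run on this path, so reviewers of later changes know what this client bypasses.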
I'm creating the saved objects client directly here instead of using our service layer because the service layer can mutate the data (for example creating the connector_id field when the objects are returned). We can also make more performant calls here for both the attachments and user actions at the same time using point in time searches instead of the implementation that the service layer uses.
} | ||
} | ||
|
||
async function getAttachmentsAndUserActionsForCases( |
We only need to export the attachments and user actions. The connectors are stored as outbound references so they are exported automatically by the framework.
sortField: string; | ||
type: string; | ||
}): Promise<Array<SavedObject<T>>> { | ||
const references = caseIds.map((id) => ({ type: CASE_SAVED_OBJECT, id })); |
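Review bot: `caseIds.map((id) => ({ type: CASE_SAVED_OBJECT, id }))` yields an empty `references` array when `caseIds` is empty, and nothing in the visible lines guards that case. Return an empty result early when `caseIds.length === 0`, so the search for attachments and user actions is never issued without a case reference to filter on.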
This is basically searching for all the case ids for attachments or user actions at the same time.
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Tested locally. Everything worked as expected. LGTM!
@cnasikas found an issue with the import where, if the case is deleted and then imported, it will mark the case as needing to be pushed. We talked about possible solutions for this, and there are many other situations, depending on what case is being imported, that could cause us to get into a state where we think we need to push when we actually don't need to. For now we're going to leave it as it is and investigate other possible solutions for tracking when a case needs to be pushed, like keeping a counter associated with the case to mark the sequential version of the case so that we don't need to use the user actions to determine if the case needs to be pushed.
* Working export but not import
* Adding user action import flag
* Adding a few integration tests
* Adding connector test
* Finishing integration tests
* Removing connector after each test to restore original state
* Bumping migration version for comment so
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Nice work @jonathan-buttner 🥇
* Working export but not import
* Adding user action import flag
* Adding a few integration tests
* Adding connector test
* Finishing integration tests
* Removing connector after each test to restore original state
* Bumping migration version for comment so
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jonathan Buttner <56361221+jonathan-buttner@users.noreply.github.com>
This PR allows the cases saved objects to be exported and imported. The functionality is provided through the Saved Objects Management Page.
Since cases uses inbound references, when a case is selected for export we search for all comments and user actions that reference that case.
What is exported?
Permissions
For a user to view the Saved Objects Management Page they must have the `Saved Objects Management` privilege. Granting this privilege also grants the user `all` access to all saved objects. So it is possible for a user to have no Cases privileges but still be able to import/export via the Saved Objects Management privilege.
Issues
Release note
Cases can now be imported and exported through the Saved Objects Management Page. Only the Cases themselves need to be selected for export. The Case title will be shown in the Saved Objects Management Page table's title column. Cases are also labeled with the case icon:
Rows labeled `cases-comment` or `cases-user-actions` should be ignored and not selected when exporting.
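
An added sketch, not code from this PR, of the reference handling the description outlines: selecting a case pulls in the objects that point at it (inbound) and then whatever the collected objects point to (outbound), which is why an export contains more than the rows a user ticks. It models saved objects in memory; `collectExport`, `Obj`, `Ref`, the `connector` type and the sample ids are hypothetical, and the sample data is constructed.

```typescript
// Added example: in-memory model of export by reference. All names are hypothetical.
interface Ref { type: string; id: string }
interface Obj extends Ref { references: Ref[] }

const CASE_TYPE = "cases";
// Types that reference a case (inbound references), named as on this page.
const INBOUND_TYPES = ["cases-comment", "cases-user-actions"];
const key = (r: Ref): string => r.type + ":" + r.id;

// Constructed sample store: two cases, their attachments and user actions, one connector.
const SAMPLE: Obj[] = [
  { type: "cases", id: "c1", references: [{ type: "connector", id: "conn1" }] },
  { type: "cases", id: "c2", references: [] },
  { type: "cases-comment", id: "a1", references: [{ type: "cases", id: "c1" }] },
  { type: "cases-comment", id: "a2", references: [{ type: "cases", id: "c2" }] },
  { type: "cases-user-actions", id: "u1", references: [{ type: "cases", id: "c1" }] },
  { type: "connector", id: "conn1", references: [] },
];

function collectExport(caseIds: string[], store: Obj[]): string[] {
  // No selected cases: return early so nothing is matched without a case filter.
  if (caseIds.length === 0) return [];
  const byKey: Record<string, Obj> = {};
  store.forEach((o) => { byKey[key(o)] = o; });
  const selected = caseIds.map((id) => key({ type: CASE_TYPE, id }));
  const out: Record<string, Obj> = {};
  const queue: Obj[] = [];
  const add = (o: Obj | undefined): void => {
    if (o !== undefined && out[key(o)] === undefined) {
      out[key(o)] = o;
      queue.push(o);
    }
  };
  // 1. The selected cases themselves (unknown ids are skipped).
  selected.forEach((k) => add(byKey[k]));
  // 2. Inbound: attachments and user actions that reference a selected case.
  store.forEach((o) => {
    const isInbound = INBOUND_TYPES.indexOf(o.type) !== -1;
    if (isInbound && o.references.some((r) => selected.indexOf(key(r)) !== -1)) add(o);
  });
  // 3. Outbound: follow the references of everything collected (brings the connector along).
  while (queue.length > 0) {
    const o = queue.shift() as Obj;
    o.references.forEach((r) => add(byKey[key(r)]));
  }
  return Object.keys(out).sort();
}
```

Selecting only `c1` returns its comment, its user action and the connector it references, while `c2` and its comment stay out of the export.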