-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Cases] [Security Solution] New cases subfeatures, add comments and reopen cases #194898
Changes from 39 commits
151f3e8
fa4cd43
ad8b154
c7e7ffd
b15b1f5
9fe5c56
25ccd1e
10d5265
8346f14
ec76101
a157ada
185d0ff
c37c224
01c1e73
21fcf2c
9cbadd8
910f979
2084b46
00a5213
28c9c1c
e707106
e21459f
bca4b76
f05411f
1755f43
8c25a54
355ad62
de8f012
8447c29
dc001ea
a9b9fc1
728a479
3ec1a7b
8db6f3e
a32a26b
a3f3322
1ee0f75
29f22e8
3c9a0ae
c5688d5
bc66e94
af31474
cf33281
8532f42
54da9c3
042b461
709e653
c32846d
d735c65
ac1eb26
4927d34
4daca54
9b6b3ef
38cce3f
5caf97e
5cb7c46
c307b1c
45cd5dd
f5dd06c
d449b8e
ca96951
13241af
8f4e89d
cacb5d1
e8ddbe1
f8eafdd
f46aa01
ffe55a3
262b23f
10f100e
bb519e5
d5b638f
e0b6ea5
245fd3c
3aa925d
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -46,7 +46,7 @@ viewer: | |
- feature_siem.read | ||
- feature_siem.read_alerts | ||
- feature_siem.endpoint_list_read | ||
- feature_securitySolutionCases.read | ||
- feature_securitySolutionCasesV2.read | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Are these new privileges for all these roles also updated in the elasticsearch-controller repo? The privileges in this file here should be a copy of those. If not, I'd suggest you create a PR on the other repo first, to update the privileges before merging this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The privileges in There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
As I explained in https://github.com/elastic/kibana/pull/194898/files#r1801715345, it might be easier to do it the other way around: first merge the PR, wait until the changes reach production, and then drop legacy privileges from the predefined roles. Alternatively, you could update the predefined roles first, but you’d need to keep both old and new privileges since we’ll have Kibana pods running on different versions simultaneously, and later update predefined roles once again to remove legacy privileges. |
||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -126,7 +126,7 @@ editor: | |
- feature_siem.process_operations_all | ||
- feature_siem.actions_log_management_all # Response actions history | ||
- feature_siem.file_operations_all | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -175,7 +175,7 @@ t1_analyst: | |
- feature_siem.read | ||
- feature_siem.read_alerts | ||
- feature_siem.endpoint_list_read | ||
- feature_securitySolutionCases.read | ||
- feature_securitySolutionCasesV2.read | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -230,7 +230,7 @@ t2_analyst: | |
- feature_siem.read | ||
- feature_siem.read_alerts | ||
- feature_siem.endpoint_list_read | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -300,7 +300,7 @@ t3_analyst: | |
- feature_siem.actions_log_management_all # Response actions history | ||
- feature_siem.file_operations_all | ||
- feature_siem.scan_operations_all | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -362,7 +362,7 @@ threat_intelligence_analyst: | |
- feature_siem.all | ||
- feature_siem.endpoint_list_read | ||
- feature_siem.blocklist_all | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -430,7 +430,7 @@ rule_author: | |
- feature_siem.host_isolation_exceptions_read | ||
- feature_siem.blocklist_all # Elastic Defend Policy Management | ||
- feature_siem.actions_log_management_read | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.read | ||
|
@@ -502,7 +502,7 @@ soc_manager: | |
- feature_siem.file_operations_all | ||
- feature_siem.execute_operations_all | ||
- feature_siem.scan_operations_all | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.all | ||
|
@@ -562,7 +562,7 @@ detections_admin: | |
- feature_siem.all | ||
- feature_siem.read_alerts | ||
- feature_siem.crud_alerts | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.all | ||
|
@@ -621,7 +621,7 @@ platform_engineer: | |
- feature_siem.host_isolation_exceptions_all | ||
- feature_siem.blocklist_all # Elastic Defend Policy Management | ||
- feature_siem.actions_log_management_read | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.all | ||
|
@@ -694,7 +694,7 @@ endpoint_operations_analyst: | |
- feature_siem.file_operations_all | ||
- feature_siem.execute_operations_all | ||
- feature_siem.scan_operations_all | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.all | ||
|
@@ -769,7 +769,7 @@ endpoint_policy_manager: | |
- feature_siem.event_filters_all | ||
- feature_siem.host_isolation_exceptions_all | ||
- feature_siem.blocklist_all # Elastic Defend Policy Management | ||
- feature_securitySolutionCases.all | ||
- feature_securitySolutionCasesV2.all | ||
- feature_securitySolutionAssistant.all | ||
- feature_securitySolutionAttackDiscovery.all | ||
- feature_actions.all | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -35,7 +35,7 @@ | |
"siem": ["read", "read_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["read"], | ||
"securitySolutionCasesV2": ["read"], | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. same here @azasypkin - should both versions be kept? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Same answer here: you can keep just the latest in dev-only files, but production will require a bit of coordination. |
||
"actions": ["read"], | ||
"builtInAlerts": ["read"] | ||
}, | ||
|
@@ -82,7 +82,7 @@ | |
"siem": ["read", "read_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["read"], | ||
"securitySolutionCasesV2": ["read"], | ||
"actions": ["read"], | ||
"builtInAlerts": ["read"] | ||
}, | ||
|
@@ -150,7 +150,7 @@ | |
"actions_log_management_all", | ||
"file_operations_all" | ||
], | ||
"securitySolutionCases": ["all"], | ||
"securitySolutionCasesV2": ["all"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"actions": ["read"], | ||
|
@@ -210,7 +210,7 @@ | |
"siem": ["all", "read_alerts", "crud_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["all"], | ||
"securitySolutionCasesV2": ["all"], | ||
"actions": ["read"], | ||
"builtInAlerts": ["all"] | ||
}, | ||
|
@@ -263,7 +263,7 @@ | |
"siem": ["all", "read_alerts", "crud_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["all"], | ||
"securitySolutionCasesV2": ["all"], | ||
"actions": ["all"], | ||
"builtInAlerts": ["all"] | ||
}, | ||
|
@@ -311,7 +311,7 @@ | |
"siem": ["all", "read_alerts", "crud_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["all"], | ||
"securitySolutionCasesV2": ["all"], | ||
"actions": ["read"], | ||
"builtInAlerts": ["all"], | ||
"dev_tools": ["all"] | ||
|
@@ -366,7 +366,7 @@ | |
"siem": ["all", "read_alerts", "crud_alerts"], | ||
"securitySolutionAssistant": ["all"], | ||
"securitySolutionAttackDiscovery": ["all"], | ||
"securitySolutionCases": ["all"], | ||
"securitySolutionCasesV2": ["all"], | ||
"actions": ["all"], | ||
"builtInAlerts": ["all"] | ||
}, | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import { i18n } from '@kbn/i18n'; | ||
|
||
import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; | ||
import { KibanaFeatureScope } from '@kbn/features-plugin/common'; | ||
import type { BaseKibanaFeatureConfig } from '../../types'; | ||
import { APP_ID, CASES_FEATURE_ID, CASES_FEATURE_ID_V2 } from '../../constants'; | ||
import type { CasesFeatureParams } from '../types'; | ||
|
||
/** | ||
* @deprecated Use getCasesBaseKibanaFeatureV2 instead | ||
*/ | ||
export const getCasesBaseKibanaFeature = ({ | ||
uiCapabilities, | ||
apiTags, | ||
savedObjects, | ||
}: CasesFeatureParams): BaseKibanaFeatureConfig => { | ||
return { | ||
deprecated: { | ||
notice: i18n.translate( | ||
'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCase.deprecationMessage', | ||
{ | ||
defaultMessage: | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Note We don’t need to do anything right now, but eventually, when we start displaying this to our users, we might need to rephrase it since interactive users won’t understand what |
||
'The {currentId} permissions are deprecated, please see {casesFeatureIdV2}.', | ||
values: { | ||
currentId: CASES_FEATURE_ID, | ||
casesFeatureIdV2: CASES_FEATURE_ID_V2, | ||
}, | ||
} | ||
), | ||
}, | ||
id: CASES_FEATURE_ID, | ||
name: i18n.translate( | ||
'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated', | ||
{ | ||
defaultMessage: 'Cases (Deprecated)', | ||
} | ||
), | ||
order: 1100, | ||
category: DEFAULT_APP_CATEGORIES.security, | ||
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security], | ||
app: [CASES_FEATURE_ID, 'kibana'], | ||
catalogue: [APP_ID], | ||
cases: [APP_ID], | ||
privileges: { | ||
all: { | ||
api: apiTags.all, | ||
app: [CASES_FEATURE_ID, 'kibana'], | ||
catalogue: [APP_ID], | ||
cases: { | ||
create: [APP_ID], | ||
read: [APP_ID], | ||
update: [APP_ID], | ||
}, | ||
savedObject: { | ||
all: [...savedObjects.files], | ||
read: [...savedObjects.files], | ||
}, | ||
ui: uiCapabilities.all, | ||
replacedBy: [ | ||
{ | ||
feature: CASES_FEATURE_ID_V2, | ||
privileges: ['minimal_all', 'create_comment', 'case_reopen'], | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Users currently with 'all For more on There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Important I believe we agreed in #194898 (comment) to use "extended" syntax to have separate definition for |
||
}, | ||
], | ||
}, | ||
read: { | ||
api: apiTags.read, | ||
app: [CASES_FEATURE_ID, 'kibana'], | ||
catalogue: [APP_ID], | ||
cases: { | ||
read: [APP_ID], | ||
}, | ||
savedObject: { | ||
all: [], | ||
read: [...savedObjects.files], | ||
}, | ||
ui: uiCapabilities.read, | ||
replacedBy: [{ feature: CASES_FEATURE_ID_V2, privileges: ['read'] }], | ||
}, | ||
}, | ||
}; | ||
}; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { ProductFeatureCasesKey, CasesSubFeatureId } from '../../product_features_keys'; | ||
import type { ProductFeatureKibanaConfig } from '../../types'; | ||
|
||
export type DefaultCasesProductFeaturesConfig = Record< | ||
ProductFeatureCasesKey, | ||
ProductFeatureKibanaConfig<CasesSubFeatureId> | ||
>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@azasypkin is the expectation to keep both versions since the original
feature_securitySolutionCases
isn't "technically" gone, just deprecated? What would be the expectations be for serverless roles?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Important
This file is used for development, so you can safely remove the old privileges. However, for the real predefined roles defined in the ES controller Helm chart values, you’ll want to keep the old definitions until your changes are fully promoted to all environments, as there will be pods with different Kibana versions interacting with ES at the same time. Once your changes are fully deployed in Serverless production, you should be able to safely update the definitions in the ES controller to replace the privileges of the deprecated features.
(Corrected my original message, I shouldn’t write comments at night 🙈)