-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Detections] Adds scripts to create users + roles based on specific privileges #81866
[Security Solution] [Detections] Adds scripts to create users + roles based on specific privileges #81866
Conversation
75b148f
to
ff483e2
Compare
2d3c176
to
d979011
Compare
@elasticmachine merge upstream |
e66e3a8
to
365ddea
Compare
x-pack/plugins/security_solution/server/lib/detection_engine/scripts/roles_users/README.md
Outdated
Show resolved
Hide resolved
...n/server/lib/detection_engine/scripts/roles_users/detections_admin/delete_detections_user.sh
Show resolved
Hide resolved
...ty_solution/server/lib/detection_engine/scripts/roles_users/hunter/delete_detections_user.sh
Show resolved
Hide resolved
..._solution/server/lib/detection_engine/scripts/roles_users/t1_analyst/post_detections_user.sh
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Checked out, tested scripts locally and all is awesome! 😀
Thanks so much for taking the time to get this foundation in place @dhurley14! This is huge for expanding our test coverage and improving our confidence in testing features with less permissive users/roles. Really appreciate the additional readme's and sample cypress test/helpers to get people using these scripts in their tests too.
I did leave a few nits you'll probably want to address, but overall this LGTM so approving! 👍 🚀
I am curious what we can do to leverage these from within the x-pack/test/detection_engine_api_integration
FTR tests -- any thoughts on how we could wire these up with supertest
, or at least during test environment setup?
365ddea
to
7c0c02a
Compare
ce3a417
to
57d62f5
Compare
…ith the users and inferring what the roles are supposed to do
…o sample tests showing example usage
aac9642
to
ed09038
Compare
@elasticmachine merge upstream |
d718ba8
to
ed09038
Compare
@elasticmachine merge upstream |
@@ -157,6 +161,79 @@ export default ({ getService }: FtrProviderContext) => { | |||
); | |||
expect(everySignalClosed).to.eql(true); | |||
}); | |||
|
|||
it('should NOT be able to close signals with t1 analyst user', async () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good! Thanks for adding these functional tests -- I think this gives everyone what they need to test all the different permission permutations when building out new features. This'll go a long way @dhurley14! 🙂
@elasticmachine merge upstream |
0388de3
to
ab2c851
Compare
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
… based on specific privileges (elastic#81866) * shell scripts for creating roles + users for testing * update readme's and updated privilege requirements based on testing with the users and inferring what the roles are supposed to do * update role privileges based on feedback meeting yesterday * updated scripts to accept filepath to role / user, added a test to ensure upload value list button is disabled * updated role scripts to be parameterized * adds login with role function and adds a sample test with a role to test that a t1 analyst user cannot upload a value list * add object with corresponding roles * fix spacing * parameterize urls for basic auth with roles + users * forgot to change the cy.visit string * add KIBANA_URL env var for cli runner * add env vars for curl script execution * second script * update readme's for each role and remove create_index from lists privilege for the soc manager role * remove 'manage' cluster privilege for rule author * remove 'create_index' privilege from soc_manager role since that is not parity with the security workflows spreadsheet * update the login function logic with glo's feedback * replace SIEM with Security Solution in markdown files * make role param optional not just undefined * remove unused file * add copyright to scripts files * update top-level README for roles scripts * remove reference to internal spreadsheet and reference readme for this pr * remove unnecessary -XPOST and remove verbose mode from post_detections_user script * adds utils for running integration tests with other users and adds two sample tests showing example usage * minor type updates and small refactor * fix x-pack/test types * use enum types instead of custom type * fix path to json Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]>
… roles based on specific privileges (#81866) (#83861) * shell scripts for creating roles + users for testing * update readme's and updated privilege requirements based on testing with the users and inferring what the roles are supposed to do * update role privileges based on feedback meeting yesterday * updated scripts to accept filepath to role / user, added a test to ensure upload value list button is disabled * updated role scripts to be parameterized * adds login with role function and adds a sample test with a role to test that a t1 analyst user cannot upload a value list * add object with corresponding roles * fix spacing * parameterize urls for basic auth with roles + users * forgot to change the cy.visit string * add KIBANA_URL env var for cli runner * add env vars for curl script execution * second script * update readme's for each role and remove create_index from lists privilege for the soc manager role * remove 'manage' cluster privilege for rule author * remove 'create_index' privilege from soc_manager role since that is not parity with the security workflows spreadsheet * update the login function logic with glo's feedback * replace SIEM with Security Solution in markdown files * make role param optional not just undefined * remove unused file * add copyright to scripts files * update top-level README for roles scripts * remove reference to internal spreadsheet and reference readme for this pr * remove unnecessary -XPOST and remove verbose mode from post_detections_user script * adds utils for running integration tests with other users and adds two sample tests showing example usage * minor type updates and small refactor * fix x-pack/test types * use enum types instead of custom type * fix path to json Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]> Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Xavier Mouligneau <[email protected]>
…g to info so they persist when dismissed (#84904) **Addresses:** #76587 ## Summary In this PR I'm doing basically 2 things: 1. Making readonly callouts we have in Detections `primary` instead of `warning` and thus persistable in local storage (if a callout is dismissed, we remember it there) 2. Creating a reusable implementation for that. TODO: - [x] Adjust all callouts used in Detections to be of type `primary` - [x] Implement the local storage logic (dumb) - [x] Implement the local storage logic (reusable) - [x] Add a new user role: "Reader" (read-only user) - [x] Add Cypress tests Out of scope: - Add unit tests. I'll probably address this in a follow-up PR. Do you think it's worth it or better to wait until the rework (see the next point)? - Rework callouts to standardise them across Detections, Cases and other parts of the Security app? See my comment below in this PR. ## Screen recordings Quick demo of how this implementation works: - [primary callouts](https://drive.google.com/file/d/1SYQd_ihKPvzlVUxELI8qNEqLBOkL18Gd/view?usp=sharing) - [warning, danger](https://drive.google.com/file/d/1lrAFPyXNjOYSiEsUXxY_fjXsvmyDcdWY/view?usp=sharing) (callout types here were manually adjusted) ## Additional notes Cypress tests are based on the work done in #81866. ![](https://puu.sh/GXwOd/1c855cb03f.png)
…g to info so they persist when dismissed (elastic#84904) **Addresses:** elastic#76587 ## Summary In this PR I'm doing basically 2 things: 1. Making readonly callouts we have in Detections `primary` instead of `warning` and thus persistable in local storage (if a callout is dismissed, we remember it there) 2. Creating a reusable implementation for that. TODO: - [x] Adjust all callouts used in Detections to be of type `primary` - [x] Implement the local storage logic (dumb) - [x] Implement the local storage logic (reusable) - [x] Add a new user role: "Reader" (read-only user) - [x] Add Cypress tests Out of scope: - Add unit tests. I'll probably address this in a follow-up PR. Do you think it's worth it or better to wait until the rework (see the next point)? - Rework callouts to standardise them across Detections, Cases and other parts of the Security app? See my comment below in this PR. ## Screen recordings Quick demo of how this implementation works: - [primary callouts](https://drive.google.com/file/d/1SYQd_ihKPvzlVUxELI8qNEqLBOkL18Gd/view?usp=sharing) - [warning, danger](https://drive.google.com/file/d/1lrAFPyXNjOYSiEsUXxY_fjXsvmyDcdWY/view?usp=sharing) (callout types here were manually adjusted) ## Additional notes Cypress tests are based on the work done in elastic#81866. ![](https://puu.sh/GXwOd/1c855cb03f.png)
…g to info so they persist when dismissed (#84904) (#86047) **Addresses:** #76587 ## Summary In this PR I'm doing basically 2 things: 1. Making readonly callouts we have in Detections `primary` instead of `warning` and thus persistable in local storage (if a callout is dismissed, we remember it there) 2. Creating a reusable implementation for that. TODO: - [x] Adjust all callouts used in Detections to be of type `primary` - [x] Implement the local storage logic (dumb) - [x] Implement the local storage logic (reusable) - [x] Add a new user role: "Reader" (read-only user) - [x] Add Cypress tests Out of scope: - Add unit tests. I'll probably address this in a follow-up PR. Do you think it's worth it or better to wait until the rework (see the next point)? - Rework callouts to standardise them across Detections, Cases and other parts of the Security app? See my comment below in this PR. ## Screen recordings Quick demo of how this implementation works: - [primary callouts](https://drive.google.com/file/d/1SYQd_ihKPvzlVUxELI8qNEqLBOkL18Gd/view?usp=sharing) - [warning, danger](https://drive.google.com/file/d/1lrAFPyXNjOYSiEsUXxY_fjXsvmyDcdWY/view?usp=sharing) (callout types here were manually adjusted) ## Additional notes Cypress tests are based on the work done in #81866. ![](https://puu.sh/GXwOd/1c855cb03f.png)
Summary
As we add acute restrictions based on privileges to external plugins we need a quick, reproducible process to ensure these privilege checks and the UI restrictions put in place do not change unexpectedly. I have added scripts which will create a role + user to mimic the privileges described in the below chart. The originating spreadsheet contains descriptions of document-level security which has not been implemented yet and is not represented in the below recreation of that chart. This should get us pretty far though. Also included in this PR is a sample cypress test to provide guidance on how these scripts can be utilized to perform automated testing of privilege checks against certain features in Detections and across the Security Solution.
Checklist
Delete any items that are not applicable to this PR.
For maintainers