Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners and admins #189538

Closed
maxcold opened this issue Jul 30, 2024 · 4 comments · Fixed by #194224
Closed

[Bug] Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners and admins #189538

maxcold opened this issue Jul 30, 2024 · 4 comments · Fixed by #194224
Assignees
@opauloh
Labels
8.16 candidate bug Fixes for quality problems that affect the customer experience Project:Serverless Work as part of the Serverless project for its initial release Team:Cloud Security Cloud Security team related

Comments

@maxcold
Copy link
Contributor

maxcold commented Jul 30, 2024
edited by kfirpeled
Loading

Kibana version:
serverless

Describe the bug:
Users who have access to the Secuirity Project with any role, except Admin, can't access Security > Findings > Misconfigurations and Security > Rules > Benchmarks pages. These pages seem to work only for organisation owners

Steps to reproduce:

  1. Create a Security project on cloud.elastic.co
  2. As an owner install CSPM integration and wait for data ingestion
  3. Go to Project Settings > Users and Roles
  4. Invite a user to an organisation with access only to the created project and a role "Editor"
  5. Login with this new user to cloud.elastic.co and open the security project
  6. Navigate to Security > Rules > Benchmarks or Security > Findings > Misconfigurations (Vulnerabilties most likely also affected) pages and see that the findings or benchmark rules don't load

Expected behavior:
Cloud Security features should be available for users with Editor role, but even better with Editor or Viewer (only read-only features) roles

Screenshots (if relevant):

Screenshot 2024-07-30 at 17 49 34 Screenshot 2024-07-30 at 17 49 49 Screenshot 2024-07-30 at 17 50 42

Errors in browser console (if relevant):
GET /internal/cloud_security_posture/benchmarks 403 (Forbidden)

Provide logs and/or server output (if relevant):

Any additional context:
Initially I thought our features didn't work even with the Admin role, but that's because I wasn't logging out after changing the role (which might be an issue by itself in general, but not specific to us). I updated the issue to note that our features don't work with Editor and Viewer roles
A related issue in ESS

We require specific setup for users to access Cloud Security features, but the access control on Serverless is different, so we need to find a way to make our features work there

@elastic/kibana-cloud-security-posture
@maxcold maxcold added bug Fixes for quality problems that affect the customer experience Team:Cloud Security Cloud Security team related labels Jul 30, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@maxcold maxcold changed the title Cloud Security features (Misconfigurations, Benchmakrs) pages don't work for users in serverless except org owners Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners Jul 30, 2024
This was referenced Jul 30, 2024
Closed
Closed
@kfirpeled kfirpeled added 8.1 candidate 8.16 candidate Project:Serverless Work as part of the Serverless project for its initial release and removed 8.1 candidate labels Jul 31, 2024
@kfirpeled
Copy link
Contributor

Adding here relevant tickets:

@smriti0321
Copy link

@maxcold Thanks for testing this and opening the ticket-

Here is expected behaviour for Viewer and Editor roles.
We aim for consistency in ESS and Serverless for these roles. Both should be able to view the findings and dashboards, only difference between Editor and Viewer should be ability to create detection rules and enable/disable benchmark rule, later should not be able to create detection rule or disable/enable benchmark rules.

@kfirpeled kfirpeled changed the title Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners [Bug] Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners Aug 22, 2024
@maxcold maxcold changed the title [Bug] Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners [Bug] Cloud Security features (Misconfigurations, Benchmakrs pages) don't work for users in serverless except org owners and admins Sep 10, 2024
@acorretti
Copy link

Assigning @opauloh in case it's related to his current issue #188354

@opauloh opauloh mentioned this issue Sep 18, 2024
Closed
2 tasks
@opauloh opauloh mentioned this issue Sep 26, 2024
Merged
opauloh added a commit that referenced this issue Oct 8, 2024
@opauloh
[Security Solution] Add csp-rule-template to the Security Default Sav…
3862012 
…ed Objects (#194224)

## Summary

This PR fixes #189538, by adding `csp-rule-template` to the Security
Default Saved Objects.

This allows users with the [viewer
role](https://www.elastic.co/docs/current/serverless/general/assign-user-roles)
to Security projects in Serverless to see the [Cloud Security Posture
Benchmark
rules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template)
that are stored as saved objects installed with the Cloud Security
Posture integration.


### Snapshots


![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)


![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)


![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)


![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Oct 8, 2024
@opauloh
[Security Solution] Add csp-rule-template to the Security Default Sav…
11dc5c0 
…ed Objects (elastic#194224)

## Summary

This PR fixes elastic#189538, by adding `csp-rule-template` to the Security
Default Saved Objects.

This allows users with the [viewer
role](https://www.elastic.co/docs/current/serverless/general/assign-user-roles)
to Security projects in Serverless to see the [Cloud Security Posture
Benchmark
rules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template)
that are stored as saved objects installed with the Cloud Security
Posture integration.

### Snapshots

![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)

![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)

![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)

![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)

(cherry picked from commit 3862012)
kibanamachine added a commit that referenced this issue Oct 8, 2024
@kibanamachine @opauloh
[8.x] [Security Solution] Add csp-rule-template to the Security Defau…
fcd831c 
…lt Saved Objects (#194224) (#195338)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] Add csp-rule-template to the Security Default
Saved Objects (#194224)](#194224)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Paulo
Silva","email":"paulo.henrique@elastic.co"},"sourceCommit":{"committedDate":"2024-10-08T01:43:49Z","message":"[Security
Solution] Add csp-rule-template to the Security Default Saved Objects
(#194224)\n\n## Summary\r\n\r\nThis PR fixes #189538, by adding
`csp-rule-template` to the Security\r\nDefault Saved
Objects.\r\n\r\nThis allows users with the
[viewer\r\nrole](https://www.elastic.co/docs/current/serverless/general/assign-user-roles)\r\nto
Security projects in Serverless to see the [Cloud Security
Posture\r\nBenchmark\r\nrules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template)\r\nthat
are stored as saved objects installed with the Cloud Security\r\nPosture
integration.\r\n\r\n\r\n###
Snapshots\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)","sha":"3862012a31d333a75955ea5de3bc76bdcdbc656a","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:fix","v9.0.0","Team:
SecuritySolution","Team:Cloud
Security","v8.16.0","backport:version"],"title":"[Security Solution] Add
csp-rule-template to the Security Default Saved
Objects","number":194224,"url":"https://github.com/elastic/kibana/pull/194224","mergeCommit":{"message":"[Security
Solution] Add csp-rule-template to the Security Default Saved Objects
(#194224)\n\n## Summary\r\n\r\nThis PR fixes #189538, by adding
`csp-rule-template` to the Security\r\nDefault Saved
Objects.\r\n\r\nThis allows users with the
[viewer\r\nrole](https://www.elastic.co/docs/current/serverless/general/assign-user-roles)\r\nto
Security projects in Serverless to see the [Cloud Security
Posture\r\nBenchmark\r\nrules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template)\r\nthat
are stored as saved objects installed with the Cloud Security\r\nPosture
integration.\r\n\r\n\r\n###
Snapshots\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)","sha":"3862012a31d333a75955ea5de3bc76bdcdbc656a"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194224","number":194224,"mergeCommit":{"message":"[Security
Solution] Add csp-rule-template to the Security Default Saved Objects
(#194224)\n\n## Summary\r\n\r\nThis PR fixes #189538, by adding
`csp-rule-template` to the Security\r\nDefault Saved
Objects.\r\n\r\nThis allows users with the
[viewer\r\nrole](https://www.elastic.co/docs/current/serverless/general/assign-user-roles)\r\nto
Security projects in Serverless to see the [Cloud Security
Posture\r\nBenchmark\r\nrules](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/kibana/csp_rule_template)\r\nthat
are stored as saved objects installed with the Cloud Security\r\nPosture
integration.\r\n\r\n\r\n###
Snapshots\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/95b92570-ac7a-42b5-b89f-a02d5b94f3b0)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/a2aeb0a6-d10e-4864-84b9-9eaffe8ec3a2)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/9eb9fb82-3fe6-4b6d-8523-566d406406ce)\r\n\r\n\r\n![image](https://github.com/user-attachments/assets/37ebc71a-54be-4a7c-b5f8-37a1d6467816)","sha":"3862012a31d333a75955ea5de3bc76bdcdbc656a"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Paulo Silva <paulo.henrique@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@opauloh opauloh

Labels
8.16 candidate bug Fixes for quality problems that affect the customer experience Project:Serverless Work as part of the Serverless project for its initial release Team:Cloud Security Cloud Security team related
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution] Add csp-rule-template to the Security Default Saved Objects opauloh/kibana
7 participants
@acorretti @maxcold @elasticmachine @Omolola-Akinleye @opauloh @kfirpeled @smriti0321