[Security Solution] Prevent superuser access PLI gated APIs#176165
Merged
semd merged 19 commits intoelastic:mainfrom Feb 15, 2024
Merged
[Security Solution] Prevent superuser access PLI gated APIs#176165semd merged 19 commits intoelastic:mainfrom
semd merged 19 commits intoelastic:mainfrom
Conversation
Contributor
Author
|
/ci |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
/ci |
paul-tavares
reviewed
Feb 5, 2024
x-pack/plugins/security_solution/server/endpoint/endpoint_app_context_services.ts
Outdated
Show resolved
Hide resolved
Contributor
Author
|
/ci |
Contributor
Author
|
/ci |
azasypkin
reviewed
Feb 6, 2024
x-pack/plugins/security_solution/server/lib/app_features_service/app_features_service.ts
Show resolved
Hide resolved
azasypkin
reviewed
Feb 6, 2024
x-pack/plugins/security_solution/server/lib/app_features_service/app_features_service.ts
Outdated
Show resolved
Hide resolved
azasypkin
reviewed
Feb 7, 2024
Contributor
azasypkin
left a comment
There was a problem hiding this comment.
Security-wise, the change looks good to me, thanks. I still think that re-using access: tags for feature checks adds additional risk (even though it's not planned, the Security plugin can modify the relationship between this route tag and privilege actions in the future) and a fair amount of complexity that we could potentially avoid if we could rely solely on securitySolutionAppFeature: tags for that purpose. However, if this approach brings significant value to you, I believe it's tolerable.
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
/ci |
Contributor
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Contributor
|
Pinging @elastic/security-threat-hunting-explore (Team:Threat Hunting:Explore) |
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
Author
|
@elasticmachine merge upstream |
paul-tavares
approved these changes
Feb 12, 2024
Contributor
paul-tavares
left a comment
There was a problem hiding this comment.
Thank you for all the changes - looks good 👍
Contributor
Author
|
@elasticmachine merge upstream |
Contributor
|
merge conflict between base and head |
hop-dev
approved these changes
Feb 14, 2024
Contributor
hop-dev
left a comment
There was a problem hiding this comment.
Thank for this, and the thorough entity analytics tests! 🚀
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @semd |
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this pull request
Feb 15, 2024
…176165) ## Summary This PR solves an issue with `superuser` (or any `*`) role and PLI (product level item) control. Elasticsearch _has_privileges_ API always returns _true_ on any privilege for `superuser` role, even if the privilege has never been registered (more context [here](elastic/elasticsearch#33928 (comment))), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on _complete_ tier, are also available on _essentials_ tier). ## Solution We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES _hasPrivileges_ API for RBAC. ### Changes - AppFeatures service now stores a Set with all the (`api` and `ui`) actions registered. - Endpoint authz checks the actions against AppFeatures before checking RBAC. Only for server-side. - Route `access:` tag control has been extended to check actions against AppFeatures for _securitySolution_ prefixed actions. - New `securitySolutionAppFeature:` route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed) ### Behavior change - UI: no change, everything should keep working the same way. - API: routes associated with higher product tier features (such as endpoint or entity analytics) won't be accessible for the superuser/admin role when running on lower product tiers, like _security essentials_. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
fkanout
pushed a commit
to fkanout/kibana
that referenced
this pull request
Mar 4, 2024
…176165) ## Summary This PR solves an issue with `superuser` (or any `*`) role and PLI (product level item) control. Elasticsearch _has_privileges_ API always returns _true_ on any privilege for `superuser` role, even if the privilege has never been registered (more context [here](elastic/elasticsearch#33928 (comment))), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on _complete_ tier, are also available on _essentials_ tier). ## Solution We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES _hasPrivileges_ API for RBAC. ### Changes - AppFeatures service now stores a Set with all the (`api` and `ui`) actions registered. - Endpoint authz checks the actions against AppFeatures before checking RBAC. Only for server-side. - Route `access:` tag control has been extended to check actions against AppFeatures for _securitySolution_ prefixed actions. - New `securitySolutionAppFeature:` route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed) ### Behavior change - UI: no change, everything should keep working the same way. - API: routes associated with higher product tier features (such as endpoint or entity analytics) won't be accessible for the superuser/admin role when running on lower product tiers, like _security essentials_. --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR solves an issue with
superuser(or any*) role and PLI (product level item) control.Elasticsearch has_privileges API always returns true on any privilege for
superuserrole, even if the privilege has never been registered (more context here), causing superuser to be able to access product-restricted APIs (e.g. Routes that should only be available on complete tier, are also available on essentials tier).Solution
We have the registered AppFeatures configuration locally, so we can solve the problem by checking that the action privilege exists and has been registered in the AppFeatures service, before doing any call to ES hasPrivileges API for RBAC.
Changes
apiandui) actions registered.access:tag control has been extended to check actions against AppFeatures for securitySolution prefixed actions.securitySolutionAppFeature:route tag control for non-RBAC product feature checks. (This is not being used yet, but it will be needed)Behavior change