[EDR Workflows] The host isolation exception tab is hidden on the basic license if no artifacts #192562
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
gergoabraham
left a comment
nice work, @szwarckonrad, thanks for all the cleanup as well! 👏 tested with both ESS and serverless, works well
i have only some nitpicks - see below -, other than that, i have a question regarding the feature (cc @dasansol92 @caitlinbetz)
with Basic licence, if there's a HIE after downgrade
- we show the HIE page amongst the management page, that's clear bc there the user sees all HIE entries
- but, we also show the HIE tab on the Policy Details page regardless if anything is displayed there. so the question, do we want to show the HIE tab for every integration, including the ones that do not have a HIE assigned (and there's no global HIE)?
with this modification, on Basic license the user sees this if there are some HIE left but none of those are global or assigned to the opened integration:

gergoabraham
left a comment
last nitpicks are below, but it's looking real good, thanks for the changes! 🚀
(also quickly re-tested only with ESS, still works well 👍 )
| await waitFor(() => { | ||
| expect(checkArtifactHasData).not.toHaveBeenCalled(); | ||
| expect(result.current).toBe(true); | ||
| expect(result.current.hasAccessToHostIsolationExceptions).toBe(true); |
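Review bot: `expect(checkArtifactHasData).not.toHaveBeenCalled()` sits inside the same `waitFor` callback as the positive assertion, so it is only evaluated at the moment the callback first passes and does not cover calls made after that. Consider keeping only `expect(result.current.hasAccessToHostIsolationExceptions).toBe(true)` inside `waitFor` and asserting `not.toHaveBeenCalled()` once it has resolved.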
i think a test case for isHostIsolationExceptionsAccessLoading: true would be useful, both here and in policy_details.test.tsx
ashokaditya
left a comment
Great work fixing this. 🚀 Tested it out and works as expected. I left some suggestions for you to consider.
| UpdateExceptionListItemSchema, | ||
| } from '@kbn/securitysolution-io-ts-list-types'; | ||
| import { ENDPOINT_BLOCKLISTS_LIST_ID } from '@kbn/securitysolution-list-constants'; | ||
| import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants'; |
Thanks for cleaning up the deprecations 🥇
| const redirectHostIsolationException = | ||
| isInHostIsolationExceptionsTab && | ||
| (!canReadHostIsolationExceptions || | ||
| (!isHostIsolationExceptionsAccessLoading && !hasAccessToHostIsolationExceptions)); |
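Review bot: the `!isHostIsolationExceptionsAccessLoading` guard on the last line means no redirect fires while the access check is still pending, and whether it can be dropped depends on what `hasAccessToHostIsolationExceptions` holds during loading, which these lines do not show. A short comment stating that value, and that the tab content is not rendered until loading has finished, would make the condition safe to refactor later.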
!isHostIsolationExceptionsAccessLoading check is redundant here.
| return; | ||
| } | ||
|
|
||
| const redirectHostIsolationException = |
| const redirectHostIsolationException = | |
| const shouldNotSeeHostIsolationExceptions = |
| await waitFor(() => { | ||
| expect(checkArtifactHasData).not.toHaveBeenCalled(); | ||
| expect(result.current).toBe(true); | ||
| expect(result.current.hasAccessToHostIsolationExceptions).toBe(true); |
…y/view/policy_details.test.tsx Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
💛 Build succeeded, but was flaky
…ic license if no artifacts (elastic#192562)
This PR updates how the Host Isolation Exceptions tab is displayed based on the user’s permissions and license. The tab is always visible to platinum+ users. For lower-tier licenses, a check is performed: if a user has previously defined host isolation exceptions, they will see the tab and be able to view or remove existing exceptions. If they haven’t, the tab will be hidden, and the functionality will be inaccessible.
Previously, even if a user didn’t have access to host isolation exceptions, they could still see and enter the Host Isolation Exceptions tab.
To test locally:
ESS:
1. Start ES + Kibana the regular way, with the default `trial` license.
2. Add HIE
3. Downgrade license (https://github.com/elastic/pzl-es-tools)
4. Verify that the license had been downgraded
Serverless:
1. Start Serverless ES `yarn es serverless --clean --teardown --kill -E xpack.security.authc.api_key.enabled=true -E http.host=0.0.0.0 --projectType security`
2. Start Serverless Kibana `yarn serverless-security`
3. Add HIE
4. Modify `config/serverless.security.yml` to security and endpoint essential
5. Wait for Kibana to reload
ESS: https://github.com/user-attachments/assets/75527af7-9d06-4da7-9e86-6ce6b22ac147
Serverless: https://github.com/user-attachments/assets/e89bd642-9e99-4a22-8b42-5997f7333ea6
---------
Co-authored-by: Ash <1849116+ashokaditya@users.noreply.github.com>
(cherry picked from commit 636baad)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI.
Questions ? Please refer to the Backport tool documentation
…he basic license if no artifacts (#192562) (#193711)
# Backport
This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] The host isolation exception tab is hidden on the basic license if no artifacts (#192562)](#192562)
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
Co-authored-by: Konrad Szwarc <konrad.szwarc@elastic.co>
* main: (176 commits)
  [ML][Rules] Fixes deletion in Check interval input for anomaly detection rule (elastic#193420)
  Bump maximum supported package spec version to 3.2 (elastic#193574)
  [ES|QL] new pattern for `SORT` autocomplete (elastic#193595)
  [Inventory][ECO] Entities page search bar (elastic#193546)
  [Synthetics] Remove extra overview route (elastic#192449)
  [Obs Alerts table] Fix error on clicking alert reason message (elastic#193693)
  [Migrations] Remove tests that are not applicable in 9.x (elastic#193699)
  [EDR Workflows] Set Agent Tamper Protection to false on policy unassignment (elastic#193017)
  [Inventory][ECO] Enable elastic entity model from inventory (elastic#193557)
  [EDR Workflows] The host isolation exception tab is hidden on the basic license if no artifacts (elastic#192562)
  [Entity Analytics] Ensuring definition transforms are managed (elastic#193408)
  [Automatic Import] Do not remove message field for unstructured logs (elastic#193678)
  [Fleet] Add missing permissions for connector package (elastic#193573)
  [Fleet] using @kbn/config-schema part 2 (outputs and other apis) (elastic#193326)
  [Migrations] Provide testing archives + tooling for migrations integration tests (elastic#193328)
  [ES|QL] Renames the textbased editor to esql editor (elastic#193521)
  [ES|QL] Update function metadata (elastic#193662)
  [Security Solution][Entity Analytics] Scoping the entity store to spaces (elastic#193303)
  [Docs] Update Sharing docs (elastic#190318)
  [ML] AIOps: Move Log Rate Analysis results callout to help popover. (elastic#192243)
  ...
# Conflicts:
#	x-pack/plugins/search_inference_endpoints/public/components/all_inference_endpoints/render_table_columns/render_endpoint/endpoint_info.test.tsx
#	x-pack/plugins/search_inference_endpoints/public/components/all_inference_endpoints/render_table_columns/render_endpoint/endpoint_info.tsx
This PR updates how the Host Isolation Exceptions tab is displayed based on the user’s permissions and license. The tab is always visible to platinum+ users. For lower-tier licenses, a check is performed: if a user has previously defined host isolation exceptions, they will see the tab and be able to view or remove existing exceptions. If they haven’t, the tab will be hidden, and the functionality will be inaccessible.
Previously, even if a user didn’t have access to host isolation exceptions, they could still see and enter the Host Isolation Exceptions tab.
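To test locally:
ESS:
1. Start ES + Kibana the regular way, with the default `trial` license.
2. Add HIE
3. Downgrade license (https://github.com/elastic/pzl-es-tools)
4. Verify that the license had been downgraded
Serverless:
1. Start Serverless ES `yarn es serverless --clean --teardown --kill -E xpack.security.authc.api_key.enabled=true -E http.host=0.0.0.0 --projectType security`
2. Start Serverless Kibana `yarn serverless-security`
3. Add HIE
4. Modify `config/serverless.security.yml` to security and endpoint essential
5. Wait for Kibana to reload
ESS: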
Screen.Recording.2024-09-11.at.15.27.26.mov
Serverless:
Screen.Recording.2024-09-11.at.15.47.46.mov
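The gating rule from the description above, sketched as an added example (not code from this PR or from Kibana). The tier names, `resolveHieAccess`, `decideTab` and the fail-closed handling of a failed lookup are assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not Kibana's API.
type LicenseTier = 'basic' | 'gold' | 'platinum' | 'enterprise'; // constructed set

interface HieAccess {
  loading: boolean;
  hasAccess: boolean;
}

const PLATINUM_PLUS: ReadonlySet<LicenseTier> = new Set<LicenseTier>(['platinum', 'enterprise']);

// Resolve access as the description states it: platinum+ always has access;
// lower tiers only when host isolation exceptions already exist.
async function resolveHieAccess(
  tier: LicenseTier,
  hasExistingExceptions: () => Promise<boolean>
): Promise<HieAccess> {
  if (PLATINUM_PLUS.has(tier)) {
    // The artifact lookup is skipped entirely for platinum+.
    return { loading: false, hasAccess: true };
  }
  try {
    return { loading: false, hasAccess: await hasExistingExceptions() };
  } catch {
    // Assumption: a failed lookup counts as "no access" (fail closed).
    return { loading: false, hasAccess: false };
  }
}

type TabDecision = 'show' | 'hide' | 'redirect' | 'wait';

// Decide what the policy page does with the tab for the current route.
// onHieTab is true when the user navigated straight to the HIE tab URL.
function decideTab(canRead: boolean, access: HieAccess, onHieTab: boolean): TabDecision {
  // Missing read privilege never depends on the pending lookup.
  if (!canRead) return onHieTab ? 'redirect' : 'hide';
  // While the lookup is pending, neither render the tab body nor redirect.
  if (access.loading) return onHieTab ? 'wait' : 'hide';
  if (access.hasAccess) return 'show';
  return onHieTab ? 'redirect' : 'hide';
}
```

Hiding the tab is a presentation decision only; the `redirect` outcome covers a user who opens the tab URL directly.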