
[Security Solution] Realign privileges serverless and ess#207258

Closed
semd wants to merge 9 commits into elastic:main from semd:207050/realign_serverless_ess_privileges

Conversation

@semd
Contributor

@semd semd commented Jan 20, 2025

Summary

Issue: #207050

Re-consolidate the Security features and privileges for serverless and ESS environments. This was not possible before due to the lack of role migrations.

The only privilege that needs to be migrated is endpoint-exceptions, which is currently a sub-feature only in serverless projects. This PR is making this privilege a sub-feature everywhere, also in stateful environments.
It also migrates all existing roles to the new structure, preventing the introduction of breaking changes.

Next changes

After these changes, we will be able to reduce a lot of complexity from the ProductFeatures service, using the feature configs in the package as the SSoT directly.

The refactor of the ProductFeatures service will be done in a separate task, targeting 8.19/9.1, after the proposal is agreed upon by all relevant teams.
Realigning the privilege configs is the first step in that direction.

Screenshot: Endpoint exceptions sub-feature

@semd semd added labels release_note:skip (Skip the PR/issue when compiling release notes), v9.0.0, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Defend Workflows ("EDR Workflows" sub-team of Security Solution), backport:version (Backport to applied version labels) and v8.18.0 on Jan 20, 2025
@semd semd self-assigned this Jan 20, 2025
@semd semd marked this pull request as ready for review January 21, 2025 15:07
@semd semd requested review from a team as code owners January 21, 2025 15:07
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-explore (Team:Threat Hunting:Explore)

@semd
Contributor Author

semd commented Jan 22, 2025

@elasticmachine merge upstream

@semd
Contributor Author

semd commented Jan 22, 2025

I noticed a problem. It only happens with a particular set of conditions:

  • Security serverless projects
  • A custom role is defined with:
    • Security top-level feature is All.
    • Security sub-features are enabled
    • Security > Endpoint Exceptions sub-feature is Read

In this scenario, the role migration will assign Security > Endpoint Exceptions: All, a privilege not granted before. This happens because the Security minimal_all is configured to do so, which is necessary for non-serverless environments.

Changing the PR to draft while we try to find a solution that works for all environments.
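The PR description above explains the intent (make endpoint exceptions a sub-feature everywhere and migrate existing roles without breaking changes), and this comment describes the edge case where the migration over-grants. The following is an added illustration, not Kibana's code and not the mapping the PR or #219566 actually ships: a toy model of a "replacedBy"-style privilege migration, showing why a single flavor-agnostic mapping escalates a serverless role from Endpoint Exceptions: Read to All, a flavor-aware mapping that does not, and a before/after action diff a practitioner would run to catch both escalation and lost access. The feature ids (siem, siemV2), privilege ids, action strings and tables are all assumptions chosen to mirror the scenario described here.

```typescript
// Added example (not Kibana code). All feature/privilege ids and action
// strings below are hypothetical, chosen to mirror the thread's scenario.

type BuildFlavor = 'serverless' | 'traditional';
type FeaturePrivileges = Record<string, string[]>;       // feature id -> privilege ids
type ActionTable = Record<string, readonly string[]>;    // "feature:privilege" -> actions
type ReplacedBy = Record<string, string[]>;              // old privilege id -> new privilege ids

const EE_READ = 'endpoint-exceptions:read';
const EE_WRITE = 'endpoint-exceptions:write';

// Old "siem" feature. Traditional: endpoint exceptions are implied by the
// top-level privilege. Serverless: they are an explicit sub-feature.
const OLD_ACTIONS: Record<BuildFlavor, ActionTable> = {
  traditional: {
    'siem:all': ['alerts:write', EE_READ, EE_WRITE],
    'siem:minimal_all': ['alerts:write', EE_READ, EE_WRITE],
    'siem:read': ['alerts:read', EE_READ],
    'siem:minimal_read': ['alerts:read', EE_READ],
  },
  serverless: {
    'siem:all': ['alerts:write', EE_READ, EE_WRITE],
    'siem:minimal_all': ['alerts:write'],
    'siem:read': ['alerts:read', EE_READ],
    'siem:minimal_read': ['alerts:read'],
    'siem:endpoint_exceptions_all': [EE_READ, EE_WRITE],
    'siem:endpoint_exceptions_read': [EE_READ],
  },
};

// New "siemV2" feature: the same on both flavors, endpoint exceptions always a sub-feature.
const NEW_ACTIONS: ActionTable = {
  'siemV2:all': ['alerts:write', EE_READ, EE_WRITE],
  'siemV2:minimal_all': ['alerts:write'],
  'siemV2:read': ['alerts:read', EE_READ],
  'siemV2:minimal_read': ['alerts:read'],
  'siemV2:endpoint_exceptions_all': [EE_READ, EE_WRITE],
  'siemV2:endpoint_exceptions_read': [EE_READ],
};

// Flavor-agnostic mapping: right for traditional, where minimal_all implied
// endpoint-exception write, but it over-grants in serverless.
const REPLACED_BY_NAIVE: ReplacedBy = {
  all: ['all'],
  read: ['read'],
  minimal_all: ['minimal_all', 'endpoint_exceptions_all'],
  minimal_read: ['minimal_read', 'endpoint_exceptions_read'],
  endpoint_exceptions_all: ['endpoint_exceptions_all'],
  endpoint_exceptions_read: ['endpoint_exceptions_read'],
};

// Flavor-aware mapping: in serverless the sub-feature was already explicit,
// so minimal_* maps 1:1 and only the sub-feature privileges carry it over.
function replacedByFor(flavor: BuildFlavor): ReplacedBy {
  if (flavor === 'traditional') return REPLACED_BY_NAIVE;
  return { ...REPLACED_BY_NAIVE, minimal_all: ['minimal_all'], minimal_read: ['minimal_read'] };
}

function migrateRole(role: FeaturePrivileges, mapping: ReplacedBy): FeaturePrivileges {
  const out: FeaturePrivileges = {};
  for (const [feature, privs] of Object.entries(role)) {
    if (feature !== 'siem') { out[feature] = [...privs]; continue; }
    const migrated = new Set<string>();
    for (const p of privs) for (const q of mapping[p] ?? []) migrated.add(q);
    out.siemV2 = Array.from(migrated);
  }
  return out;
}

// Resolve a role to the flat set of actions it can perform.
function effectiveActions(role: FeaturePrivileges, table: ActionTable): Set<string> {
  const actions = new Set<string>();
  for (const [feature, privs] of Object.entries(role))
    for (const p of privs) for (const a of table[`${feature}:${p}`] ?? []) actions.add(a);
  return actions;
}

// The check a migration must pass: nothing gained (escalation), nothing lost (breaking change).
function diffActions(before: Set<string>, after: Set<string>): { gained: string[]; lost: string[] } {
  return {
    gained: Array.from(after).filter((a) => !before.has(a)).sort(),
    lost: Array.from(before).filter((a) => !after.has(a)).sort(),
  };
}

function auditMigration(role: FeaturePrivileges, flavor: BuildFlavor, mapping: ReplacedBy) {
  const before = effectiveActions(role, OLD_ACTIONS[flavor]);
  const after = effectiveActions(migrateRole(role, mapping), NEW_ACTIONS);
  return diffActions(before, after);
}

// The scenario from the thread: serverless custom role, Security All with
// sub-features customised and Endpoint Exceptions set to Read (constructed input).
const SERVERLESS_ROLE: FeaturePrivileges = { siem: ['minimal_all', 'endpoint_exceptions_read'] };
const TRADITIONAL_ROLE: FeaturePrivileges = { siem: ['minimal_all'] };

const naiveResult = auditMigration(SERVERLESS_ROLE, 'serverless', REPLACED_BY_NAIVE);
const fixedResult = auditMigration(SERVERLESS_ROLE, 'serverless', replacedByFor('serverless'));
const traditionalResult = auditMigration(TRADITIONAL_ROLE, 'traditional', replacedByFor('traditional'));
console.log({ naiveResult, fixedResult, traditionalResult });
```

Running the audit over every stored role (for both the naive and the flavor-aware mapping) is the concrete check that distinguishes "no breaking changes" (empty `lost`) from "no privilege escalation" (empty `gained`); the naive mapping passes the first and fails the second on the serverless role.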

@semd semd marked this pull request as draft January 22, 2025 14:31
@elasticmachine
Contributor

elasticmachine commented Jan 22, 2025

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

  • Click to trigger kibana-pull-request for this PR!
  • Click to trigger kibana-deploy-project-from-pr for this PR!

@elasticmachine
Contributor

elasticmachine commented Jan 23, 2025

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #97 / security (basic license) Privileges GET /api/security/privileges should include sub-feature privileges when respectlicenseLevel is false
  • [job] [logs] FTR Configs #44 / security Privileges GET /api/security/privileges should return a privilege map with all known privileges, without actions

Metrics [docs]

✅ unchanged

History

cc @semd

@gergoabraham
Contributor

gergoabraham commented May 5, 2025

> I noticed a problem. It only happens with a particular set of conditions:
>
>   • Security serverless projects
>   • A custom role is defined with:
>     • Security top-level feature is All.
>     • Security sub-features are enabled
>     • Security > Endpoint Exceptions sub-feature is Read
>
> In this scenario, the role migration will assign Security > Endpoint Exceptions: All, a privilege not granted before. This happens because the Security minimal_all is configured to do so, which is necessary for non-serverless environments.
>
> Changing the PR to draft while we try to find a solution that works for all environments.

Hey @semd,

I've added a PR that hopefully fixes the issue you described by adding the role migration conditionally based on build flavor. I'll add you as a reviewer; could you take a look at it sometime? I'd be happy to have your thoughts and concerns on this approach.

PR: #219566
The related commit is called "unify and migrate endpoint exceptions RBAC".

The PR is still a draft, as I'm still fixing the tests, and I'm also planning to keep the PR open for a while, so we can collect more siemV2->siemV3 migrations if needed.
