[EDR Workflows] Global artifact API privilege to deprecated features #225678

Merged
gergoabraham merged 16 commits into elastic:main from gergoabraham:global-artifact-api-privilege-to-deprecated-features
Jul 15, 2025

@gergoabraham gergoabraham commented Jun 27, 2025

Summary

#219566 deprecated siemV2, and added a new global_artifact_management_all privilege. See previous PR description for diagrams.

However, the replaceBy role deprecation feature does not 'migrate' privileges completely, only copies ui: privileges.

Therefore, api:securitySolution-writeGlobalArtifacts was missing from the required places, resulting in the bug described in the original issue: https://github.com/elastic/security-team/issues/12921

This PR:

  • adds the missing api: privileges to the required places,
  • for this, it copy/pastes Endpoint Exceptions api/ui privileges directly into multiple Kibana feature versions, so it can be versioned/deprecated (its siem/siemV2 privileges differ from siemV3): 17f6397 and 4c8730e
  • adds a new backward compatibility API test, that uses the space aware feature flag to regress the bug issue

Tip

This bug was found by other backward compatibility tests, while enabling the space awareness feature flag. Those tests were skipped in the PR, and can be enabled after this fix is merged to 9.1.
https://github.com/elastic/kibana/pull/222230/files#diff-2f89ba63a6a03d9982bb0a0022c1a6e733b889aa7779a8ea9ebb771bae9e68f2

Important

The fix only affects an api privilege, that is only used behind a feature flag. Therefore, not having this fix in the next serverless promotion should not cause any issue on serverless, as serverless environment does not use this api privilege.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

@gergoabraham gergoabraham self-assigned this Jun 27, 2025
@gergoabraham gergoabraham added the release_note:skip Skip the PR/issue when compiling release notes label Jun 27, 2025
@gergoabraham gergoabraham requested a review from a team as a code owner June 27, 2025 16:09
@gergoabraham gergoabraham added the Team:Defend Workflows “EDR Workflows” sub-team of Security Solution label Jun 27, 2025
@gergoabraham gergoabraham requested review from a team as code owners June 27, 2025 16:09
@gergoabraham gergoabraham added the backport:version Backport to applied version labels label Jun 27, 2025
@gergoabraham gergoabraham requested a review from a team as a code owner June 27, 2025 16:09
@gergoabraham gergoabraham requested review from pzl and tomsonpl June 27, 2025 16:09
@elasticmachine

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@gergoabraham gergoabraham requested review from azasypkin and semd June 27, 2025 16:09
...(baseFeatureConfig.privileges.all.api ?? []),

// API access must be also added, as only UI privileges are copied when replacing a deprecated feature
`${APP_ID}-writeGlobalArtifacts`,
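
Review bot: the comment above `${APP_ID}-writeGlobalArtifacts` says why the API action is added but not what callers may rely on. Since the entry is appended unconditionally after the `baseFeatureConfig.privileges.all.api` spread, state in the comment that this action is only meaningful together with an artifact ALL privilege, as the thread below explains, and cover that pairing with a test so that a later route checking this action alone does not turn it into a standalone write grant.
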
Contributor Author

@semd @azasypkin @paul-tavares
here we have kind of a hole in the system, but i'd like to add a rationale to it.

on serverless, we provide global_artifact_management_all for users who have siem|siemV2.all (because it includes endpoint exceptions all), and not for siem|siemV2.minimal_all.

but, the api privileges do not differentiate between all and minimal_all, therefore there can be users, who have the minimal_all, but don't have any artifact write privilege, and they will still be granted the new writeGlobalArtifacts api privilege.

what can they do with it?
nothing. (@paul-tavares, please correct me if i'm wrong).
the api privilege on its own does not mean a thing. it is always used together with an artifact ALL privilege (siem.all for endpoint exceptions, siem.anything + siem.trusted_applications_all|event_filters_all|etc for others)

also, as soon as the role is updated to siemV3 (e.g. by manual update), this situation stops existing. hence, i believe we can go forward with this, for the sake of not making this even more complex.

please let me know your thoughts!

Contributor

This is correct - the privilege by itself does not grant users access to artifacts.

"api:bulkGetUserProfiles",
"api:securitySolution-entity-analytics",
"api:securitySolution-threat-intelligence",
"api:securitySolution-writeGlobalArtifacts",
Contributor Author

in this file it is visible, that api:securitySolution-writeGlobalArtifacts has 2 more occurrences than ui:siemV3/writeGlobalArtifacts, namely, the extra occurrences are in siem.minimal_all and siemV2.minimal_all.
the reason is in this comment: #225678 (comment)
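
A simplified model of the two mismatches this thread describes (a `ui:` capability carried over without its `api:` action, and the `api:` action present without the `ui:` capability), added here as an example; it is not Kibana code. The registry shape, the `replacedBy` mappings, and the `effectiveActions` and `auditDeprecated` helpers are constructed for illustration; only the privilege and action names come from the thread.

```typescript
// Simplified model, constructed for illustration; not Kibana's types or code.
type ActionId = string;

interface PrivilegeDef {
  actions: ActionId[];    // actions declared directly on the privilege
  replacedBy?: string[];  // set on deprecated privileges: "<feature>.<privilege>" ids
}

type PrivilegeRegistry = Record<string, PrivilegeDef>;

type Finding = {
  privilege: string;
  kind: 'ui-without-api' | 'api-without-ui';
  action: ActionId;
};

const WRITE_UI: ActionId = 'ui:siemV3/writeGlobalArtifacts';
const WRITE_API: ActionId = 'api:securitySolution-writeGlobalArtifacts';

// UI capability -> API action that the thread treats as a pair.
const PAIRED_ACTIONS: Array<[ActionId, ActionId]> = [[WRITE_UI, WRITE_API]];

// Assumption of this model: a role holding a deprecated privilege gets that
// privilege's own actions plus only the ui: actions of its replacements,
// which is how the PR description characterises the replacement step.
function effectiveActions(registry: PrivilegeRegistry, id: string): Set<ActionId> {
  const own = registry[id];
  if (!own) throw new Error(`unknown privilege: ${id}`);
  const granted = new Set<ActionId>(own.actions);
  for (const targetId of own.replacedBy ?? []) {
    const target = registry[targetId];
    if (!target) throw new Error(`${id} is replaced by unknown privilege: ${targetId}`);
    for (const action of target.actions) {
      if (action.startsWith('ui:')) granted.add(action);
    }
  }
  return granted;
}

// Report every deprecated privilege whose effective actions contain only one
// half of a ui:/api: pair.
function auditDeprecated(registry: PrivilegeRegistry): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(registry).sort()) {
    if (!registry[id].replacedBy) continue; // only deprecated privileges are audited
    const granted = effectiveActions(registry, id);
    for (const [ui, api] of PAIRED_ACTIONS) {
      if (granted.has(ui) && !granted.has(api)) {
        findings.push({ privilege: id, kind: 'ui-without-api', action: api });
      }
      if (granted.has(api) && !granted.has(ui)) {
        findings.push({ privilege: id, kind: 'api-without-ui', action: api });
      }
    }
  }
  return findings;
}

// Constructed sample data. Only the two actions under discussion are modelled.
const SIEM_V3: PrivilegeRegistry = {
  'siemV3.all': { actions: [] },
  'siemV3.minimal_all': { actions: [] },
  'siemV3.global_artifact_management_all': { actions: [WRITE_UI, WRITE_API] },
};

// Before the fix: the deprecated privileges declare no api: action themselves.
const REGISTRY_BEFORE_FIX: PrivilegeRegistry = {
  ...SIEM_V3,
  'siemV2.all': {
    actions: [],
    replacedBy: ['siemV3.all', 'siemV3.global_artifact_management_all'],
  },
  'siemV2.minimal_all': { actions: [], replacedBy: ['siemV3.minimal_all'] },
};

// After the fix: the api: action is declared on the deprecated privileges,
// including minimal_all, which has no replacement that carries the ui: half.
const REGISTRY_AFTER_FIX: PrivilegeRegistry = {
  ...SIEM_V3,
  'siemV2.all': {
    actions: [WRITE_API],
    replacedBy: ['siemV3.all', 'siemV3.global_artifact_management_all'],
  },
  'siemV2.minimal_all': { actions: [WRITE_API], replacedBy: ['siemV3.minimal_all'] },
};

const FINDINGS_BEFORE_FIX = auditDeprecated(REGISTRY_BEFORE_FIX);
const FINDINGS_AFTER_FIX = auditDeprecated(REGISTRY_AFTER_FIX);
```

In this model the pre-fix registry yields one `ui-without-api` finding on `siemV2.all`, and the post-fix registry yields one `api-without-ui` finding on `siemV2.minimal_all`, the case the thread accepts on the grounds that the API action is never checked on its own.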

@pzl pzl requested review from szwarckonrad and removed request for pzl June 27, 2025 18:54
@azasypkin

> The fix only affects an api privilege, that is only used behind a feature flag.

Would you mind adding instructions to the PR description on how to toggle this feature flag and test it locally? I definitely lack a lot of context around the security solution features, how they're composed, and how they're used to do a proper review, but I can at least look at the lower-level details (registered privileges and actions level) to see if anything obvious stands out.

@gergoabraham

> Would you mind adding instructions to the PR description on how to toggle this feature flag and test it locally? I definitely lack a lot of context around the security solution features, how they're composed, and how they're used to do a proper review, but I can at least look at the lower-level details (registered privileges and actions level) to see if anything obvious stands out.

hey @azasypkin, i'd definitely appreciate you looking into the details, thanks! 🙇

there are detailed steps in the linked bug issue, does that work for you? let me know if you miss something.
https://github.com/elastic/security-team/issues/12921

azasypkin added a commit that referenced this pull request Jul 7, 2025
…privilege is replaced with more privileges than necessary (#226473)

## Summary

Log a warning in tests if deprecated feature …privilege is replaced with
more privileges than necessary. It can come in handy when we review
feature deprecation PRs and want to quickly check CI test logs for early
signs of problems.

See example output in
#225678 (review)

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jul 7, 2025
…privilege is replaced with more privileges than necessary (elastic#226473)

## Summary

Log a warning in tests if deprecated feature …privilege is replaced with
more privileges than necessary. It can come in handy when we review
feature deprecation PRs and want to quickly check CI test logs for early
signs of problems.

See example output in
elastic#225678 (review)

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
(cherry picked from commit 89c5382)
kibanamachine added a commit that referenced this pull request Jul 7, 2025
…eature privilege is replaced with more privileges than necessary (#226473) (#226790)

# Backport

This will backport the following commits from `main` to `8.17`:
- [chore(security, tests): log a warning in tests if deprecated feature
privilege is replaced with more privileges than necessary
(#226473)](#226473)

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine added a commit that referenced this pull request Jul 7, 2025
…eature privilege is replaced with more privileges than necessary (#226473) (#226792)

# Backport

This will backport the following commits from `main` to `8.19`:
- [chore(security, tests): log a warning in tests if deprecated feature
privilege is replaced with more privileges than necessary
(#226473)](#226473)

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
kibanamachine added a commit that referenced this pull request Jul 7, 2025
…eature privilege is replaced with more privileges than necessary (#226473) (#226791)

# Backport

This will backport the following commits from `main` to `8.18`:
- [chore(security, tests): log a warning in tests if deprecated feature
privilege is replaced with more privileges than necessary
(#226473)](#226473)

Co-authored-by: Aleh Zasypkin <aleh.zasypkin@elastic.co>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

@szwarckonrad szwarckonrad left a comment

Went through the DW code, looks good implementation wise!


@tomsonpl tomsonpl left a comment

lgtm 👍

@elasticmachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @gergoabraham

@gergoabraham gergoabraham merged commit 1dc8cf8 into elastic:main Jul 15, 2025
11 of 12 checks passed
@kibanamachine

Starting backport for target branches: 9.1

https://github.com/elastic/kibana/actions/runs/16292431090

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jul 15, 2025
…lastic#225678)

## Summary

elastic#219566 deprecated `siemV2`, and added a new
`global_artifact_management_all` privilege. See previous PR description
for diagrams.

However, the `replaceBy` role deprecation feature does not 'migrate'
privileges completely, only copies `ui:` privileges.

Therefore, `api:securitySolution-writeGlobalArtifacts` was missing from
the required places, resulting in the bug described in the original
issue: elastic/security-team#12921

This PR:
- adds the missing `api:` privileges to the required places,
- for this, it copy/pastes Endpoint Exceptions `api`/`ui` privileges
directly into multiple Kibana feature versions, so it can be
versioned/deprecated (its `siem`/`siemV2` privileges differ from
`siemV3`): 17f6397 and
4c8730e
- adds a new backward compatibility API test, that uses the space aware
feature flag to regress the bug issue

> [!TIP]
> This bug was found by another backward compatibility tests, during
enabling the space awareness feature flag. Those tests were skipped in
the PR, and can be enabled after this fix is merged to 9.1.

https://github.com/elastic/kibana/pull/222230/files#diff-2f89ba63a6a03d9982bb0a0022c1a6e733b889aa7779a8ea9ebb771bae9e68f2

> [!IMPORTANT]
> The fix only affects an `api` privilege, that is only used behind a
feature flag. Therefore, not having this fix in the next serverless
promotion should not cause any issue on serverless, as serverless
environment does not use this api privilege.

### Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

(cherry picked from commit 1dc8cf8)
@kibanamachine

💚 All backports created successfully

Status Branch Result
9.1

Note: Successful backport PRs will be merged automatically after passing CI.

@gergoabraham gergoabraham deleted the global-artifact-api-privilege-to-deprecated-features branch July 15, 2025 12:09
kibanamachine added a commit that referenced this pull request Jul 15, 2025
…tures (#225678) (#227991)

# Backport

This will backport the following commits from `main` to `9.1`:
- [[EDR Workflows] Global artifact API privilege to deprecated features
(#225678)](#225678)


Co-authored-by: Gergő Ábrahám <gergo.abraham@elastic.co>
gergoabraham added a commit that referenced this pull request Jul 17, 2025
## Summary

These tests have been disabled on `9.1` due to a bug, that has been
fixed since with this PR: -
#225678
Bluefinger pushed a commit to Bluefinger/kibana that referenced this pull request Jul 22, 2025
…lastic#225678)

kertal pushed a commit to kertal/kibana that referenced this pull request Jul 25, 2025
…privilege is replaced with more privileges than necessary (elastic#226473)

kertal pushed a commit to kertal/kibana that referenced this pull request Jul 25, 2025
…lastic#225678)

Labels

backport:version Backport to applied version labels release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v9.1.0 v9.2.0
