[Security Solution][PoC] AI 4 SOC navigation approach 2 #212652
Conversation
|
🤖 Jobs for this PR can be triggered through checkboxes. 🚧
ℹ️ To trigger the CI, please tick the checkbox below 👇
|
| @@ -108,6 +108,7 @@ export class FeatureRegistry { | |||
| for (const [featureId, featureOverride] of Object.entries(overrides)) { | |||
| const feature = this.kibanaFeatures[featureId]; | |||
| if (!feature) { | |||
| continue; | |||
There was a problem hiding this comment.
This needs to be discussed with @elastic/kibana-security
There was a problem hiding this comment.
I have a few questions to better understand what you’re trying to achieve:
- What is the process for changing the product tier/line?
- Is it something a user can do themselves?
- Is the current tier stored somewhere in ES, or is it a config value?
- Does the change require a Kibana restart?
- In which offerings is it possible to dynamically update tiers/lines (ECH, ECS, on-prem)?
I vaguely remember that dynamic configuration was only possible in Elastic Cloud (or even only in Serverless?), where the configuration flag for the current tier lived in the Kibana config and was managed by infra (controller?). Is that still the case? If so, is there any reason the code that changes the tier config in the Kibana config couldn’t also alter overrides in the config?
There was a problem hiding this comment.
To the best of my knowledge:
- the configuration is done through the Cloud UI.
- Good question: @angorayc do you know?
- 99% just the config value
- Yes
- Only serverless.
I think the overrides changes the capabilities, right? We're here trying to not even register the feature which makes the corresponding RBAC privileges not even visible for the user.
There was a problem hiding this comment.
Hey @azasypkin, thanks for taking a look. Sorry that this line is outdated, I should have removed this continue;, it's no longer needed. In the previous approach that I implemented I was skipping the registration of the siem/siemV2 feature when the new tier was enabled, in the current approach this feature is always registered, just with a different configuration for this new tier.
I vaguely remember that dynamic configuration was only possible in Elastic Cloud (or even only in Serverless?), where the configuration flag for the current tier lived in the Kibana config and was managed by infra (controller?). Is that still the case? If so, is there any reason the code that changes the tier config in the Kibana config couldn’t also alter overrides in the config?
You have a good memory. That's right. In serverless, we use the project controller to create the tiers and roles configuration that we read from Kibana. This approach worked well, and I think we should follow a similar approach. However, I think we should be careful and try to minimize the cross-repo dependencies we introduce, they have become problematic in different ways for the predefined role definitions: we have to keep duplicates in Kibana which are confusing and hard to maintain in sync with the production configs.
I think we should be able to keep the single source of truth inside Kibana, and use the project-controller as the decision maker. I was thinking about having a yaml file with different definitions of the features overrides, one per tier, or maybe having one file per tier would also make sense (e.g. security.essentials.override.yml, security.complete.overrides.yml...), inside Kibana. And the project-controller somehow applies one of them depending on the current tier. Or maybe Kibana itself should pick the correct override config, using the tiers config that is already provided by the project-controller.
wdyt?
cc @YulNaumenko
There was a problem hiding this comment.
in the current approach this feature is always registered, just with a different configuration for this new tier.
Aha, good to know. That should definitely simplify things.
However, I think we should be careful and try to minimize the cross-repo dependencies we introduce, they have become problematic in different ways for the predefined role definitions: we have to keep duplicates in Kibana which are confusing and hard to maintain in sync with the production configs.
Agree. The only reason I mentioned controller is that I thought you were skipping the feature registration completely, and hence it would make sense for controller to remove overrides for the feature that doesn’t exist from the config as well. But since you changed your approach, we don’t need to do that.
I think we should be able to keep the single source of truth inside Kibana, and use the project-controller as the decision maker. I was thinking about having a yaml file with different definitions of the features overrides, one per tier, or maybe having one file per tier would also make sense (e.g. security.essentials.override.yml, security.complete.overrides.yml...), inside Kibana. And the project-controller somehow applies one of them depending on the current tier. Or maybe Kibana itself should pick the correct override config, using the tiers config that is already provided by the project-controller.
Here’s the proofread version of your text:
If I understand your current approach correctly, you’re just changing the feature definition at runtime depending on the tier. If so, it sounds much easier than doing this via the configuration like we did with feature overrides. If it fully works for you and doesn't require any nasty hacks (?), I think it’s better to keep what you have, but let’s discuss this during our sync later today to make sure I’m not missing anything.
There was a problem hiding this comment.
If I understand your current approach correctly, you’re just changing the feature definition at runtime depending on the tier. If so, it sounds much easier than doing this via the configuration like we did with feature overrides. If it fully works for you and doesn't require any nasty hacks (?), I think it’s better to keep what you have, but let’s discuss this during our sync later today to make sure I’m not missing anything.
Great! glad that you like the idea, but that's only for Security features.
The missing part is with other features outside the Security plugin, that we also need we need to disable/hide for this tier, such as Fleet, Osquery...
This is what we want to discuss with you, the proposal of having a different override configuration per tier is meant to solve this.
|
(tagging myself for review to provide preliminary feedback) |
| configurator.timeline = getTimelineProductFeaturesConfigurator(enabledProductFeatureKeys); | ||
| configurator.notes = getNotesProductFeaturesConfigurator(enabledProductFeatureKeys); | ||
|
|
||
| // timeline and notes are not available for the searchAiLake tier within Security |
There was a problem hiding this comment.
Leaving this here so we do not forget:
With this config:
{ product_line: 'security', product_tier: 'search_ai_lake' },
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
we should not see timelines, notes, and siem_migration.
@ashokaditya This is why we talked about not registering them in the first place (approach 2). You did the approach 1 with capabilities.
Does the trick for the most parts but not all :P
What do you think? 👍
| @@ -104,21 +104,6 @@ export const getSecurityBaseKibanaFeature = ({ | |||
| }, | |||
| app: [APP_ID, CLOUD_POSTURE_APP_ID, CLOUD_DEFEND_APP_ID, 'kibana'], | |||
| catalogue: [APP_ID], | |||
| api: [ | |||
There was a problem hiding this comment.
question: I’m not familiar enough with the mechanics here or whether these API privileges are needed, but we’re not making a breaking change for users who have roles with this privielge, right?
There was a problem hiding this comment.
To best of my knowledge, this is safe. We are just moving these privileges to product_feature_config which also add's the possibility to be run against PLI configuration.
CC: @semd
There was a problem hiding this comment.
Yup, this is safe. We are just moving things around to make them tier-dependent.
- All existing tiers will have these privileges configured with the same API/UI actions as currently.
- The new tier will have these privileges configured with a new set of API/UI actions specific to this tier.
There was a problem hiding this comment.
Roger that, thanks for clarifying!
| @@ -108,6 +108,7 @@ export class FeatureRegistry { | |||
| for (const [featureId, featureOverride] of Object.entries(overrides)) { | |||
| const feature = this.kibanaFeatures[featureId]; | |||
| if (!feature) { | |||
| continue; | |||
There was a problem hiding this comment.
I have a few questions to better understand what you’re trying to achieve:
- What is the process for changing the product tier/line?
- Is it something a user can do themselves?
- Is the current tier stored somewhere in ES, or is it a config value?
- Does the change require a Kibana restart?
- In which offerings is it possible to dynamically update tiers/lines (ECH, ECS, on-prem)?
I vaguely remember that dynamic configuration was only possible in Elastic Cloud (or even only in Serverless?), where the configuration flag for the current tier lived in the Kibana config and was managed by infra (controller?). Is that still the case? If so, is there any reason the code that changes the tier config in the Kibana config couldn’t also alter overrides in the config?
There was a problem hiding this comment.
Thanks @azasypkin,
These are great questions, I tried to answer to the best of my knowledge, however also cc'ying @semd since he's the great mind behind this approach.
| @@ -104,21 +104,6 @@ export const getSecurityBaseKibanaFeature = ({ | |||
| }, | |||
| app: [APP_ID, CLOUD_POSTURE_APP_ID, CLOUD_DEFEND_APP_ID, 'kibana'], | |||
| catalogue: [APP_ID], | |||
| api: [ | |||
There was a problem hiding this comment.
To best of my knowledge, this is safe. We are just moving these privileges to product_feature_config which also add's the possibility to be run against PLI configuration.
CC: @semd
| @@ -108,6 +108,7 @@ export class FeatureRegistry { | |||
| for (const [featureId, featureOverride] of Object.entries(overrides)) { | |||
| const feature = this.kibanaFeatures[featureId]; | |||
| if (!feature) { | |||
| continue; | |||
There was a problem hiding this comment.
To the best of my knowledge:
- the configuration is done through the Cloud UI.
- Good question: @angorayc do you know?
- 99% just the config value
- Yes
- Only serverless.
I think the overrides changes the capabilities, right? We're here trying to not even register the feature which makes the corresponding RBAC privileges not even visible for the user.
| @@ -53,27 +48,21 @@ export const registerProductFeatures = ( | |||
| // Cases are always enabled (both for security and AI-SOC) | |||
| configurator.cases = getCasesProductFeaturesConfigurator(enabledProductFeatureKeys); | |||
|
|
|||
| if (productLines[ProductLine.security]) { | |||
| // TODO: clarify what happens with siem migrations | |||
| if (productLines[ProductLine.security] && !productTiers[ProductTier.searchAiLake]) { | |||
There was a problem hiding this comment.
I wouldn't hide Security fully, just the timelines and notes (oh an siem_migrations). Because now if the config is:
{ product_line: 'security', product_tier: 'search_ai_lake' },
{ product_line: 'ai_soc', product_tier: 'search_ai_lake' },
We won't have security.
| } | ||
|
|
||
| if (productLines[ProductLine.aiSoc]) { | ||
| if (productLines[ProductLine.aiSoc] && productTiers[ProductTier.searchAiLake]) { |
There was a problem hiding this comment.
I think this is not necessary, moreover would block us from using this with higher tiers.
Summary
This approach implements the RBAC by disabling (not registering) entire Kibana features.
Approach 1 is: #212128
Screenshots
Security + AI
Left nav
Custom roles creation
Only AI
Left nav
Custom role creation
Only security
Left nav
...
Custom role creation