[Security Solution] split endpoint rbac feature flags (#143991)
joeypoon authored Oct 28, 2022
1 parent c7769ce commit c5b1afd
Showing 8 changed files with 439 additions and 414 deletions.
Expand Up @@ -115,6 +115,10 @@ describe('Endpoint Authz service', () => {
});

describe('and endpoint rbac is enabled', () => {
beforeEach(() => {
userRoles = [];
});

it.each<[EndpointAuthzKeyList[number], string]>([
['canWriteEndpointList', 'writeEndpointList'],
['canReadEndpointList', 'readEndpointList'],
Expand Up @@ -25,9 +25,18 @@ function hasPermission(
hasEndpointManagementAccess: boolean,
privilege: typeof ENDPOINT_PRIVILEGES[number]
): boolean {
return isEndpointRbacEnabled
? fleetAuthz.packagePrivileges?.endpoint?.actions[privilege].executePackageAction ?? false
: hasEndpointManagementAccess;
// user is superuser, always return true
if (hasEndpointManagementAccess) {
return true;
}

// not superuser and FF not enabled, no access
if (!isEndpointRbacEnabled) {
return false;
}

// FF enabled, access based on privileges
return fleetAuthz.packagePrivileges?.endpoint?.actions[privilege].executePackageAction ?? false;
}

/**
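Review bot: The new early return on `hasEndpointManagementAccess` at line 36 widens access relative to the removed ternary: previously an enabled rbac flag made the fleet package privileges the sole source of truth, whereas now a caller passing `hasEndpointManagementAccess: true` is granted every privilege even when rbac is enabled. The comment calls this "superuser", but the parameter is a plain boolean computed by the caller (outside this hunk), so hasPermission cannot verify that itself; this contract belongs on the function, which starts before the hunk, e.g. `// hasEndpointManagementAccess short-circuits the package-privilege check regardless of isEndpointRbacEnabled; callers must derive it only from the superuser role.` Separately, the returned expression at line 46 (carried over from the removed line) stops its optional chaining at `actions`, so a privilege key missing from `actions` at runtime throws a TypeError instead of denying; `actions[privilege]?.executePackageAction ?? false` fails closed. If `actions` is typed as a complete record of ENDPOINT_PRIVILEGES this is only defence in depth, but an authorization helper is where failing closed matters most.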
Expand Up @@ -65,6 +65,12 @@ export const allowedExperimentalValues = Object.freeze({
*/
endpointRbacEnabled: false,

/**
* Enables endpoint package level rbac for response actions only.
* if endpointRbacEnabled is enabled, it will take precedence.
*/
endpointRbacV1Enabled: false,

/**
* Enables the Guided Onboarding tour in security
*/
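Review bot: The description of `endpointRbacV1Enabled` says it enables rbac "for response actions only", but nothing in this commit narrows it: every call site folds it into a single boolean (`endpointRbacEnabled || endpointRbacV1Enabled` in useEndpointPrivileges, links.ts and EndpointAppContextService.getEndpointAuthz), so any response-action restriction has to be applied inside calculateEndpointAuthz, which is not visible here. A reader of this file cannot tell where that scoping lives, so the comment should name the module that enforces it. It also needs a small wording fix; something like `* Enables endpoint package-level rbac for response actions only. If endpointRbacEnabled is also enabled, it takes precedence.` followed by one sentence pointing at the enforcing code.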
Expand Up @@ -44,6 +44,7 @@ export const useEndpointPrivileges = (): Immutable<EndpointPrivileges> => {

const fleetServices = fleetServicesFromUseKibana ?? fleetServicesFromPluginStart;
const isEndpointRbacEnabled = useIsExperimentalFeatureEnabled('endpointRbacEnabled');
const isEndpointRbacV1Enabled = useIsExperimentalFeatureEnabled('endpointRbacV1Enabled');

const endpointPermissions = calculatePermissionsFromCapabilities(
useKibana().services.application.capabilities
Expand All @@ -57,7 +58,7 @@ export const useEndpointPrivileges = (): Immutable<EndpointPrivileges> => {
licenseService,
fleetAuthz,
userRoles,
isEndpointRbacEnabled,
isEndpointRbacEnabled || isEndpointRbacV1Enabled,
endpointPermissions
)
: getEndpointAuthzInitialState()),
Expand All @@ -72,6 +73,7 @@ export const useEndpointPrivileges = (): Immutable<EndpointPrivileges> => {
licenseService,
userRoles,
isEndpointRbacEnabled,
isEndpointRbacV1Enabled,
endpointPermissions,
]);
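Review bot: `isEndpointRbacEnabled || isEndpointRbacV1Enabled` at line 80 is the same expression that links.ts (line 109) and EndpointAppContextService.getEndpointAuthz (line 129) each repeat inline, so the precedence rule between the two flags now lives in three places. Hoisting it to one exported helper beside the experimental-feature definitions, e.g. `const isAnyEndpointRbacEnabled = (features: { endpointRbacEnabled: boolean; endpointRbacV1Enabled: boolean }): boolean => features.endpointRbacEnabled || features.endpointRbacV1Enabled;`, keeps the three sites from drifting when the V1 flag is retired. Inside this hook the useMemo dependency list at lines 84-90 is then the only place the two flags appear separately, which is correct but worth a one-line comment, e.g. `// both flags are listed because the memoized authz depends on their OR`. useEndpointPrivileges starts before the hunk and its body continues after it.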

4 changes: 2 additions & 2 deletions x-pack/plugins/security_solution/public/management/links.ts
Expand Up @@ -244,7 +244,7 @@ export const getManagementFilteredLinks = async (
plugins: StartPlugins
): Promise<LinkItem> => {
const fleetAuthz = plugins.fleet?.authz;
const isEndpointRbacEnabled = ExperimentalFeaturesService.get().endpointRbacEnabled;
const { endpointRbacEnabled, endpointRbacV1Enabled } = ExperimentalFeaturesService.get();
const endpointPermissions = calculatePermissionsFromCapabilities(core.application.capabilities);
const linksToExclude: SecurityPageName[] = [];

Expand All @@ -255,7 +255,7 @@ export const getManagementFilteredLinks = async (
licenseService,
fleetAuthz,
currentUserResponse.roles,
isEndpointRbacEnabled,
endpointRbacEnabled || endpointRbacV1Enabled,
endpointPermissions
)
: getEndpointAuthzInitialState();
Expand Up @@ -167,7 +167,7 @@ export class EndpointAppContextService {
public async getEndpointAuthz(request: KibanaRequest): Promise<EndpointAuthz> {
const fleetAuthz = await this.getFleetAuthzService().fromRequest(request);
const userRoles = this.security?.authc.getCurrentUser(request)?.roles ?? [];
const isEndpointRbacEnabled = this.experimentalFeatures.endpointRbacEnabled;
const { endpointRbacEnabled, endpointRbacV1Enabled } = this.experimentalFeatures;

let endpointPermissions = defaultEndpointPermissions();
if (this.security) {
Expand All @@ -185,7 +185,7 @@ export class EndpointAppContextService {
this.getLicenseService(),
fleetAuthz,
userRoles,
isEndpointRbacEnabled,
endpointRbacEnabled || endpointRbacV1Enabled,
endpointPermissions
);
}