Research how our actions framework can send emails for the system

[mikecote]

Related GH issues:

• [Personalisation] Notifications API MVP #140743
• [ResponseOps][Connectors] Opsgenie Connector #142776

With the ability to send notifications via email using our actions framework being in the works. We uncovered a blocker when it comes to the current authorization mechanisms we have in place (to access an actions client). When an email is sent in the case of notifications, it is done by the system, which doesn't have access to any Kibana feature and would fail our auth checks that are currently in place.

We should research and recommend a way to change our back-end code to allow this use case to happen without opening security holes in the system.

Some options:

• Look for something specific in the user object that would identify it’s the system user (would need to get help from Kibana platform security team on this one)
• Add a third authorization mode (Legacy, RBAC, none)
• Create a layered actions client where one can be created without authorization (without needing to call getActionsClientWithRequest)
• Something else

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[pmuellr]

Will there end up being any user- or role-based auth going on here? So, if somehow a connector gets set up "for the system", then any user can use it, or will there be some restrictions on who can use it?

And just to clarify - this has nothing to do with multiple spaces - the connector in question would either be a pre-configured connector (available in all spaces) or a typical connector available in just a single space. Correct?

[arisonl]

@pmuellr The RBAC happens on the Cases level. In the context of Case assignment, if you have access to Cases, in 8.5 you will be able to assign Cases to other users (who also have access to Cases). They will then receive an email. In a future version, the notifications API will allow individual users to opt out. All this mostly for context, I do not believe that they affect the task at hand, the Cases and user search RBAC are already taken care of.

Nothing to do with multiple spaces at this point. For the MVP that we are working on, we will specifically only use pre-configured connectors (and the OOTB SMTP one on the Cloud). The thinking is: get Case assignment notifications that work across spaces (i.e. without having to setup connectors in each space separately) out the door with minimum effort.

[mikecote]

There is a POC PR opened: #143282. There won't be a user in context when the action runs for the system and it will be secured so it's not possible for a user to find a loophole (backend only code can make this happen).