-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alerting feature controls #43994
Comments
1 seems better to me as it would involve less ongoing work, but it also might take a while to land. |
Ignoring the technical implementation and what's currently possible, which of the following would be the ideal use experience:
If we pursue option 1, when the user is granted "All" access to Uptime and Stack Monitoring, it'd make the most sense for users to automatically get the Alerting sub-feature and be able to create and view alerts for the specific feature. Where-as with option 2, when the user is grated "All" access to Alerting, they'd be able to use Alerts in every application. There's also an option 3 where we support both. This gets somewhat confusing, as roles and privileges in the ES model are additive. So if the user is granted "All" access to Stack Monitoring and "None" access to Alerting, they'd still be able to use Stack Monitoring alerts. |
In regards to @kobelb's suggestions, I was thinking option 1. Could this get interesting when determining if we show the alerting app or not? Since there won't be a single privilege to look for? Unless we can do an |
Is it possible that the alerting app is its own feature, distinct from creating in-app alerts themselves? Similar to how users create various saved objects within the discover, visualize, and dashboard applications today, but there is a separate "Saved Objects Management" feature which exposes that management app to end users. |
@legrego The alerting app would be the same scenario so we could do it that way. That resolves my concern. |
I don't know if we should be mirroring the "Saved Object Management" experience entirely. If we want for users to be able to create alerts from within Uptime when they're given the Uptime "All" privilege, I assume that these alerts themselves will then show-up within the "alerting app" itself. If we always treat "Alerting" as a sub-feature of the applications in which it's integrated, are there additional privileges which need to be granted. If so, what are they? |
I can't think of any extra privileges that would have to be granted. A new privilege to "show" the alerting UI would pretty much be it unless we can compute the capability. Also, I guess alerting wouldn't be much of a feature for users without read access to actions 🤔 |
We can derive this from the sub-feature privileges. If the user has any access to alerting, we can then display the alerting application. Is there a generic "create user defined alert" which we'll want to allow, similar to being able to free-form specify the Watcher job definitions?
This becomes somewhat complicated, since actions are used outside of Alerting. |
Had a quick chat with @kobelb, adding an update below.
In the future yes with kibana expressions. Users would be able to create alerts from the alerting app. We can register a separate feature for those.
Providing a tooltip indicating alerts require |
As Mike mentioned above, this is functionality we will want at some point. Whether it's through expressions or even forms for simple generic alert types. Does this mean we go down the route of @kobelb's option 3? Or provide an experience similar to saved object management? The saved object management approach sounds more applicable, especially if we end up introducing views for alert history and state. I could see a scenario (though I'm not sure how common it'd be) where users might want an overview of all alerts but admins do not want to provide CRUD permissions. Basically, a role that provides read only access to an alerting app with state / history and nothing else.
This will also be relevant for "Kibana Actions" (#32371) available in future dashboard panels. Dashboard end users will want the ability to add an action / interaction to a dashboard panel that sends to slack, email, etc. or fire off a webhook but may not have write access to actions. |
Technical implications aside, alerting is a service provided by Kibana, I think access should be controlled in the context of the consumer of that service (the app or solution). That would favour the 1st option Brandon described. Even if sub-features were added though, it seems the problem with alerting isn't providing more granular control to the list of "privilege actions" associated with a privilege. It seems like the issue is filtering data for a certain type of saved object? I'm not clear how sub-features would address that problem. |
It looks like this is the current set of "privilege actions" we have for alerting:
Am I understanding right the problem - these privilege actions right now provide access to all alerts, and we need to figure out how to restrict access to only a subset? |
Yep, that's correct. If each alert type had its own corresponding saved object type, then the existing privilege model would "just work" once sub-features are implemented. If all alerts share a common saved object type, then we'll need to figure out a way to restrict access to only a subset. |
Up until now, I was under the impression the sub-features issue would automatically filter data on an object type based on access (subType = "apm" || "uptime"). This isn't the case. Now that I am on the same page. The issue will diverge into "what technical challenges are we facing to implement feature controls" and discuss how we should solve them.
I will add more questions over time. |
I wonder if this needs to be solved at the Saved Objects level? It seems like anytime we have one feature (alerting) that intersects with other features (uptime, stack monitoring, apm, ...) we are going to encounter this problem. Maybe event/audit logging is another instance of this. Having an alerting saved object type per feature might work but feels like the wrong long term approach, especially as we add more types and more stack services features. |
@rudolf would be curious to hear your thoughts on this issue - some way to extend Saved Objects namespaces (or filtering) beyond just type? Wondering if this has ever come up before ( I looked through GH but there was nothing obviously similar). If the idea has merit I'll open a separate issue we can continue discussion there. |
We should be able to extend the saved-object authorization logic to allow validation using a field in addition to Do we intend for all consumers of alerting to abide by the same "schema" and have the same attributes as each other? Or is there perhaps additional justification for using discrete saved-object-types, but allowing these to be dynamically specified by the alerting plugin and its registered consumers? |
@peterschretlen I'm not aware of a similar requirement coming up in the past. Telemetry is somewhat similar but doesn't require the special authorization needs of actions. Here we use the saved object per consumer model but there is a specific requirement that the "schema" be customizable per consumer. It seems to me the discussion boils down to do we want (a) saved objects types per consumer or (b) one actions saved object type for all actions. If (b) we need to discuss how the security team can make the authorization model sufficiently powerful. I don't see a strong argument for going with either one, so if authorization seems easier in (a) that seems like the desired way to go. In my own head I got a bit tripped up by saved object "ownership", the dashboard plugin owns the Assuming alerting doesn't have the need for custom schemas per solution, we would want actions to "own" all actions saved objects. All this means is in the context of solution (a) is the actions plugin would be responsible for creating the saved object mappings (and possibly future migrations) required to use this plugin. I haven't investigated this in depth, so there might be some technical challenges, but in the New Platform I imagine that Plugins would "register" Saved Object mappings during setup lifecycle instead of statically defining all mappings upfront. This would allow the actions plugin to register new Saved Object types/mappings on behalf of action consumers. So in the I think this would solve the developer experience problem @mikecote brought up, a consumer just has to call the right actions API's, no need to define mappings or schemas. These types are fully owned/controlled by the actions plugin. Are there big advantages in going with option (b) that I'm missing? @mikecote Can you explain what you mean with the following, what is event logging in this context?:
|
Yes. Where the attributes start differentiating is within Just changing terminology from
We may have a chicken and egg problem with this if ever the alerting plugin "setup" creates / registers the mappings. The alerting "setup" function is called before the plugins that dependent on it. Only at the other plugins "setup" we would be able to register mappings and the alerting plugin would have to expose its mappings on "start" for it to possibly work?
This is more a disadvantage of option (a) but I can see the This is also assuming we repeat object types for even logs (apm-alerting-event-log, uptime-alerting-event-log, etc) in order to follow the same privilege model as alerts.
This is something @pmuellr is working on to capture events from task manager, alerting and actions plugin. It's similar to audit but captures different kind of information (when a task started, finished, when an alert type executed, when an alert type failed to execute, etc). You can find the WIP here: #45081. |
This sounds like a different "schema", and we're just working around this by not mapping it in Elasticesearch. Would we have one to many alert-types per "consumer of alerting"? |
Yes. Though they can be shared across applications as well. (Ex: SIEM using an ML alert type that would call SIEM actions). Down the road we'll try to provide some alert types out of the box (threshold alert type to begin). |
Aside from the chicken-egg problem @mikecote described ( alerting needing the mappings before dependent plugins can create them), and potential for large mappings …. are there any drawbacks to having a large number of saved object types? Does it add any complexity to the alerting plugin, having to be aware of or manage those types? Does this fall in the bounds of proper use of Saved Object types or are we abusing it. If we take the extreme of one saved object type per alert type, it sounds like might have to double that for history/audit log (for similar security reasons). Say we have 100 alert types, that would give us 200 saved object types. We won't get there overnight, but across solutions that's a reasonable number to expect. |
I think that's a great question to ask, @peterschretlen. I think it'd be good if we came up with general guidelines for when we should be using a different saved-object type, while ignoring the complications that it introduces from the security perspective. We can definitely add the ability to secure sub-sets of saved-objects with the same type; however, it is a reasonable amount of work. |
When a plugin exposes an API, other plugins can keep on using that API in their relevant lifecycle. So if plugin A exposes an API method I think this dynamism is really valuable in some cases, but the downside is it becomes really hard to track where a mapping comes from, you can no longer search the code base for static @peterschretlen I agree that exploding the field count might have some undesired consequences. We will probably have to benchmark the performance. We shouldn't go over ES's 1000 field default limit, but assuming that the Kibana index doesn't have more than an order of magnitude of 10^2 or 10^4 documents performance might be acceptable. It's hard for me to comment on the "proper" use of Saved Object types without knowing the history that led us to the current design. I suspect having a single index for operational simplicity has been the biggest design goal above performance or ES data-modelling best practices. @epixa I think your input would be valuable in this discussion. |
Following a sync up between @elastic/kibana-alerting-services and @legrego we came to the conclusion that the initial model where To address this we've now introduced a Kibana Feature called "Built-In Alerts" which grants privileges over these alert types (currently this is only Index Threshold as all other types are solution based). @mdefazio I've used the Bell for now, but once we introduce the Action feature this will become confusing. We probably need another icon for 7.9 |
It is still up to solutions to check whether a user is privileged to interact with alerts before opening the flyout, but if they forget to do so, the user is shown the Flyout without the ability to save and the following call out: Ideally we wouldn't show the Alert fields at all, but sadly this will require some broader changes in the Alerting UI and I'd really like to keep this PR from going any larger than it already is. It'\s also worth noting this is aligned with how the UI currently behaves - as we show the flyout without a Save button if users don't have the |
Encountered an interesting UX question. If a user has All privileges over a plugin which provides alerts (such as the Built-In Alerts feature) and the Read privilege to Actions, then that user can create the alert types provided by that plugin and is allowed to attach actions to these alerts (as Read grants both the But, if they click on an action that doesn't yet have a connector (such as PD in this example) they'll see the following: Now, if a user had *All for Actions, then they could create a connector, but as this user has Read they can't. There are three options here and this is where the question is:
I vote for option 3, but wanted to run this past y'all.. and I guess if we do go with option 3, then @gchaps 's help with the copy would be highly appreciated :) You can see the current behaviour in this draft PR which has both the Alerting and Actions RBAC working side by side: #70734 |
I agree as well with option 3. |
This issue is now blocked on the following: #70851 Thanks |
@gmmorris Here is my suggestion:
Also note that there is no ending period after "No PagerDuty connectors" because it is a title. |
Thanks @gchaps! |
The @elastic/kibana-alerting-services team had a catch up today to discuss the viability of reaching confidence with the RBAC PR by 7.9. To make sure we don't keep the PR longer lived than needed and to address the concerns that we have we've decided to do the following:
|
We had a discussion today to assess whether we feel ready to merge the RBAC PR but came to the conclusion that we don't yet feel confident enough to merge. Broadly speaking the team seems comfortable with the idea of gating the Built-In AlertTypes on a feature, the final blocker we have is that there are concerns around which feature we'll gate on. In the PR as it stand we gate on a new feature called Built-In Alerts which simply grants privileges to the Index Threshold alert type. We chose not to name it Alerting or Alerts Management as it does not gate the access to alerts management, and we felt that it would be confusing when a user gains access to alerts management (via a solution) and yet doesn't have access to this feature. The concern raised in the meeting was this: Discussing the different options we realised that in the case that such a requirement is introduced, we would be able to address it as part of v8.0.0 and the main question we need to answer is this: How likely are we to need an Alerts Management feature before v8.0.0 and can we live with two features existing side by side if we do?. Our feeling is that:
We'll schedule a sync with the team to try and find an answer to that question. |
We've sent out an email to Kibana Contributers notifying them of the upcoming merge of this PR.
|
… on Kibana Feature Controls (#67157) This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: #43994 This also closes #62438 This PR includes the following: 1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin. 2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient. 3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient. 4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient 5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
… on Kibana Feature Controls (elastic#67157) This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: elastic#43994 This also closes elastic#62438 This PR includes the following: 1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin. 2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient. 3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient. 4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient 5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs
… on Kibana Feature Controls (#67157) (#72850) This PR adds _Role Based Access-Control_ to the Alerting framework & Actions feature using Kibana Feature Controls, addressing most of the Meta issue: #43994 This also closes #62438 This PR includes the following: 1. Adds `alerting` specific Security Actions (not to be confused with Alerting Actions) to the `security` plugin which allows us to assign alerting specific privileges to users of other plugins using the `features` plugin. 2. Removes the security wrapper from the savedObjectsClient in AlertsClient and instead plugs in the new AlertsAuthorization which performs the privilege checks on each api call made to the AlertsClient. 3. Adds privileges in each plugin that is already using the Alerting Framework which mirror (as closely as possible) the existing api-level tag-based privileges and plugs them into the AlertsClient. 4. Adds feature granted privileges arounds Actions (by relying on Saved Object privileges under the hood) and plugs them into the ActionsClient 5. Removes the legacy api-level tag-based privilege system from both the Alerts and Action HTTP APIs Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Closing issue now that the work is complete and part of the 7.10 release 🎉 There is a follow up issue to apply the same to the connectors which will happen once we have our first connector provided by a different Kibana plugin (most likely the case action type). |
Feature controls is designed to give a role access to features within Kibana. The access to a feature can be
none
,read
orall
at this time. This would then apply to alerts (none, read or all) and actions (none, read or all).The problem we encounter is alerting spans different applications within Kibana that themselves may be set to
none
. When set tonone
, the user shouldn't see the alerts for the disabled application.There is an issue on the security team roadmap to allow implementing sub features (#35616). Until it's implemented, I have opened a discuss issue to see what we should do until then (hopefully in a migratable way to it, if anything).
Example
Uptime: None
Stack Monitoring: All
Alerts: All
Actions: All
As you can see, the user shouldn't be able to see Uptime alerts. With the current implementation, they would.
Possible solutions
We do nothing until Feature Controls - Feature privileges besides
all
andread
#35616 is implemented. This would allow users to see and edit alerts for applications they don't have access to.Split alert saved objects by solution (Ex:
uptime_alert
,stack_monitoring_alert
, etc). This would leave actions as a generic group but alerts would then automatically get enabled by the application whenever enabled. (Ex: turningread
access to Uptime would give youread
access touptime_alert
as well). The downside of this is we'll have to do the same for history, likeuptime_alert_history
.Other solution??
cc @elastic/kibana-stack-services @elastic/kibana-security @alexfrancoeur @peterschretlen
The text was updated successfully, but these errors were encountered: