[Security Solution] split endpoint rbac feature flags #143991
Conversation
joeypoon
added
release_note:skip
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
| @@ -115,6 +115,10 @@ describe('Endpoint Authz service', () => { | |||
| }); | |||
|
|
|||
| describe('and endpoint rbac is enabled', () => { | |||
| beforeEach(() => { | |||
There was a problem hiding this comment.
the outer describe has superuser so we're ensuring this test block doesn't.
| @@ -57,7 +58,7 @@ export const useEndpointPrivileges = (): Immutable<EndpointPrivileges> => { | |||
| licenseService, | |||
| fleetAuthz, | |||
| userRoles, | |||
| isEndpointRbacEnabled, | |||
| isEndpointRbacEnabled || isEndpointRbacV1Enabled, | |||
There was a problem hiding this comment.
I would add another param here instead of using an OR in the existing one. Doing that, we can check if one or the other is enabled in authz and then use one or the other depending on the feature. For example, I don't want to use privileges for Trusted Apps if only the isEndpointRbacV1Enabled is enabled. Does that make sense?
There was a problem hiding this comment.
is there a use case for this? I purposely didn't want to over engineer it since we have pretty known use cases. since we added FF for the sake of privileges, it feels a bit odd to account for using the FF without privileges. this approach (in conjunction with the changes in authz.ts) controls privileges through the availability of subfeatures. since isEndpointRbacV1Enabled doesn't contain trusted apps subfeature, for example, trusted apps privilege would be false if only isEndpointRbacV1Enabled is enabled.
There was a problem hiding this comment.
I think from the change here it will be evaluated if one of both is enabled. So for a user having isEndpointRbacV1Enabled set to true, we will evaluate privileges for Trusted Apps, Event Filters or others. And we should return false as it is not supported.
There was a problem hiding this comment.
Spoke offline, the control is handled by the change made in features.ts. So we are ok with this! Thanks for the clarification @joeypoon
| } | ||
|
|
||
| // not superuser and FF not enabled, no access | ||
| if (!isEndpointRbacEnabled) { |
There was a problem hiding this comment.
As I wrote below, I think we should check here the specific FF depending on the feature.
joeypoon
force-pushed
the
feature/rbac-split-flags
branch
2 times, most recently
from
83d8660 to
00cbd84
Compare
|
Checked it out and tried it - works great! I can see the only the v1 set of RBAC features with the new feature flag set: The response console shows the permitted actions only: This version of the role has Host Isolation disabled: The Endpoint management view are still blocked by superuser access as expected: LGTM! |
joeypoon
force-pushed
the
feature/rbac-split-flags
branch
from
00cbd84 to
22f73fe
Compare
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
Summary
Add
endpointRbacV1Enabledfeature flag that only enables RBAC for response actions.Checklist
For maintainers