forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Security Solution][Detections] Refactor ML calls for newest ML permi…
…ssions (elastic#74582) ## Summary Addresses elastic#73567. ML Users (role: `machine_learning_user`) were previously able to invoke the ML Recognizer API, which we use to get not-yet-installed ML Jobs relevant to our index patterns. As of elastic#64662 this is not true, and so we receive errors from components using the underlying hook, `useSiemJobs`. To solve this I've created two separate hooks to replace `useSiemJobs`: * `useSecurityJobs` * used on ML Popover * includes uninstalled ML Jobs * checks (and returns) `isMlAdmin` before fetching data * `useInstalledSecurityJobs` * used on ML Jobs Dropdown and Anomalies Table * includes only installed ML Jobs * checks (and returns) `isMlUser` before fetching data Note that we while we now receive the knowledge to do so, we do not always inform the user in the case of invalid permissions, and instead have the following behaviors: #### User has insufficient license * ML Popover: shows an upgrade CTA * Anomalies Tables: show no data * Rule Creation: ML Rule option is disabled, shows upgrade CTA * Rule Details: ML Job Id is displayed as text #### User is ML User * ML Popover: not shown * Anomalies Tables: show no data * Rule Creation: ML Rule option is disabled * Rule Details: ML Job Id is displayed as text #### User is ML Admin * ML Popover: shown * Anomalies Tables: show data __for installed ML Jobs__ * This is the same as previous logic, but worth calling out that you can't view historical anomalies * Rule Creation: ML Rule option is enabled, all ML Jobs available * Rule Details: ML Job Id is displayed as hyperlink, job status badge shown ### Checklist - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
- Loading branch information
Showing
56 changed files
with
733 additions
and
407 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletions
20
x-pack/plugins/security_solution/common/machine_learning/has_ml_license.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { emptyMlCapabilities } from './empty_ml_capabilities'; | ||
import { hasMlLicense } from './has_ml_license'; | ||
|
||
describe('hasMlLicense', () => { | ||
test('it returns false when license is not platinum or trial', () => { | ||
const capabilities = { ...emptyMlCapabilities, isPlatinumOrTrialLicense: false }; | ||
expect(hasMlLicense(capabilities)).toEqual(false); | ||
}); | ||
|
||
test('it returns true when license is platinum or trial', () => { | ||
const capabilities = { ...emptyMlCapabilities, isPlatinumOrTrialLicense: true }; | ||
expect(hasMlLicense(capabilities)).toEqual(true); | ||
}); | ||
}); |
10 changes: 10 additions & 0 deletions
10
x-pack/plugins/security_solution/common/machine_learning/has_ml_license.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { MlCapabilitiesResponse } from '../../../ml/common/types/capabilities'; | ||
|
||
export const hasMlLicense = (capabilities: MlCapabilitiesResponse): boolean => | ||
capabilities.isPlatinumOrTrialLicense; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
35 changes: 35 additions & 0 deletions
35
x-pack/plugins/security_solution/public/common/components/ml/api/get_jobs_summary.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { HttpSetup } from '../../../../../../../../src/core/public'; | ||
import { MlSummaryJob } from '../../../../../../ml/public'; | ||
|
||
export interface GetJobsSummaryArgs { | ||
http: HttpSetup; | ||
jobIds?: string[]; | ||
signal: AbortSignal; | ||
} | ||
|
||
/** | ||
* Fetches a summary of all ML jobs currently installed | ||
* | ||
* @param http HTTP Service | ||
* @param jobIds Array of job IDs to filter against | ||
* @param signal to cancel request | ||
* | ||
* @throws An error if response is not OK | ||
*/ | ||
export const getJobsSummary = async ({ | ||
http, | ||
jobIds, | ||
signal, | ||
}: GetJobsSummaryArgs): Promise<MlSummaryJob[]> => | ||
http.fetch<MlSummaryJob[]>('/api/ml/jobs/jobs_summary', { | ||
method: 'POST', | ||
body: JSON.stringify({ jobIds: jobIds ?? [] }), | ||
asSystemRequest: true, | ||
signal, | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 changes: 12 additions & 0 deletions
12
x-pack/plugins/security_solution/public/common/components/ml/hooks/use_get_jobs_summary.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { useAsync, withOptionalSignal } from '../../../../shared_imports'; | ||
import { getJobsSummary } from '../api/get_jobs_summary'; | ||
|
||
const _getJobsSummary = withOptionalSignal(getJobsSummary); | ||
|
||
export const useGetJobsSummary = () => useAsync(_getJobsSummary); |
12 changes: 12 additions & 0 deletions
12
...ck/plugins/security_solution/public/common/components/ml/hooks/use_get_ml_capabilities.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { getMlCapabilities } from '../api/get_ml_capabilities'; | ||
import { useAsync, withOptionalSignal } from '../../../../shared_imports'; | ||
|
||
const _getMlCapabilities = withOptionalSignal(getMlCapabilities); | ||
|
||
export const useGetMlCapabilities = () => useAsync(_getMlCapabilities); |
99 changes: 99 additions & 0 deletions
99
...s/security_solution/public/common/components/ml/hooks/use_installed_security_jobs.test.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { renderHook } from '@testing-library/react-hooks'; | ||
|
||
import { hasMlUserPermissions } from '../../../../../common/machine_learning/has_ml_user_permissions'; | ||
import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license'; | ||
import { isSecurityJob } from '../../../../../common/machine_learning/is_security_job'; | ||
import { useAppToasts } from '../../../hooks/use_app_toasts'; | ||
import { useAppToastsMock } from '../../../hooks/use_app_toasts.mock'; | ||
import { mockJobsSummaryResponse } from '../../ml_popover/api.mock'; | ||
import { getJobsSummary } from '../api/get_jobs_summary'; | ||
import { useInstalledSecurityJobs } from './use_installed_security_jobs'; | ||
|
||
jest.mock('../../../../../common/machine_learning/has_ml_user_permissions'); | ||
jest.mock('../../../../../common/machine_learning/has_ml_license'); | ||
jest.mock('../../../hooks/use_app_toasts'); | ||
jest.mock('../api/get_jobs_summary'); | ||
|
||
describe('useInstalledSecurityJobs', () => { | ||
let appToastsMock: jest.Mocked<ReturnType<typeof useAppToastsMock.create>>; | ||
|
||
beforeEach(() => { | ||
appToastsMock = useAppToastsMock.create(); | ||
(useAppToasts as jest.Mock).mockReturnValue(appToastsMock); | ||
(getJobsSummary as jest.Mock).mockResolvedValue(mockJobsSummaryResponse); | ||
}); | ||
|
||
describe('when the user has permissions', () => { | ||
beforeEach(() => { | ||
(hasMlUserPermissions as jest.Mock).mockReturnValue(true); | ||
(hasMlLicense as jest.Mock).mockReturnValue(true); | ||
}); | ||
|
||
it('returns jobs and permissions', async () => { | ||
const { result, waitForNextUpdate } = renderHook(() => useInstalledSecurityJobs()); | ||
await waitForNextUpdate(); | ||
|
||
expect(result.current.jobs).toHaveLength(3); | ||
expect(result.current.jobs).toEqual( | ||
expect.arrayContaining([ | ||
{ | ||
datafeedId: 'datafeed-siem-api-rare_process_linux_ecs', | ||
datafeedIndices: ['auditbeat-*'], | ||
datafeedState: 'stopped', | ||
description: 'SIEM Auditbeat: Detect unusually rare processes on Linux (beta)', | ||
earliestTimestampMs: 1557353420495, | ||
groups: ['siem'], | ||
hasDatafeed: true, | ||
id: 'siem-api-rare_process_linux_ecs', | ||
isSingleMetricViewerJob: true, | ||
jobState: 'closed', | ||
latestTimestampMs: 1557434782207, | ||
memory_status: 'hard_limit', | ||
processed_record_count: 582251, | ||
}, | ||
]) | ||
); | ||
expect(result.current.isMlUser).toEqual(true); | ||
expect(result.current.isLicensed).toEqual(true); | ||
}); | ||
|
||
it('filters out non-security jobs', async () => { | ||
const { result, waitForNextUpdate } = renderHook(() => useInstalledSecurityJobs()); | ||
await waitForNextUpdate(); | ||
|
||
expect(result.current.jobs.length).toBeGreaterThan(0); | ||
expect(result.current.jobs.every(isSecurityJob)).toEqual(true); | ||
}); | ||
|
||
it('renders a toast error if the ML call fails', async () => { | ||
(getJobsSummary as jest.Mock).mockRejectedValue('whoops'); | ||
const { waitForNextUpdate } = renderHook(() => useInstalledSecurityJobs()); | ||
await waitForNextUpdate(); | ||
|
||
expect(appToastsMock.addError).toHaveBeenCalledWith('whoops', { | ||
title: 'Security job fetch failure', | ||
}); | ||
}); | ||
}); | ||
|
||
describe('when the user does not have valid permissions', () => { | ||
beforeEach(() => { | ||
(hasMlUserPermissions as jest.Mock).mockReturnValue(false); | ||
(hasMlLicense as jest.Mock).mockReturnValue(false); | ||
}); | ||
|
||
it('returns empty jobs and false predicates', () => { | ||
const { result } = renderHook(() => useInstalledSecurityJobs()); | ||
|
||
expect(result.current.jobs).toEqual([]); | ||
expect(result.current.isMlUser).toEqual(false); | ||
expect(result.current.isLicensed).toEqual(false); | ||
}); | ||
}); | ||
}); |
63 changes: 63 additions & 0 deletions
63
...lugins/security_solution/public/common/components/ml/hooks/use_installed_security_jobs.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
import { useEffect, useState } from 'react'; | ||
|
||
import { MlSummaryJob } from '../../../../../../ml/public'; | ||
import { hasMlUserPermissions } from '../../../../../common/machine_learning/has_ml_user_permissions'; | ||
import { hasMlLicense } from '../../../../../common/machine_learning/has_ml_license'; | ||
import { isSecurityJob } from '../../../../../common/machine_learning/is_security_job'; | ||
import { useAppToasts } from '../../../hooks/use_app_toasts'; | ||
import { useHttp } from '../../../lib/kibana'; | ||
import { useMlCapabilities } from './use_ml_capabilities'; | ||
import * as i18n from '../translations'; | ||
import { useGetJobsSummary } from './use_get_jobs_summary'; | ||
|
||
export interface UseInstalledSecurityJobsReturn { | ||
loading: boolean; | ||
jobs: MlSummaryJob[]; | ||
isMlUser: boolean; | ||
isLicensed: boolean; | ||
} | ||
|
||
/** | ||
* Returns a collection of installed ML jobs (MlSummaryJob) relevant to | ||
* Security Solution, i.e. all installed jobs in the `security` ML group. | ||
* Use the corresponding helper functions to filter the job list as | ||
* necessary (running jobs, etc). | ||
* | ||
*/ | ||
export const useInstalledSecurityJobs = (): UseInstalledSecurityJobsReturn => { | ||
const [jobs, setJobs] = useState<MlSummaryJob[]>([]); | ||
const { addError } = useAppToasts(); | ||
const mlCapabilities = useMlCapabilities(); | ||
const http = useHttp(); | ||
const { error, loading, result, start } = useGetJobsSummary(); | ||
|
||
const isMlUser = hasMlUserPermissions(mlCapabilities); | ||
const isLicensed = hasMlLicense(mlCapabilities); | ||
|
||
useEffect(() => { | ||
if (isMlUser && isLicensed) { | ||
start({ http }); | ||
} | ||
}, [http, isMlUser, isLicensed, start]); | ||
|
||
useEffect(() => { | ||
if (result) { | ||
const securityJobs = result.filter(isSecurityJob); | ||
setJobs(securityJobs); | ||
} | ||
}, [result]); | ||
|
||
useEffect(() => { | ||
if (error) { | ||
addError(error, { title: i18n.SIEM_JOB_FETCH_FAILURE }); | ||
} | ||
}, [addError, error]); | ||
|
||
return { isLicensed, isMlUser, jobs, loading }; | ||
}; |
Oops, something went wrong.