Add manage_ingest_pipeline privilege check to Risk Engine enablement #215544
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ck for Risk Engine
CAWilson94
added
bug
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-entity-analytics (Team:Entity Analytics) |
|
Just curious (haven't tested): does this also work for the Risk Engine management page? I assume it does if the two pages share that component? |
Comment on lines
24
to
28
| export const RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES = [ | ||
| 'manage_index_templates', | ||
| 'manage_transform', | ||
| 'manage_ingest_pipelines', | ||
| ] as ClusterPrivilege[]; |
There was a problem hiding this comment.
Installing the Risk Score Engine requires the following privileges:
manage_transformmanage_index_templates
Running the Risk Score Engine requires:
manage_transform
I believe we should define two separate constants for Risk Engine privileges since the required privileges differ for installation and running the engine.
If we're referring to the enablement modal, it's most likely related to installing the Risk Engine rather than running it.
Also, i think that manage_ingest_pipelines is only required for enabling (read as installing) the risk engine and not for running the risk engine.
There was a problem hiding this comment.
Context
Users can perform these actions in the UI
- Install the engine
- Enable an installed but disabled engine
- Run the transform for an enabled engine
Right now, we only verify the cluster privileges for number 1.
@abhishekbhatia1710 is adding a privileges check for number 3 here #213054
We agreed that for now, number 2 will keep using the same privileges check as number 1
Back to this PR
I agree with @abhishekbhatia1710. However, since we only have a privileges check for installing the engine. at this point, adding manage_ingest_pipeline to RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGESVILEGES seems like the right thing to do.
There was a problem hiding this comment.
++ @machadoum and thanks everyone for the detailed discussion!
As in the UI we don't make a distinction I think we are best to stick with checking the superset of permissions, I see these as the permissions needed to have a "full" risk scoring experience.
@CAWilson94 This does seem like an opportunity to put a comment next to (or near) this array, something like:
// These are the required privileges to install the risk engine, enabling and running require less privileges.
// We check the superset of privileges to keep things simple and because in the UI there isn't difference between installing and enabling
There was a problem hiding this comment.
Also loving that we have managed to have this discussion on a one line PR :D
There was a problem hiding this comment.
Hey! Thanks Abhishek and Pablo for this, super helpful in filling in any context and understanding gaps. 🙇
There was a problem hiding this comment.
[Nit] @CAWilson94 The RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES array contains manage_ingest_pipelines, which is not part of the ClusterPrivilege type. We can add the manage_ingest_pipelines in the ClusterPrivilege type to prevent type mismatch
There was a problem hiding this comment.
Absolutely, lets get it in there. Good catch 🎣
There was a problem hiding this comment.
@abhishekbhatia1710 actually, even better note. I was wondering why this actually worked. Sneaky assertion in the wild. Also TiL - the satisfies operator
There was a problem hiding this comment.
Ah, that's even better. Thanks for sharing the link.
as forces a type, ignoring incorrect values.
satisfies validates the type without affecting inference.
There was a problem hiding this comment.
Yah! In general I would always avoid using a type assertion because its telling TS compiler "hey buddy, I know better than you. This is type "whatever type", dont even question it". Probably in tests though it can be useful, although I try to avoid :D
machadoum
approved these changes
Mar 24, 2025
Good question, thanks! I can confirm, this works there too:
|
CAWilson94
added
v9.0.0
backport:version
💚 Build Succeeded
Metrics [docs]Page load bundle
History
cc @CAWilson94 |
|
Starting backport for target branches: 8.18, 8.x, 9.0 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 25, 2025
…lastic#215544) ## Summary This PR adds the "manage_ingest_pipeline" cluster privilege to RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES. The Entity Analytics Enablement modal now displays a warning when the user lacks this privilege and prevents Risk Engine installation, as required. ### Screenshots #### Enablement Modal (installing/enabling)  #### Risk Management Page  (cherry picked from commit a296d08)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 25, 2025
…lastic#215544) ## Summary This PR adds the "manage_ingest_pipeline" cluster privilege to RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES. The Entity Analytics Enablement modal now displays a warning when the user lacks this privilege and prevents Risk Engine installation, as required. ### Screenshots #### Enablement Modal (installing/enabling)  #### Risk Management Page  (cherry picked from commit a296d08)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Mar 25, 2025
…lastic#215544) ## Summary This PR adds the "manage_ingest_pipeline" cluster privilege to RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES. The Entity Analytics Enablement modal now displays a warning when the user lacks this privilege and prevents Risk Engine installation, as required. ### Screenshots #### Enablement Modal (installing/enabling)  #### Risk Management Page  (cherry picked from commit a296d08)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Mar 25, 2025
…ement (#215544) (#215896) # Backport This will backport the following commits from `main` to `9.0`: - [Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)](#215544) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Charlotte Alexandra Wilson","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-25T14:20:31Z","message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","Team: SecuritySolution","Theme: entity_analytics","Team:Entity Analytics","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"Add manage_ingest_pipeline privilege check to Risk Engine enablement","number":215544,"url":"https://github.com/elastic/kibana/pull/215544","mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215544","number":215544,"mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Charlotte Alexandra Wilson <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Mar 25, 2025
…lement (#215544) (#215894) # Backport This will backport the following commits from `main` to `8.18`: - [Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)](#215544) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Charlotte Alexandra Wilson","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-25T14:20:31Z","message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","Team: SecuritySolution","Theme: entity_analytics","Team:Entity Analytics","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"Add manage_ingest_pipeline privilege check to Risk Engine enablement","number":215544,"url":"https://github.com/elastic/kibana/pull/215544","mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215544","number":215544,"mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Charlotte Alexandra Wilson <[email protected]>
kibanamachine
added a commit
that referenced
this pull request
Mar 25, 2025
…ement (#215544) (#215895) # Backport This will backport the following commits from `main` to `8.x`: - [Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)](#215544) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Charlotte Alexandra Wilson","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-25T14:20:31Z","message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","Team: SecuritySolution","Theme: entity_analytics","Team:Entity Analytics","backport:version","v8.18.0","v9.1.0","v8.19.0"],"title":"Add manage_ingest_pipeline privilege check to Risk Engine enablement","number":215544,"url":"https://github.com/elastic/kibana/pull/215544","mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.18","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/215544","number":215544,"mergeCommit":{"message":"Add manage_ingest_pipeline privilege check to Risk Engine enablement (#215544)\n\n## Summary\n\nThis PR adds the \"manage_ingest_pipeline\" cluster privilege to\nRISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.\n\nThe Entity Analytics Enablement modal now displays a warning when the\nuser lacks this privilege and prevents Risk Engine installation, as\nrequired.\n\n### Screenshots \n\n#### Enablement Modal (installing/enabling)\n\n\n\n#### Risk Management Page \n\n\n","sha":"a296d08990e62ab4d28cdcc382e8592826eb815e"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Charlotte Alexandra Wilson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds the "manage_ingest_pipeline" cluster privilege to RISK_ENGINE_REQUIRED_ES_CLUSTER_PRIVILEGES.
The Entity Analytics Enablement modal now displays a warning when the user lacks this privilege and prevents Risk Engine installation, as required.
Screenshots
Enablement Modal (installing/enabling)
Risk Management Page