[RAC][Observability] Overflow options "mark as acknowledged" and "closed selected" don't appear in all rows #109619

Closed
mgiota opened this issue Aug 23, 2021 · 8 comments · Fixed by #110167
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services Theme: rac label obsolete

Comments

@mgiota
Contributor

mgiota commented Aug 23, 2021

📝 Summary

There is some logic that determines when the workflow status related actions should appear. This logic needs to be clearly defined so that we can determine if the appearance or not of these options is because of a bug or because of some logic we are not aware of.
https://user-images.githubusercontent.com/2852703/130520934-b91bc272-a4a4-4708-95c3-6a955c4ffc07.mov

UPDATE

It turns out there were 2 different types of problems here:

  • rule types created through stack management didn't show the Mark as Acknowledged and Closed options
  • apm rule types specifically wouldn't show the above options because they support custom alerting capabilities during role creation which weren't taken into consideration

✔️ Acceptance criteria

Given user has All Kibana privileges
And he has created a rule of any type (logs, metrics, uptime, apm) through Stack Management
When an alert fires
Then the status actions Mark as Acknowledged and Closed options should appear in the overflow menu

Given user has Read Kibana privileges for APM
When an APM alert fires
Then the status actions Mark as Acknowledged and Closed options should not appear in the overflow menu for this alert

Given user has Read Kibana privileges for Logs | Metrics | Uptime
When an alert of the respective rule type fires
Then the status actions Mark as Acknowledged and Closed options should not appear in the overflow menu for this alert

@mgiota mgiota added the Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services label Aug 23, 2021
@elasticmachine
Contributor

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

@mgiota mgiota added the Theme: rac label obsolete label Aug 23, 2021
@mgiota
Contributor Author

mgiota commented Aug 25, 2021

There was a merged PR #109759 that most probably fixes this issue.

@mgiota
Contributor Author

mgiota commented Aug 25, 2021

@stephmilovic I am logged in with a kibana_system user and here are the permissions I have. Below I have a screenshot as well. Could you verify that everything works as expected?

{
   "name":"kibana_system",
   "metadata":{
      "_reserved":true
   },
   "transient_metadata":{
      "enabled":true
   },
   "elasticsearch":{
      "cluster":[
         "monitor",
         "manage_index_templates",
         "cluster:admin/xpack/monitoring/bulk",
         "manage_saml",
         "manage_token",
         "manage_oidc",
         "cluster:admin/xpack/security/api_key/invalidate",
         "grant_api_key",
         "cluster:admin/xpack/security/privilege/builtin/get",
         "delegate_pki",
         "cluster:admin/ilm/get",
         "cluster:admin/ilm/put",
         "manage_ml",
         "cluster:admin/analyze",
         "monitor_text_structure",
         "cancel_task"
      ],
      "indices":[
         {
            "names":[
               ".kibana*",
               ".reporting-*"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".monitoring-*"
            ],
            "privileges":[
               "read",
               "read_cross_cluster"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".management-beats"
            ],
            "privileges":[
               "create_index",
               "read",
               "write"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".ml-anomalies*",
               ".ml-stats-*"
            ],
            "privileges":[
               "read"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".ml-annotations*",
               ".ml-notifications*"
            ],
            "privileges":[
               "read",
               "write"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".apm-agent-configuration"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".apm-custom-link"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               "apm-*"
            ],
            "privileges":[
               "read",
               "read_cross_cluster"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               "*"
            ],
            "privileges":[
               "view_index_metadata",
               "monitor"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".logs-endpoint.diagnostic.collection-*"
            ],
            "privileges":[
               "read"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".fleet*"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".siem-signals*"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".internal.alerts*"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               ".alerts*"
            ],
            "privileges":[
               "all"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               "metrics-endpoint.policy-*"
            ],
            "privileges":[
               "read"
            ],
            "allow_restricted_indices":false
         },
         {
            "names":[
               "metrics-endpoint.metrics-*"
            ],
            "privileges":[
               "read"
            ],
            "allow_restricted_indices":false
         }
      ],
      "run_as":[
         
      ]
   },
   "kibana":[
      
   ],
   "_transform_error":[
      
   ],
   "_unrecognized_applications":[
      
   ]
}

The 2nd alert (apm rule type) in my screenshot below has the crud options disabled. Is it because apm-* above has read-only privileges?

Regarding the other alerts (log and metric rule types) in the above JSON I sent, where can I see that this user has write permissions for these rule types?

I am trying to understand if everything works as expected based on the role of the current user.
Screenshot 2021-08-25 at 13 49 57

@XavierM
Contributor

XavierM commented Aug 25, 2021

@mgiota I think that you got it because you do not have the Kibana All privileges in APM but Read, so you cannot update the alert but you can see it. We are using the Kibana privileges to authorize or not actions on the alerts. In security solution, we created a sub feature specifically for alerts so it can be independent of the Kibana privileges of our plugin.

@mgiota
Contributor Author

mgiota commented Aug 25, 2021

@XavierM OK, you are saying you use Kibana privileges to authorize the actions on the alerts. Isn't it weird though that I log in to Kibana with the default elastic user with superuser role? I would expect this user to have all privileges. That kibana_system role I sent above is for Elasticsearch, so maybe it was irrelevant.

Kibana privileges for APM are maybe a bit different than other rule types? It looks like by default they give no privileges to Alerts (the screenshot below is when creating a new role and adding some Kibana privileges). You can give it a try and create an Error count threshold while you are logged in with the elastic superuser. This user will not have access to use crud operations on alerts. Either this is a bug or this is by design and we don't want to enable crud operations on APM alerts. Could you verify that everything works as expected?
Screenshot 2021-08-25 at 19 24 48

@mgiota
Contributor Author

mgiota commented Aug 25, 2021

@XavierM Can you point me to that sub feature you mentioned that is independent of the kibana privileges?

@mgiota mgiota added the bug Fixes for quality problems that affect the customer experience label Aug 30, 2021
@jasonrhodes
Member

I started reading this and then I got too confused and scared and figured I need more context. Can someone walk me through what this problem was and how we are fixing it tomorrow?

@mgiota
Contributor Author

mgiota commented Sep 29, 2021

@jasonrhodes I just read this message. I had to come back to this to verify which fields are needed for implementing RBAC. We need consumer and I need to verify if producer is needed as well. In this PR it looks like producer is being used to determine alert permissions. I can walk you through this and you can give me a bit more context on your current knowledge regarding consumers and producers. Shall we discuss it tomorrow in our sync up call?
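
A sketch of the permission logic that the acceptance criteria and the consumer/producer discussion in this thread describe, added here as an illustration and not taken from Kibana or the linked PRs. The type and function names are hypothetical, and the `'alerts'` consumer value for rules created through Stack Management is an assumption, as are the constructed sample users and alert.

```typescript
// Added illustration; not Kibana source. All names below are hypothetical.
type Privilege = 'all' | 'read' | 'none';
// Feature id -> Kibana privilege the current user holds for that feature.
type FeaturePrivileges = Partial<Record<string, Privilege>>;

interface AlertRow {
  id: string;
  consumer: string; // where the rule was created
  producer: string; // feature that owns the rule type, e.g. 'apm', 'logs'
}

// Assumed consumer value for rules created through Stack Management.
const STACK_MANAGEMENT_CONSUMER = 'alerts';

// Feature whose privilege governs the alert: when the consumer is the generic
// Stack Management one, fall back to the producer.
function owningFeature(alert: AlertRow): string {
  return alert.consumer === STACK_MANAGEMENT_CONSUMER ? alert.producer : alert.consumer;
}

// Default deny: an unknown feature or a missing entry never grants write access.
function canUpdateStatus(privs: FeaturePrivileges, alert: AlertRow): boolean {
  return (privs[owningFeature(alert)] ?? 'none') === 'all';
}

// UI side: status actions to render in the overflow menu for one row.
function overflowStatusActions(privs: FeaturePrivileges, alert: AlertRow): string[] {
  return canUpdateStatus(privs, alert) ? ['Mark as Acknowledged', 'Closed'] : [];
}

// Server side: repeat the same check, because hiding a menu item is not authorization.
function updateStatus(privs: FeaturePrivileges, alert: AlertRow, status: string): string {
  if (!canUpdateStatus(privs, alert)) {
    throw new Error(`403: no write access to ${owningFeature(alert)} alerts`);
  }
  return `${alert.id} -> ${status}`;
}

// Constructed sample data matching the three acceptance criteria.
const allUser: FeaturePrivileges = { apm: 'all', logs: 'all', infrastructure: 'all', uptime: 'all' };
const apmReader: FeaturePrivileges = { apm: 'read' };
const logsReader: FeaturePrivileges = { logs: 'read' };
const apmFromStackMgmt: AlertRow = { id: 'a1', consumer: 'alerts', producer: 'apm' };
```
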


4 participants