Rule Preview not Working

j91321 · March 15, 2023, 8:33am

I have this weird problem where detection engine rules preview is not working for users.

Now the users have roles that grant them read access to .preview.alerts-security.alerts-<space-id> and All Kibana pirvileges on Kibana Security App as mentioned in documentation. Still the preview fails with:

Missing "read" privileges for the ".preview.alerts-security.alerts" or ".internal.preview.alerts-security.alerts" indices. Without these privileges you cannot use the Rule Preview feature.

Now I've tried to debug this by creating a data view to that system index. The admin user can create data view on that index and read the data in it no problem. The affected user says no indices matched. When I try to view or edit the data view with the affected user it says that the pattern in not matching any indices.

However when I go to the Index Management with the affected user (he has monitor privileges) I can list system indices and see that the index .internal.preview.alerts-security.alerts-... exists but trying to read the settings just gives me toast with word Forbidden.

When I try to see the settings for .internal.preview.alerts-security.alerts-... through dev console I get:

action [indices:monitor/settings/get] is unauthorized for user [j91321] with effective roles [...]
on indices [.internal.preview.alerts-security.alerts-something-dev-000001], this action is granted by the index privileges [monitor,view_index_metadata,manage,all]

Seems like the privilege does not get applied for the index. I've tried all of the listed privileges (all, read+view_index_metadata, or read+monitor)

Elasticsearch version is 8.6.1

georgii · March 22, 2023, 12:58pm

Hey @j91321, thanks for your question!

I'm looking at the code that returns this error and seeing this:

github.com

elastic/kibana/blob/1980e2b92a174bce6df74e9c0769597cd9997961/x-pack/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts#L134-L160


      
          const { hasAllRequested } = await securityService.authz
            .checkPrivilegesWithRequest(request)
            .atSpace(spaceId, {
              elasticsearch: {
                index: {
                  [`${DEFAULT_PREVIEW_INDEX}`]: ['read'],
                  [`.internal${DEFAULT_PREVIEW_INDEX}-`]: ['read'],
                },
                cluster: [],
              },
            });
          
          
if (!hasAllRequested) {
            return response.ok({
              body: {
                logs: [
                  {
                    errors: [
                      'Missing "read" privileges for the ".preview.alerts-security.alerts" or ".internal.preview.alerts-security.alerts" indices. Without these privileges you cannot use the Rule Preview feature.',
                    ],

This file has been truncated. show original

I'm not sure why access to both the index alias (.preview.alerts-security.alerts) and concrete internal index name (.internal.preview.alerts-security.alerts) are required here, but looks like this check was added in this PR:

github.com/elastic/kibana

[Security Solution] Adds rule preview error message for users without appropriate `read` privilege

elastic:main ← dplumlee:rule-preview-privilege-warning

opened 08:58PM - 11 Apr 22 UTC

dplumlee

+130 -69

## Summary Addresses https://github.com/elastic/kibana/issues/128284 Adds …an error message for when a user attempts to use the rule preview feature without the necessary `read` privilege for the `.preview.alerts-security.alerts` index. To test: - Create a role with the usual detection alerts index permissions, but _without_ `.preview.alerts-security.alerts` and/or `.internal.preview.alerts-security.alerts` - Attempt to use the rule preview feature within rule creation - See that no histogram shows up #### Screenshots ![Screen Shot 2022-04-11 at 5 34 19 PM](https://user-images.githubusercontent.com/56367316/162837224-19ebbf25-ce35-4a62-b2c6-a69d41eef447.png) ### Checklist Delete any items that are not applicable to this PR. - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

I'll reach out to the PR author and the team and we'll figure out if the implementation is wrong or the docs are out-of-date.

Meanwhile, could you please try adding a read privilege to .preview.alerts-security.alerts-<space-id> and .internal.preview.alerts-security.alerts-<space-id> to the user's role and see if it fixes the issue?

j91321 · March 23, 2023, 10:38am

Hi the user has read privileges to both, yet the issue persists.

    {
      "names": [
        ".preview.alerts-security.alerts-something-dev"
      ],
      "privileges": [
        "monitor",
        "read",
        "view_index_metadata"
      ],
      "allow_restricted_indices": false
    },
    {
      "names": [
        ".internal.preview.alerts-security.alerts-something-dev"
      ],
      "privileges": [
        "monitor",
        "read",
        "view_index_metadata"
      ],
      "allow_restricted_indices": false
    },

georgii · March 24, 2023, 9:55am

@j91321 Thank you for checking this. Folks on our team confirmed that this is a bug and opened a PR with a fix for it:

github.com/elastic/kibana

[Security Solution][Rule Preview] Fixes `<space-id>` index permission bug with Rule Preview

elastic:main ← dplumlee:preview-index-permission-bug

opened 06:45PM - 23 Mar 23 UTC

dplumlee

+2 -2

## Summary Addresses a [problem found via the community slack](https://discus…s.elastic.co/t/rule-preview-not-working/327737/2) where rule preview doesn't properly recognize permissions granted to it when using a kibana `space-id` which is correctly documented [here](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) as something to include in the permissions. To test: - Create a role with the usual detection alerts index permissions in the `default` space, using `.preview.alerts-security.alerts-default` and/or `.internal.preview.alerts-security.alerts-default-*` instead of the normal preview indices. - Attempt to use the rule preview feature within rule creation - You are now able to use the rule preview without index permission error (this won't currently work in `main`/kibana dev) ### Checklist Delete any items that are not applicable to this PR. - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

system · April 21, 2023, 9:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.