Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add toggle to enable/disable rule install from SOs #106189

Merged
merged 9 commits into from
Jul 21, 2021
Merged

Add toggle to enable/disable rule install from SOs #106189

merged 9 commits into from
Jul 21, 2021

Conversation

rw-access
Copy link
Contributor

@rw-access rw-access commented Jul 19, 2021
edited
Loading

Summary

Closes #105980

Added config flags xpack.securitySolution.prebuiltRulesFromSavedObjects and xpack.securitySolution.prebuiltRulesFromFileSystem so cloud rule updates can be disabled for CI.

Here's how I tested the flag locally. Left a persistent ES running and removed three rules, then ran:

$ yarn start --ssl --xpack.securitySolution.prebuiltRulesFromSavedObjects=false

image

Then restarted Kibana (kept ES running) and enabled rules from Fleet SOs. The removed rules are now available as an update:

$ yarn start --ssl --xpack.securitySolution.prebuiltRulesFromSavedObjects=true

image

Checklist

Existing tests should work as-is.

Testing this under a few different scenarios

  • Remove a few rules, with prebuiltRulesFromSavedObjects=false. Should pass CI (035e116). Result: ✅ as expected
  • Remove a few rules, with prebuiltRulesFromSavedObjects=true. Should fail CI (327abcb). Result ❌ as expected for the relevant tests
  • Restore the rules back as they were and with prebuiltRulesFromSavedObjects=false. Must pass CI and be ready to merge (c0e4e03). Result: ✅ as expected

@rw-access rw-access added release_note:skip Skip the PR/issue when compiling release notes auto-backport Deprecated - use backport:version if exact versions are needed labels Jul 20, 2021
@rw-access rw-access marked this pull request as ready for review July 20, 2021 16:05
@rw-access rw-access requested a review from a team as a code owner July 20, 2021 16:05
@rw-access rw-access requested a review from a team as a code owner July 20, 2021 19:34
jbudz
jbudz approved these changes Jul 20, 2021
View reviewed changes
Copy link
Member

@jbudz jbudz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kibana-docker LGTM

@rw-access rw-access requested a review from a team as a code owner July 20, 2021 23:36
FrankHassanabad
FrankHassanabad approved these changes Jul 20, 2021
View reviewed changes
Copy link
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,

What I did:

  • Review the code

What I couldn't do:

  • I couldn't run Cypress, it crashes right now on my system. But it also on master, so it's not this PR issue.

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@rw-access rw-access enabled auto-merge (squash) July 21, 2021 02:55
@academo
Copy link
Contributor

academo commented Jul 21, 2021

Could add some unit tests as well for prebuiltRulesFromSavedObjects=true? I only see them for the false scenario.

paul-tavares
paul-tavares approved these changes Jul 21, 2021
View reviewed changes
Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚢
Had only one question, but it's more for my own understanding.

x-pack/plugins/security_solution/server/fleet_integration/handlers/install_prepackaged_rules.ts
@@ -37,6 +39,8 @@ export const installPrepackagedRules = async ({
securityStart,
alerts,
maxTimelineImportExportSize,
prebuiltRulesFromFileSystem,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just for my own understanding - Is this why we needed to "thread" these two new arguments all the way through to the endpoint context + Fleet integration callback? to feed it into alerts.getAlertsClientWithRequest()?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah exactly

@rw-access rw-access merged commit 218c9c2 into elastic:master Jul 21, 2021
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Jul 21, 2021
@rw-access @kibanamachine
Add toggle to enable/disable rule install from SOs (elastic#106189)
97202ca 
* Add toggle to enable/disable rule install from SOs
* Fix lint and type tests
* Fix types for tests
* Enable prebuiltRulesFromSavedObjects with extra rules in fleet
* Restore rules and disable prebuiltRulesFromSavedObjects
* Pass explicit arguments instead of full config
* Set values in 'endpoint' setup
* Propagate prebuiltRulesFrom{FileSystem,SavedObjects} from configs
@kibanamachine kibanamachine mentioned this pull request Jul 21, 2021
Merged
@kibanamachine
Copy link
Contributor

💔 Backport failed

Status Branch Result
7.14 Commit could not be cherrypicked due to conflicts
7.x

Successful backport PRs will be merged automatically after passing CI.

To backport manually run:
node scripts/backport --pr 106189

kibanamachine added a commit that referenced this pull request Jul 21, 2021
@kibanamachine @rw-access
Add toggle to enable/disable rule install from SOs (#106189) (#106397)
5f08a44 
* Add toggle to enable/disable rule install from SOs
* Fix lint and type tests
* Fix types for tests
* Enable prebuiltRulesFromSavedObjects with extra rules in fleet
* Restore rules and disable prebuiltRulesFromSavedObjects
* Pass explicit arguments instead of full config
* Set values in 'endpoint' setup
* Propagate prebuiltRulesFrom{FileSystem,SavedObjects} from configs

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jul 21, 2021
@jloleysens
Merge branch 'master' of github.com:elastic/kibana into reporting/onl…
5160a33 
…y-show-migrate-to-authzd-users

* 'master' of github.com:elastic/kibana: (48 commits)
  [Canvas] Expression shape (elastic#103219)
  [FTR] Skips Vega tests
  [Sample data] Use Lens in ecommerce data (elastic#106039)
  [APM] Backends inventory & overview page routes (elastic#106223)
  [TSVB] Add more functional tests for Gauge and TopN (elastic#105361)
  Add toggle to enable/disable rule install from SOs (elastic#106189)
  Improve unit test coverage of FS API calls (elastic#106242)
  Remove recursive plugin status in meta field (elastic#106286)
  [Ingest pipelines] add community id processor (elastic#103863)
  [XY axis] Fixes the values inside bar charts (elastic#106198)
  [data.search] Set default expiration to 1m if search sessions are disabled (elastic#105329)
  set the doc title when navigating to reporting and unset when navigating away (elastic#106253)
  [Lens] Display legend inside chart (elastic#105571)
  [RAC] [TGrid] Migrate the TGrid's rendering to `EuiDataGrid` (elastic#106199)
  [Security Solutions] Removes the elastic legacy client from lists and security_solution plugins (elastic#106130)
  [Enterprise Search] Require security plugin in 8.0 (elastic#106307)
  [DOCS] Updates screenshots in Dev Tools docs (elastic#105859)
  [DOCS] Updates text and screenshots in tags doc (elastic#105853)
  [Alerting] Allow rule types to extract/inject saved object references on rule CRU (elastic#101896)
  Jest and Storybook fixes (elastic#104991)
  ...

# Conflicts:
#	x-pack/plugins/reporting/public/plugin.ts
@rw-access rw-access deleted the ci/disable-fleet-security-rules branch July 21, 2021 15:14
@rw-access rw-access mentioned this pull request Jul 21, 2021
Merged
rw-access added a commit that referenced this pull request Jul 21, 2021
@rw-access
[7.14] Add toggle to enable/disable rule install from SOs (#106189) (#…
b846ad6 
…106418)

* Add toggle to enable/disable rule install from SOs
* Fix lint and type tests
* Fix types for tests
* Enable prebuiltRulesFromSavedObjects with extra rules in fleet
* Restore rules and disable prebuiltRulesFromSavedObjects
* Pass explicit arguments instead of full config
* Set values in 'endpoint' setup
* Propagate prebuiltRulesFrom{FileSystem,SavedObjects} from configs
@FrankHassanabad FrankHassanabad mentioned this pull request Jul 22, 2021
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FrankHassanabad FrankHassanabad FrankHassanabad approved these changes

@jbudz jbudz jbudz approved these changes

@paul-tavares paul-tavares paul-tavares approved these changes

@academo academo Awaiting requested review from academo

@parkiino parkiino Awaiting requested review from parkiino

Assignees
No one assigned
Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes v7.14.0 v7.15.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Security Solutions] Add a setting to disable cloud rules for our CI system
6 participants
@rw-access @kibanamachine @academo @FrankHassanabad @jbudz @paul-tavares