Add necessary privileges to apps using alerting

[peterschretlen]

Right now SIEM is the only app with alerting and actions privileges. Until features privileges is fully supported, we should add permissions to:

• Uptime
• APM ( done in [APM] Threshold alerts  #59566 )
• Metrics

This snippet shows how it is done for SIEM, we would do the same in other apps:

kibana/x-pack/legacy/plugins/siem/server/plugin.ts

Lines 86 to 144 in 875e2a5

	plugins.features.registerFeature({
	id: this.name,
	name: i18n.translate('xpack.siem.featureRegistry.linkSiemTitle', {
	defaultMessage: 'SIEM',
	}),
	icon: 'securityAnalyticsApp',
	navLinkId: 'siem',
	app: ['siem', 'kibana'],
	catalogue: ['siem'],
	privileges: {
	all: {
	api: ['siem', 'actions-read', 'actions-all', 'alerting-read', 'alerting-all'],
	savedObject: {
	all: [
	'alert',
	'action',
	'action_task_params',
	noteSavedObjectType,
	pinnedEventSavedObjectType,
	timelineSavedObjectType,
	ruleStatusSavedObjectType,
	],
	read: ['config'],
	},
	ui: [
	'show',
	'crud',
	'alerting:show',
	'actions:show',
	'alerting:save',
	'actions:save',
	'alerting:delete',
	'actions:delete',
	],
	},
	read: {
	api: ['siem', 'actions-read', 'actions-all', 'alerting-read', 'alerting-all'],
	savedObject: {
	all: ['alert', 'action', 'action_task_params'],
	read: [
	'config',
	noteSavedObjectType,
	pinnedEventSavedObjectType,
	timelineSavedObjectType,
	ruleStatusSavedObjectType,
	],
	},
	ui: [
	'show',
	'alerting:show',
	'actions:show',
	'alerting:save',
	'actions:save',
	'alerting:delete',
	'actions:delete',
	],
	},
	},
	});

Alerting/Actions management UI capabilities have explicit checks on the SIEM feature, this may need some rework:

kibana/x-pack/plugins/triggers_actions_ui/public/application/lib/capabilities.ts

Lines 13 to 25 in 8951424

	export function hasShowAlertsCapability(capabilities: any): boolean {
	if (capabilities.siem && capabilities.siem['alerting:show']) {
	return true;
	}
	return false;
	}
	export function hasShowActionsCapability(capabilities: any): boolean {
	if (capabilities.siem && capabilities.siem['actions:show']) {
	return true;
	}
	return false;
	}

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

Some notes while I work on this ...

The following files need changes

• https://github.com/elastic/kibana/blob/master/x-pack/plugins/uptime/server/kibana.index.ts (uptime)
• https://github.com/elastic/kibana/blob/master/x-pack/plugins/infra/server/features.ts (metrics)
• https://github.com/elastic/kibana/blob/master/x-pack/plugins/triggers_actions_ui/public/application/lib/capabilities.ts (add ids for uptime and metrics)

Metrics is under infra, which also includes logs, so it's not as 1-1 as uptime.

To repro not being able to see alerts with these users now, I created the following role and user:

role: alerting_uptime_metrics

• cluster privileges: all
• space privilege: global; everything NONE but uptime/metrics ALL - but you should test them independently - only one on at a time

user: al (erting)

• roles: alerting_uptime_metrics, monitoring_user, transport_client (added randomly, thought I might need it), apm_user

Logged in as this user, the Alerts and Actions management app does not appear.

In order to create an index threshold alert, you'll need to have an index pattern for the index to read from. I'm using es-apm-sys-sim, and so started it, then created an index pattern for it. You'll then need to add this under Index Privileges for the role created, and can give it the all permission,