
Index templates for Wazuh Server RBAC migration #288

Open
3 tasks done
AlexRuiz7 opened this issue Feb 20, 2025 · 3 comments · May be fixed by #303
Labels
level/task Task issue type/enhancement Enhancement issue

Comments

@AlexRuiz7 · Member

AlexRuiz7 commented Feb 20, 2025

Description

Related issue: wazuh/wazuh#27795

In order to migrate the Wazuh Server RBAC (role-based access control), we need to generate the index templates to migrate the databases used for it. We need to generate index templates for the users and roles tables described here.

The rules and policies entities could be inserted under the roles entity, as follows:

// roles
{
  "id": "uuid",
  "name": "role-name",
  "created_at": "timestamp",
  "rules": [],
  "policies": []
}

// users
{
  "id": "uuid",
  "username": "user-name",
  "password": "user-password",
  "allow_run_as": false,
  "created_at": "timestamp",
  "roles": ["role-1", "role-2"]
}

Consider using indices for the policies entity as well, for reusability.

Functional requirements

  • An index template is generated for each entity.
  • Index templates and initial indices are created on start.

Implementation restrictions

  • The index templates are ECS compliant.
  • The index templates are located under the ecs folder, so they are autogenerated by the GitHub Workflow.

Plan

  • Generate the index templates
  • Add them to the setup plugin.
  • Index templates and initial indices are created on start.
@GGP1 · Member

GGP1 commented Feb 24, 2025

@wazuh-devel-xdrsiem-indexer

After reviewing how we access and use the information in the current RBAC implementation, I found that it would be better from the server's perspective to have 4 separate indices, one for each entity (users, roles, rules and policies).

This is because we are accessing them separately and listing all the available items at once, instead of getting users and their relationships.

For example, listing all policies with just two indices would require the server to request all roles, list all the role's policies, compare them against the others to validate that they are unique (as they could be repeated) and add them to the list. On the other hand, with 4 indices, we would just get all items present in an index and return that.

To fix this, we could have 4 indices (users, roles, policies, rules) with the following structure:

Users
id: "id"
name: "name"
password: "password_hash"
allow_run_as: false
created_at: 0
roles: ["role_id_1", "role_id_2"]
Roles
id: "id"
name: "admin"
created_at: 0
level: 0
policies: ["policy_id_1", "policy_id_2"]
rules: ["rule_id_1", "rule_id_2"]
Policies
id: "id"
name: "policy"
actions: ["agent:create"]
resources: ["*:*:*"]
effect: "allow"
level: 0
created_at: 0
Rules
id: "id"
name: "rule"
body:
  FIND|MATCH:
    username: "admin"
created_at: 0

The rule's body is dynamic; it can be either FIND, MATCH or FIND$ and MATCH$. The $ symbol represents an exact match and could be replaced with another field like exact: true|false.

Note

Usernames and names must be unique, so we could use them as IDs.

@wazuhci wazuhci moved this from Backlog to In progress in XDR+SIEM/Release 5.0.0 Mar 6, 2025
@QU3B1M QU3B1M linked a pull request Mar 6, 2025 that will close this issue
@QU3B1M · Member

QU3B1M commented Mar 6, 2025

The new index templates were generated and implemented alongside the ECS mappings and fields definitions on the PR:

Please, review the defined query.default_field to be the corresponding:

  • Policies:
    "query.default_field": [
      "policy.name",
      "policy.level",
      "policy.effect"
    ]
  • Roles:
    "query.default_field": [
      "role.name",
      "role.level"
    ]
  • Rules:
    "query.default_field": [
      "rule.name"
    ]
  • Users:
    "query.default_field": [
      "user.username",
      "user.allow_run_as",
      "user.roles"
    ]
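The following is an added example (not code from the wazuh-indexer project or from this thread) that builds one index template per entity using the query.default_field lists above, and then audits each template: every default search field must resolve to a mapped field, and no sensitive field such as password may be searched by default. The index pattern names and the field types are assumptions; the entity fields and default_field lists come from this thread.

```python
"""Build per-entity index templates for the four-index RBAC design and audit
their query.default_field settings against the mappings.

Added example, not the wazuh-indexer project's own code. Field types and the
index pattern names are assumptions; the template shape is the OpenSearch
composable index template (index_patterns, template.settings, template.mappings).
"""
import json

# Constructed entity field definitions, taken from the entity structures in
# this thread (the field types are an assumption for illustration).
ENTITY_FIELDS = {
    "user": {"username": "keyword", "password": "keyword", "allow_run_as": "boolean",
             "created_at": "date", "roles": "keyword"},
    "role": {"name": "keyword", "created_at": "date", "level": "integer",
             "policies": "keyword", "rules": "keyword"},
    "policy": {"name": "keyword", "actions": "keyword", "resources": "keyword",
               "effect": "keyword", "level": "integer", "created_at": "date"},
    "rule": {"name": "keyword", "body": "object", "created_at": "date"},
}

# query.default_field lists as proposed in this thread.
DEFAULT_FIELDS = {
    "policy": ["policy.name", "policy.level", "policy.effect"],
    "role": ["role.name", "role.level"],
    "rule": ["rule.name"],
    "user": ["user.username", "user.allow_run_as", "user.roles"],
}

# Field names that must never be matched by an unqualified free-text query.
SENSITIVE_SUFFIXES = ("password",)


def build_template(entity: str) -> dict:
    """Return an index template for one entity (pattern name is an assumption)."""
    props = {name: {"type": typ} for name, typ in ENTITY_FIELDS[entity].items()}
    return {
        "index_patterns": [f"wazuh-{entity}s*"],
        "template": {
            "settings": {"index": {"query.default_field": DEFAULT_FIELDS[entity]}},
            "mappings": {"properties": {entity: {"properties": props}}},
        },
    }


def mapped_paths(properties: dict, prefix: str = "") -> set:
    """Flatten a mappings 'properties' tree into dotted field paths."""
    paths = set()
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        paths.add(path)
        if "properties" in spec:
            paths |= mapped_paths(spec["properties"], path + ".")
    return paths


def audit_default_fields(template: dict) -> list:
    """Return the problems found in query.default_field: entries that are not
    mapped, and entries that would expose a sensitive field to default search."""
    fields = template["template"]["settings"]["index"]["query.default_field"]
    known = mapped_paths(template["template"]["mappings"]["properties"])
    problems = []
    for field in fields:
        if field not in known:
            problems.append(f"{field}: not present in mappings")
        if field.split(".")[-1] in SENSITIVE_SUFFIXES:
            problems.append(f"{field}: sensitive field must not be a default search field")
    return problems


def audit_all() -> dict:
    """Audit every entity template; an empty list means the template is clean."""
    return {entity: audit_default_fields(build_template(entity)) for entity in ENTITY_FIELDS}


if __name__ == "__main__":
    for entity, problems in audit_all().items():
        print(entity, "OK" if not problems else problems)
    print(json.dumps(build_template("role"), indent=2))
```

The audit is worth running whenever a template is regenerated: a default_field entry that does not exist in the mappings is silently ignored by the search engine, so a typo there degrades search without any error, and a hash field that lands in the default search list becomes queryable by anyone who can run a free-text query against the index.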

@QU3B1M · Member

QU3B1M commented Mar 11, 2025

Until now, the design considered one index per entity and related them by referencing their IDs. We understand that this is not ideal for a multi-tenant environment and that a single large index is better than multiple small ones.

For this reason, we aim to have only two indexes: one containing the default resources (which will be used by all tenants) and the other containing all the tenant's custom information.

Each document will include all the necessary information: users, roles, policies, and rules; these elements will be duplicated across documents if needed.

We will have two indices with the same template: one will be hidden to hold Wazuh's default RBAC configurations, and the other will be for the custom ones.

All-in-one index example structure:

# Hidden (default/internal) wazuh-internal-users
# Non-hidden (user customized) wazuh-custom-users
- id: "id"
  name: "name"
  password: "password_hash"
  allow_run_as: false
  created_at: 0
  roles:
    - name: "admin"
      created_at: 0
      level: 0
      policies:
        - name: "policy-one"
          actions: ["agent:create"]
          resources: ["*:*:*"]
          effect: "allow"
          level: 0
          created_at: 0
        - name: "policy-two"
          actions: ["agent:remove"]
          resources: ["*:*:*"]
          effect: "allow"
          level: 0
          created_at: 0
      rules:
        - name: "rule-one"
          body: {}
          created_at: 0

Mapping setting

"query.default_field": [
  "user.name",
  "user.roles.name",
  "user.roles.policies.name",
  "user.roles.rules.name"
]
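An added example (not code from the wazuh-indexer project or from this thread) that works with the all-in-one document shape above: it lists the distinct roles, policies and rules across both indices, which is the de-duplication step this nested design requires because the same role is embedded in many user documents, and it shows which values each nested query.default_field path resolves to for a given document. The sample documents are constructed; wrapping each document under a top-level "user" object is an assumption made so that the mapping paths (user.roles.policies.name) line up with the document.

```python
"""Query the all-in-one RBAC document shape: list distinct nested entities
across both indices and resolve the nested query.default_field paths.

Added example, not the wazuh-indexer project's own code. Sample documents are
constructed here; the top-level "user" wrapper is an assumption that matches
the dotted mapping paths used in the thread."""
import copy

# Constructed sample role, embedded in more than one user document below, so
# its policies and rules are duplicated across documents as the design allows.
ADMIN_ROLE = {
    "name": "admin", "created_at": 0, "level": 0,
    "policies": [
        {"name": "policy-one", "actions": ["agent:create"], "resources": ["*:*:*"],
         "effect": "allow", "level": 0, "created_at": 0},
        {"name": "policy-two", "actions": ["agent:remove"], "resources": ["*:*:*"],
         "effect": "allow", "level": 0, "created_at": 0},
    ],
    "rules": [{"name": "rule-one", "body": {}, "created_at": 0}],
}

READONLY_ROLE = {
    "name": "readonly", "created_at": 0, "level": 1,
    "policies": [
        {"name": "policy-three", "actions": ["agent:read"], "resources": ["*:*:*"],
         "effect": "allow", "level": 0, "created_at": 0},
    ],
    "rules": [],
}

# Constructed contents of the hidden (default) index and the custom index.
INDICES = {
    "wazuh-internal-users": [
        {"user": {"id": "wazuh", "name": "wazuh", "password": "password_hash",
                  "allow_run_as": False, "created_at": 0,
                  "roles": [copy.deepcopy(ADMIN_ROLE)]}},
    ],
    "wazuh-custom-users": [
        {"user": {"id": "alice", "name": "alice", "password": "password_hash",
                  "allow_run_as": False, "created_at": 0,
                  "roles": [copy.deepcopy(ADMIN_ROLE), copy.deepcopy(READONLY_ROLE)]}},
    ],
}

# query.default_field as proposed for the all-in-one template.
DEFAULT_FIELDS = [
    "user.name", "user.roles.name", "user.roles.policies.name", "user.roles.rules.name",
]


def list_entity(indices: dict, entity: str) -> list:
    """Return the sorted distinct names of 'roles', 'policies' or 'rules' across
    every document in every index. Names are unique per the thread, so they are
    the de-duplication key for a 'list all policies' request."""
    seen = set()
    for docs in indices.values():
        for doc in docs:
            for role in doc["user"]["roles"]:
                items = [role] if entity == "roles" else role[entity]
                seen.update(item["name"] for item in items)
    return sorted(seen)


def resolve_path(doc: dict, path: str) -> set:
    """Collect the scalar values reachable at a dotted field path, descending
    into lists: this is how a path such as user.roles.policies.name fans out
    over one nested document."""
    nodes = [doc]
    for part in path.split("."):
        next_nodes = []
        for node in nodes:
            if isinstance(node, dict) and part in node:
                value = node[part]
                next_nodes.extend(value if isinstance(value, list) else [value])
        nodes = next_nodes
    return {n for n in nodes if isinstance(n, (str, int, float, bool))}


def default_field_values(doc: dict) -> dict:
    """Map each default search field to the values a free-text query is
    matched against for this document."""
    return {path: resolve_path(doc, path) for path in DEFAULT_FIELDS}


if __name__ == "__main__":
    for entity in ("roles", "policies", "rules"):
        print(entity, list_entity(INDICES, entity))
    print(default_field_values(INDICES["wazuh-custom-users"][0]))
```

Running the block over the constructed indices shows the trade-off discussed in this thread: the nested layout answers "what can alice do" from a single document, while "list all policies" has to walk every document and collapse duplicates by name, and any nested path under user.roles is matched by a default search only if it is listed explicitly in query.default_field.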

@wazuhci wazuhci moved this from In progress to Pending review in XDR+SIEM/Release 5.0.0 Mar 12, 2025
@wazuhci wazuhci moved this from Pending review to In review in XDR+SIEM/Release 5.0.0 Mar 12, 2025
@wazuhci wazuhci moved this from In review to Pending review in XDR+SIEM/Release 5.0.0 Mar 13, 2025
@wazuhci wazuhci moved this from Pending review to Pending final review in XDR+SIEM/Release 5.0.0 Mar 13, 2025
Projects
Status: Pending final review