Action connectors can be imported/exported with rules #2892

Closed
9 tasks done
nastasha-solomon opened this issue Jan 17, 2023 · 0 comments · Fixed by #3021
nastasha-solomon commented Jan 17, 2023

Description

With elastic/kibana#148703, users can now import and export connectors while importing/exporting rules. Previously, they had to export/import connectors in a separate workflow from the Saved Objects page.

Doc updates

The use cases that need to be doc'd are:

  • Exporting rules with action connectors: Now, when users export a rule with actions and connectors, the ndjson file contains the actions and the action connectors.
    • Update description of what's included in the export file and remove statement that "connectors used by the actions are not included". Content that needs to be refreshed is in third bullet under Export and import rules.
  • Importing rules with action connectors when the connector is already in the space: Follow normal flow for exporting and importing rules.
  • Importing rules with action connectors when there is a connector in the space that has the same (a conflicting?) action ID: Users might import rules with connectors that are being used by other rules -- this can happen if a preconfigured connector was copied multiple times. Or, they might not have deleted the connector before importing the rules. When either of these situations happens, an option to overwrite existing connectors with a conflicting action id appears in the modal.
    • Document the Overwrite existing connectors with conflicting action "id" option under step 3 in the Export and import rules section.
    • Need to add the new overwrite_action_connectors parameter here for the import rules API. The parameter type is Boolean.
    • In the Import rules API and Export rules API docs, will need to update description of what's included in the export file and remove statement that "connectors used by the actions are not included".
  • Importing rules with action connectors that need to be re-authenticated/need sensitive info re-applied: When users export a connector, the export API wipes secure data so users will need to "fix" the connector (e.g., re-enter authentication details) after they import the connector. To do this, they should click Go to connectors within the Import rules modal. This will bring them to the Connectors page (Management -> Stack Management -> Connectors) where they can find the appropriate connector, and then click the Fix option.
    • Document this flow in the steps for importing a connector (might be appropriate to add as another optional step before step c.)

Questions

  • Q: What privs do users need for the Action and Connectors feature when overwriting an existing connector with a conflicting action ID?
    • A: User needs All Action and Connector Kibana privs or they'll get an error message saying their privs are insufficient. Users can however import connectors without overwriting conflicting action IDs with Read only Action and Connector Kibana privs.
  • Q: What happens when users import a rule that uses a connector that already exists within their Kibana space? Does the imported rule's connector overwrite the existing connector or is an error thrown?
    • A: The rule and connector import without any errors.
  • Q: Can users complete the rule import process without addressing connector issues? For example, can they skip fixing connectors or overwriting existing duplicates?
    • A: Looks like users can click cancel to close the Import rules pane and then go to the Connectors page to fix issues at any time.

Test the following

Notes

  • Users can still use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before exporting and importing detection rules. Can keep this "old" flow in the rule export docs, but should highlight the "new" flow in 8.7.
  • Required privs for importing rules with actions and connectors:
    • Index privs: Need access to managing alert, SIEM signals, lists, and item indices (this is already doc'd)
    • Kibana feature: Privs based on what user needs to do:
      • Import rule with action connectors without overwriting the existing connector: Min req privs are Read.
      • Import rule with action connectors and overwrite the existing connector: Min req privs are All.
      • Import rule with new action connector: Min req privs are All.
@nastasha-solomon nastasha-solomon self-assigned this Jan 17, 2023
@nastasha-solomon nastasha-solomon changed the title [DOCS] Action connectors can be imported/exported with rules Action connectors can be imported/exported with rules Jan 18, 2023