Ability scopes and infra availability checks for Advanced VM using ES
Advanced VM using ES should be available only when an instance has Elasticsearch installed and, for the MVC, only on SaaS (GitLab.com) and Dedicated instances.
So introduce a policy ability that checks the installation type and ES availability and grants the ability to the current user; the frontend reads this ability to decide what to render.
For the backend ingestion logic we can use a method inside the models. API gating should still go through the policy ability (the frontend ability is only a hint, never the enforcement point), and the model method and the policy must consult the same feature flag so that the UI and the ingestion path cannot disagree about whether ES is in use.
Implementation proposal:
Model
  # Lives on a model that belongs to a vulnerability (hence `vulnerability.project`);
  # it gates ingestion only and is not user-specific.
  def use_elasticsearch?
    # Global instance checks (not user-specific)
    return false unless Gitlab::CurrentSettings.elasticsearch_indexing?
    return false unless Gitlab.com? || Gitlab::CurrentSettings.gitlab_dedicated_instance?

    # Optional project/group checks
    project = vulnerability&.project
    return false unless project&.licensed_feature_available?(:security_dashboard)

    # During the transition period, also check the feature flag.
    # NB: the policy below must check the same flag, otherwise UI and ingestion diverge.
    ::Feature.enabled?(:vulnerability_es_ingestion, project, type: :gitlab_com_derisk) ||
      (vulnerability.group && ::Feature.enabled?(:vulnerability_es_ingestion, vulnerability.group, type: :gitlab_com_derisk))
  end
Controller
  before_action do
    push_frontend_ability(ability: :advanced_vulnerability_management_using_es, resource: @vulnerability, user: current_user)
  end
VulnerabilityPolicy
  # Condition for Elasticsearch-based advanced vulnerability management
  condition(:elasticsearch_enabled) do
    # Check if global instance settings allow ES usage
    Gitlab::CurrentSettings.elasticsearch_indexing? &&
      (Gitlab.com? || Gitlab::CurrentSettings.gitlab_dedicated_instance?)
  end

  # Condition for user-specific ES permissions
  condition(:can_access_advanced_es_features) do
    # User must have security resource access (delegated to the project policy)
    can?(:read_security_resource) &&
      # During the transition period, also check the feature flag.
      # NB: use the same flag name as the model's use_elasticsearch? so both gates agree;
      # a user-scoped flag enables the UI but does not switch ingestion on.
      (
        ::Feature.enabled?(:advanced_vulnerability_management, @subject.group) ||
        ::Feature.enabled?(:advanced_vulnerability_management, @subject.project) ||
        ::Feature.enabled?(:advanced_vulnerability_management, @user)
      )
  end

  # Rule for advanced ES-based vulnerability management
  rule { elasticsearch_enabled & can_access_advanced_es_features }.enable :advanced_vulnerability_management_using_es
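The two gates above only work if they agree for the same project. The following is an added example, not GitLab code and not part of this proposal: a plain-Ruby model of the policy rule and the model method, with stand-ins (InstanceSettings, FeatureFlags, Project, Group, User, Vuln; all assumed names) for Gitlab::CurrentSettings, ::Feature and the real models, so the combinations can be exercised without Rails or Elasticsearch. It also shows the divergence case: a flag enabled for a user only grants the frontend ability while ingestion stays off.

```ruby
# Added example (not GitLab code): plain-Ruby stand-ins for the two gates in the
# proposal so their combination can be exercised without Rails, a database or ES.
# InstanceSettings, FeatureFlags, Project, Group, User and Vuln are illustrative
# substitutes for Gitlab::CurrentSettings, ::Feature and the real models/policy.

InstanceSettings = Struct.new(:elasticsearch_indexing, :gitlab_com, :dedicated, keyword_init: true)

# Minimal ::Feature stand-in: a flag is enabled for explicitly listed actors only.
class FeatureFlags
  def initialize
    @actors = Hash.new { |h, k| h[k] = [] }
  end

  def enable(flag, actor)
    @actors[flag] << actor
    self
  end

  def enabled?(flag, actor)
    !actor.nil? && @actors[flag].include?(actor)
  end
end

Group   = Struct.new(:name)
Project = Struct.new(:name, :group, :security_dashboard_licensed, keyword_init: true)
User    = Struct.new(:name, :can_read_security_resource, keyword_init: true)
Vuln    = Struct.new(:project) do
  def group
    project&.group
  end
end

FLAG = :advanced_vulnerability_management

# Instance-wide checks shared by both gates (the policy condition :elasticsearch_enabled).
def elasticsearch_enabled?(settings)
  settings.elasticsearch_indexing && (settings.gitlab_com || settings.dedicated)
end

# Backend ingestion gate, mirroring the proposed model method use_elasticsearch?
# (actor is project or group only; a user-scoped flag must not switch ingestion on).
def use_elasticsearch?(vuln, settings:, flags:)
  return false unless elasticsearch_enabled?(settings)
  project = vuln.project
  return false unless project&.security_dashboard_licensed
  flags.enabled?(FLAG, project) || flags.enabled?(FLAG, vuln.group)
end

# Frontend/API gate, mirroring the policy rule for :advanced_vulnerability_management_using_es.
def advanced_vm_using_es?(user, vuln, settings:, flags:)
  return false unless elasticsearch_enabled?(settings)
  return false unless user.can_read_security_resource
  [vuln.group, vuln.project, user].any? { |actor| flags.enabled?(FLAG, actor) }
end

# Evaluate both gates together. A result where they disagree is the case to watch:
# the UI would offer ES-backed views that ingestion never populated.
def gate_report(user, vuln, settings:, flags:)
  ui = advanced_vm_using_es?(user, vuln, settings: settings, flags: flags)
  ingest = use_elasticsearch?(vuln, settings: settings, flags: flags)
  { ui: ui, ingestion: ingest, consistent: ui == ingest }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data for a SaaS instance with indexing on.
  saas = InstanceSettings.new(elasticsearch_indexing: true, gitlab_com: true, dedicated: false)
  group = Group.new("sec")
  project = Project.new(name: "app", group: group, security_dashboard_licensed: true)
  user = User.new(name: "alice", can_read_security_resource: true)
  vuln = Vuln.new(project)

  p gate_report(user, vuln, settings: saas, flags: FeatureFlags.new.enable(FLAG, project))
  p gate_report(user, vuln, settings: saas, flags: FeatureFlags.new.enable(FLAG, user))
end
```

Run it as a script: the first report is consistent (project-scoped flag), the second shows the user-scoped flag turning the ability on with ingestion still off, which is why the proposal's rollout should enable the flag per project or group rather than per user.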
Edited by Bala Kumar