-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[Fleet][Endpoint][RBAC V2] Update fleet router and config to allow AP…
…I access via RBAC controls (#145361) ## Summary > **Note** > This PR is adding changes only to some of `api/fleet/package_policies` API routes, there will be subsequent PRs after this to update `api/fleet/epm/packages`, `api/fleet/agent_policeis` and, `api/fleet/agent_status`. This PR introduces the framework needed in fleet in order to be able to support Package level Privileges - meaning: if a user does not have authorization granted via Fleet and/or Integration privileges, then package level privileges are check and API access granted. When access is granted based on Package Privileges, the data is also validated to ensure that it is limited to the integration package names that were given authorization to the API. The following APIs were updated to leverage this new framework: - Integration Package Policy list API - Integration Package Policy get one API - Integration Package Policy update one API - Integration Package Policy bulk get API > ℹ️ these API were updated in support of Endpoint use cases needed for v8.7. Example of API error for Package policies api: ```json5 { "statusCode": 403, "error": "Forbidden", "message": "Authorization denied to [package.name=fleet_server]. Allowed package.name's: endpoint" } ``` ___________ To test: 1. Log in as `elastic`/superuser and create some agent policies. 1. Under `Stack Management`, create a role `policy_role` with the following RBAC settings. **DO NOT** select `Fleet -> All` or toggle `Integrations`. Leave those RBAC toggles set to `None` <img width="610" alt="Screenshot 2022-11-16 at 14 45 15" src="https://user-images.githubusercontent.com/1849116/202196962-9123e380-3b8f-4d52-97f9-8af895fb4c26.png"> 2. Create a user e.g. `policy_user` and assign them _only_ the above role. **NOT** `superuser`. 3. Login with this user and navigate to `app/security/administration/policy` or curl/postman. 4. Expect to see the following: - GET `api/fleet/epm/packages?category=security` should return a `403` status. - GET `api/fleet/package_policies?page=1&perPage=10&kuery=ingest-package-policies.package.name%3A%20endpoint` should return a list of policies. - GET `/api/fleet/package_policies/<packagePolicyId>` should return a `200` and a signle item that has the policie's details. Note that the package name of this item is `endpoint`. - there should be a POST API request matching `api/fleet/agent_policies/_bulk_get`, and should return a `403`. 5. With `Policy Management` RBAC set to `All` - PUT `http://localhost:5601/api/fleet/package_policies/<packagePolicyId>` should return a `200` with the updated policy details as response ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: Paul Tavares <[email protected]>
- Loading branch information
1 parent
d1e7f50
commit b1a75ae
Showing
40 changed files
with
1,405 additions
and
483 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.