[Fleet] Allow package to specify cluster privileges
nchaulet committed Oct 14, 2021
1 parent 8d1c96c commit e9a1c80
Showing 9 changed files with 185 additions and 22 deletions.
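--- a/x-pack/plugins/fleet/common/types/models/epm.ts
+++ b/x-pack/plugins/fleet/common/types/models/epm.ts
@@ -125,6 +125,11 @@ interface RegistryAdditionalProperties {
 readme?: string;
 internal?: boolean; // Registry addition[0] and EPM uses it[1] [0]: https://github.com/elastic/package-registry/blob/dd7b021893aa8d66a5a5fde963d8ff2792a9b8fa/util/package.go#L63 [1]
 data_streams?: RegistryDataStream[]; // Registry addition [0] [0]: https://github.com/elastic/package-registry/blob/dd7b021893aa8d66a5a5fde963d8ff2792a9b8fa/util/package.go#L65
+elasticsearch?: {
+privileges?: {
+cluster?: string[];
+};
+};
 }
 interface RegistryOverridePropertyValue {
 icons?: RegistryImage[];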
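Review bot: `cluster?: string[]` on `RegistryAdditionalProperties` accepts any string and carries no comment, unlike the `internal` and `data_streams` additions above it, which at least point to their registry source. The permissions hunk in this commit copies this list into the agent's role descriptor, so the type is where a reader should learn that; I would add `// Cluster privileges the package asks Fleet to grant to the agent's Elasticsearch role` above the field. The same inline shape is repeated on `NewPackagePolicy` in package_policy.ts, so one named type shared by both (for example `PackageElasticsearchPrivileges`, a name I am proposing) would keep the two declarations from drifting apart.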
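--- a/x-pack/plugins/fleet/common/types/models/package_policy.ts
+++ b/x-pack/plugins/fleet/common/types/models/package_policy.ts
@@ -65,6 +65,11 @@ export interface NewPackagePolicy {
 package?: PackagePolicyPackage;
 inputs: NewPackagePolicyInput[];
 vars?: PackagePolicyConfigRecord;
+elasticsearch?: {
+privileges?: {
+cluster?: string[];
+};
+};
 }
 
 export interface UpdatePackagePolicy extends NewPackagePolicy {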
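Review bot: Adding `elasticsearch.privileges.cluster` to `NewPackagePolicy` also adds it to `UpdatePackagePolicy`, which extends it two lines below, so both shapes now accept a privilege list. If these interfaces describe what API callers may submit (not visible on this page), the privileges stop being purely a property of the package manifest. The service should either overwrite the field from the registry package info on every create and update or reject it in the request schema; the service file is not shown here, so this needs confirming. A comment on the field such as `// Derived from the package manifest; never taken from the request` would record the intent.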
2 changes: 1 addition & 1 deletion x-pack/plugins/fleet/server/mocks/index.ts
@@ -65,7 +65,7 @@ export const xpackMocks = {

export const createPackagePolicyServiceMock = (): jest.Mocked<PackagePolicyServiceInterface> => {
return {
compilePackagePolicyInputs: jest.fn(),
_compilePackagePolicyInputs: jest.fn(),
buildPackagePolicyFromPackage: jest.fn(),
bulkCreate: jest.fn(),
create: jest.fn(),
@@ -35,7 +35,7 @@ jest.mock(
} => {
return {
packagePolicyService: {
compilePackagePolicyInputs: jest.fn((packageInfo, vars, dataInputs) =>
_compilePackagePolicyInputs: jest.fn((registryPkgInfo, packageInfo, vars, dataInputs) =>
Promise.resolve(dataInputs)
),
buildPackagePolicyFromPackage: jest.fn(),
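--- a/x-pack/plugins/fleet/server/saved_objects/index.ts
+++ b/x-pack/plugins/fleet/server/saved_objects/index.ts
@@ -236,6 +236,16 @@ const getSavedObjectTypes = (
 version: { type: 'keyword' },
 },
 },
+elasticsearch: {
+enabled: false,
+properties: {
+privileges: {
+properties: {
+cluster: { type: 'keyword' },
+},
+},
+},
+},
 vars: { type: 'flattened' },
 inputs: {
 type: 'nested',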
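Review bot: With `enabled: false` on `elasticsearch`, Elasticsearch skips parsing and indexing of the whole object, so the nested `privileges.cluster: { type: 'keyword' }` mapping has no effect. The practical consequence is that saved objects cannot be searched or aggregated to find which package policies carry cluster privileges, which is the query an operator would want when auditing grants. Either drop `enabled: false` so `cluster` is indexed as a keyword, or keep it and state the trade-off with a comment such as `// stored only in _source; not searchable`.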
@@ -277,6 +277,103 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
});
});

it('Returns the cluster privileges if there is one in the package policy', async () => {
getPackageInfoMock.mockResolvedValueOnce({
name: 'test-package',
version: '0.0.0',
latestVersion: '0.0.0',
release: 'experimental',
format_version: '1.0.0',
title: 'Test Package',
description: '',
icons: [],
owner: { github: '' },
status: 'not_installed',
assets: {
kibana: {
dashboard: [],
visualization: [],
search: [],
index_pattern: [],
map: [],
lens: [],
security_rule: [],
ml_module: [],
tag: [],
},
elasticsearch: {
component_template: [],
ingest_pipeline: [],
ilm_policy: [],
transform: [],
index_template: [],
data_stream_ilm_policy: [],
},
},
data_streams: [
{
type: 'logs',
dataset: 'some-logs',
title: '',
release: '',
package: 'test-package',
path: '',
ingest_pipeline: '',
streams: [{ input: 'test-logs', title: 'Test Logs', template_path: '' }],
},
],
});

const packagePolicies: PackagePolicy[] = [
{
id: '12345',
name: 'test-policy',
namespace: 'test',
enabled: true,
package: { name: 'test-package', version: '0.0.0', title: 'Test Package' },
elasticsearch: {
privileges: {
cluster: ['monitor/main'],
},
},
inputs: [
{
type: 'test-logs',
enabled: true,
streams: [
{
id: 'test-logs',
enabled: true,
data_stream: { type: 'logs', dataset: 'some-logs' },
compiled_stream: { data_stream: { dataset: 'compiled' } },
},
],
},
],
created_at: '',
updated_at: '',
created_by: '',
updated_by: '',
revision: 1,
policy_id: '',
output_id: '',
},
];

const permissions = await storedPackagePoliciesToAgentPermissions(soClient, packagePolicies);
expect(permissions).toMatchObject({
'test-policy': {
indices: [
{
names: ['logs-compiled-test'],
privileges: ['auto_configure', 'create_doc'],
},
],
cluster: ['monitor/main'],
},
});
});

it('Returns the dataset for osquery_manager package', async () => {
getPackageInfoMock.mockResolvedValueOnce({
format_version: '1.0.0',
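Review bot: The new test covers only the case where `cluster` is set, and it checks the result with `toMatchObject`, which still passes when extra keys are present. A companion case should assert that a policy without `elasticsearch.privileges.cluster`, or with an empty array, produces a permissions entry with no `cluster` key, for example `expect(permissions['test-policy']).not.toHaveProperty('cluster');`. The earlier tests in this describe block are outside the hunk, so one of them may already pin this down.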
@@ -121,12 +121,25 @@ export async function storedPackagePoliciesToAgentPermissions(
});
}

let clusterRoleDescriptor = {};
if (
packagePolicy.elasticsearch &&
packagePolicy.elasticsearch.privileges &&
packagePolicy.elasticsearch.privileges.cluster &&
packagePolicy.elasticsearch.privileges.cluster.length > 0
) {
clusterRoleDescriptor = {
cluster: packagePolicy.elasticsearch.privileges.cluster,
};
}

return [
packagePolicy.name,
{
indices: dataStreamsForPermissions.map((ds) =>
getDataStreamPrivileges(ds, packagePolicy.namespace)
),
...clusterRoleDescriptor,
},
];
}
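Review bot: `clusterRoleDescriptor` takes `packagePolicy.elasticsearch.privileges.cluster` verbatim, so whatever strings the stored policy holds become cluster privileges in the returned permissions, with no allow-list and no limit on broad values. A package, or anything else able to write that field, can therefore widen what the agent's credentials may do against the cluster beyond the index-level grants built just below. I would filter the list against an explicit set of privileges Fleet is willing to delegate before building the descriptor, e.g. `const cluster = (packagePolicy.elasticsearch?.privileges?.cluster ?? []).filter((p) => ALLOWED_CLUSTER_PRIVILEGES.has(p));`, where `ALLOWED_CLUSTER_PRIVILEGES` is a constant still to be defined, and log or reject anything dropped. The optional chaining would also replace the four-part `&&` condition. The enclosing callback of `storedPackagePoliciesToAgentPermissions` starts above this hunk.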
31 changes: 22 additions & 9 deletions x-pack/plugins/fleet/server/services/package_policy.test.ts
@@ -33,6 +33,7 @@ import type {
InputsOverride,
NewPackagePolicy,
NewPackagePolicyInput,
RegistryPackage,
} from '../../common';

import { IngestManagerError } from '../errors';
@@ -88,6 +89,10 @@ hosts:
];
}

function mockedRegistryInfo() {
return {} as RegistryPackage;
}

jest.mock('./epm/packages/assets', () => {
return {
getAssetsData: mockedGetAssetsData,
@@ -129,9 +134,10 @@ jest.mock('./agent_policy', () => {
type CombinedExternalCallback = PutPackagePolicyUpdateCallback | PostPackagePolicyCreateCallback;

describe('Package policy service', () => {
describe('compilePackagePolicyInputs', () => {
describe('_compilePackagePolicyInputs', () => {
it('should work with config variables from the stream', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [
{
@@ -194,7 +200,8 @@ describe('Package policy service', () => {
});

it('should work with a two level dataset name', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [
{
@@ -246,7 +253,8 @@ describe('Package policy service', () => {
});

it('should work with config variables at the input level', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [
{
@@ -309,7 +317,8 @@ describe('Package policy service', () => {
});

it('should work with config variables at the package level', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [
{
@@ -377,7 +386,8 @@ describe('Package policy service', () => {
});

it('should work with an input with a template and no streams', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [],
policy_templates: [
@@ -419,7 +429,8 @@ describe('Package policy service', () => {
});

it('should work with an input with a template and streams', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
data_streams: [
{
@@ -524,7 +535,8 @@ describe('Package policy service', () => {
});

it('should work with a package without input', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
policy_templates: [
{
@@ -540,7 +552,8 @@ describe('Package policy service', () => {
});

it('should work with a package with a empty inputs array', async () => {
const inputs = await packagePolicyService.compilePackagePolicyInputs(
const inputs = await packagePolicyService._compilePackagePolicyInputs(
mockedRegistryInfo(),
{
policy_templates: [
{
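Review bot: Every `_compilePackagePolicyInputs` call in this file now passes `mockedRegistryInfo()`, which returns `{} as RegistryPackage`, so the new first argument is never exercised with real content and the assertion hides that the object has none of the type's fields. At least one test should pass registry info populated with the fields the function reads from it (the implementation is not shown on this page) and assert the effect. If the empty stub stays, a comment such as `// registry info is irrelevant to these cases; empty on purpose` above `mockedRegistryInfo` would explain the cast. The last `it` block continues past the end of this hunk.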