Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Allow package to specify cluster privileges #114945

Merged
merged 6 commits into from
Oct 18, 2021
Merged

[Fleet] Allow package to specify cluster privileges #114945

merged 6 commits into from
Oct 18, 2021

Conversation

nchaulet
Copy link
Member

@nchaulet nchaulet commented Oct 14, 2021
edited
Loading

Summary

Resolve #114686
Related to elastic/package-spec#226
Depends on elastic/package-registry#750

Allow packages to specify cluster privileges:

  • packages can specify elasticsearch.privileges.cluster: ["monitor"] in the package manifest.yml this will be returned by the package registry API
  • When adding|editing|updating a package policy we save that info on the package policy saved object
  • When generating the agent policy we use that to generate the correct privileges

How to tests

I added basic unit test to ensure we generate the correct privileges

This PR is a little hard to test locally as there is a lot of moving parts, this is how I tested it my self:

  • I am running the package registry locally based on that PR Add support for elasticsearch.privileges.cluster package-registry#750
  • I created a new version of the system integrations locally with elasticsearch.privileges.cluster: ["monitor_ml"] in the manifest.yml
  • Than I added the system integration to a policy enrolled agents and checked in .fleet-agents for the default api key to check if the API key has the correct privileges

@nchaulet nchaulet added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team auto-backport Deprecated - use backport:version if exact versions are needed v7.16.0 labels Oct 14, 2021
@nchaulet nchaulet self-assigned this Oct 14, 2021
@stuartnelson3 stuartnelson3 mentioned this pull request Oct 14, 2021
Merged
2 tasks
@nchaulet nchaulet force-pushed the feature-package-cluster-privileges branch from 22fe4e2 to e9a1c80 Compare October 14, 2021 13:07
@nchaulet nchaulet marked this pull request as ready for review October 14, 2021 15:07
@nchaulet nchaulet requested a review from a team as a code owner October 14, 2021 15:07
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

hop-dev
hop-dev approved these changes Oct 18, 2021
View reviewed changes
x-pack/plugins/fleet/server/services/package_policies_to_agent_permissions.ts Outdated
@@ -121,12 +121,25 @@ export async function storedPackagePoliciesToAgentPermissions(
});
}

let clusterRoleDescriptor = {};
if (
packagePolicy.elasticsearch &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we could use optional chaining ?. for this and save a few lines

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
fleet 1119 1121 +2

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id before after diff
ingest-package-policies 35 38 +3
Unknown metric groups

API count

id before after diff
fleet 1219 1221 +2

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nchaulet

@nchaulet nchaulet merged commit 2f27ccf into elastic:master Oct 18, 2021
@nchaulet nchaulet deleted the feature-package-cluster-privileges branch October 18, 2021 17:16
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 18, 2021
@nchaulet @kibanamachine
[Fleet] Allow package to specify cluster privileges (elastic#114945)
189a505
@kibanamachine kibanamachine mentioned this pull request Oct 18, 2021
Merged
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Oct 19, 2021
@kibanamachine @nchaulet
[7.x] [Fleet] Allow package to specify cluster privileges (#114945) (#…
6e11540 
…115416)

* [Fleet] Allow package to specify cluster privileges (#114945)

* Fix types

* Fix types

Co-authored-by: Nicolas Chaulet <[email protected]>
@gbamparop gbamparop mentioned this pull request Dec 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hop-dev hop-dev hop-dev approved these changes

Assignees

@nchaulet nchaulet

Labels
auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.16.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Fleet] support for specifying cluster privileges in packages
4 participants
@nchaulet @elasticmachine @kibanamachine @hop-dev