
[Fleet] Enable subfeature privileges #179889

Merged (18 commits) on Apr 12, 2024

Conversation

nchaulet
Member

@nchaulet nchaulet commented Apr 3, 2024

Summary

Resolve #179546

Enable subfeature privileges.

Added a message in the tooltip that feature is in technical preview.

[Screenshot, 2024-04-03 2:28:54 PM: the tooltip with the technical preview message]

Release note

Add subfeature privileges for Fleet (Agents, Agent policies and Settings). This feature is in technical preview and may be changed or removed completely in a future release.

@nchaulet nchaulet added release_note:enhancement Team:Fleet Team label for Observability Data Collection Fleet team labels Apr 3, 2024
@nchaulet nchaulet self-assigned this Apr 3, 2024
@nchaulet nchaulet requested a review from a team as a code owner April 3, 2024 07:29
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@apmmachine
Contributor

🤖 GitHub comments


Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • /oblt-deploy-serverless : Deploy a serverless Kibana instance using the Observability test environments.
  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

Contributor

@juliaElastic juliaElastic left a comment


LGTM
Is it possible to add a beta badge? Might not be since this UI is not managed by Fleet.

@kpollich kpollich self-assigned this Apr 3, 2024
@nchaulet nchaulet requested a review from a team as a code owner April 4, 2024 15:02
@kpollich
Member

kpollich commented Apr 5, 2024

@elasticmachine merge upstream

@kpollich
Member

kpollich commented Apr 8, 2024

Is it possible to add a beta badge? Might not be since this UI is not managed by Fleet.

This is not possible today as we can only provide a few properties to control the UI displayed here. The tooltip approach was a compromise to convey the technical preview nature.

@kpollich kpollich enabled auto-merge (squash) April 8, 2024 13:00
@kpollich
Member

kpollich commented Apr 8, 2024

These tests seem to fail in CI and pass locally, then the other way around every time I switch. Something is nondeterministic about the expected privileges that are generated in the tests. Having a lot of trouble sorting it out. I had the entire security suite passing before I pushed the last two commits and now they're failing in CI 🤷‍♀️

@juliaElastic
Contributor

This is weird, locally the tests are passing.

@kpollich
Member

kpollich commented Apr 9, 2024

Tests pass locally again 😢

yarn test:ftr:runner --config x-pack/test/api_integration/apis/security/config.ts
yarn run v1.22.22
$ node scripts/functional_test_runner --config x-pack/test/api_integration/apis/security/config.ts
 debg KIBANA_CI_STATS_CONFIG environment variable not found, disabling CiStatsReporter
 debg Loading config file from x-pack/test/api_integration/apis/security/config.ts
 debg Loading config file from x-pack/test/api_integration/config.ts
 debg Loading config file from x-pack/test/functional/config.base.js
 debg Loading config file from test/common/config.js
 debg Loading config file from test/functional/config.base.js
 debg Only running suites which are compatible with ES version 8.14.0
 debg randomness seed: 1712678425710
 debg ===============creating system indices role and user===============
 debg ===============creating roles and users===============
 debg creating role test_monitoring
 debg creating role test_logstash_reader
 debg creating role global_canvas_all
 debg creating role global_discover_all
 debg creating role global_dashboard_read
 debg creating role global_discover_read
 debg creating role global_visualize_read
 debg creating role global_visualize_all
 debg creating role global_dashboard_all
 debg creating role global_maps_all
 debg creating role global_maps_read
 debg creating role geoshape_data_reader
 debg creating role antimeridian_points_reader
 debg creating role antimeridian_shapes_reader
 debg creating role meta_for_geoshape_data_reader
 debg creating role geoconnections_data_reader
 debg creating role test_logs_data_reader
 debg creating role geoall_data_writer
 debg creating role global_index_pattern_management_all
 debg creating role global_devtools_read
 debg creating role global_upgrade_assistant_role
 debg creating role global_ccr_role
 debg creating role manage_rollups_role
 debg creating role test_rollup_reader
 debg creating role test_api_keys
 debg creating role manage_security
 debg creating role cluster_security_manager
 debg creating role ccr_user
 debg creating role manage_ilm
 debg creating role index_management_user
 debg creating role snapshot_restore_user
 debg creating role ingest_pipelines_user
 debg creating role license_management_user
 debg creating role logstash_read_user
 debg creating role remote_clusters_user
 debg creating role global_alerts_logs_all_else_read
 debg creating role slo_all
 debg creating role slo_read_only
 debg deleting user test_user
 debg no test user to delete
 debg default roles = superuser
 debg creating user test_user
 debg created user test_user
 debg Only running suites which are compatible with ES version 8.14.0
 info Starting tests

 └-: security
   └-> "before all" hook: beforeTestSuite.trigger in "security"
   └-: API Keys
     └-> "before all" hook: beforeTestSuite.trigger in "API Keys"
     └-: GET /internal/security/api_key/_enabled
       └-> "before all" hook: beforeTestSuite.trigger for "should indicate that API Keys are enabled"
       └-> should indicate that API Keys are enabled
         └-> "before each" hook: global before each for "should indicate that API Keys are enabled"
         └- ✓ pass  (12ms)
       └-> "after all" hook: afterTestSuite.trigger for "should indicate that API Keys are enabled"
     └-: POST /internal/security/api_key
       └-> "before all" hook: beforeTestSuite.trigger for "should allow an API Key to be created"
       └-> should allow an API Key to be created
         └-> "before each" hook: global before each for "should allow an API Key to be created"
         └- ✓ pass  (700ms)
       └-> should allow an API Key to be created with metadata
         └-> "before each" hook: global before each for "should allow an API Key to be created with metadata"
         └- ✓ pass  (1.0s)
       └-> "after all" hook: afterTestSuite.trigger for "should allow an API Key to be created with metadata"
     └-: PUT /internal/security/api_key
       └-> "before all" hook: beforeTestSuite.trigger for "should allow an API Key to be updated"
       └-> should allow an API Key to be updated
         └-> "before each" hook: global before each for "should allow an API Key to be updated"
         └- ✓ pass  (2.1s)
       └-> "after all" hook: afterTestSuite.trigger for "should allow an API Key to be updated"
     └-: with kibana privileges
       └-> "before all" hook: beforeTestSuite.trigger in "with kibana privileges"
       └-: POST /internal/security/api_key
         └-> "before all" hook: beforeTestSuite.trigger for "should allow an API Key to be created"
         └-> should allow an API Key to be created
           └-> "before each" hook: global before each for "should allow an API Key to be created"
           └- ✓ pass  (1.0s)
         └-> "after all" hook: afterTestSuite.trigger for "should allow an API Key to be created"
       └-> "after all" hook: afterTestSuite.trigger in "with kibana privileges"
     └-> "after all" hook: afterTestSuite.trigger in "API Keys"
   └-: Basic authentication
     └-> "before all" hook: beforeTestSuite.trigger for "should redirect non-AJAX requests to the login page if not authenticated"
     └-> should redirect non-AJAX requests to the login page if not authenticated
       └-> "before each" hook: global before each for "should redirect non-AJAX requests to the login page if not authenticated"
       └- ✓ pass  (5ms)
     └-> should redirect non-AJAX New platform requests to the login page if not authenticated
       └-> "before each" hook: global before each for "should redirect non-AJAX New platform requests to the login page if not authenticated"
       └- ✓ pass  (2ms)
     └-> should reject API requests if client is not authenticated
       └-> "before each" hook: global before each for "should reject API requests if client is not authenticated"
       └- ✓ pass  (4ms)
     └-> should reject login with wrong credentials
       └-> "before each" hook: global before each for "should reject login with wrong credentials"
       └- ✓ pass  (104ms)
     └-> should set authentication cookie for login with valid credentials
       └-> "before each" hook: global before each for "should set authentication cookie for login with valid credentials"
       └- ✓ pass  (1.2s)
     └-> should reject access to the API with wrong credentials in the header
       └-> "before each" hook: global before each for "should reject access to the API with wrong credentials in the header"
       └- ✓ pass  (97ms)
     └-> should allow access to the API with valid credentials in the header
       └-> "before each" hook: global before each for "should allow access to the API with valid credentials in the header"
       └- ✓ pass  (80ms)
     └-: with session cookie
       └-> "before all" hook: beforeTestSuite.trigger for "should allow access to the API"
       └-> should allow access to the API
         └-> "before each" hook: global before each for "should allow access to the API"
         └-> "before each" hook for "should allow access to the API"
         └- ✓ pass  (25ms)
       └-> should extend cookie on every successful non-system API call
         └-> "before each" hook: global before each for "should extend cookie on every successful non-system API call"
         └-> "before each" hook for "should extend cookie on every successful non-system API call"
         └- ✓ pass  (20ms)
       └-> should not extend cookie for system API calls
         └-> "before each" hook: global before each for "should not extend cookie for system API calls"
         └-> "before each" hook for "should not extend cookie for system API calls"
         └- ✓ pass  (9ms)
       └-> should fail and preserve session cookie if unsupported authentication schema is used
         └-> "before each" hook: global before each for "should fail and preserve session cookie if unsupported authentication schema is used"
         └-> "before each" hook for "should fail and preserve session cookie if unsupported authentication schema is used"
         └- ✓ pass  (15ms)
       └-> should clear cookie on logout and redirect to login
         └-> "before each" hook: global before each for "should clear cookie on logout and redirect to login"
         └-> "before each" hook for "should clear cookie on logout and redirect to login"
         └- ✓ pass  (29ms)
       └-> should not render login page and redirect to `next` URL
         └-> "before each" hook: global before each for "should not render login page and redirect to `next` URL"
         └-> "before each" hook for "should not render login page and redirect to `next` URL"
         └- ✓ pass  (12ms)
       └-> should not render login page and redirect to the base path if `next` is absolute URL
         └-> "before each" hook: global before each for "should not render login page and redirect to the base path if `next` is absolute URL"
         └-> "before each" hook for "should not render login page and redirect to the base path if `next` is absolute URL"
         └- ✓ pass  (13ms)
       └-> should not render login page and redirect to the base path if `next` is network-path reference
         └-> "before each" hook: global before each for "should not render login page and redirect to the base path if `next` is network-path reference"
         └-> "before each" hook for "should not render login page and redirect to the base path if `next` is network-path reference"
         └- ✓ pass  (17ms)
       └-> should redirect to login page if cookie is not provided
         └-> "before each" hook: global before each for "should redirect to login page if cookie is not provided"
         └-> "before each" hook for "should redirect to login page if cookie is not provided"
         └- ✓ pass  (2ms)
       └-> "after all" hook: afterTestSuite.trigger for "should redirect to login page if cookie is not provided"
     └-> "after all" hook: afterTestSuite.trigger for "should allow access to the API with valid credentials in the header"
   └-: Builtin ES Privileges
     └-> "before all" hook: beforeTestSuite.trigger in "Builtin ES Privileges"
     └-: GET /internal/security/esPrivileges/builtin
       └-> "before all" hook: beforeTestSuite.trigger for "should return a list of available builtin privileges"
       └-> should return a list of available builtin privileges
         └-> "before each" hook: global before each for "should return a list of available builtin privileges"
         └- ✓ pass  (7ms)
       └-> "after all" hook: afterTestSuite.trigger for "should return a list of available builtin privileges"
     └-> "after all" hook: afterTestSuite.trigger in "Builtin ES Privileges"
   └-: Change password
     └-> "before all" hook: beforeTestSuite.trigger for "should reject password change if current password is wrong"
     └-> should reject password change if current password is wrong
       └-> "before each" hook: global before each for "should reject password change if current password is wrong"
       └-> "before each" hook for "should reject password change if current password is wrong"
         │ debg creating user test-user
         │ debg created user test-user
       └- ✓ pass  (523ms)
     └-> "after each" hook for "should reject password change if current password is wrong"
       │ debg deleting user test-user
       │ debg deleted user test-user
     └-> should allow password change if current password is correct
       └-> "before each" hook: global before each for "should allow password change if current password is correct"
       └-> "before each" hook for "should allow password change if current password is correct"
         │ debg creating user test-user
         │ debg created user test-user
       └- ✓ pass  (390ms)
     └-> "after each" hook for "should allow password change if current password is correct"
       │ debg deleting user test-user
       │ debg deleted user test-user
     └-> "after all" hook: afterTestSuite.trigger for "should allow password change if current password is correct"
   └-: Index Fields
     └-> "before all" hook: beforeTestSuite.trigger in "Index Fields"
     └-> "before all" hook in "Index Fields"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Loading "mappings.json"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Loading "data.json.gz"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Created index "flstest"
       │ debg [x-pack/test/functional/es_archives/security/flstest/data] "flstest" settings {"index":{"number_of_replicas":"1","number_of_shards":"5"}}
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Indexed 2 docs into "flstest"
     └-: GET /internal/security/fields/{query}
       └-> "before all" hook: beforeTestSuite.trigger for "should return a list of available index mapping fields"
       └-> should return a list of available index mapping fields
         └-> "before each" hook: global before each for "should return a list of available index mapping fields"
         └- ✓ pass  (22ms)
       └-> should not include runtime fields
         └-> "before each" hook: global before each for "should not include runtime fields"
         └- ✓ pass  (7ms)
       └-> should return an empty result for indices that do not exist
         └-> "before each" hook: global before each for "should return an empty result for indices that do not exist"
         └- ✓ pass  (5ms)
       └-> "after all" hook: afterTestSuite.trigger for "should return an empty result for indices that do not exist"
     └-> "after all" hook in "Index Fields"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Unloading indices from "mappings.json"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Deleted existing index "flstest"
       │ info [x-pack/test/functional/es_archives/security/flstest/data] Unloading indices from "data.json.gz"
     └-> "after all" hook: afterTestSuite.trigger in "Index Fields"
   └-: Roles
     └-> "before all" hook: beforeTestSuite.trigger in "Roles"
     └-: Create Role
       └-> "before all" hook: beforeTestSuite.trigger for "should allow us to create an empty role"
       └-> should allow us to create an empty role
         └-> "before each" hook: global before each for "should allow us to create an empty role"
         └- ✓ pass  (28ms)
       └-> should create a role with kibana and elasticsearch privileges
         └-> "before each" hook: global before each for "should create a role with kibana and elasticsearch privileges"
         └- ✓ pass  (42ms)
       └-> should  create a role with kibana and FLS/DLS elasticsearch
       │      privileges on trial licenses
         └-> "before each" hook: global before each for "should  create a role with kibana and FLS/DLS elasticsearch
         │      privileges on trial licenses"
         └- ✓ pass  (32ms)
       └-: with the createOnly option enabled
         └-> "before all" hook: beforeTestSuite.trigger for "should fail when role already exists"
         └-> should fail when role already exists
           └-> "before each" hook: global before each for "should fail when role already exists"
           └- ✓ pass  (28ms)
         └-> should succeed when role does not exist
           └-> "before each" hook: global before each for "should succeed when role does not exist"
           └- ✓ pass  (24ms)
         └-> "after all" hook: afterTestSuite.trigger for "should succeed when role does not exist"
       └-> "after all" hook: afterTestSuite.trigger for "should  create a role with kibana and FLS/DLS elasticsearch
       │      privileges on trial licenses"
     └-: Update Role
       └-> "before all" hook: beforeTestSuite.trigger for "should update a role with elasticsearch, kibana and other applications privileges"
       └-> should update a role with elasticsearch, kibana and other applications privileges
         └-> "before each" hook: global before each for "should update a role with elasticsearch, kibana and other applications privileges"
         └- ✓ pass  (62ms)
       └-> should  update a role adding DLS and TLS priviledges
       │      when using trial license
         └-> "before each" hook: global before each for "should  update a role adding DLS and TLS priviledges
         │      when using trial license"
         └- ✓ pass  (74ms)
       └-> "after all" hook: afterTestSuite.trigger for "should  update a role adding DLS and TLS priviledges
       │      when using trial license"
     └-: Get Role
       └-> "before all" hook: beforeTestSuite.trigger for "should get roles"
       └-> should get roles
         └-> "before each" hook: global before each for "should get roles"
         └- ✓ pass  (28ms)
       └-> "after all" hook: afterTestSuite.trigger for "should get roles"
     └-: Delete Role
       └-> "before all" hook: beforeTestSuite.trigger for "should delete the roles we created"
       └-> should delete the roles we created
         └-> "before each" hook: global before each for "should delete the roles we created"
         └- ✓ pass  (119ms)
       └-> "after all" hook: afterTestSuite.trigger for "should delete the roles we created"
     └-> "after all" hook: afterTestSuite.trigger in "Roles"
   └-: Users
     └-> "before all" hook: beforeTestSuite.trigger for "should disable user"
     └-> should disable user
       └-> "before each" hook: global before each for "should disable user"
       └-> "before each" hook for "should disable user"
         │ debg creating user test-user
         │ debg created user test-user
       └- ✓ pass  (49ms)
     └-> "after each" hook for "should disable user"
       │ debg deleting user test-user
       │ debg deleted user test-user
     └-> should enable user
       └-> "before each" hook: global before each for "should enable user"
       └-> "before each" hook for "should enable user"
         │ debg creating user test-user
         │ debg created user test-user
       └- ✓ pass  (8ms)
     └-> "after each" hook for "should enable user"
       │ debg deleting user test-user
       │ debg deleted user test-user
     └-> "after all" hook: afterTestSuite.trigger for "should enable user"
   └-: Privileges
     └-> "before all" hook: beforeTestSuite.trigger in "Privileges"
     └-: GET /api/security/privileges
       └-> "before all" hook: beforeTestSuite.trigger for "should return a privilege map with all known privileges, without actions"
       └-> should return a privilege map with all known privileges, without actions
         └-> "before each" hook: global before each for "should return a privilege map with all known privileges, without actions"
         └- ✓ pass  (21ms)
       └-> "after all" hook: afterTestSuite.trigger for "should return a privilege map with all known privileges, without actions"
     └-: GET /api/security/privileges?includeActions=true
       └-> "before all" hook: beforeTestSuite.trigger for "should return a privilege map with actions which do not include wildcards"
       └-> should return a privilege map with actions which do not include wildcards
         └-> "before each" hook: global before each for "should return a privilege map with actions which do not include wildcards"
         └- ✓ pass  (1.9s)
       └-> "after all" hook: afterTestSuite.trigger for "should return a privilege map with actions which do not include wildcards"
     └-: GET /api/security/privileges?respectLicenseLevel=false
       └-> "before all" hook: beforeTestSuite.trigger for "should return a privilege map with all known privileges, without actions"
       └-> should return a privilege map with all known privileges, without actions
         └-> "before each" hook: global before each for "should return a privilege map with all known privileges, without actions"
         └- ✓ pass  (18ms)
       └-> "after all" hook: afterTestSuite.trigger for "should return a privilege map with all known privileges, without actions"
     └-: GET /api/security/privileges?includeActions=true&respectLicenseLevel=false
       └-> "before all" hook: beforeTestSuite.trigger for "should return a privilege map with actions which do not include wildcards"
       └-> should return a privilege map with actions which do not include wildcards
         └-> "before each" hook: global before each for "should return a privilege map with actions which do not include wildcards"
         └- ✓ pass  (1.9s)
       └-> "after all" hook: afterTestSuite.trigger for "should return a privilege map with actions which do not include wildcards"
     └-> "after all" hook: afterTestSuite.trigger in "Privileges"
   └-> "after all" hook: afterTestSuite.trigger in "security"

42 passing (13.8s)

✨  Done in 23.75s.

@elastic/kibana-security - Any hunches on what might be happening with these privilege tests in CI?

@kpollich
Member

kpollich commented Apr 9, 2024

Weirdly, the tests seem to pass locally whether I change the fleetv2 permissions back to their original values or not.

@legrego
Member

legrego commented Apr 9, 2024

Any hunches on what might be happening with these privilege tests in CI?

@kpollich double check that your local configuration matches what this CI group expects. If your privileges are conditionally registered, then CI might not see them.

Also double check that your local license level matches what this CI group expects.

I noticed this:

'All Spaces is required for Fleet access. Subfeatures privileges functionality is in technical preview and may be changed or removed completely in a future release.',

We don't support "tech preview" feature toggles. Once they are released, they are GA.
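The diagnostic legrego suggests above (checking whether CI sees the same privileges your local Kibana registers) is easier with a deterministic comparison of the two privilege maps. The script below is an added example, not code from the Kibana project or from anyone on this thread. It assumes the response shape of `GET /api/security/privileges` seen in the test names above (a `features` object mapping feature id to a list of privilege ids, plus `global` and `space` lists); the Fleet subfeature privilege ids and both sample responses are constructed placeholders, not values from the real API.

```python
"""Compare the privilege map Kibana reports in two environments.

Added example; assumes the shape of GET /api/security/privileges
(features -> {featureId: [privilegeId, ...]}, plus global/space lists).
All sample data below is constructed, not captured from a real instance.
"""
from typing import Dict, List

# Constructed sample: a local Kibana with the experimental flag on.
LOCAL_PRIVILEGES = {
    "features": {
        "fleetv2": ["all", "read",
                    "agents_all", "agents_read",             # placeholder ids
                    "agent_policies_all", "agent_policies_read",
                    "settings_all", "settings_read"],
        "fleet": ["all", "read"],
        "discover": ["all", "read", "url_create"],
    },
    "global": ["all", "read"],
    "space": ["all", "read"],
}

# Constructed sample: a CI instance where the subfeatures were not registered.
CI_PRIVILEGES = {
    "features": {
        "fleetv2": ["all", "read"],
        "fleet": ["all", "read"],
        "discover": ["all", "read", "url_create"],
    },
    "global": ["all", "read"],
    "space": ["all", "read"],
}

# Privileges every Kibana feature exposes; anything else is a subfeature.
TOP_LEVEL = ("all", "read")


def diff_privilege_maps(expected: dict, actual: dict) -> Dict[str, Dict[str, List[str]]]:
    """Return {feature_id: {"missing": [...], "unexpected": [...]}} for each
    feature whose privilege list differs. Input order is preserved so the
    report is stable between runs."""
    report: Dict[str, Dict[str, List[str]]] = {}
    feature_ids = sorted(set(expected["features"]) | set(actual["features"]))
    for feature_id in feature_ids:
        exp = expected["features"].get(feature_id, [])
        act = actual["features"].get(feature_id, [])
        missing = [p for p in exp if p not in act]
        unexpected = [p for p in act if p not in exp]
        if missing or unexpected:
            report[feature_id] = {"missing": missing, "unexpected": unexpected}
    return report


def classify(entry: Dict[str, List[str]]) -> str:
    """Heuristic label for one feature's difference: if only subfeature
    privileges are missing, the usual cause is conditional registration
    (feature flag or license level) on the side that lacks them."""
    missing, unexpected = entry["missing"], entry["unexpected"]
    if missing and not unexpected and all(p not in TOP_LEVEL for p in missing):
        return "subfeatures absent: check feature flag / license on the other side"
    if unexpected and not missing:
        return "extra privileges: the other side registers more than expected"
    return "mixed differences: compare the feature registrations directly"


def format_report(expected: dict, actual: dict) -> List[str]:
    """Human-readable lines, one per differing feature."""
    lines = []
    for feature_id, entry in diff_privilege_maps(expected, actual).items():
        lines.append(f"{feature_id}: missing={entry['missing']} "
                     f"unexpected={entry['unexpected']} -> {classify(entry)}")
    return lines or ["privilege maps are identical"]


if __name__ == "__main__":
    # Local vs CI: replace the constructed dicts with the two JSON responses.
    for line in format_report(LOCAL_PRIVILEGES, CI_PRIVILEGES):
        print(line)
```

Feed it the JSON body of `GET /api/security/privileges` from each environment; a report where only non-`all`/`read` privileges are missing on one side points at a flag or license mismatch rather than at the test expectations themselves.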

@kpollich
Member

kpollich commented Apr 9, 2024

@elasticmachine merge upstream

@kpollich
Member

@elasticmachine merge upstream

@kibana-ci
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] FTR Configs #90 / discover/group3 discover sidebar renders field groups should work with ad-hoc data views and runtime fields

Metrics [docs]

✅ unchanged


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @nchaulet @kpollich

@kpollich
Member

We don't support "tech preview" feature toggles. Once they are released, they are GA.

Thanks this is good to know. I'll hold off on merging this until we can align with product on whether we want this to land now as GA or not.

@kpollich kpollich merged commit c837518 into elastic:main Apr 12, 2024
20 checks passed
@kibanamachine kibanamachine added v8.14.0 backport:skip This commit does not require backporting labels Apr 12, 2024
kpollich added a commit that referenced this pull request Apr 12, 2024
@nicpenning

Is this something that can be tested in 8.14.0? It was in the release notes but I don't see it in my test instance. Is there a way to turn it on?

@zez3

zez3 commented Jun 7, 2024

@nicpenning I suppose you/we need to activate the flag and add the following to your kibana.dev.yml:
xpack.fleet.enableExperimental: ['subfeaturePrivileges']
See: #178006 (comment), "How to test".

I'll try this today after I update my stack

@nicpenning

@nicpenning I suppose you/we need to activate the flag & Add the following to your kibana.dev.yml xpack.fleet.enableExperimental: ['subfeaturePrivileges'] See: #178006 (comment) How to test

I'll try this today after I update my stack

Confirmed, this does the trick!

Linked issue closed by this pull request: [Fleet] Add technical preview banner for new granular Fleet permissions