[Fleet] RBAC - Make agents write APIs space aware #188507
Conversation
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
jillguyonnet
added
Team:Fleet
jillguyonnet
force-pushed
the
fleet/185040-rbac-agents-write-api
branch
from
6982047 to
55389b2
Compare
|
/ci |
|
Pinging @elastic/fleet (Team:Fleet) |
|
Overall it look good, I think the |
|
@elasticmachine merge upstream |
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]
History |
|
@elasticmachine merge upstream |
|
Hi @nchaulet thank you for your comment! In the spirit of keeping this PR small, I thought it could definitely be worthwhile adding a In other words, if agent1 is in spaces A and B and I bulk update tags from space A, is it correct that the associated action has EDIT: never mind, I see the mapping already contains |
|
/ci |
|
/ci |
| @@ -149,6 +149,9 @@ export async function updateTagsBatch( | |||
| const versionConflictCount = res.version_conflicts ?? 0; | |||
| const versionConflictIds = isLastRetry ? getUuidArray(versionConflictCount) : []; | |||
|
|
|||
| const currentNameSpace = soClient.getCurrentNamespace(); | |||
| const namespaces = currentNameSpace ? [currentNameSpace] : []; | |||
There was a problem hiding this comment.
@nchaulet Can you ensure this meets the expectations?
Awesome, thanks! And right, I'll make that change right away 😅 |
|
@nchaulet Can I check one thing? For instance
|
No this seems an issue, I will do a PR to address that |
I can fix that as part of this, it would be pretty easy (as the handler uses the same utility function as the update and delete handlers to check the space). |
I think it's worth being fixed in his own PR so it could be backported to 8.15 |
|
I pushed a commit to take care of this PR (it also fixes |
| const agent = await fleetContext.agentClient.asCurrentUser.getAgent(request.params.agentId); | ||
| if (!isAgentInNamespace(agent, coreContext.savedObjects.client.getCurrentNamespace())) { | ||
| throw new FleetNotFoundError(`${agent.id} not found in namespace`); | ||
| } |
There was a problem hiding this comment.
nit: I would be tempted to move these three line to a separate function, something like findAgentInNamespace, since it's repeated three times in the same file. What do you think?
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
kibanamachine
added
v8.16.0
backport:skip
## Summary Closes #185040 Followup to: #188507 #189519 #190069 This PR contains the last required changed for making Fleet agents write APIs space aware: * Implement space awareness in the following endpoints: * `POST /agents/{agentId}/unenroll` * `POST /agents/{agentId}/request_diagnostics` * `POST /agents/bulk_unenroll` * `POST /agents/bulk_request_diagnostics` * Fix a bug in `POST /agents/bulk_update_agent_tags` where the space id was not passed. * Simply the setting of the `namespaces` property when creating agent actions when the space id is known. * Rename `currentNamespace` to `currentSpaceId` where appropriate (see comment below). * Add API integration tests and consolidate existing ones. ~⚠️ At the time of writing, I would like there to be more tests covering bulk query processing in batches, which are currently lacking. I have experienced difficulties getting those tests to pass consistently.~ Filed [followup issue](#191643) for those. ### A note on terminology As pointed out in #191083 (comment), it seems that the terms "namespace" and "space id" are occasionally used interchangeably in some parts of the codebase to refer to a Kibana space. For instance, documents in Fleet indices (agents, agent policies, agent actions...) [possess a `namespaces` property](elastic/elasticsearch#108363) to track the spaces they belong to. The current space id is also returned using the Saved Object client's `getCurrentNamespace` function. However, "namespace" is also a datastream property. In the Agent policy settings UI, the "Spaces" property (which will be linked to the saved object's `namespaces` property) is above the "Default namespace" property, which relates to the integration's data streams: <img width="1916" alt="Screenshot 2024-08-26 at 14 51 10" src="https://github.com/user-attachments/assets/fe2a0948-3387-4a93-96dc-90fc5cf1a683"> This should not be a source of major issues, but is best clarified for future reference. In this PR, I've replaced some occurrences of `namespace` with `spaceId` where appropriate to try to maximise the use of the latter. ### Testing * This PR should be put through the Flaky Test Runner prior to merging (I will kick the job). * Manual testing should also be performed for the new endpoints mentioned above. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --------- Co-authored-by: Elastic Machine <[email protected]>
Summary
Relates to #185040
This PR makes the following Fleet agents API space aware:
PUT /agents/{agentId}DELETE /agents/{agentId}POST /agents/bulk_update_agent_tagsActions created from
POST /agents/bulk_update_agent_tagshave thenamespacesproperty populated with the current space.I am opening this PR with a few endpoints to get early feedback and make this more agile. Other endpoints will be implemented in a followup PR.
Testing
PUT /agents/{agentId}andDELETE /agents/{agentId}endpoints and check that the request fails for the agent in the custom space.POST /agents/bulk_update_agent_tagswith all agents ids and check that only the agents in the default space get updated.GET .fleet-actions/_search) and ensure thenamespacesproperty is correct.Checklist