[Fleet] RBAC - Make read agent actions space aware #189519
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
|
/ci |
jillguyonnet
force-pushed
the
fleet/185040-rbac-agents-write-api-2
branch
from
a1264cd to
3e64318
Compare
jillguyonnet
added
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
nchaulet
reviewed
Jul 31, 2024
| @@ -39,6 +40,7 @@ export const postNewAgentActionHandlerBuilder = function ( | |||
| created_at: new Date().toISOString(), | |||
| ...newAgentAction, | |||
| agents: [agent.id], | |||
There was a problem hiding this comment.
Should we validate the agent is in the current namespace?
There was a problem hiding this comment.
I believe the call to actionsService.getAgent already handles that. I've added an integration test to cover that case.
There was a problem hiding this comment.
Just checked what is done in actionsService.getAgent and it seems there is no namespace validation there.
There was a problem hiding this comment.
Please correct me if I'm wrong :)
actionsService.getAgentis defined here- the
postNewAgentActionHandlerBuildermaps it toAgentService.getAgentByIdhere - and
getAgentByIdcontains namespace validation here
I've tried it manually as well and I'm seeing 404 for agent ids in other spaces. Am I missing anything?
There was a problem hiding this comment.
Looks like I missed that change in getAgentById 👍
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
kibanamachine
added
v8.16.0
backport:skip
2 tasks
jillguyonnet
added a commit
that referenced
this pull request
Aug 30, 2024
## Summary Closes #185040 Followup to: #188507 #189519 #190069 This PR contains the last required changed for making Fleet agents write APIs space aware: * Implement space awareness in the following endpoints: * `POST /agents/{agentId}/unenroll` * `POST /agents/{agentId}/request_diagnostics` * `POST /agents/bulk_unenroll` * `POST /agents/bulk_request_diagnostics` * Fix a bug in `POST /agents/bulk_update_agent_tags` where the space id was not passed. * Simply the setting of the `namespaces` property when creating agent actions when the space id is known. * Rename `currentNamespace` to `currentSpaceId` where appropriate (see comment below). * Add API integration tests and consolidate existing ones. ~⚠️ At the time of writing, I would like there to be more tests covering bulk query processing in batches, which are currently lacking. I have experienced difficulties getting those tests to pass consistently.~ Filed [followup issue](#191643) for those. ### A note on terminology As pointed out in #191083 (comment), it seems that the terms "namespace" and "space id" are occasionally used interchangeably in some parts of the codebase to refer to a Kibana space. For instance, documents in Fleet indices (agents, agent policies, agent actions...) [possess a `namespaces` property](elastic/elasticsearch#108363) to track the spaces they belong to. The current space id is also returned using the Saved Object client's `getCurrentNamespace` function. However, "namespace" is also a datastream property. In the Agent policy settings UI, the "Spaces" property (which will be linked to the saved object's `namespaces` property) is above the "Default namespace" property, which relates to the integration's data streams: <img width="1916" alt="Screenshot 2024-08-26 at 14 51 10" src="https://github.com/user-attachments/assets/fe2a0948-3387-4a93-96dc-90fc5cf1a683"> This should not be a source of major issues, but is best clarified for future reference. In this PR, I've replaced some occurrences of `namespace` with `spaceId` where appropriate to try to maximise the use of the latter. ### Testing * This PR should be put through the Flaky Test Runner prior to merging (I will kick the job). * Manual testing should also be performed for the new endpoints mentioned above. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed --------- Co-authored-by: Elastic Machine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Relates to #185040
This PR makes the following Fleet agents API space aware (behind
useSpaceAwarenessfeature flag):GET /agents/action_statusPOST /agents/{agentId}/actionsI have already started work on
POST /agents/{agentId}/actions/{actionId}/cancelbut I think it would best grouped withPOST /agents/{agentId}/upgradeandPOST /agents/bulk_upgradein a separate PR.Details
GET /agents/action_status
useSpaceAwarenessfeature flag is disabled, there is no change.namespaces: ['default']and those with nonamespacesproperty are returned.namespaces: ['spaceName']are returned.This is to ensure older actions with no
namespacesproperty are not lost. Feedback on this approach would be awesome.NB: only tag update agent actions and agent policy update actions have a
namespacesproperty at the moment.POST /agents/{agentId}/actions
useSpaceAwarenessfeature flag is enabled, the action fails if the agent is not in the current space.namespacesproperty is populated when the action is created.Other
This PR also fixes an issue with setting
namespacesin agent actions for tags update in the default space (this is because I didn't realisesoClient.getCurrentNamespace()returnsundefinedin the default space).isAgentInNamespacehelper to returntruein the default space for agents with no explicitly set namespaces.Finally, this PR introduces the following helpers:
getCurrentNamespace(soClient): this helper returns the stringdefaultinstead ofundefinedin the default space, which seems to be the behaviour we want most of the time.addNamespaceFilteringToQuery: this helper extends the ES queries used in the action status service to conditionally add filtering by namespace as described above. It should be reusable for other endpoints as well.isAgentInNamespaceandagentsKueryNamespaceFilterwere moved into thefleet/server/services/spacesfolder where other space-related helpers live.Testing
GET /agents/action_status, the best would be to have a custom space and create a mix of agent and agent policy actions across the default and the custom spaces, for instance:namespaces)namespacesproperty)Then check the output of
GET /agents/action_statusfrom the Dev Tools and the UI (agent activity flyout):POST /agents/{agentId}/actionsfrom the Dev Tools with any action type, e.g."UNENROLL":namespacesproperty.Checklist