Skip to content

Fix/deduplication privilege level change #12068

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
michalpristas wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Fix/deduplication privilege level change #12068

michalpristas wants to merge 9 commits into from
+189 −17

Conversation

@michalpristas
Copy link
Contributor

@michalpristas michalpristas commented Jan 2, 2026

This PR adds some kind of deduplication layer for privilege level change, in case we're already running unelevated it checks desired user and group and if they match current user action is considered duplicate and acked successfully only with warning in logs.

In case of mismatch it fails with error

Fixes: #11993

@michalpristas michalpristas self-assigned this Jan 2, 2026
@michalpristas michalpristas added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jan 2, 2026
@michalpristas michalpristas requested a review from a team as a code owner January 2, 2026 10:17
@michalpristas michalpristas added skip-changelog backport-9.3 Automated backport to the 9.3 branch labels Jan 2, 2026
@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 2, 2026

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

ycombinator
ycombinator reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

@ycombinator ycombinator left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to the unit test added for the new function, targetingSameUser, would it be possible to write a unit test covering the new logic in the handle method? The test could be skipped if utils.HasRoot() returns true so that you only need to test the various cases in the if !isRoot block, i.e. the new logic added in this PR. Essentially, we'd want to check if ackCommitFn, featuring a mocked acker, is called if we're targeting the same user, indicating that deduplication is happening OR if we're not targeting the same user, the expected error is thrown.

@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 6, 2026

💛 Build succeeded, but was flaky

Failed CI Steps

History

cc @michalpristas

@cmacknz
Copy link
Member

cmacknz commented Jan 6, 2026
edited
Loading

An integration test that sends the privilege level change action twice in a row would probably be the best thing to test this, considering how coupled it is to how agent is installed I am skeptical we can cover the action implementation purely with unit tests.

There are integration tests for the command line version of this already but I don't see one for the action.

elastic-agent/testing/integration/ess/switch_unprivileged_test.go

Line 28 in adab9b6

func TestSwitchUnprivilegedWithoutBasePath(t *testing.T) {

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ycombinator ycombinator ycombinator left review comments

@blakerouse blakerouse Awaiting requested review from blakerouse blakerouse is a code owner automatically assigned from elastic/elastic-agent-control-plane

At least 1 approving review is required to merge this pull request.

Assignees

@michalpristas michalpristas

Labels

backport-9.3 Automated backport to the 9.3 branch bug Something isn't working skip-changelog Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Agent gets unhealthy and shows error on Last Check-in on triggering multiple single or bulk privilege change API calls

4 participants

@michalpristas @elasticmachine @cmacknz @ycombinator