Indexing permissions as part of the Elastic Agent policy

cmd/fleet/handleCheckin.go

@@ -21,6 +21,7 @@ import (
  "github.com/elastic/fleet-server/v7/internal/pkg/model"
  "github.com/elastic/fleet-server/v7/internal/pkg/monitor"
  "github.com/elastic/fleet-server/v7/internal/pkg/policy"
+ "github.com/elastic/fleet-server/v7/internal/pkg/smap"
 
  "github.com/julienschmidt/httprouter"
  "github.com/rs/zerolog/log"
@@ -263,7 +264,8 @@ func parsePolicy(ctx context.Context, bulker bulk.Bulk, agentId string, p model.
  // 4) Inject default api key into structure
  // 5) Re-serialize and return AgentResp structure
 
- var actionObj map[string]interface{}
+ // using json.RawMessage to avoid the full json de-serialization
+ var actionObj map[string]json.RawMessage
  if err := json.Unmarshal(p.Data, &actionObj); err != nil {
  return nil, err
  }
@@ -275,26 +277,66 @@ func parsePolicy(ctx context.Context, bulker bulk.Bulk, agentId string, p model.
  return nil, err
  }
 
+ // Check if need to generate a new output api key
+ var (
+ hash string
+ needKey bool
+ roles []byte
+ )
+
  if agent.DefaultApiKey == "" {
- defaultOutputApiKey, err := generateOutputApiKey(ctx, bulker.Client(), agent.Id, "default")
+ hash, roles, err = policy.GetRoleDescriptors(actionObj[policy.OutputPermissionsProperty])
+ if err != nil {
+ return nil, err
+ }
+ log.Debug().Str("agentId", agentId).Msg("Agent API key is missing")
+ } else {
+ hash, roles, needKey, err = policy.CheckOutputPermissionsChanged(agent.PolicyOutputPermissionsHash, actionObj[policy.OutputPermissionsProperty])
+ if err != nil {
+ return nil, err
+ }
+ if needKey {
+ log.Debug().Str("agentId", agentId).Msg("Policy output permissions changed")
+ }
+ }
+
+ if needKey {
+ log.Debug().Str("agentId", agentId).Interface("roles", roles).Str("hash", hash).Msg("Generating a new API key")
+ defaultOutputApiKey, err := generateOutputApiKey(ctx, bulker.Client(), agent.Id, policy.DefaultOutputName, roles)
  if err != nil {
  return nil, err
  }
  agent.DefaultApiKey = defaultOutputApiKey.Agent()
  agent.DefaultApiKeyId = defaultOutputApiKey.Id
+ agent.PolicyOutputPermissionsHash = hash
 
  log.Info().Str("agentId", agentId).Msg("Rewriting full agent record to pick up default output key.")
  if err = dl.IndexAgent(ctx, bulker, agent); err != nil {
  return nil, err
  }
  }
 
- if ok := setMapObj(actionObj, agent.DefaultApiKey, "outputs", "default", "api_key"); !ok {
- log.Debug().Msg("Cannot inject api_key into policy")
+ // Parse the outputs maps in order to inject the api key
+ const outputsProperty = "outputs"
+ outputs, err := smap.Parse(actionObj[outputsProperty])
+ if err != nil {
+ return nil, err
+ }
+
+ if outputs != nil {
+ if ok := setMapObj(outputs, agent.DefaultApiKey, "default", "api_key"); !ok {
+ log.Debug().Msg("Cannot inject api_key into policy")
+ } else {
+ outputRaw, err := json.Marshal(outputs)
+ if err != nil {
+ return nil, err
+ }
+ actionObj[outputsProperty] = json.RawMessage(outputRaw)
+ }
  }
 
  dataJSON, err := json.Marshal(struct {
- Policy map[string]interface{} `json:"policy"`
+ Policy map[string]json.RawMessage `json:"policy"`
  }{actionObj})
  if err != nil {
  return nil, err

cmd/fleet/handleEnroll.go

@@ -19,6 +19,7 @@ import (
  "github.com/elastic/fleet-server/v7/internal/pkg/config"
  "github.com/elastic/fleet-server/v7/internal/pkg/dl"
  "github.com/elastic/fleet-server/v7/internal/pkg/model"
+ "github.com/elastic/fleet-server/v7/internal/pkg/policy"
 
  "github.com/elastic/go-elasticsearch/v8"
  "github.com/gofrs/uuid"
@@ -179,7 +180,24 @@ func _enroll(ctx context.Context, bulker bulk.Bulk, c cache.Cache, req EnrollReq
  return nil, err
  }
 
- defaultOutputApiKey, err := generateOutputApiKey(ctx, bulker.Client(), agentId, "default")
+ // Fetch policy in order to get the permissions for the output api key
+ p, err := dl.FindPolicyByID(ctx, bulker, erec.PolicyId)
+ if err != nil {
+ return nil, err
+ }
+
+ // Parse top level only, consistent as check-in handling
+ var policyMap map[string]json.RawMessage
+ if err := json.Unmarshal(p.Data, &policyMap); err != nil {
+ return nil, err
+ }
+
+ permHash, roles, err := policy.GetRoleDescriptors(policyMap[policy.OutputPermissionsProperty])
+ if err != nil {
+ return nil, err
+ }
+
+ defaultOutputApiKey, err := generateOutputApiKey(ctx, bulker.Client(), agentId, policy.DefaultOutputName, roles)
  if err != nil {
  return nil, err
  }
@@ -198,15 +216,16 @@ func _enroll(ctx context.Context, bulker bulk.Bulk, c cache.Cache, req EnrollReq
  }
 
  agentData := model.Agent{
- Active: true,
- PolicyId: erec.PolicyId,
- Type: req.Type,
- EnrolledAt: now.UTC().Format(time.RFC3339),
- LocalMetadata: localMeta,
- AccessApiKeyId: accessApiKey.Id,
- DefaultApiKeyId: defaultOutputApiKey.Id,
- DefaultApiKey: defaultOutputApiKey.Agent(),
- ActionSeqNo: dl.UndefinedSeqNo,
+ Active: true,
+ PolicyId: erec.PolicyId,
+ Type: req.Type,
+ EnrolledAt: now.UTC().Format(time.RFC3339),
+ LocalMetadata: localMeta,
+ AccessApiKeyId: accessApiKey.Id,
+ DefaultApiKeyId: defaultOutputApiKey.Id,
+ DefaultApiKey: defaultOutputApiKey.Agent(),
+ ActionSeqNo: dl.UndefinedSeqNo,
+ PolicyOutputPermissionsHash: permHash,
  }
 
  err = createFleetAgent(ctx, bulker, agentId, agentData)
@@ -309,9 +328,9 @@ func generateAccessApiKey(ctx context.Context, client *elasticsearch.Client, age
  return apikey.Create(ctx, client, agentId, "", []byte(kFleetAccessRolesJSON))
 }
 
-func generateOutputApiKey(ctx context.Context, client *elasticsearch.Client, agentId string, outputName string) (*apikey.ApiKey, error) {
+func generateOutputApiKey(ctx context.Context, client *elasticsearch.Client, agentId, outputName string, roles []byte) (*apikey.ApiKey, error) {
  name := fmt.Sprintf("%s:%s", agentId, outputName)
- return apikey.Create(ctx, client, name, "", []byte(kFleetOutputRolesJSON))
+ return apikey.Create(ctx, client, name, "", roles)
 }
 
 func (et *EnrollerT) fetchEnrollmentKeyRecord(ctx context.Context, id string) (*model.EnrollmentApiKey, error) {

cmd/fleet/schema.go

@@ -35,26 +35,6 @@ const kFleetAccessRolesJSON = `
 }
 `
 
-const kFleetOutputRolesJSON = `
- {
- "fleet-output": {
- "cluster": ["monitor"],
- "index": [{
- "names": [
- "logs-*",
- "metrics-*",
- "traces-*",
- ".logs-endpoint.diagnostic.collection-*"
- ],
- "privileges": [
- "auto_configure",
- "create_doc"
- ]
- }]
- }
- }
-`
-
 // Wrong: no AAD;
 // This defeats the signature check;
 // can copy from one to another and will dispatch.

internal/pkg/dl/policies.go

@@ -8,16 +8,17 @@ import (
  "context"
  "encoding/json"
  "errors"
+
  "github.com/elastic/fleet-server/v7/internal/pkg/bulk"
  "github.com/elastic/fleet-server/v7/internal/pkg/model"
- "sync"
 
  "github.com/elastic/fleet-server/v7/internal/pkg/dsl"
 )
 
 var (
- tmplQueryLatestPolicies []byte
- initQueryLatestPoliciesOnce sync.Once
+ tmplQueryLatestPolicies = prepareQueryLatestPolicies()
+
+ queryPolicyByID = preparePolicyFindByID()
 )
 
 var ErrPolicyLeaderNotFound = errors.New("policy has no leader")
@@ -36,12 +37,22 @@ func prepareQueryLatestPolicies() []byte {
  return root.MustMarshalJSON()
 }
 
+func preparePolicyFindByID() *dsl.Tmpl {
+ tmpl := dsl.NewTmpl()
+ root := dsl.NewRoot()
+
+ root.Size(1)
+ root.Query().Bool().Filter().Term(FieldPolicyId, tmpl.Bind(FieldPolicyId), nil)
+ sort := root.Sort()
+ sort.SortOrder(FieldRevisionIdx, dsl.SortDescend)
+ sort.SortOrder(FieldCoordinatorIdx, dsl.SortDescend)
+
+ tmpl.MustResolve(root)
+ return tmpl
+}
+
 // QueryLatestPolices gets the latest revision for a policy
 func QueryLatestPolicies(ctx context.Context, bulker bulk.Bulk, opt ...Option) ([]model.Policy, error) {
- initQueryLatestPoliciesOnce.Do(func() {
- tmplQueryLatestPolicies = prepareQueryLatestPolicies()
- })
-
  o := newOption(FleetPolicies, opt...)
  res, err := bulker.Search(ctx, []string{o.indexName}, tmplQueryLatestPolicies)
  if err != nil {
@@ -79,3 +90,18 @@ func CreatePolicy(ctx context.Context, bulker bulk.Bulk, policy model.Policy, op
  }
  return bulker.Create(ctx, o.indexName, "", data)
 }
+
+// FindPolicyByID find policy by ID
+func FindPolicyByID(ctx context.Context, bulker bulk.Bulk, policyID string) (policy model.Policy, err error) {
+ res, err := SearchWithOneParam(ctx, bulker, queryPolicyByID, FleetPolicies, FieldPolicyId, policyID)
+ if err != nil {
+ return
+ }
+
+ if len(res.Hits) == 0 {
+ return policy, ErrNotFound
+ }
+
+ err = res.Hits[0].Unmarshal(&policy)
+ return policy, err
+}