Add roles to the output permissions

For now we will only have a `fallback` role containing the current
permissions. Eventually the permissions needed for each integration will
be specified as individual roles.

x-pack/plugins/fleet/common/types/models/agent_policy.ts

@@ -72,7 +72,9 @@ export interface FullAgentPolicy {
     };
   };
   outputPermissions?: {
-    [key: string]: FullAgentPolicyPermission[];
+    [output: string]: {
+      [role: string]: FullAgentPolicyPermission[];
+    };
   };
   fleet?: {
     kibana: FullAgentPolicyKibanaConfig;

x-pack/plugins/fleet/server/services/agent_policy.ts

@@ -705,7 +705,7 @@ class AgentPolicyService {
       const output = fullAgentPolicy.outputs[outputName];
       if (output && output.type === 'elasticsearch') {
         // TODO Extract to a method
-        permissions[outputName] = [
+        permissions[outputName].fallback = [
           {
             names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
             privileges: ['auto_configure', 'create_doc'],

x-pack/plugins/fleet/server/services/agents/checkin/state_new_actions.test.ts

@@ -145,7 +145,7 @@ describe('test agent checkin new action services', () => {
             },
           },
           outputPermissions: {
-            default: [],
+            default: { fallback: [] },
           },
           inputs: [],
         },
@@ -162,7 +162,7 @@ describe('test agent checkin new action services', () => {
               id: 'policy1',
               inputs: [],
               outputs: { default: { api_key: 'MOCK_API_KEY', hosts: [], type: 'elasticsearch' } },
-              outputPermissions: { default: [] },
+              outputPermissions: { default: { fallback: [] } },
             },
           },
           id: 'action1',
@@ -227,7 +227,7 @@ describe('test agent checkin new action services', () => {
               id: 'policy1',
               inputs: [],
               outputs: { default: { api_key: 'MOCK_API_KEY', hosts: [], type: 'elasticsearch' } },
-              outputPermissions: { default: [] },
+              outputPermissions: { default: { fallback: [] } },
             },
           },
           id: 'action1',

x-pack/plugins/fleet/server/services/agents/checkin/state_new_actions.ts

@@ -115,7 +115,7 @@ async function getOrCreateAgentDefaultOutputAPIKey(
   soClient: SavedObjectsClientContract,
   esClient: ElasticsearchClient,
   agent: Agent,
-  permissions: FullAgentPolicyPermission[]
+  permissions: { [role: string]: FullAgentPolicyPermission[] }
 ): Promise<string> {
   const defaultAPIKey = await getAgentDefaultOutputAPIKey(soClient, esClient, agent);
   if (defaultAPIKey) {

x-pack/plugins/fleet/server/services/api_keys/index.ts

@@ -19,15 +19,23 @@ export async function generateOutputApiKey(
   soClient: SavedObjectsClientContract,
   outputId: string,
   agentId: string,
-  permissions: FullAgentPolicyPermission[]
+  permissions: { [role: string]: FullAgentPolicyPermission[] }
 ): Promise<{ key: string; id: string }> {
   const name = `${agentId}:${outputId}`;
-  const key = await createAPIKey(soClient, name, {
-    'fleet-output': {
-      cluster: ['monitor'],
-      index: permissions,
+
+  const APIKeyRequest = Object.entries(permissions).reduce<Record<string, any>>(
+    (request, [role, indices]) => {
+      request[role] = {
+        cluster: ['monitor'],
+        index: indices,
+      };
+
+      return request;
     },
-  });
+    {}
+  );
+
+  const key = await createAPIKey(soClient, name, APIKeyRequest);
 
   if (!key) {
     throw new Error('Unable to create an output api key');