[Fleet] Add reserved privilege for Fleet setup #112647
Comments
joshdover
added
enhancement
|
Pinging @elastic/fleet (Team:Fleet) |
|
@legrego I've gotten pretty far with this, but I could some advice on how to proceed here. I have implemented the suggested changes, however, the built-in privilege check using the This is the request being executed by GET http://localhost:9200/_security/user/_has_privileges
Authorization: Bearer <elastic/fleet-server service account token>
content-type: application/json
{
"index": [],
"application": [
{
"application": "kibana-.kibana",
"resources": [
"space:default"
],
"privileges": [
"version:8.0.0",
"login:",
"api:8.0.0:fleet-setup"
]
}
]
}Which returns: {
"username": "elastic/fleet-server",
"has_all_requested": false,
"cluster": {},
"index": {},
"application": {
"kibana-.kibana": {
"space:default": {
"api:8.0.0:fleet-setup": true,
"login:": false,
"version:8.0.0": true
}
}
}
}It seems to me that we shouldn't grant this user the It's also worth noting that we plan to remove this in 8.0, so this could be seen as a temporary measure which may make this more acceptable. Here is the PR that adds the privileges to the service account in Elasticsearch: elastic/elasticsearch#78192 |
@joshdover ah this was an oversight in my initial proposal, sorry about that.
I agree, the fleet service account should not have this action granted to it.
I only have 1 other idea. Instead of relying on the route's diff --git a/x-pack/plugins/security/server/authorization/check_privileges.ts b/x-pack/plugins/security/server/authorization/check_privileges.ts
index 3a35cf164ad..adfb5f97aea 100644
--- a/x-pack/plugins/security/server/authorization/check_privileges.ts
+++ b/x-pack/plugins/security/server/authorization/check_privileges.ts
@@ -25,6 +25,18 @@ interface CheckPrivilegesActions {
version: string;
}
+/**
+ * Options to influence the privilege checks.
+ */
+export interface CheckPrivilegesOptions {
+ /**
+ * Whether or not the `login` action should be required (default: true).
+ * Setting this to false is not advised except for special circumstances, when you do not require
+ * the request to belong to a user capable of logging into Kibana.
+ */
+ requireLoginAction?: boolean;
+}
+
export function checkPrivilegesWithRequestFactory(
actions: CheckPrivilegesActions,
getClusterClient: () => Promise<IClusterClient>,
@@ -38,7 +50,10 @@ export function checkPrivilegesWithRequestFactory(
);
};
- return function checkPrivilegesWithRequest(request: KibanaRequest): CheckPrivileges {
+ return function checkPrivilegesWithRequest(
+ request: KibanaRequest,
+ { requireLoginAction = true }: CheckPrivilegesOptions = {}
+ ): CheckPrivileges {
const checkPrivilegesAtResources = async (
resources: string[],
privileges: CheckPrivilegesPayload
@@ -48,7 +63,11 @@ export function checkPrivilegesWithRequestFactory(
: privileges.kibana
? [privileges.kibana]
: [];
- const allApplicationPrivileges = uniq([actions.version, actions.login, ...kibanaPrivileges]);
+ const allApplicationPrivileges = uniq([
+ actions.version,
+ ...[requireLoginAction && actions.login],
+ ...kibanaPrivileges,
+ ]);
const clusterClient = await getClusterClient();
const { body } = await clusterClient.asScoped(request).asCurrentUser.security.hasPrivileges({And then in your route definition, remove the router.post(
{
path: '/internal/fleet/my-special-endpoint',
validate: false,
},
(async (context, request, response) => {
if (securityStart.authz.mode.useRbacForRequest(request)) {
const checkPrivileges = securityStart.checkPrivilegesDynamicallyWithRequest(request);
const { hasAllRequested } = await checkPrivileges(
{
kibana: [securityStart.authz.actions.api.get('fleet-setup')],
},
{
requireLoginAction: false,
}
);
if (!hasAllRequsted) {
return response.forbidden();
}
}
})
);I slightly prefer this approach over the proposal in https://github.com/elastic/kibana/pull/112808/files#diff-f258f464e2091c78a6081cc606d85949c1009b38616069449eccc197594c8d30 as #112808 forces
Agreed. If my proposal here isn't workable or palatable for some reason, then I can personally get behind your proposal as a short-term solution. cc @jportner / @elastic/kibana-security as I shouldn't be making these types of technical decisions unilaterally at this point 🙂 |
Makes sense to me, I'll implement and tests for that now and we can review the changes in the PR. |
Thanks for tagging me, I agree this sounds like the best path forward. |
As part of #112648, we need to grant the elastic/fleet-server service account privileges that would allow it to call the Fleet setup API without giving it access to anything else in Kibana.
Broadly, this involves:
kibana-*application (ES issue to be opened for this)Notes on how to do this from @legrego, copied from an internal ticket:
I wonder if we can take advantage of Kibana's "reserved privileges" here. With this setup, Kibana would register a privilege similar to the following:
{ "kibana-.kibana": { "reserved_fleet-setup": { "actions": [ "setup:fleet" ], "metadata": { "description": "Setup access to Fleet Setup API" } } } }And then we could update the Fleet service account in ES to grant this privilege to the
kibana-*application, which would give these tokens the appropriate access regardless of the currentkibana.indexsetting. This is what we do for some of the built-in roles today, such asmachine_learning_user:https://github.com/elastic/elasticsearch/blob/7.x/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStore.java#L197-L209
If we take this route, then Fleet could register this privilege itself, similar to the following:
Note the
apiproperty within the privilege. This should allow us to take advantage of the existing authorization checks, so if you tag your route withaccess:fleet-setup, then you shouldn't need to make your own_has_privilegescheck.We might have to tweak the Role Management UI a to make sure the Fleet feature still renders as expected, but that shouldn't take much effort on our part if needed.
The text was updated successfully, but these errors were encountered: