[Fleet] Require AgentPolicies:All to add a fleet server #193014
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nchaulet
added
release_note:skip
|
Pinging @elastic/fleet (Team:Fleet) |
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
To update your PR or re-run it, just comment with: cc @nchaulet |
jen-huang
approved these changes
Sep 16, 2024
There was a problem hiding this comment.
I think it makes sense for the "operator"/superuser persona, who has access to all privileges, to be the one that also manages Fleet Server enrollments. cc @nimarezainia for awareness and feedback.
nchaulet
added
backport:prev-minor
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 17, 2024
(cherry picked from commit 193935c)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Sep 26, 2024
… (#193156) # Backport This will backport the following commits from `main` to `8.x`: - [[Fleet] Require AgentPolicies:All to add a fleet server (#193014)](#193014) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Nicolas Chaulet","email":"nicolas.chaulet@elastic.co"},"sourceCommit":{"committedDate":"2024-09-17T12:13:54Z","message":"[Fleet] Require AgentPolicies:All to add a fleet server (#193014)","sha":"193935cbf25c96ae1e6952f7233f001053e60a59","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v9.0.0","backport:prev-minor","v8.16.0"],"title":"[Fleet] Require AgentPolicies:All to add a fleet server","number":193014,"url":"https://github.com/elastic/kibana/pull/193014","mergeCommit":{"message":"[Fleet] Require AgentPolicies:All to add a fleet server (#193014)","sha":"193935cbf25c96ae1e6952f7233f001053e60a59"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193014","number":193014,"mergeCommit":{"message":"[Fleet] Require AgentPolicies:All to add a fleet server (#193014)","sha":"193935cbf25c96ae1e6952f7233f001053e60a59"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Nicolas Chaulet <nicolas.chaulet@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Resolve #187652
In the flow to add a fleet server, we may need to create a fleet server policy, this is why we should require the
AgentPolicies:Allto add a Fleet server.That PR address that, and add a unit test to compute that role.
Manual tests
You can after enabling subfeaturePrivileges experimental features and with a trial license create a role with access to Agents:all Settings:all and AgentPolicies:read and check you cannot add a fleet server
UI Change
With Agents:all Settings:all and Without AgentPolicies:all
With Agents:all Settings:all AgentPolicies:alll