-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fleet] Expose permissions as part of the agent policy #94591
[Fleet] Expose permissions as part of the agent policy #94591
Conversation
Yeah sorry about that. The code had a silly error. It's fixed now |
Pinging @elastic/fleet (Feature:Fleet) |
x-pack/plugins/fleet/server/services/agents/checkin/state_new_actions.ts
Outdated
Show resolved
Hide resolved
This should help fleet server to process the payload a bit more efficiently.
testing with osquerybeat that ships the data using libbeat, the fallback permissions don't seem to be sufficient
the missing |
I think to get this moving, lets add |
@urso Can we get rid of monitor privs? I see at least one case of the /_xpack API being called: We probably do not want the endpoint to have that much information about the output cluster. |
Beats in xpack (the ones used for agent) will always query Elasticsearch for the right license, but I'm not sure if this API call really requires the monitoring permissions. At least my assumption was 'no'. Originally monitoring permissions have been required to check if the template, policy, index, or alias do exist. But the agent should create a configuration that suppresses these checks. If monitoring is still required for the license check, we might consider to disable the check via agent as well (and maybe have agent do the check). |
To make sure we don't block this PR, I suggest we readd the |
💚 Build SucceededMetrics [docs]Page load bundle
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. nice job!
@@ -167,15 +174,18 @@ export async function createAgentActionFromPolicyAction( | |||
} | |||
); | |||
|
|||
// agent <= 7.9 uses `data.config` instead of `data.policy` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nchaulet one to cleanup as soon we will not support 7.9 agents anymore.
Hi @jen-huang If any testing is required to be done on this ticket from our end, could you please let know more details about how to validate this. Thanks |
Hi @dikshachauhan-qasource, no specific for this for now, the risk areas here would be covered by existing test cases. |
Ok Thanks for the confirmation @jen-huang |
Summary
Closes #94058
Fleet server needs to generate an API key for each agent so it can communicate with elasticsearch. As of today, these API keys have coarse permissions; every agent can write on any
logs-*,metrics-*,traces-*
index. We want to narrow down the permissions for each agent based on their integrations.This PR does some groundwork to move forward this goal.
1. Specify how to add permissions to the agent policy,
To do so we need to specify in the agent policy which permissions are needed for that agent. We have added a
outputPermissions
key to the agent containing this information.The type signature is as follows:
2. Move current hardcoded permissions from fleet server to the policy itself.
Since the integrations don't specify their permissions yet, we will use the current broad permissions in the policy, under the
fallback
key.Checklist
Delete any items that are not applicable to this PR.
For maintainers