[Fleet][Endpoint][RBAC V2] Update fleet router and config to allow API access via RBAC controls #145361
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ashokaditya
added
Team:Defend Workflows
ashokaditya
force-pushed
the
task/olm-policy-list-api-rbac-4926
branch
9 times, most recently
from
020caa1
to
b29cd19
Compare
This was referenced Nov 21, 2022
ashokaditya
force-pushed
the
task/olm-policy-list-api-rbac-4926
branch
3 times, most recently
from
c01607f
to
b82e709
Compare
gergoabraham
added a commit
that referenced
this pull request
Nov 23, 2022
## Summary RBAC UI features for Trusted Applications. To test, enable `endpointRbacEnabled` feature-flag, create a non-superuser user with _Security: ALL_ privilege and (All | Read | None) sub-privilege for _Trusted Applications_. <img width="541" alt="image" src="https://user-images.githubusercontent.com/39014407/203073992-fb71e293-2cd8-4639-8d61-4867e39ef071.png"> The modification should: - hide Trusted Apps from Manage navigation items if privilege is NONE, (note: it is still displayed for non-superusers, if the feature flag is disabled) - disable add/edit/delete for Trusted Applications if privilege is READ. ##⚠️ Note This PR focuses on _Read_ and _None_. The sub-privilege _All_ does not work perfectly at the moment, because of unauthorised API calls. A follow-up PR will fix this, after this PR is merged: #145361 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
ashokaditya
force-pushed
the
task/olm-policy-list-api-rbac-4926
branch
5 times, most recently
from
e2d3807
to
e7a4db3
Compare
ashokaditya
changed the title
ashokaditya
force-pushed
the
task/olm-policy-list-api-rbac-4926
branch
from
e7a4db3
to
7f5102a
Compare
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 15, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 15, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 15, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 15, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 15, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 16, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 16, 2022
crespocarlos
pushed a commit
to crespocarlos/kibana
that referenced
this pull request
Dec 16, 2022
…I access via RBAC controls (elastic#145361) ## Summary > **Note** > This PR is adding changes only to some of `api/fleet/package_policies` API routes, there will be subsequent PRs after this to update `api/fleet/epm/packages`, `api/fleet/agent_policeis` and, `api/fleet/agent_status`. This PR introduces the framework needed in fleet in order to be able to support Package level Privileges - meaning: if a user does not have authorization granted via Fleet and/or Integration privileges, then package level privileges are check and API access granted. When access is granted based on Package Privileges, the data is also validated to ensure that it is limited to the integration package names that were given authorization to the API. The following APIs were updated to leverage this new framework: - Integration Package Policy list API - Integration Package Policy get one API - Integration Package Policy update one API - Integration Package Policy bulk get API > ℹ️ these API were updated in support of Endpoint use cases needed for v8.7. Example of API error for Package policies api: ```json5 { "statusCode": 403, "error": "Forbidden", "message": "Authorization denied to [package.name=fleet_server]. Allowed package.name's: endpoint" } ``` ___________ To test: 1. Log in as `elastic`/superuser and create some agent policies. 1. Under `Stack Management`, create a role `policy_role` with the following RBAC settings. **DO NOT** select `Fleet -> All` or toggle `Integrations`. Leave those RBAC toggles set to `None` <img width="610" alt="Screenshot 2022-11-16 at 14 45 15" src="https://user-images.githubusercontent.com/1849116/202196962-9123e380-3b8f-4d52-97f9-8af895fb4c26.png"> 2. Create a user e.g. `policy_user` and assign them _only_ the above role. **NOT** `superuser`. 3. Login with this user and navigate to `app/security/administration/policy` or curl/postman. 4. Expect to see the following: - GET `api/fleet/epm/packages?category=security` should return a `403` status. - GET `api/fleet/package_policies?page=1&perPage=10&kuery=ingest-package-policies.package.name%3A%20endpoint` should return a list of policies. - GET `/api/fleet/package_policies/<packagePolicyId>` should return a `200` and a signle item that has the policie's details. Note that the package name of this item is `endpoint`. - there should be a POST API request matching `api/fleet/agent_policies/_bulk_get`, and should return a `403`. 5. With `Policy Management` RBAC set to `All` - PUT `http://localhost:5601/api/fleet/package_policies/<packagePolicyId>` should return a `200` with the updated policy details as response ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: Paul Tavares <paul.tavares@elastic.co>
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 16, 2022
2 tasks
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 16, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 19, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 20, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 21, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 22, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 22, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 22, 2022
ashokaditya
added a commit
to ashokaditya/kibana
that referenced
this pull request
Dec 23, 2022
ashokaditya
added a commit
that referenced
this pull request
Jan 3, 2023
## Summary Tests related to changes in /pull/145361 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
ashokaditya
added a commit
that referenced
this pull request
Jan 3, 2023
…thz` (#147696) ## Summary Follow up PR to update `api/fleet/agent_status` route. refs /pull/145361 refs elastic/security-team/issues/5539 ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces the framework needed in fleet in order to be able to
support Package level Privileges - meaning: if a user does not have
authorization granted via Fleet and/or Integration privileges, then
package level privileges are check and API access granted. When access
is granted based on Package Privileges, the data is also validated to
ensure that it is limited to the integration package names that were
given authorization to the API.
The following APIs were updated to leverage this new framework:
Example of API error for Package policies api:
To test:
Log in as
elastic/superuser and create some agent policies.Under
Stack Management, create a rolepolicy_rolewith thefollowing RBAC settings. DO NOT select
Fleet -> Allor toggleIntegrations. Leave those RBAC toggles set toNoneCreate a user e.g.
policy_userand assign them only the aboverole. NOT
superuser.Login with this user and navigate to
app/security/administration/policyor curl/postman.Expect to see the following:
api/fleet/epm/packages?category=securityshould return a403status.
api/fleet/package_policies?page=1&perPage=10&kuery=ingest-package-policies.package.name%3A%20endpointshould return a list of policies.
/api/fleet/package_policies/<packagePolicyId>should return a200and a signle item that has the policie's details. Note that thepackage name of this item is
endpoint.api/fleet/agent_policies/_bulk_get, and should return a403.Policy ManagementRBAC set toAllhttp://localhost:5601/api/fleet/package_policies/<packagePolicyId>should return a
200with the updated policy details as responseChecklist
Unit or functional
tests
were updated or added to match the most common scenarios
This was checked for breaking API changes and was labeled
appropriately
Co-authored-by: Paul Tavares paul.tavares@elastic.co