diff --git a/x-pack/plugins/fleet/common/constants/epm.ts b/x-pack/plugins/fleet/common/constants/epm.ts
index f55a7294c0273d..486175b4c73aba 100644
--- a/x-pack/plugins/fleet/common/constants/epm.ts
+++ b/x-pack/plugins/fleet/common/constants/epm.ts
@@ -27,6 +27,7 @@ export const FLEET_CLOUD_SECURITY_POSTURE_CSPM_POLICY_TEMPLATE = 'cspm';
 export const FLEET_CLOUD_SECURITY_POSTURE_CNVM_POLICY_TEMPLATE = 'vuln_mgmt';
 export const FLEET_CLOUD_DEFEND_PACKAGE = 'cloud_defend';
 export const FLEET_CLOUD_BEAT_PACKAGE = 'cloudbeat';
+export const FLEET_CONNECTORS_PACKAGE = 'elastic_connectors';
 export const GLOBAL_DATA_TAG_EXCLUDED_INPUTS = new Set([
 FLEET_APM_PACKAGE,
diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts
index b042684016199d..9bf54b454b2b9b 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts
@@ -11,6 +11,7 @@ import type { PackagePolicy, RegistryDataStream } from '../../types';
 import type { DataStreamMeta } from './package_policies_to_agent_permissions';
 import {
+ ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
 getDataStreamPrivileges,
 storedPackagePoliciesToAgentPermissions,
 UNIVERSAL_PROFILING_PERMISSIONS,
@@ -281,6 +282,48 @@ packageInfoCache.set('apm-8.9.0-preview', {
 },
 });
+packageInfoCache.set('elastic_connectors-1.0.0', {
+ format_version: '2.7.0',
+ name: 'elastic_connectors',
+ title: 'Elastic Connectors',
+ version: '1.0.0',
+ license: 'basic',
+ description: 'Sync data from source to the Elasticsearch index.',
+ type: 'integration',
+ release: 'beta',
+ categories: ['connector'],
+ icons: [],
+ owner: { github: 'elastic/ingestion-team' },
+ data_streams: [],
+ latestVersion: '1.0.0',
+ status: 'not_installed',
+ assets: {
+ kibana: {
+ csp_rule_template: [],
+ dashboard: [],
+ visualization: [],
+ search: [],
+ index_pattern: [],
+ map: [],
+ lens: [],
+ security_rule: [],
+ ml_module: [],
+ tag: [],
+ osquery_pack_asset: [],
+ osquery_saved_query: [],
+ },
+ elasticsearch: {
+ component_template: [],
+ ingest_pipeline: [],
+ ilm_policy: [],
+ transform: [],
+ index_template: [],
+ data_stream_ilm_policy: [],
+ ml_model: [],
+ },
+ },
+});
+
 describe('storedPackagePoliciesToAgentPermissions()', () => {
 it('Returns `undefined` if there are no package policies', async () => {
 const permissions = await storedPackagePoliciesToAgentPermissions(packageInfoCache, 'test', []);
@@ -761,3 +804,51 @@ describe('getDataStreamPrivileges()', () => {
 });
 });
 });
+
+it('Returns the Elastic Connectors permissions for elastic_connectors package', async () => {
+ const packagePolicies: PackagePolicy[] = [
+ {
+ id: 'package-policy-uuid-test-123',
+ name: 'test-policy',
+ namespace: '',
+ enabled: true,
+ package: { name: 'elastic_connectors', version: '1.0.0', title: 'Elastic Connectors' },
+ inputs: [
+ {
+ type: 'connectors-py',
+ enabled: true,
+ streams: [],
+ },
+ ],
+ created_at: '',
+ updated_at: '',
+ created_by: '',
+ updated_by: '',
+ revision: 1,
+ policy_id: '',
+ policy_ids: [''],
+ },
+ ];
+
+ const permissions = await storedPackagePoliciesToAgentPermissions(
+ packageInfoCache,
+ 'test',
+ packagePolicies
+ );
+
+ expect(permissions).toMatchObject({
+ 'package-policy-uuid-test-123': {
+ cluster: ['manage_connector'],
+ indices: [
+ {
+ names: ['.elastic-connectors*'],
+ privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+ },
+ {
+ names: ['content-*', '.search-acl-filter-*'],
+ privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+ },
+ ],
+ },
+ });
+});
diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index a5fc2ba25de476..8530676ce0d03a 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -12,6 +12,7 @@ import type {
 import {
 FLEET_APM_PACKAGE,
+ FLEET_CONNECTORS_PACKAGE,
 FLEET_UNIVERSAL_PROFILING_COLLECTOR_PACKAGE,
 FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE,
 } from '../../../common/constants';
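Review bot: The new test expects `privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS`, the same exported array the implementation returns, so a later widening of that constant (for example adding `delete_index` or `all`) would still pass. Spell the expected grant out in the test, `privileges: ['read', 'write', 'monitor', 'create_index', 'auto_configure', 'maintenance']`, and assert with `toEqual` rather than `toMatchObject`, since `toMatchObject` ignores extra keys on the received role descriptor. The `it(...)` also appears to sit at file top level, after the closing `});` of `describe('getDataStreamPrivileges()')`; it belongs inside `describe('storedPackagePoliciesToAgentPermissions()')`.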
@@ -41,6 +42,15 @@ export const UNIVERSAL_PROFILING_PERMISSIONS = [
 'view_index_metadata',
 ];
+export const ELASTIC_CONNECTORS_INDEX_PERMISSIONS = [
+ 'read',
+ 'write',
+ 'monitor',
+ 'create_index',
+ 'auto_configure',
+ 'maintenance',
+];
+
 export function storedPackagePoliciesToAgentPermissions(
 packageInfoCache: Map,
 agentPolicyNamespace: string,
@@ -79,6 +89,10 @@ export function storedPackagePoliciesToAgentPermissions(
 return apmPermissions(packagePolicy.id);
 }
+ if (pkg.name === FLEET_CONNECTORS_PACKAGE) {
+ return connectorServicePermissions(packagePolicy.id);
+ }
+
 const dataStreams = getNormalizedDataStreams(pkg);
 if (!dataStreams || dataStreams.length === 0) {
 return [packagePolicy.name, undefined];
@@ -247,3 +261,22 @@ function apmPermissions(packagePolicyId: string): [string, SecurityRoleDescripto
 },
 ];
 }
+
+function connectorServicePermissions(packagePolicyId: string): [string, SecurityRoleDescriptor] {
+ return [
+ packagePolicyId,
+ {
+ cluster: ['manage_connector'],
+ indices: [
+ {
+ names: ['.elastic-connectors*'],
+ privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+ },
+ {
+ names: ['content-*', '.search-acl-filter-*'],
+ privileges: ELASTIC_CONNECTORS_INDEX_PERMISSIONS,
+ },
+ ],
+ },
+ ];
+}
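Review bot: `ELASTIC_CONNECTORS_INDEX_PERMISSIONS` is exported as a mutable array, and the last hunk of this file puts that same array instance into both index entries of every role descriptor it returns. Any code that later mutates a descriptor's `privileges` in place would change the grant for every subsequent policy. Declare it read-only, `export const ELASTIC_CONNECTORS_INDEX_PERMISSIONS: readonly string[] = [`, and copy at the use sites with `privileges: [...ELASTIC_CONNECTORS_INDEX_PERMISSIONS],`.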
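Review bot: The new branch returns the connector role whenever `pkg.name === FLEET_CONNECTORS_PACKAGE`, before `getNormalizedDataStreams(pkg)` runs. The grant therefore does not depend on the package's data streams, on `agentPolicyNamespace`, or, as far as this hunk shows, on any input being enabled. If a policy whose inputs are all disabled should not add `manage_connector` to the agent key, guard the branch, e.g. `if (pkg.name === FLEET_CONNECTORS_PACKAGE && packagePolicy.inputs.some((input) => input.enabled)) {`. The enclosing callback starts and ends outside the hunk, so an earlier check may already cover this.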
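Review bot: `connectorServicePermissions` takes only `packagePolicyId`, so every agent key built from a policy with this integration gets `write` and `create_index` on all of `content-*` and `.search-acl-filter-*`. Nothing narrows the grant to a namespace or to the connectors that policy runs, and the second pattern looks, by its name, like access-control data. If that breadth is intended, record it above the function, e.g. `/** Role for the connectors service; index patterns are deliberately not namespace-scoped because <reason>. */`, with the reason each privilege is needed. Using a separate privilege list per index group would let the `.elastic-connectors*` and `.search-acl-filter-*` grants be tightened later without touching `content-*`.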