[Fleet] Tighten policy permissions

x-pack/plugins/fleet/common/types/index.ts

@@ -31,6 +31,7 @@ export interface FleetConfigType {
     };
     agentPolicyRolloutRateLimitIntervalMs: number;
     agentPolicyRolloutRateLimitRequestPerInterval: number;
+    agentPolicyTightPermissions: boolean;
   };
 }
 

x-pack/plugins/fleet/common/types/models/agent_policy.ts

@@ -10,6 +10,7 @@ import type { DataType, ValueOf } from '../../types';
 
 import type { PackagePolicy, PackagePolicyPackage } from './package_policy';
 import type { Output } from './output';
+import type { PackagePermissions } from './epm';
 
 export type AgentPolicyStatus = typeof agentPolicyStatuses;
 
@@ -61,13 +62,7 @@ export interface FullAgentPolicyInput {
 }
 
 export interface FullAgentPolicyOutputPermissions {
-  [role: string]: {
-    cluster: string[];
-    indices: Array<{
-      names: string[];
-      privileges: string[];
-    }>;
-  };
+  [role: string]: PackagePermissions;
 }
 
 export interface FullAgentPolicy {

x-pack/plugins/fleet/common/types/models/epm.ts

@@ -256,6 +256,7 @@ export enum RegistryDataStreamKeys {
   ingest_pipeline = 'ingest_pipeline',
   elasticsearch = 'elasticsearch',
   dataset_is_prefix = 'dataset_is_prefix',
+  permissions = 'permissions',
 }
 
 export interface RegistryDataStream {
@@ -271,13 +272,24 @@ export interface RegistryDataStream {
   [RegistryDataStreamKeys.ingest_pipeline]: string;
   [RegistryDataStreamKeys.elasticsearch]?: RegistryElasticsearch;
   [RegistryDataStreamKeys.dataset_is_prefix]?: boolean;
+  [RegistryDataStreamKeys.permissions]?: RegistryDataStreamPermissions;
 }
 
 export interface RegistryElasticsearch {
   'index_template.settings'?: object;
   'index_template.mappings'?: object;
 }
 
+export interface RegistryDataStreamPermissions {
+  cluster?: string[];
+  indices?: string[];
+}
+
+export interface PackagePermissions {
+  cluster?: string[];
+  indices?: Array<{ names: string[]; privileges: string[] }>;
+}
+
 export type RegistryVarType = 'integer' | 'bool' | 'password' | 'text' | 'yaml' | 'string';
 export enum RegistryVarsEntryKeys {
   name = 'name',

x-pack/plugins/fleet/public/applications/fleet/mock/plugin_configuration.ts

@@ -28,6 +28,7 @@ export const createConfigurationMock = (): FleetConfigType => {
       },
       agentPolicyRolloutRateLimitIntervalMs: 100,
       agentPolicyRolloutRateLimitRequestPerInterval: 1000,
+      agentPolicyTightPermissions: false,
     },
   };
 };

x-pack/plugins/fleet/server/index.ts

@@ -76,6 +76,7 @@ export const config: PluginConfigDescriptor = {
       agentPolicyRolloutRateLimitRequestPerInterval: schema.number({
         defaultValue: AGENT_POLICY_ROLLOUT_RATE_LIMIT_REQUEST_PER_INTERVAL,
       }),
+      agentPolicyTightPermissions: schema.boolean({ defaultValue: false }),
     }),
   }),
 };

x-pack/plugins/fleet/server/services/agent_policy.ts

@@ -38,6 +38,7 @@ import {
   AGENT_POLICY_INDEX,
   DEFAULT_FLEET_SERVER_AGENT_POLICY,
 } from '../../common';
+import type { FullAgentPolicyOutputPermissions, PackagePermissions } from '../../common';
 import type {
   DeleteAgentPolicyResponse,
   Settings,
@@ -52,7 +53,7 @@ import {
 } from '../errors';
 import { getFullAgentPolicyKibanaConfig } from '../../common/services/full_agent_policy_kibana_config';
 
-import { getPackageInfo } from './epm/packages';
+import { getPackageInfo, getPackagePermissions } from './epm/packages';
 import { createAgentPolicyAction, getAgentsByKuery } from './agents';
 import { packagePolicyService } from './package_policy';
 import { outputService } from './output';
@@ -64,6 +65,16 @@ import { appContextService } from './app_context';
 
 const SAVED_OBJECT_TYPE = AGENT_POLICY_SAVED_OBJECT_TYPE;
 
+const DEFAULT_PERMISSIONS: PackagePermissions = {
+  cluster: ['monitor'],
+  indices: [
+    {
+      names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
+      privileges: ['auto_configure', 'create_doc'],
+    },
+  ],
+};
+
 class AgentPolicyService {
   private triggerAgentPolicyUpdatedEvent = async (
     soClient: SavedObjectsClientContract,
@@ -739,24 +750,53 @@ class AgentPolicyService {
           }),
     };
 
+    const hasTightPermissions = appContextService.getConfig()?.agents.agentPolicyTightPermissions;
+    let permissions: FullAgentPolicyOutputPermissions;
+
+    if (hasTightPermissions) {
+      permissions = Object.fromEntries(
+        await Promise.all(
+          // Original type is `string[] | PackagePolicy[]`, but TS doesn't allow to `map()` over that.
+          (agentPolicy.package_policies as Array<string | PackagePolicy>).map(
+            async (packagePolicy): Promise<[string, PackagePermissions]> => {
+              if (typeof packagePolicy === 'string' || !packagePolicy.package) {
+                return ['_fallback', DEFAULT_PERMISSIONS];
+              }
+
+              const { name, version } = packagePolicy.package;
+
+              const packagePermissions = await getPackagePermissions(
+                soClient,
+                name,
+                version,
+                packagePolicy.namespace
+              );
+
+              return packagePermissions
+                ? [packagePolicy.name, packagePermissions]
+                : ['_fallback', DEFAULT_PERMISSIONS];
+            }
+          )
+        )
+      );
+      permissions._elastic_agent_checks = {
+        cluster: DEFAULT_PERMISSIONS.cluster,
+      };
+    } else {
+      permissions = {
+        _fallback: DEFAULT_PERMISSIONS,
+      };
+    }
+
     // Only add permissions if output.type is "elasticsearch"
     fullAgentPolicy.output_permissions = Object.keys(fullAgentPolicy.outputs).reduce<
       NonNullable<FullAgentPolicy['output_permissions']>
-    >((permissions, outputName) => {
+    >((p, outputName) => {
       const output = fullAgentPolicy.outputs[outputName];
       if (output && output.type === 'elasticsearch') {
-        permissions[outputName] = {};
-        permissions[outputName]._fallback = {
-          cluster: ['monitor'],
-          indices: [
-            {
-              names: ['logs-*', 'metrics-*', 'traces-*', '.logs-endpoint.diagnostic.collection-*'],
-              privileges: ['auto_configure', 'create_doc'],
-            },
-          ],
-        };
+        p[outputName] = permissions;
       }
-      return permissions;
+      return p;
     }, {});
 
     // only add settings if not in standalone

x-pack/plugins/fleet/server/services/epm/archive/storage.ts

@@ -224,24 +224,20 @@ export const getEsPackage = async (
       );
       const dataStreamManifest = safeLoad(soResDataStreamManifest.attributes.data_utf8);
       const {
-        title: dataStreamTitle,
-        release,
         ingest_pipeline: ingestPipeline,
-        type,
         dataset,
         streams: manifestStreams,
+        ...dataStreamManifestProps
       } = dataStreamManifest;
       const streams = parseAndVerifyStreams(manifestStreams, dataStreamPath);
 
       dataStreams.push({
-        dataset: dataset || `${pkgName}.${dataStreamPath}`,
-        title: dataStreamTitle,
-        release,
         package: pkgName,
+        dataset: dataset || `${pkgName}.${dataStreamPath}`,
         ingest_pipeline: ingestPipeline || 'default',
         path: dataStreamPath,
-        type,
         streams,
+        ...dataStreamManifestProps,
       });
     })
   );

x-pack/plugins/fleet/server/services/epm/packages/index.ts

@@ -24,6 +24,8 @@ export {
   SearchParams,
 } from './get';
 
+export { getPackagePermissions } from './permissions';
+
 export {
   BulkInstallResponse,
   IBulkInstallPackageError,