[Fleet] Use Kibana Authz for API authorization #205335

Open
wants to merge 33 commits into base: main

33 commits
26a3fff
[Fleet] Use Kibana Authz for API authorization
nchaulet Dec 31, 2024
fbcfaf5
Merge branch 'main' of github.com:elastic/kibana into feature-kibana-…
nchaulet Dec 31, 2024
9937e7e
fix missing file
nchaulet Dec 31, 2024
5b90785
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Dec 31, 2024
1929b00
debug and healthcheck routes
nchaulet Jan 2, 2025
4ad3fd1
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 2, 2025
acde55a
[CI] Auto-commit changed files from 'node scripts/notice'
kibanamachine Jan 2, 2025
fe40f27
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 2, 2025
e54426c
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Jan 2, 2025
10c360a
more routes
nchaulet Jan 2, 2025
08cdcf7
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 2, 2025
5677394
more routes
nchaulet Jan 2, 2025
83ac50d
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 2, 2025
10275a0
more routes
nchaulet Jan 2, 2025
df86a0e
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 2, 2025
b20687c
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Jan 2, 2025
fd368b3
more routes
nchaulet Jan 3, 2025
4575e46
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 3, 2025
68418db
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 3, 2025
61fcdad
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Jan 3, 2025
4e2e0ab
fix type
nchaulet Jan 3, 2025
4dfc110
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 3, 2025
76835ff
fix after review
nchaulet Jan 3, 2025
4750de1
Merge branch 'main' into feature-kibana-authz
elasticmachine Jan 3, 2025
8550be3
fix missing commit
nchaulet Jan 3, 2025
1b4d262
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 3, 2025
3108828
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 3, 2025
5ae1d59
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Jan 3, 2025
6827555
fix agent policy fleet server access
nchaulet Jan 3, 2025
57c16ef
Merge branch 'feature-kibana-authz' of github.com:nchaulet/kibana int…
nchaulet Jan 3, 2025
94bd539
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
kibanamachine Jan 3, 2025
f37f632
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Jan 3, 2025
f0d6e57
Merge branch 'main' into feature-kibana-authz
elasticmachine Jan 6, 2025
124 changes: 93 additions & 31 deletions oas_docs/bundle.json
124 changes: 93 additions & 31 deletions oas_docs/bundle.serverless.json
124 changes: 93 additions & 31 deletions oas_docs/output/kibana.serverless.yaml
124 changes: 93 additions & 31 deletions oas_docs/output/kibana.yaml

@@ -0,0 +1,32 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common';

export const FLEET_API_PRIVILEGES = {
FLEET: {
READ: `${PLUGIN_ID}-read`,
ALL: `${PLUGIN_ID}-all`,
},
AGENTS: {
READ: `${PLUGIN_ID}-agents-read`,
ALL: `${PLUGIN_ID}-agents-all`,
},
AGENT_POLICIES: {
READ: `${PLUGIN_ID}-agent-policies-read`,
ALL: `${PLUGIN_ID}-agent-policies-all`,
},
SETTINGS: {
READ: `${PLUGIN_ID}-settings-read`,
ALL: `${PLUGIN_ID}-settings-all`,
},
INTEGRATIONS: {
READ: `${INTEGRATIONS_PLUGIN_ID}-read`,
ALL: `${INTEGRATIONS_PLUGIN_ID}-all`,
},
SETUP: `fleet-setup`,
};
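Review bot: `SETUP` is the only entry built from a bare literal (`fleet-setup`) while every other privilege id is derived from `PLUGIN_ID` or `INTEGRATIONS_PLUGIN_ID`; if the plugin id and the literal ever differ, this one route privilege silently stops matching whatever the security plugin registered. Suggest `SETUP: \`${PLUGIN_ID}-setup\`` for consistency, and `} as const;` on the object so the ids keep their literal types at the `requiredPrivileges` call sites instead of widening to `string`. The registration side of these ids is not in this diff, so the strings have to match it exactly; a short comment at the top of the object pointing at where they are registered would help the next reader verify that.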
149 changes: 98 additions & 51 deletions x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts
@@ -55,7 +55,7 @@ import {
PostNewAgentActionResponseSchema,
PostRetrieveAgentsByActionsResponseSchema,
} from '../../types/rest_spec/agent';

import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
import { calculateRouteAuthz } from '../../services/security/security';

import { genericErrorResponse } from '../schema/errors';
@@ -95,8 +95,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.INFO_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an agent`,
description: `Get an agent by ID.`,
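Review bot: this hunk (and the same pattern in the hunks that follow) replaces the `fleet: { readAgents: true }` predicate with the single Kibana privilege `FLEET_API_PRIVILEGES.AGENTS.READ`, i.e. `${PLUGIN_ID}-agents-read`. Since the diff does not show where that privilege is registered, the only thing protecting against a mismatched id is a test: please add an API integration case per privilege pair that expects 403 on an agents route for a user holding only a sibling privilege (e.g. `SETTINGS.READ`) and 200 for a user holding `AGENTS.READ`, so a typo on either side fails in CI rather than after merge.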
@@ -126,8 +128,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.put({
path: AGENT_API_ROUTES.UPDATE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Update an agent`,
description: `Update an agent by ID.`,
@@ -157,8 +161,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UPDATE_AGENT_TAGS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk update agent tags`,
options: {
@@ -187,8 +193,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.delete({
path: AGENT_API_ROUTES.DELETE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Delete an agent`,
description: `Delete an agent by ID.`,
@@ -218,9 +226,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_PATTERN,

fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agents`,
options: {
@@ -249,8 +258,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_TAGS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agent tags`,
options: {
@@ -279,8 +290,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.ACTIONS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Create an agent action`,
options: {
@@ -313,8 +326,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.CANCEL_ACTIONS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Cancel an agent action`,
options: {
@@ -348,8 +363,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.LIST_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agents by action ids`,
options: {
@@ -377,8 +394,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.UNENROLL_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Unenroll an agent`,
options: {
@@ -396,8 +415,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.REASSIGN_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Reassign an agent`,
options: {
@@ -425,8 +446,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.REQUEST_DIAGNOSTICS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Request agent diagnostics`,
options: {
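Review bot: `POST` on `REQUEST_DIAGNOSTICS_PATTERN` is a state-changing call (it asks an agent to produce diagnostics that later show up under the uploads routes), yet it is gated on `FLEET_API_PRIVILEGES.AGENTS.READ`; the bulk variant in the next hunk does the same. This preserves the previous `readAgents: true` mapping, so it is not a regression introduced here, but it leaves a write-style endpoint reachable with a read-only privilege while `ACTIONS_PATTERN`, `UNENROLL_PATTERN` and `UPGRADE_PATTERN` require `AGENTS.ALL`. If read-level access is intentional, a one-line comment above `security:` saying why would stop this being re-raised; otherwise `AGENTS.ALL` matches the other action-creating routes.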
@@ -454,8 +477,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_REQUEST_DIAGNOSTICS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Bulk request diagnostics from agents`,
options: {
@@ -483,8 +508,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_UPLOADS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agent uploads`,
options: {
@@ -512,8 +539,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.GET_UPLOAD_FILE_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an uploaded file`,
description: `Get a file uploaded by an agent.`,
@@ -542,8 +571,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.delete({
path: AGENT_API_ROUTES.DELETE_UPLOAD_FILE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Delete an uploaded file`,
description: `Delete a file uploaded by an agent.`,
@@ -568,11 +599,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
},
deleteAgentUploadFileHandler
);

// Get agent status for policy
router.versioned
.get({
path: AGENT_API_ROUTES.STATUS_PATTERN,
// TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
calculateRouteAuthz(
fleetAuthz,
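Review bot: `STATUS_PATTERN` keeps the legacy `fleetAuthz` callback through `calculateRouteAuthz` while every other route in this file now declares `security.authz`, so `FleetAuthzRouter` has to honour both gates until the TODO (https://github.com/elastic/kibana/issues/203170) is resolved. Please confirm in the router wrapper (not in this diff) that the callback is still evaluated when `security.authz` is absent, and that a route declaring neither is rejected at registration rather than registered with no authorization. If the callback here is an any-of check over several privileges, Kibana's route `security.authz` also accepts privilege sets (`{ anyRequired: [...] }` inside `requiredPrivileges`, if I recall the core typing correctly), which would let this route migrate in the same PR instead of carrying the TODO.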
@@ -604,8 +635,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.DATA_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get incoming agent data`,
options: {
@@ -634,8 +667,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.UPGRADE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Upgrade an agent`,
options: {
@@ -663,8 +698,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UPGRADE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk upgrade agents`,
options: {
@@ -693,8 +730,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.ACTION_STATUS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an agent action status`,
options: {
@@ -723,8 +762,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_REASSIGN_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk reassign agents`,
options: {
@@ -753,8 +794,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UNENROLL_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk unenroll agents`,
options: {
@@ -783,8 +826,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.AVAILABLE_VERSIONS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get available agent versions`,
options: {
@@ -817,8 +862,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
.get({
path: '/internal/fleet/agents/status_runtime_field',
access: 'internal',
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
})
.addVersion(