From fa79140062d4eadbafde8ffed07ea3583027a086 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Wed, 11 Dec 2024 15:40:55 +0100
Subject: [PATCH 1/5] Kibana: WIP: conditionally add agentless index permissions

---
 .../package_policies_to_agent_permissions.ts | 35 +++++++++++++++----
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index 0ea580f44bb4d..ba36133622887 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -52,6 +52,16 @@ export const ELASTIC_CONNECTORS_INDEX_PERMISSIONS = [
   'view_index_metadata',
 ];
 
+export const AGENTLESS_INDEX_PERMISSIONS = [
+  'read',
+  'write',
+  'monitor',
+  'create_index',
+  'auto_configure',
+  'maintenance',
+  'view_index_metadata',
+];
+
 export function storedPackagePoliciesToAgentPermissions(
   packageInfoCache: Map,
   agentPolicyNamespace: string,
@@ -173,13 +183,10 @@ export function storedPackagePoliciesToAgentPermissions(
     }
     // namespace is either the package policy's or the agent policy one
     const namespace = packagePolicy?.namespace || agentPolicyNamespace;
-    return [
-      packagePolicy.id,
-      {
-        indices: dataStreamsForPermissions.map((ds) => getDataStreamPrivileges(ds, namespace)),
-        ...clusterRoleDescriptor,
-      },
-    ];
+    return maybeAddAgentlessPermissions(packagePolicy, {
+      indices: dataStreamsForPermissions.map((ds) => getDataStreamPrivileges(ds, namespace)),
+      ...clusterRoleDescriptor,
+    });
   });
 
   return Object.fromEntries(permissionEntries);
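Review bot: The new AGENTLESS_INDEX_PERMISSIONS list grants `read`, `monitor` and `maintenance` next to the write-side privileges, which is more than a pure ingest path needs (`write`, `create_index` and `auto_configure` already cover indexing into indices that do not exist yet), and since the list ends up in the role descriptor that maybeAddAgentlessPermissions attaches to the package policy, every extra entry widens what the resulting agent API key can do on `agentless-*`. If the agentless runtime only ships data, drop `read` and `maintenance`; if it really reads back or refreshes those indices, a comment should say which operation needs which privilege so the grant stays reviewable. The exported constant also carries no doc comment; something like `/** Index privileges granted on agentless-* indices to package policies with supports_agentless set; keep this to what the agentless runtime actually needs. */` would record the intent. Whether this list was copied from ELASTIC_CONNECTORS_INDEX_PERMISSIONS just above is not visible here (only its last entry is in the hunk), so it is worth confirming the two are meant to evolve independently.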
@@ -244,6 +251,20 @@ function universalProfilingPermissions(packagePolicyId: string): [string, Securi
   ];
 }
 
+function maybeAddAgentlessPermissions(
+  packagePolicy: PackagePolicy,
+  existing: SecurityRoleDescriptor
+): [string, SecurityRoleDescriptor] {
+  if (!packagePolicy.supports_agentless) {
+    return [packagePolicy.id, existing];
+  }
+  existing.indices!.push({
+    names: ['agentless-*'],
+    privileges: AGENTLESS_INDEX_PERMISSIONS,
+  });
+  return [packagePolicy.id, existing];
+}
+
 function apmPermissions(packagePolicyId: string): [string, SecurityRoleDescriptor] {
   return [
     packagePolicyId,

From 3a837ac760e53e9c46bfcc50a3ca1614184bbaa7 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Wed, 11 Dec 2024 17:50:34 +0100
Subject: [PATCH 2/5] dot-prefix index

---
 .../agent_policies/package_policies_to_agent_permissions.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index ba36133622887..45149ff2034e2 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -259,7 +259,7 @@ function maybeAddAgentlessPermissions(
     return [packagePolicy.id, existing];
   }
   existing.indices!.push({
-    names: ['agentless-*'],
+    names: ['.agentless-*'],
     privileges: AGENTLESS_INDEX_PERMISSIONS,
   });
   return [packagePolicy.id, existing];

From ce43257c13d051148dff25464dbf3617a60d1394 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Thu, 12 Dec 2024 18:39:08 +0100
Subject: [PATCH 3/5] Revert "dot-prefix index"

This reverts commit 3a837ac760e53e9c46bfcc50a3ca1614184bbaa7.
---
 .../agent_policies/package_policies_to_agent_permissions.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

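Review bot: The only gate on the extra grant in maybeAddAgentlessPermissions is the package policy's own `supports_agentless` flag, so any package policy carrying that flag receives `write`/`create_index`/`maintenance` on `agentless-*` regardless of whether its agent policy actually runs agentless; if that flag can be set by whoever is allowed to create package policies, this becomes a way to broaden an enrolled agent's API key beyond its own data streams. Either thread the agent policy's agentless state into the helper (the visible part of storedPackagePoliciesToAgentPermissions' signature only passes `agentPolicyNamespace`, so the call site would need to supply it) or add a comment explaining why the package-policy flag alone is a sufficient gate. Separately, `existing.indices!.push(...)` mutates the caller's descriptor and leans on a non-null assertion that only holds because the one call site always supplies `indices`; `existing.indices = [...(existing.indices ?? []), { names: ['agentless-*'], privileges: AGENTLESS_INDEX_PERMISSIONS }];` removes both the assertion and the in-place mutation. The series then toggles between `agentless-*` and `.agentless-*` without recording why; the undotted pattern also matches any user-created index or data stream whose name starts with `agentless-`, so whichever form is settled on should live in a named constant with a comment stating the decision.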
diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index 45149ff2034e2..ba36133622887 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -259,7 +259,7 @@ function maybeAddAgentlessPermissions(
     return [packagePolicy.id, existing];
   }
   existing.indices!.push({
-    names: ['.agentless-*'],
+    names: ['agentless-*'],
     privileges: AGENTLESS_INDEX_PERMISSIONS,
   });
   return [packagePolicy.id, existing];

From 3c367e023cd7dfd61aafea713ee13e8dc0747659 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Mon, 16 Dec 2024 09:45:44 +0100
Subject: [PATCH 4/5] Reapply "dot-prefix index"

This reverts commit ce43257c13d051148dff25464dbf3617a60d1394.
---
 .../agent_policies/package_policies_to_agent_permissions.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index ba36133622887..45149ff2034e2 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -259,7 +259,7 @@ function maybeAddAgentlessPermissions(
     return [packagePolicy.id, existing];
   }
   existing.indices!.push({
-    names: ['agentless-*'],
+    names: ['.agentless-*'],
     privileges: AGENTLESS_INDEX_PERMISSIONS,
   });
   return [packagePolicy.id, existing];

From 3f930b274f03e62ddb68b91ea329f4183d3804c5 Mon Sep 17 00:00:00 2001
From: Orestis Floros
Date: Mon, 23 Dec 2024 13:07:54 +0100
Subject: [PATCH 5/5] Revert "Reapply "dot-prefix index""

This reverts commit 3c367e023cd7dfd61aafea713ee13e8dc0747659.
---
 .../agent_policies/package_policies_to_agent_permissions.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
index 45149ff2034e2..ba36133622887 100644
--- a/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
+++ b/x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts
@@ -259,7 +259,7 @@ function maybeAddAgentlessPermissions(
     return [packagePolicy.id, existing];
   }
   existing.indices!.push({
-    names: ['.agentless-*'],
+    names: ['agentless-*'],
     privileges: AGENTLESS_INDEX_PERMISSIONS,
   });
   return [packagePolicy.id, existing];