enhancement(4889): added check to abort enrolling if user is privileg…

[kaanyalti]

• Enhancement

What does this PR do?

This PR updates the enroll command so that it provides a more descriptive error message to the user in the case a root user tries to enroll an unprivileged agent.

Why is it important?

Provides users with clearer information.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• [ ] I have added an integration test or an E2E test

How to test this PR locally

• Create an agent policy, install and enroll and agent in unprivileged mode
• Unenroll the agent
• Try to enroll the agent with root user, validate the error message

Related issues

• Closes Actionable error message when attempting to enroll an unprivileged Agent as a privileged user #4889

[mergify]

This pull request does not have a backport label. Could you fix it @kaanyalti? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit

[mergify]

backport-v8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[blakerouse]

I did not see the original filled issue for this and I would have made a comment there. I know this is coming late, but I believe this is the wrong approach.

If you call enroll as root, you can easily tell if Elastic Agent is installed without communicating with the daemon. You can read the user/group from the executing binary from the filesystem, because you are root.

You can then just ReExec the enroll command directly using the user you retrieved from reading from the disk. You need to read user from the filesystem as @michalpristas is adding the ability to use a custom user, so you cannot rely on the idea that the user is always the same.

This change also will allow a root user to call enroll and have the enroll work correctly as the unprivileged user.

[kaanyalti]

Would you be ok with implementing your suggestion in another issue? The goal of this implementation is just to provide a descriptive error message back to the user. Would this implementation break anything for our users? I do agree what you're suggesting is a better solution.

[blakerouse]

I just think the implementation suggestion I provided would replace this work in the PR, not really making this work required.

[kaanyalti]

Yes it would, and I am now thinking that the current implementation is tricky to get working with delayed enrolls. I started looking into your suggestion and will be replacing this PR.

[blakerouse]

I don't think it works the same even if the user is in that group. Because the file ownership will be incorrect.

Providing specific error message based on the platform would be a better approach.

[blakerouse]

I just think the implementation suggestion I provided would replace this work in the PR, not really making this work required.

[elastic-sonarqube]

Quality Gate passed

Issues
1 New issue
1 Fixed issue
0 Accepted issues

Measures
0 Security Hotspots
46.2% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[kaanyalti]

Closed in favor of #6144