

[Fleet] Use Kibana Authz for API authorization (#205335)
nchaulet authored Jan 6, 2025
1 parent 2fc2019 commit 0b8ae36
Showing 26 changed files with 1,025 additions and 383 deletions.
124 changes: 93 additions & 31 deletions oas_docs/bundle.json


124 changes: 93 additions & 31 deletions oas_docs/bundle.serverless.json


124 changes: 93 additions & 31 deletions oas_docs/output/kibana.serverless.yaml


124 changes: 93 additions & 31 deletions oas_docs/output/kibana.yaml


@@ -0,0 +1,32 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common';

export const FLEET_API_PRIVILEGES = {
FLEET: {
READ: `${PLUGIN_ID}-read`,
ALL: `${PLUGIN_ID}-all`,
},
AGENTS: {
READ: `${PLUGIN_ID}-agents-read`,
ALL: `${PLUGIN_ID}-agents-all`,
},
AGENT_POLICIES: {
READ: `${PLUGIN_ID}-agent-policies-read`,
ALL: `${PLUGIN_ID}-agent-policies-all`,
},
SETTINGS: {
READ: `${PLUGIN_ID}-settings-read`,
ALL: `${PLUGIN_ID}-settings-all`,
},
INTEGRATIONS: {
READ: `${INTEGRATIONS_PLUGIN_ID}-read`,
ALL: `${INTEGRATIONS_PLUGIN_ID}-all`,
},
SETUP: `fleet-setup`,
};
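Review bot: `FLEET_API_PRIVILEGES` is exported as a plain mutable object whose values are widened to `string`, even though every migrated route in this commit now trusts it as the authorization table; closing the literal with `} as const;` makes the table deep-readonly and keeps each privilege ID as a literal type at no runtime cost. The file also carries no comment tying these strings to where they are defined: the IDs presumably have to match the privileges Fleet registers with the Kibana features plugin (not visible in this hunk), and while a mismatch should, as far as I can tell, deny rather than grant, that is worth confirming and stating in a header comment such as `// Kibana API privilege IDs referenced by route security.authz; must match the privileges registered in Fleet's feature definition.` Lastly `SETUP` is the only entry not built from `PLUGIN_ID`; if `PLUGIN_ID` is the string `fleet`, writing it as a template on `PLUGIN_ID` like the other entries keeps the table consistent, otherwise a one-line comment explaining the deliberate difference would help the next reader.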
149 changes: 98 additions & 51 deletions x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts
Expand Up @@ -55,7 +55,7 @@ import {
PostNewAgentActionResponseSchema,
PostRetrieveAgentsByActionsResponseSchema,
} from '../../types/rest_spec/agent';

import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges';
import { calculateRouteAuthz } from '../../services/security/security';

import { genericErrorResponse } from '../schema/errors';
Expand Down Expand Up @@ -95,8 +95,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.INFO_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an agent`,
description: `Get an agent by ID.`,
Expand Down Expand Up @@ -126,8 +128,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.put({
path: AGENT_API_ROUTES.UPDATE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Update an agent`,
description: `Update an agent by ID.`,
Expand Down Expand Up @@ -157,8 +161,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UPDATE_AGENT_TAGS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk update agent tags`,
options: {
Expand Down Expand Up @@ -187,8 +193,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.delete({
path: AGENT_API_ROUTES.DELETE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Delete an agent`,
description: `Delete an agent by ID.`,
Expand Down Expand Up @@ -218,9 +226,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_PATTERN,

fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agents`,
options: {
Expand Down Expand Up @@ -249,8 +258,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_TAGS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agent tags`,
options: {
Expand Down Expand Up @@ -279,8 +290,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.ACTIONS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Create an agent action`,
options: {
Expand Down Expand Up @@ -313,8 +326,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.CANCEL_ACTIONS_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Cancel an agent action`,
options: {
Expand Down Expand Up @@ -348,8 +363,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.LIST_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agents by action ids`,
options: {
Expand Down Expand Up @@ -377,8 +394,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.UNENROLL_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Unenroll an agent`,
options: {
Expand All @@ -396,8 +415,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.REASSIGN_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Reassign an agent`,
options: {
Expand Down Expand Up @@ -425,8 +446,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.REQUEST_DIAGNOSTICS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Request agent diagnostics`,
options: {
Expand Down Expand Up @@ -454,8 +477,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_REQUEST_DIAGNOSTICS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Bulk request diagnostics from agents`,
options: {
Expand Down Expand Up @@ -483,8 +508,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.LIST_UPLOADS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get agent uploads`,
options: {
Expand Down Expand Up @@ -512,8 +539,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.GET_UPLOAD_FILE_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an uploaded file`,
description: `Get a file uploaded by an agent.`,
Expand Down Expand Up @@ -542,8 +571,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.delete({
path: AGENT_API_ROUTES.DELETE_UPLOAD_FILE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Delete an uploaded file`,
description: `Delete a file uploaded by an agent.`,
Expand All @@ -568,11 +599,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
},
deleteAgentUploadFileHandler
);

// Get agent status for policy
router.versioned
.get({
path: AGENT_API_ROUTES.STATUS_PATTERN,
// TODO move to kibana authz https://github.com/elastic/kibana/issues/203170
fleetAuthz: (fleetAuthz: FleetAuthz): boolean =>
calculateRouteAuthz(
fleetAuthz,
Expand Down Expand Up @@ -604,8 +635,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.DATA_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get incoming agent data`,
options: {
Expand Down Expand Up @@ -634,8 +667,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.UPGRADE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Upgrade an agent`,
options: {
Expand Down Expand Up @@ -663,8 +698,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UPGRADE_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk upgrade agents`,
options: {
Expand Down Expand Up @@ -693,8 +730,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.ACTION_STATUS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get an agent action status`,
options: {
Expand Down Expand Up @@ -723,8 +762,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_REASSIGN_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk reassign agents`,
options: {
Expand Down Expand Up @@ -753,8 +794,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.post({
path: AGENT_API_ROUTES.BULK_UNENROLL_PATTERN,
fleetAuthz: {
fleet: { allAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL],
},
},
summary: `Bulk unenroll agents`,
options: {
Expand Down Expand Up @@ -783,8 +826,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
router.versioned
.get({
path: AGENT_API_ROUTES.AVAILABLE_VERSIONS_PATTERN,
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
summary: `Get available agent versions`,
options: {
Expand Down Expand Up @@ -817,8 +862,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT
.get({
path: '/internal/fleet/agents/status_runtime_field',
access: 'internal',
fleetAuthz: {
fleet: { readAgents: true },
security: {
authz: {
requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ],
},
},
})
.addVersion(
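Review bot: `REQUEST_DIAGNOSTICS_PATTERN` and `BULK_REQUEST_DIAGNOSTICS_PATTERN` are POST routes that make agents act, yet they are gated on `FLEET_API_PRIVILEGES.AGENTS.READ`, the same privilege as the pure GET listings around them; this mirrors the previous `readAgents: true`, so it is pre-existing policy rather than a regression, but the migration is the natural place to confirm it is intended and to say so. A comment above each such as `// Intentionally read-gated: requesting diagnostics creates an action but does not alter agent or policy state` would stop the next reader from "fixing" it in either direction. The `STATUS_PATTERN` route keeps the legacy `fleetAuthz` callback (its `calculateRouteAuthz` call continues outside the visible hunk) with only a TODO, so this file now mixes two authorization mechanisms; noting in the commit description which routes are deliberately left on the custom predicate would make the partial migration auditable. The last hunk's `.addVersion(` call for the internal `status_runtime_field` route also continues past the visible section.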

