From 26a3fffe7da6c661464cd0a2bf39905e52a972ae Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Tue, 31 Dec 2024 10:53:41 -0500 Subject: [PATCH 01/24] [Fleet] Use Kibana Authz for API authorization --- .../shared/fleet/server/routes/agent/index.ts | 148 ++++++++++++------ .../server/services/security/fleet_router.ts | 2 +- 2 files changed, 99 insertions(+), 51 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts index 82893b6590e30..37b55bb7d54bb 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts @@ -55,7 +55,7 @@ import { PostNewAgentActionResponseSchema, PostRetrieveAgentsByActionsResponseSchema, } from '../../types/rest_spec/agent'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { calculateRouteAuthz } from '../../services/security/security'; import { genericErrorResponse } from '../schema/errors'; @@ -95,8 +95,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an agent`, description: `Get an agent by ID.`, @@ -126,8 +128,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .put({ path: AGENT_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Update an agent`, description: `Update an agent by ID.`, 
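Review bot: The `requiredPrivileges` entries added to the `INFO_PATTERN` route, and to every other route converted in this file, name privileges that no visible patch in this series grants to a role. If the Fleet feature definition does not list the same strings among its API privileges, these routes would presumably reject ordinary callers, and a typo in a name would fail the same way without a compile error. I would add an integration test that calls one read route and one mutating route with a read-only agents role and with an all-agents role, plus a comment on the new import such as `// names must match the API privileges registered for the Fleet feature`. The `registerAPIRoutes` body starts and ends outside these hunks.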
@@ -157,8 +161,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UPDATE_AGENT_TAGS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk update agent tags`, options: { @@ -187,8 +193,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .delete({ path: AGENT_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Delete an agent`, description: `Delete an agent by ID.`, @@ -218,9 +226,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_PATTERN, - - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agents`, options: { @@ -249,8 +258,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_TAGS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agent tags`, options: { @@ -279,8 +290,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.ACTIONS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create an agent action`, options: { 
@@ -313,8 +326,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.CANCEL_ACTIONS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Cancel an agent action`, options: { @@ -348,8 +363,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agents by action ids`, options: { @@ -377,8 +394,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.UNENROLL_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Unenroll an agent`, options: { @@ -396,8 +415,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.REASSIGN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Reassign an agent`, options: { @@ -425,8 +446,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.REQUEST_DIAGNOSTICS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Request agent diagnostics`, options: { 
@@ -454,8 +477,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_REQUEST_DIAGNOSTICS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Bulk request diagnostics from agents`, options: { @@ -483,8 +508,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_UPLOADS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agent uploads`, options: { @@ -512,8 +539,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.GET_UPLOAD_FILE_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an uploaded file`, description: `Get a file uploaded by an agent.`, @@ -542,8 +571,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .delete({ path: AGENT_API_ROUTES.DELETE_UPLOAD_FILE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Delete an uploaded file`, description: `Delete a file uploaded by an agent.`, @@ -573,6 +604,7 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.STATUS_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, 
@@ -604,8 +636,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.DATA_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get incoming agent data`, options: { @@ -634,8 +668,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.UPGRADE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Upgrade an agent`, options: { @@ -663,8 +699,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UPGRADE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk upgrade agents`, options: { @@ -693,8 +731,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.ACTION_STATUS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an agent action status`, options: { @@ -723,8 +763,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_REASSIGN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk reassign agents`, options: { 
@@ -753,8 +795,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UNENROLL_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk unenroll agents`, options: { @@ -783,8 +827,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.AVAILABLE_VERSIONS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get available agent versions`, options: { @@ -817,8 +863,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT .get({ path: '/internal/fleet/agents/status_runtime_field', access: 'internal', - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts b/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts index b727fa5ec68d1..bf637a5b1faf4 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts @@ -52,7 +52,7 @@ function withDefaultPublicAccess( return { ...options, access: PUBLIC_API_ACCESS, - security: DEFAULT_FLEET_ROUTE_SECURITY, + security: options.security ? options.security : DEFAULT_FLEET_ROUTE_SECURITY, }; } } From 9937e7e968ab6173ad0714179dfb0e482e99e661 Mon Sep 17 00:00:00 2001 
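Review bot: The new fallback in `withDefaultPublicAccess` (fleet_router.ts) accepts whatever `security` object a route passes, so a route that sets `security` and omits `fleetAuthz` is authorized only by what that object says. Nothing in the hunk rejects a route that supplies neither an enabled `security.authz` nor a `fleetAuthz` check, and how the router behaves when a route supplies both is not visible here; a unit test in the router for each combination would pin that down. As a style point the ternary can be written `security: options.security ?? DEFAULT_FLEET_ROUTE_SECURITY,`, with a comment that a route-level `security` takes precedence over the Fleet default. The function body starts outside the hunk.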
From: Nicolas Chaulet Date: Tue, 31 Dec 2024 14:36:21 -0500 Subject: [PATCH 02/24] fix missing file --- .../fleet/server/constants/api_privileges.ts | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts new file mode 100644 index 0000000000000..30e3b57a1c3f6 --- /dev/null +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -0,0 +1,15 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PLUGIN_ID } from '../../common'; + +export const FLEET_API_PRIVILEGES = { + AGENTS: { + READ: `${PLUGIN_ID}-agents-read`, + ALL: `${PLUGIN_ID}-agents-read`, + }, +}; From 5b90785914767ff6975a6e4d2fddecbd087c880b Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 31 Dec 2024 19:50:10 +0000 Subject: [PATCH 03/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 28 +++++++++++++++++++++++----- oas_docs/bundle.serverless.json | 28 +++++++++++++++++++++++----- 2 files changed, 46 insertions(+), 10 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index 3e3d47df01661..a1e83f3e00021 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json 
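Review bot: `ALL` is defined with the same string as `READ` in the new `api_privileges.ts`, so every route in `routes/agent/index.ts` that requires `FLEET_API_PRIVILEGES.AGENTS.ALL` (update, delete, unenroll, reassign, upgrade, agent actions) is satisfied by the read privilege. The line should read ``ALL: `${PLUGIN_ID}-agents-all`,``; a later patch in this series makes that change, but the OpenAPI snapshot generated in between records `fleet-agents-read` for the mutating routes. A small unit test asserting that all values in `FLEET_API_PRIVILEGES` are distinct would catch this kind of copy-paste slip before it reaches a snapshot.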
@@ -15468,6 +15468,7 @@ }, "/api/fleet/agent_status/data": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -15587,6 +15588,7 @@ }, "/api/fleet/agents": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents", "parameters": [ { @@ -16126,6 +16128,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents", "parameters": [ { @@ -16216,6 +16219,7 @@ }, "/api/fleet/agents/action_status": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -16439,6 +16443,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16568,6 +16573,7 @@ }, "/api/fleet/agents/available_versions": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -16626,6 +16632,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -16731,6 +16738,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { 
@@ -16837,6 +16845,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -16948,6 +16957,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17061,6 +17071,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17182,7 +17193,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17261,7 +17272,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -17499,6 +17510,7 @@ }, "/api/fleet/agents/tags": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -17575,7 +17587,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -17651,7 +17663,7 @@ ] }, "get": { - "description": "Get an agent by ID.", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -18105,7 +18117,7 @@ ] }, "put": { - "description": "Update an agent by ID.", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18584,6 +18596,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18788,6 +18801,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18873,6 +18887,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -18969,6 +18984,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19018,6 +19034,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -19112,6 +19129,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index b188ae0999b0d..21e6eff2480f6 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json 
@@ -15468,6 +15468,7 @@ }, "/api/fleet/agent_status/data": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -15587,6 +15588,7 @@ }, "/api/fleet/agents": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents", "parameters": [ { @@ -16126,6 +16128,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents", "parameters": [ { @@ -16216,6 +16219,7 @@ }, "/api/fleet/agents/action_status": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -16439,6 +16443,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16568,6 +16573,7 @@ }, "/api/fleet/agents/available_versions": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -16626,6 +16632,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -16731,6 +16738,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { 
@@ -16837,6 +16845,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -16948,6 +16957,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17061,6 +17071,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17182,7 +17193,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17261,7 +17272,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -17499,6 +17510,7 @@ }, "/api/fleet/agents/tags": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -17575,7 +17587,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -17651,7 +17663,7 @@ ] }, "get": { - "description": "Get an agent by ID.", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -18105,7 +18117,7 @@ ] }, "put": { - "description": "Update an agent by ID.", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18584,6 +18596,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18788,6 +18801,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18873,6 +18887,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -18969,6 +18984,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19018,6 +19034,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -19112,6 +19129,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { From 1929b007c84a1a65999f015b95f1f59aef5b2da8 Mon Sep 17 00:00:00 2001 
From: Nicolas Chaulet Date: Thu, 2 Jan 2025 09:44:14 -0500 Subject: [PATCH 04/24] debug and healthcheck routes --- .../fleet/server/constants/api_privileges.ts | 10 +++++- .../shared/fleet/server/routes/agent/index.ts | 1 - .../shared/fleet/server/routes/debug/index.ts | 32 +++++++++++++++---- .../fleet/server/routes/health_check/index.ts | 8 +++-- 4 files changed, 39 insertions(+), 12 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts index 30e3b57a1c3f6..be68432aa2093 100644 --- a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -10,6 +10,14 @@ import { PLUGIN_ID } from '../../common'; export const FLEET_API_PRIVILEGES = { AGENTS: { READ: `${PLUGIN_ID}-agents-read`, - ALL: `${PLUGIN_ID}-agents-read`, + ALL: `${PLUGIN_ID}-agents-all`, + }, + AGENT_POLICIES: { + READ: `${PLUGIN_ID}-agent-policies-read`, + ALL: `${PLUGIN_ID}-agent-policies-all`, + }, + SETTINGS: { + READ: `${PLUGIN_ID}-settings-read`, + ALL: `${PLUGIN_ID}-settings-all`, }, }; diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts index 37b55bb7d54bb..ca9876d74c435 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts @@ -599,7 +599,6 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT }, deleteAgentUploadFileHandler ); - // Get agent status for policy router.versioned .get({ diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts index bfe2bfd0f0e20..b3baf42552c34 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts 
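Review bot: `FLEET_API_PRIVILEGES` in `api_privileges.ts` is exported as a plain mutable object, so its members are typed `string` and any module can reassign an entry that route authorization depends on. Closing the literal with `} as const;` makes the members readonly with literal types, which also lets a test or a type enumerate the valid privilege names. A one-line comment above the constant stating the naming scheme, for example `// <plugin id>-<area>-<read|all>`, would help the next addition stay consistent.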
+++ b/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts @@ -9,7 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { FLEET_DEBUG_ROUTES } from '../../constants'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { FetchIndexRequestSchema, FetchSavedObjectNamesRequestSchema, @@ -27,8 +27,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.INDEX_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -43,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.SAVED_OBJECTS_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -59,8 +71,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.SAVED_OBJECT_NAMES_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts index 008340d006829..daffc5552a190 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts 
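Review bot: The same three-entry `requiredPrivileges` list is repeated on all three debug routes, and the hunks give no way to confirm that it is equivalent to the `fleet: { all: true }` check it replaces. If `fleet.all` covered more than agents, agent policies and settings, these internal routes (index and saved-object lookups, judging by their path constants) would now be reachable with a narrower role than before, so this is worth confirming against the Fleet authz definition. Hoisting the list into one constant, `const DEBUG_ROUTE_PRIVILEGES = [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, FLEET_API_PRIVILEGES.SETTINGS.ALL];`, and using `requiredPrivileges: DEBUG_ROUTE_PRIVILEGES` keeps the three routes from drifting apart. `registerRoutes` starts and ends outside the hunks.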
@@ -7,7 +7,7 @@ import { API_VERSIONS } from '../../../common/constants'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { APP_API_ROUTES } from '../../constants'; import { PostHealthCheckRequestSchema, PostHealthCheckResponseSchema } from '../../types'; import { genericErrorResponse } from '../schema/errors'; @@ -19,8 +19,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: APP_API_ROUTES.HEALTH_CHECK_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Check Fleet Server health`, options: { From acde55ad2d6f359847492968c5d87afa90875053 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 15:02:36 +0000 Subject: [PATCH 05/24] [CI] Auto-commit changed files from 'node scripts/notice' --- NOTICE.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NOTICE.txt b/NOTICE.txt index 9cd38e6773d88..312326d7e41a9 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,5 +1,5 @@ Kibana source code with Kibana X-Pack source code -Copyright 2012-2024 Elasticsearch B.V. +Copyright 2012-2025 Elasticsearch B.V. --- Adapted from remote-web-worker, which was available under a "MIT" license. From fe40f27bc35db67c27664fc12e7137c52e145bcc Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 15:08:45 +0000 Subject: [PATCH 06/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 25 +++++++++++++------------ oas_docs/bundle.serverless.json | 25 +++++++++++++------------ 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index a1e83f3e00021..7bd99a403cbfa 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -16443,7 +16443,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16632,7 +16632,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -16845,7 +16845,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { 
@@ -16957,7 +16957,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17071,7 +17071,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17193,7 +17193,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17587,7 +17587,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -18117,7 +18117,7 @@ ] }, "put": { - "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18596,7 +18596,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18801,7 +18801,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18984,7 +18984,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19034,7 +19034,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -24531,6 +24531,7 @@ }, "/api/fleet/health_check": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-health-check", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index 21e6eff2480f6..2094647c04154 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json 
@@ -16443,7 +16443,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16632,7 +16632,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -16845,7 +16845,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -16957,7 +16957,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17071,7 +17071,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17193,7 +17193,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17587,7 +17587,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -18117,7 +18117,7 @@ ] }, "put": { - "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18596,7 +18596,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18801,7 +18801,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18984,7 +18984,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19034,7 +19034,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -24531,6 +24531,7 @@ }, "/api/fleet/health_check": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-health-check", "parameters": [ { From e54426c32a5c02a29ac14f384dea10e46be5a198 Mon Sep 17 00:00:00 2001 
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 15:29:02 +0000 Subject: [PATCH 07/24] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 29 +++++++++++++++++++++----- oas_docs/output/kibana.yaml | 29 +++++++++++++++++++++----- 2 files changed, 48 insertions(+), 10 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 2a942bc85c3bc..dfde301d5215d 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -15916,6 +15916,7 @@ paths: x-beta: true /api/fleet/agent_status/data: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agent-status-data parameters: - in: query @@ -15991,6 +15992,7 @@ paths: x-beta: true /api/fleet/agents: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents parameters: - in: query @@ -16370,6 +16372,7 @@ paths: - Elastic Agents x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -16428,7 +16431,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}: delete: - description: Delete an agent by ID. + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -16478,7 +16481,7 @@ paths: - Elastic Agents x-beta: true get: - description: Get an agent by ID. + description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid parameters: - in: path @@ -16800,7 +16803,7 @@ paths: - Elastic Agents x-beta: true put: - description: Update an agent by ID. + description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -17138,6 +17141,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/actions: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -17275,6 +17279,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -17330,6 +17335,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -17392,6 +17398,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -17425,6 +17432,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks 
@@ -17486,6 +17494,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/uploads: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -17559,6 +17568,7 @@ paths: x-beta: true /api/fleet/agents/action_status: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-action-status parameters: - in: query @@ -17717,6 +17727,7 @@ paths: x-beta: true /api/fleet/agents/actions/{actionId}/cancel: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -17804,6 +17815,7 @@ paths: x-beta: true /api/fleet/agents/available_versions: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -17842,6 +17854,7 @@ paths: x-beta: true /api/fleet/agents/bulk_reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -17908,6 +17921,7 @@ paths: x-beta: true /api/fleet/agents/bulk_request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks 
@@ -17974,6 +17988,7 @@ paths: x-beta: true /api/fleet/agents/bulk_unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -18045,6 +18060,7 @@ paths: x-beta: true /api/fleet/agents/bulk_update_agent_tags: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -18116,6 +18132,7 @@ paths: x-beta: true /api/fleet/agents/bulk_upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -18193,7 +18210,7 @@ paths: x-beta: true /api/fleet/agents/files/{fileId}: delete: - description: Delete a file uploaded by an agent. + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -18245,7 +18262,7 @@ paths: x-beta: true /api/fleet/agents/files/{fileId}/{fileName}: get: - description: Get a file uploaded by an agent. + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -18404,6 +18421,7 @@ paths: x-beta: true /api/fleet/agents/tags: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-tags parameters: - in: query @@ -22045,6 +22063,7 @@ paths: x-beta: true /api/fleet/health_check: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 5845ba56ae895..2a89138d5c3e5 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -18046,6 +18046,7 @@ paths: - Elastic Agent status /api/fleet/agent_status/data: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agent-status-data parameters: - in: query @@ -18120,6 +18121,7 @@ paths: - Elastic Agents /api/fleet/agents: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents parameters: - in: query @@ -18498,6 +18500,7 @@ paths: tags: - Elastic Agents post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -18555,7 +18558,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}: delete: - description: Delete an agent by ID. + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -18604,7 +18607,7 @@ paths: tags: - Elastic Agents get: - description: Get an agent by ID. + description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid parameters: - in: path @@ -18925,7 +18928,7 @@ paths: tags: - Elastic Agents put: - description: Update an agent by ID. + description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -19262,6 +19265,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}/actions: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -19398,6 +19402,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -19452,6 +19457,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -19513,6 +19519,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -19545,6 +19552,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks 
@@ -19605,6 +19613,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/uploads: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -19677,6 +19686,7 @@ paths: - Elastic Agents /api/fleet/agents/action_status: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-action-status parameters: - in: query @@ -19834,6 +19844,7 @@ paths: - Elastic Agent actions /api/fleet/agents/actions/{actionId}/cancel: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -19920,6 +19931,7 @@ paths: - Elastic Agent actions /api/fleet/agents/available_versions: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -19957,6 +19969,7 @@ paths: - Elastic Agents /api/fleet/agents/bulk_reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -20022,6 +20035,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks 
@@ -20087,6 +20101,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -20157,6 +20172,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_update_agent_tags: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -20227,6 +20243,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -20303,7 +20320,7 @@ paths: - Elastic Agent actions /api/fleet/agents/files/{fileId}: delete: - description: Delete a file uploaded by an agent. + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -20354,7 +20371,7 @@ paths: - Elastic Agents /api/fleet/agents/files/{fileId}/{fileName}: get: - description: Get a file uploaded by an agent. + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -20510,6 +20527,7 @@ paths: - Elastic Agents /api/fleet/agents/tags: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-tags parameters: - in: query @@ -24121,6 +24139,7 @@ paths: - Fleet Server hosts /api/fleet/health_check: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks From 10c360aa3ddc14514d46672cb1aebf6c999bf046 Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Thu, 2 Jan 2025 12:48:19 -0500 Subject: [PATCH 08/24] more routes --- .../fleet/server/constants/api_privileges.ts | 1 + .../fleet/server/routes/data_streams/index.ts | 12 +++-- .../server/routes/download_source/index.ts | 46 +++++++++++++----- .../server/routes/enrollment_api_key/index.ts | 34 ++++++++++---- .../server/routes/fleet_proxies/index.ts | 32 ++++++++----- .../server/routes/preconfiguration/index.ts | 21 +++++++-- .../shared/fleet/server/routes/setup/index.ts | 47 ++++++++++++++++--- .../server/routes/uninstall_token/index.ts | 14 ++++-- 8 files changed, 157 insertions(+), 50 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts index be68432aa2093..8d303d05ee1c2 100644 --- a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -20,4 +20,5 @@ export const FLEET_API_PRIVILEGES = { READ: `${PLUGIN_ID}-settings-read`, ALL: `${PLUGIN_ID}-settings-all`, }, + SETUP: `fleet-setup`, }; 
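Review bot: The new `SETUP` entry in api_privileges.ts is a template string with no interpolation, hard-coding `fleet-setup`, while the neighbouring entries are built from `PLUGIN_ID`. Writing the value as `${PLUGIN_ID}-setup` would keep the privilege names consistent. If the name is deliberately fixed, a plain quoted string with a short comment would say so. The rest of `FLEET_API_PRIVILEGES` lies outside the hunk, so this is based only on the two `SETTINGS` lines shown as context.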
diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts index 7dc870c394bc8..e51c8ce447317 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts @@ -7,7 +7,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { API_VERSIONS } from '../../../common/constants'; import { DATA_STREAM_API_ROUTES } from '../../constants'; @@ -49,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DATA_STREAM_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, summary: `Get data streams`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts index 687fdcf5f793f..62e97a731fa10 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts @@ -21,7 +21,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { 
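Review bot: The `DATA_STREAM_API_ROUTES.LIST_PATTERN` hunk in data_streams/index.ts replaces `fleet: { all: true }` with three separate entries in `requiredPrivileges`, all of which must be held together. Nothing in the diff shows that a role with the former Fleet `all` grant receives all three API privileges, so the equivalence should be confirmed against the feature registration and covered by a test using a role that lacks one of them. A comment such as `// stands in for the former fleetAuthz fleet.all: every Fleet sub-privilege is required` would make the intent reviewable. The same triple is repeated in both `PRECONFIGURATION_API_ROUTES` reset hunks in preconfiguration/index.ts, so one named constant shared by the three routes would be easier to audit than three copies.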
@@ -36,8 +36,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DOWNLOAD_SOURCE_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, + ], + }, }, summary: `Get agent binary download sources`, options: { @@ -65,8 +74,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DOWNLOAD_SOURCE_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, + ], + }, }, summary: `Get an agent binary download source`, description: `Get an agent binary download source by ID.`, @@ -95,8 +113,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: DOWNLOAD_SOURCE_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update an agent binary download source`, description: `Update an agent binary download source by ID.`, @@ -125,8 +145,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: DOWNLOAD_SOURCE_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create an agent binary download source`, options: { 
@@ -154,8 +176,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: DOWNLOAD_SOURCE_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete an agent binary download source`, description: `Delete an agent binary download source by ID.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts index e593bac3180fe..fd5ba7091ee2b 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts @@ -22,7 +22,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { @@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readEnrollmentTokens: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP], + }, + ], + }, }, summary: `Get an enrollment API key`, description: `Get an enrollment API key by ID.`, @@ -66,8 +72,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: ENROLLMENT_API_KEY_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Revoke an enrollment API key`, description: `Revoke an enrollment API key by ID by marking it as inactive.`, 
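Review bot: The `ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN` hunk in enrollment_api_key/index.ts lets a caller holding only `FLEET_API_PRIVILEGES.SETUP` read an enrollment API key, and the later `LIST_PATTERN` hunk in the same file does the same. Because these routes return enrollment keys, the any-of grant deserves a comment stating why the setup privilege is sufficient, e.g. `// SETUP is accepted because <reason>; mirrors the former readEnrollmentTokens check`. Whether the old `readEnrollmentTokens` flag covered exactly these two privileges is not visible in the diff and should be confirmed. A test that a role with only agents-read is rejected on both routes would pin the behaviour.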
@@ -96,8 +104,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readEnrollmentTokens: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP], + }, + ], + }, }, summary: `Get enrollment API keys`, options: { @@ -128,8 +142,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create an enrollment API key`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts index 1a5ad6ccc764d..09dc7c9800492 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts @@ -8,7 +8,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { FLEET_PROXY_API_ROUTES } from '../../../common/constants'; import { FleetProxyResponseSchema, @@ -34,8 +34,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_PROXY_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get proxies`, options: { 
@@ -63,8 +65,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: FLEET_PROXY_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create a proxy`, options: { @@ -92,8 +96,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: FLEET_PROXY_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update a proxy`, description: `Update a proxy by ID.`, @@ -122,8 +128,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_PROXY_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get a proxy`, description: `Get a proxy by ID.`, @@ -152,8 +160,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: FLEET_PROXY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete a proxy`, description: `Delete a proxy by ID`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts index c62c86953acaa..d7682e307fe11 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts 
@@ -9,6 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { PRECONFIGURATION_API_ROUTES } from '../../constants'; import { PostResetOnePreconfiguredAgentPoliciesSchema } from '../../types'; @@ -19,8 +20,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: PRECONFIGURATION_API_ROUTES.RESET_PATTERN, access: 'public', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -35,8 +42,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: PRECONFIGURATION_API_ROUTES.RESET_ONE_PATTERN, access: 'public', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts index 2f41ff7eb6878..4b7d57787dc92 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts @@ -7,7 +7,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { AGENTS_SETUP_API_ROUTES, SETUP_API_ROUTE } from '../../constants'; import { API_VERSIONS } from '../../../common/constants'; 
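Review bot: The three-element `requiredPrivileges` array that replaces `fleet: { all: true }` is written out by hand on both reset routes here, and again on the `/internal/fleet/enable_space_awareness` route and the `ROTATE_KEY_PAIR` route later in this series. The generated API text in the series describes such a top-level array as "ALL of", so dropping one element at any of those sites would lower the bar on a destructive route without any type error. I would define the list once beside the privilege constants and reference it from each route, e.g. `requiredPrivileges: [...FLEET_ALL_API_PRIVILEGES]` (the name is a suggestion, not an existing export). Both route definitions continue outside their hunks.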
@@ -39,8 +39,19 @@ export const registerFleetSetupRoute = (router: FleetAuthzRouter) => { router.versioned .post({ path: SETUP_API_ROUTE, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Initiate Fleet setup`, options: { @@ -101,8 +112,19 @@ export const registerCreateFleetSetupRoute = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENTS_SETUP_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Initiate agent setup`, options: { @@ -132,8 +154,19 @@ export const registerGetFleetStatusRoute = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENTS_SETUP_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Get agent setup info`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts index 3c5e25d414b27..9710a657ca232 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts 
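Review bot: `SETUP_API_ROUTE` and `AGENTS_SETUP_API_ROUTES.CREATE_PATTERN` are POST routes summarised as initiating setup, yet their `anyRequired` lists accept read-level privileges such as `FLEET_API_PRIVILEGES.AGENTS.READ`. If that is deliberate, for example because the former `fleet.setup` flag was already true for read-only users (its computation is not shown in this diff), a comment on each list would stop a later reader from copying the pattern to other write routes: `// read-level callers may trigger setup because <reason>; mirrors the former fleet.setup flag`. If it is not deliberate, the two POST routes should keep `FLEET_API_PRIVILEGES.SETUP` and drop the read entries. The same list on the status GET in the third hunk is unsurprising. All three register functions extend beyond their hunks.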
@@ -7,7 +7,7 @@ import { UNINSTALL_TOKEN_ROUTES, API_VERSIONS } from '../../../common/constants'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import type { FleetAuthzRouter } from '../../services/security'; import { GetUninstallTokenRequestSchema, @@ -28,8 +28,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: UNINSTALL_TOKEN_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: 'Get metadata for latest uninstall tokens', description: 'List the metadata for the latest uninstall tokens per agent policy.', @@ -58,8 +60,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: UNINSTALL_TOKEN_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: 'Get a decrypted uninstall token', description: 'Get one decrypted uninstall token by its ID.', From 567739417e66061424d6b9b46f0d91063c1b38a0 Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Thu, 2 Jan 2025 14:01:57 -0500 Subject: [PATCH 09/24] more routes --- .../shared/fleet/server/routes/app/index.ts | 23 +++++-- .../fleet/server/routes/output/index.ts | 65 ++++++++++++++----- .../shared/fleet/server/routes/setup/index.ts | 6 +- .../routes/standalone_agent_api_key/index.ts | 8 ++- 4 files changed, 75 insertions(+), 27 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts index e5198ea84a78c..aba2b2ff3acbb 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts 
@@ -21,6 +21,7 @@ import { CheckPermissionsRequestSchema, CheckPermissionsResponseSchema } from '. import { enableSpaceAwarenessMigration } from '../../services/spaces/enable_space_awareness'; import { type FleetConfigType } from '../../config'; import { genericErrorResponse } from '../schema/errors'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; export const getCheckPermissionsHandler: FleetRequestHandler< unknown, @@ -194,8 +195,14 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .post({ path: '/internal/fleet/enable_space_awareness', access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -236,8 +243,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .get({ path: APP_API_ROUTES.AGENT_POLICIES_SPACES, access: 'internal', - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, }) .addVersion( @@ -251,8 +260,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create a service token`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts index dd89eaabf396b..b8b874b10eaaa 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts 
@@ -8,7 +8,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { OUTPUT_API_ROUTES } from '../../constants'; import { DeleteOutputRequestSchema, @@ -40,8 +40,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + ], + }, + ], + }, }, summary: 'Get outputs', options: { @@ -68,8 +77,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + ], + }, + ], + }, }, summary: 'Get output', description: 'Get output by ID.', @@ -97,8 +115,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: OUTPUT_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.allSettings || authz.fleet.allAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, + ], + }, }, summary: 'Update output', description: 'Update output by ID.', 
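Review bot: The `OUTPUT_API_ROUTES.UPDATE_PATTERN` route accepts `FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL` as an alternative to `SETTINGS.ALL`, while create and delete for the same resource in this file require `SETTINGS.ALL` alone. This carries over the removed `allSettings || allAgentPolicies` predicate, so it is not new. The declaration is now what the generated API description publishes, though, and it gives no hint of what a caller with only agent-policy privileges may change on an output. If the handler (outside this hunk) limits such callers to a subset of fields, say so on the list, e.g. `// agent-policies-all callers are limited to <fields> by the handler`. If it does not, the asymmetry with create and delete deserves a second look.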
@@ -127,8 +154,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: OUTPUT_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Create output', options: { @@ -156,8 +185,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: OUTPUT_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Delete output', description: 'Delete output by ID.', @@ -189,8 +220,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: OUTPUT_API_ROUTES.LOGSTASH_API_KEY_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Generate a Logstash API key', options: { @@ -218,8 +251,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.GET_OUTPUT_HEALTH_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: 'Get the latest output health', options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts index 4b7d57787dc92..1dff6368735e9 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts 
@@ -46,7 +46,7 @@ export const registerFleetSetupRoute = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENTS.READ, FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, - FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, FLEET_API_PRIVILEGES.SETUP, ], }, @@ -119,7 +119,7 @@ export const registerCreateFleetSetupRoute = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENTS.READ, FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, - FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, FLEET_API_PRIVILEGES.SETUP, ], }, @@ -161,7 +161,7 @@ export const registerGetFleetStatusRoute = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENTS.READ, FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, - FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, FLEET_API_PRIVILEGES.SETUP, ], }, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts index f0103c23e65dd..6014e6ea42a51 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts @@ -10,7 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; import { CREATE_STANDALONE_AGENT_API_KEY_ROUTE } from '../../constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { PostStandaloneAgentAPIKeyRequestSchema } from '../../types'; import { createStandaloneAgentApiKeyHandler } from './handler'; 
@@ -20,8 +20,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: CREATE_STANDALONE_AGENT_API_KEY_ROUTE, access: 'internal', - fleetAuthz: { - fleet: { addAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, }) .addVersion( From 83ac50dfabd687f134e29f9d4a00cc8c788211ac Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 19:15:45 +0000 Subject: [PATCH 10/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 41 ++++++++++++++++++++++----------- oas_docs/bundle.serverless.json | 41 ++++++++++++++++++++++----------- 2 files changed, 56 insertions(+), 26 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index 7bd99a403cbfa..b6d3c3dfe0948 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -8595,6 +8595,7 @@ }, "/api/fleet/agent_download_sources": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -8690,6 +8691,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -8818,7 +8820,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8891,7 +8893,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8981,7 +8983,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -17336,6 +17338,7 @@ }, "/api/fleet/agents/setup": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -17423,6 +17426,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -19309,6 +19313,7 @@ }, "/api/fleet/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { @@ -19453,6 +19458,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -19628,6 +19634,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -19761,7 +19768,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19837,7 +19844,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -24823,6 +24830,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -24989,6 +24997,7 @@ }, "/api/fleet/outputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -26072,6 +26081,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-outputs", "parameters": [ { @@ -28177,7 +28187,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.", + "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -28275,7 +28285,7 @@ ] }, "get": { - "description": "Get output by ID.", + "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -29353,7 +29363,7 @@ ] }, "put": { - "description": "Update output by ID.", + "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -31443,6 +31453,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -37706,6 +37717,7 @@ }, "/api/fleet/proxies": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -37824,6 +37836,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-proxies", "parameters": [ { @@ -37998,7 +38011,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -38071,7 +38084,7 @@ ] }, "get": { - "description": "Get a proxy by ID.", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -38184,7 +38197,7 @@ ] }, "put": { - "description": "Update a proxy by ID.", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -38362,6 +38375,7 @@ }, "/api/fleet/service_tokens": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -38773,6 +38787,7 @@ }, "/api/fleet/setup": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-setup", "parameters": [ { @@ -38879,7 +38894,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -39016,7 +39031,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index 2094647c04154..b239bbfd4cec2 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -8595,6 +8595,7 @@ }, "/api/fleet/agent_download_sources": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -8690,6 +8691,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -8818,7 +8820,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8891,7 +8893,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8981,7 +8983,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -17336,6 +17338,7 @@ }, "/api/fleet/agents/setup": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -17423,6 +17426,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -19309,6 +19313,7 @@ }, "/api/fleet/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { @@ -19453,6 +19458,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -19628,6 +19634,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -19761,7 +19768,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19837,7 +19844,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -24823,6 +24830,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -24989,6 +24997,7 @@ }, "/api/fleet/outputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -26072,6 +26081,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-outputs", "parameters": [ { @@ -28177,7 +28187,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.", + "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -28275,7 +28285,7 @@ ] }, "get": { - "description": "Get output by ID.", + "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -29353,7 +29363,7 @@ ] }, "put": { - "description": "Update output by ID.", + "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -31443,6 +31453,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -37706,6 +37717,7 @@ }, "/api/fleet/proxies": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -37824,6 +37836,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-proxies", "parameters": [ { @@ -37998,7 +38011,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -38071,7 +38084,7 @@ ] }, "get": { - "description": "Get a proxy by ID.", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -38184,7 +38197,7 @@ ] }, "put": { - "description": "Update a proxy by ID.", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -38362,6 +38375,7 @@ }, "/api/fleet/service_tokens": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -38773,6 +38787,7 @@ }, "/api/fleet/setup": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-setup", "parameters": [ { @@ -38879,7 +38894,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -39016,7 +39031,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { From 10275a04f985703995eb3ee36e5849bbf20bd42c Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Thu, 2 Jan 2025 14:35:20 -0500 Subject: [PATCH 11/24] more routes --- .../server/routes/fleet_server_hosts/index.ts | 36 +++++++++++++------ .../routes/message_signing_service/index.ts | 11 ++++-- 2 files changed, 34 insertions(+), 13 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts index 667a617659492..a57f6fe86e8e3 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts @@ -21,7 +21,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { @@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_SERVER_HOST_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.addAgents || authz.fleet.addFleetServers || authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETTINGS.READ], + }, + ], + }, }, summary: `Get Fleet Server hosts`, options: { @@ -64,8 +70,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: FLEET_SERVER_HOST_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create a Fleet Server host`, options: { 
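Review bot: The removed predicate on `FLEET_SERVER_HOST_API_ROUTES.LIST_PATTERN` had three alternatives (`addAgents`, `addFleetServers`, `readSettings`) and the new `anyRequired` list has two, so `addFleetServers` has no visible counterpart. If that flag was only ever true for callers who also hold `FLEET_API_PRIVILEGES.AGENTS.ALL`, the translation is exact, but its definition is not in this diff. Otherwise some callers who could list Fleet Server hosts before will now be refused. Once confirmed, a one-line comment recording the mapping would settle it for the next reader: `// addAgents and addFleetServers are both covered by AGENTS.ALL`. The `registerRoutes` body extends beyond the hunk.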
@@ -92,8 +100,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_SERVER_HOST_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get a Fleet Server host`, description: `Get a Fleet Server host by ID.`, @@ -121,8 +131,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: FLEET_SERVER_HOST_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete a Fleet Server host`, description: `Delete a Fleet Server host by ID.`, @@ -153,8 +165,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: FLEET_SERVER_HOST_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update a Fleet Server host`, description: `Update a Fleet Server host by ID.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts index 645e7070f901a..470ba0531bba2 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts @@ -10,6 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; import { MESSAGE_SIGNING_SERVICE_API_ROUTES } from '../../constants'; import { RotateKeyPairSchema } from '../../types'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse } from '../schema/errors'; 
@@ -20,8 +21,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: MESSAGE_SIGNING_SERVICE_API_ROUTES.ROTATE_KEY_PAIR, - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, summary: 'Rotate a Fleet message signing key pair', options: { From df86a0e910e6658a12a994f517766b13bf3b2ac0 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 19:52:37 +0000 Subject: [PATCH 12/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 9 ++++++--- oas_docs/bundle.serverless.json | 9 ++++++--- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index b6d3c3dfe0948..c214cb1ab0e2d 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -23970,6 +23970,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -24074,6 +24075,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -24220,7 +24222,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.", + "description": "Delete a Fleet Server host by ID.
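Review bot: The key-pair rotation route replaces `fleet: { all: true }` with a hand-written list of three privileges, so it stops meaning "all of Fleet" as soon as another privilege group is added to `FLEET_API_PRIVILEGES` (a later patch in this series already adds an `INTEGRATIONS` group, though whether the legacy `fleet.all` covered it cannot be told from here). Rotating the message signing key is a sensitive operation, so I would define the conjunction once next to the constants and reference it here, e.g. `requiredPrivileges: FLEET_ALL_PRIVILEGES` (the name is only a suggestion), with a comment that it stands in for the legacy `fleet.all` check. The generated OpenAPI description for `/api/fleet/data_streams` shows the same three-privilege list, so at least one other route would share the constant. The route registration continues outside the hunk.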

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24293,7 +24295,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24392,7 +24394,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24897,6 +24899,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index b239bbfd4cec2..c9367f5b7dea7 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -23970,6 +23970,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -24074,6 +24075,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -24220,7 +24222,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.", + "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24293,7 +24295,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24392,7 +24394,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24897,6 +24899,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { From b20687c3814e4dc90a1400432b7bd0aa6c40990f Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 2 Jan 2025 20:31:32 +0000 Subject: [PATCH 13/24] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 50 +++++++++++++++++--------- oas_docs/output/kibana.yaml | 50 +++++++++++++++++--------- 2 files changed, 68 insertions(+), 32 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index dfde301d5215d..bb62044e6de9f 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -11199,6 +11199,7 @@ paths: x-beta: true /api/fleet/agent_download_sources: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -11265,6 +11266,7 @@ paths: - Elastic Agent binary download sources x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -11352,7 +11354,7 @@ paths: x-beta: true /api/fleet/agent_download_sources/{sourceId}: delete: - description: Delete an agent binary download source by ID. + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -11400,7 +11402,7 @@ paths: - Elastic Agent binary download sources x-beta: true get: - description: Get an agent binary download source by ID. + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -11461,7 +11463,7 @@ paths: - Elastic Agent binary download sources x-beta: true put: - description: Update an agent binary download source by ID. + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -18303,6 +18305,7 @@ paths: x-beta: true /api/fleet/agents/setup: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: get-fleet-agents-setup parameters: [] responses: @@ -18363,6 +18366,7 @@ paths: - Elastic Agents x-beta: true post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -18518,6 +18522,7 @@ paths: x-beta: true /api/fleet/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: get-fleet-data-streams parameters: [] responses: @@ -18615,6 +18620,7 @@ paths: x-beta: true /api/fleet/enrollment_api_keys: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -18738,6 +18744,7 @@ paths: - Fleet enrollment API keys x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -18828,7 +18835,7 @@ paths: x-beta: true /api/fleet/enrollment_api_keys/{keyId}: delete: - description: Revoke an enrollment API key by ID by marking it as inactive. + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -18878,7 +18885,7 @@ paths: - Fleet enrollment API keys x-beta: true get: - description: Get an enrollment API key by ID. + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -21679,6 +21686,7 @@ paths: x-beta: true /api/fleet/fleet_server_hosts: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' operationId: get-fleet-fleet-server-hosts parameters: [] responses: @@ -21751,6 +21759,7 @@ paths: - Fleet Server hosts x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -21850,7 +21859,7 @@ paths: x-beta: true /api/fleet/fleet_server_hosts/{itemId}: delete: - description: Delete a Fleet Server host by ID. + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -21898,7 +21907,7 @@ paths: - Fleet Server hosts x-beta: true get: - description: Get a Fleet Server host by ID. + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -21965,7 +21974,7 @@ paths: - Fleet Server hosts x-beta: true put: - description: Update a Fleet Server host by ID. + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -22250,6 +22259,7 @@ paths: x-beta: true /api/fleet/logstash_api_keys: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -22293,6 +22303,7 @@ paths: x-beta: true /api/fleet/message_signing_service/rotate_key_pair: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -22358,6 +22369,7 @@ paths: x-beta: true /api/fleet/outputs: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs parameters: [] responses: @@ -23083,6 +23095,7 @@ paths: - Fleet outputs x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -24489,7 +24502,7 @@ paths: x-beta: true /api/fleet/outputs/{outputId}: delete: - description: Delete output by ID. + description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -24553,7 +24566,7 @@ paths: - Fleet outputs x-beta: true get: - description: Get output by ID. + description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -25273,7 +25286,7 @@ paths: - Fleet outputs x-beta: true put: - description: Update output by ID. + description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -26664,6 +26677,7 @@ paths: x-beta: true /api/fleet/outputs/{outputId}/health: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -30799,6 +30813,7 @@ paths: x-beta: true /api/fleet/proxies: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies parameters: [] responses: @@ -30877,6 +30892,7 @@ paths: - Fleet proxies x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -30988,7 +31004,7 @@ paths: x-beta: true /api/fleet/proxies/{itemId}: delete: - description: Delete a proxy by ID + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -31036,7 +31052,7 @@ paths: - Fleet proxies x-beta: true get: - description: Get a proxy by ID. + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -31109,7 +31125,7 @@ paths: - Fleet proxies x-beta: true put: - description: Update a proxy by ID. + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -31223,6 +31239,7 @@ paths: x-beta: true /api/fleet/service_tokens: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -31495,6 +31512,7 @@ paths: x-beta: true /api/fleet/setup: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -31565,7 +31583,7 @@ paths: x-beta: true /api/fleet/uninstall_tokens: get: - description: List the metadata for the latest uninstall tokens per agent policy. + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -31658,7 +31676,7 @@ paths: x-beta: true /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: Get one decrypted uninstall token by its ID. + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 2a89138d5c3e5..150eb180d1cc9 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -13346,6 +13346,7 @@ paths: - Security Exceptions API /api/fleet/agent_download_sources: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -13411,6 +13412,7 @@ paths: tags: - Elastic Agent binary download sources post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -13497,7 +13499,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_download_sources/{sourceId}: delete: - description: Delete an agent binary download source by ID. + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -13544,7 +13546,7 @@ paths: tags: - Elastic Agent binary download sources get: - description: Get an agent binary download source by ID. + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -13604,7 +13606,7 @@ paths: tags: - Elastic Agent binary download sources put: - description: Update an agent binary download source by ID. + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -20411,6 +20413,7 @@ paths: - Elastic Agents /api/fleet/agents/setup: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: get-fleet-agents-setup parameters: [] responses: @@ -20470,6 +20473,7 @@ paths: tags: - Elastic Agents post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -20622,6 +20626,7 @@ paths: - Fleet internals /api/fleet/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: get-fleet-data-streams parameters: [] responses: @@ -20718,6 +20723,7 @@ paths: - Data streams /api/fleet/enrollment_api_keys: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -20840,6 +20846,7 @@ paths: tags: - Fleet enrollment API keys post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -20929,7 +20936,7 @@ paths: - Fleet enrollment API keys /api/fleet/enrollment_api_keys/{keyId}: delete: - description: Revoke an enrollment API key by ID by marking it as inactive. + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -20978,7 +20985,7 @@ paths: tags: - Fleet enrollment API keys get: - description: Get an enrollment API key by ID. + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -23760,6 +23767,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/fleet_server_hosts: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' operationId: get-fleet-fleet-server-hosts parameters: [] responses: @@ -23831,6 +23839,7 @@ paths: tags: - Fleet Server hosts post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -23929,7 +23938,7 @@ paths: - Fleet Server hosts /api/fleet/fleet_server_hosts/{itemId}: delete: - description: Delete a Fleet Server host by ID. + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -23976,7 +23985,7 @@ paths: tags: - Fleet Server hosts get: - description: Get a Fleet Server host by ID. + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -24042,7 +24051,7 @@ paths: tags: - Fleet Server hosts put: - description: Update a Fleet Server host by ID. + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -24323,6 +24332,7 @@ paths: - Elastic Agent policies /api/fleet/logstash_api_keys: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -24365,6 +24375,7 @@ paths: - Fleet outputs /api/fleet/message_signing_service/rotate_key_pair: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -24429,6 +24440,7 @@ paths: - Message Signing Service /api/fleet/outputs: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs parameters: [] responses: @@ -25153,6 +25165,7 @@ paths: tags: - Fleet outputs post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -26558,7 +26571,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}: delete: - description: Delete output by ID. + description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -26621,7 +26634,7 @@ paths: tags: - Fleet outputs get: - description: Get output by ID. + description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -27340,7 +27353,7 @@ paths: tags: - Fleet outputs put: - description: Update output by ID. + description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -28730,6 +28743,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}/health: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -32855,6 +32869,7 @@ paths: - Fleet package policies /api/fleet/proxies: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies parameters: [] responses: @@ -32932,6 +32947,7 @@ paths: tags: - Fleet proxies post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -33042,7 +33058,7 @@ paths: - Fleet proxies /api/fleet/proxies/{itemId}: delete: - description: Delete a proxy by ID + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -33089,7 +33105,7 @@ paths: tags: - Fleet proxies get: - description: Get a proxy by ID. + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -33161,7 +33177,7 @@ paths: tags: - Fleet proxies put: - description: Update a proxy by ID. + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -33274,6 +33290,7 @@ paths: - Fleet proxies /api/fleet/service_tokens: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -33543,6 +33560,7 @@ paths: - Fleet internals /api/fleet/setup: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -33612,7 +33630,7 @@ paths: - Fleet internals /api/fleet/uninstall_tokens: get: - description: List the metadata for the latest uninstall tokens per agent policy. + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -33704,7 +33722,7 @@ paths: - Fleet uninstall tokens /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: Get one decrypted uninstall token by its ID. + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path From fd368b3bf5b2034d310f3077b0694b8df0eff40f Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Fri, 3 Jan 2025 08:55:49 -0500 Subject: [PATCH 14/24] more routes --- .../fleet/server/constants/api_privileges.ts | 6 +- .../fleet/server/routes/agent_policy/index.ts | 110 +++++++++++++----- .../shared/fleet/server/routes/epm/index.ts | 75 ++++++------ .../server/routes/package_policy/index.ts | 43 +++++-- .../fleet/server/routes/settings/index.ts | 27 +++-- .../fleet/server/services/package_policy.ts | 63 +++++----- 6 files changed, 211 insertions(+), 113 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts index 8d303d05ee1c2..62c0e7a6ceae5 100644 --- a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -5,7 +5,7 @@ * 2.0. */ -import { PLUGIN_ID } from '../../common'; +import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common'; export const FLEET_API_PRIVILEGES = { AGENTS: { @@ -20,5 +20,9 @@ export const FLEET_API_PRIVILEGES = { READ: `${PLUGIN_ID}-settings-read`, ALL: `${PLUGIN_ID}-settings-all`, }, + INTEGRATIONS: { + READ: `${INTEGRATIONS_PLUGIN_ID}-read`, + ALL: `${INTEGRATIONS_PLUGIN_ID}-all`, + }, SETUP: `fleet-setup`, }; diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts index 0d0dc6ae68c25..7d93f98267e59 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts 
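Review bot: `FLEET_API_PRIVILEGES` feeds the `requiredPrivileges` lists throughout this series, but the object literal closed in this hunk is a plain mutable object, so any importing module can reassign an entry. I would close it with `} as const;` so the privilege names become read-only literal types. The new `INTEGRATIONS` entries are built from `INTEGRATIONS_PLUGIN_ID` rather than `PLUGIN_ID`; a one-line comment such as `// privileges registered under the Integrations plugin id` would explain the different prefix, assuming that is the reason. Part of the object lies between the two hunks of this file.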
@@ -9,7 +9,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { AGENT_POLICY_API_ROUTES } from '../../constants'; import { GetAgentPoliciesRequestSchema, @@ -60,9 +60,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + ], + }, + ], + }, }, summary: `Get agent policies`, options: { @@ -91,9 +99,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.BULK_GET_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + ], + }, + ], + }, }, summary: `Bulk get agent policies`, options: { 
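Review bot: The list and bulk-get agent policy routes here, and the `INFO_PATTERN` hunk that follows, lose the comment explaining why `AGENTS.READ` alone is accepted: such users may retrieve policy metadata only, not the full policy. That restriction is not expressed by `anyRequired` and has to be enforced in the handlers, which are not visible in this diff, so the rationale should stay next to the privilege list: `// AGENTS.READ alone only grants policy metadata (no full policy); the handler must enforce this`. Without it, a later cleanup could treat the two privileges as interchangeable for these routes. The route registrations continue outside the hunks.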
@@ -122,9 +138,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + ], + }, + ], + }, }, summary: `Get an agent policy`, description: `Get an agent policy by ID.`, @@ -154,8 +178,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Create an agent policy`, options: { @@ -184,8 +210,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: AGENT_POLICY_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Update an agent policy`, description: `Update an agent policy by ID.`, @@ -215,8 +243,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.COPY_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Copy an agent policy`, description: `Copy an agent policy by ID.`, 
@@ -246,8 +276,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Delete an agent policy`, description: `Delete an agent policy by ID.`, @@ -277,8 +309,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.FULL_INFO_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, summary: `Get a full agent policy`, description: `Get a full agent policy by ID.`, @@ -308,8 +342,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.FULL_INFO_DOWNLOAD_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, enableQueryVersion: true, summary: `Download an agent policy`, @@ -343,8 +379,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: K8S_API_ROUTES.K8S_INFO_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, summary: `Get a full K8s agent manifest`, options: { @@ -373,8 +411,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: K8S_API_ROUTES.K8S_DOWNLOAD_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, enableQueryVersion: true, summary: `Download an agent manifest`, 
@@ -406,8 +446,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.LIST_OUTPUTS_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readAgentPolicies && authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, }, summary: `Get outputs for agent policies`, description: `Get a list of outputs associated with agent policies.`, @@ -436,8 +481,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.INFO_OUTPUTS_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readAgentPolicies && authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, }, summary: `Get outputs for an agent policy`, description: `Get a list of outputs associated with agent policy by policy id.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts index 787b02b69c3e8..f832c571fc253 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts @@ -5,8 +5,9 @@ * 2.0. */ -import { parseExperimentalConfigValue } from '../../../common/experimental_features'; +import type { RouteSecurity } from '@kbn/core-http-server'; +import { parseExperimentalConfigValue } from '../../../common/experimental_features'; import { API_VERSIONS } from '../../../common/constants'; import type { FleetAuthz } from '../../../common'; 
@@ -57,7 +58,7 @@ import { ReauthorizeTransformResponseSchema, } from '../../types'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse } from '../schema/errors'; import { @@ -91,8 +92,19 @@ export const INSTALL_PACKAGES_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { integrations: { installPackages: true }, }; -export const READ_PACKAGE_INFO_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { - integrations: { readPackageInfo: true }, +export const INSTALL_PACKAGES_SECURITY: RouteSecurity = { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, +}; + +export const READ_PACKAGE_INFO_SECURITY: RouteSecurity = { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.INTEGRATIONS.READ], + }, }; export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType) => { @@ -101,7 +113,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.CATEGORIES_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get package categories`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -128,7 +140,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -155,7 +167,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INSTALLED_LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get installed packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], 
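Review bot: `INSTALL_PACKAGES_SECURITY` demands both `FLEET_API_PRIVILEGES.INTEGRATIONS.ALL` and `FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL`, and later hunks in this file substitute it for five different checks (`writePackageSettings`, `installPackages`, `installPackages` plus `upgradePackages`, `uploadPackages`, `removePackages`), so the per-action distinction is gone. Whether every role that held one of those flags also holds both API privileges cannot be told from the diff; if not, this is a silent permission change and deserves a line in the PR description and a doc comment on the constant such as `/** Required for every package write route; replaces the per-action fleetAuthz flags. */`. The `DELETE_PATTERN` hunk inlines the same two-element array instead of using the constant, e.g. `security: INSTALL_PACKAGES_SECURITY,`. The exported `READ_PACKAGE_INFO_AUTHZ` is removed here, so any importer outside this file would need updating.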
@@ -182,7 +194,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.LIMITED_LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a limited package list`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -209,7 +221,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.STATS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get package stats`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -236,7 +248,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INPUTS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get an inputs template`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -263,7 +275,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.FILEPATH_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a package file`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -290,6 +302,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INFO_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz(fleetAuthz, getRouteRequiredAuthz('get', EPM_API_ROUTES.INFO_PATTERN)) .granted, 
@@ -319,9 +332,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: EPM_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - integrations: { writePackageSettings: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Update package settings`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -348,7 +359,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.INSTALL_FROM_REGISTRY_PATTERN, - fleetAuthz: INSTALL_PACKAGES_AUTHZ, + security: INSTALL_PACKAGES_SECURITY, summary: `Install a package from the registry`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -376,9 +387,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.INSTALL_KIBANA_ASSETS_PATTERN, - fleetAuthz: { - integrations: { installPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Install Kibana assets for a package`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -405,9 +414,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .delete({ path: EPM_API_ROUTES.DELETE_KIBANA_ASSETS_PATTERN, - fleetAuthz: { - integrations: { installPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Delete Kibana assets for a package`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -435,9 +442,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.BULK_INSTALL_PATTERN, - fleetAuthz: { - integrations: { installPackages: true, upgradePackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Bulk install packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], 
@@ -473,9 +478,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType }, tags: [`oas-tag:Elastic Package Manager (EPM)`], }, - fleetAuthz: { - integrations: { uploadPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Install a package by upload`, }) .addVersion( @@ -499,7 +502,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.CUSTOM_INTEGRATIONS_PATTERN, - fleetAuthz: INSTALL_PACKAGES_AUTHZ, + security: INSTALL_PACKAGES_SECURITY, summary: `Create a custom integration`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -526,8 +529,13 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .delete({ path: EPM_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - integrations: { removePackages: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, }, summary: `Delete a package`, options: { @@ -556,7 +564,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.VERIFICATION_KEY_ID, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a package signature verification key ID`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -583,7 +591,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.DATA_STREAMS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get data streams`, options: { tags: ['oas-tag:Data streams'], 
@@ -610,7 +618,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.BULK_ASSETS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Bulk get assets`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -639,6 +647,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.REAUTHORIZE_TRANSFORMS, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: { ...INSTALL_PACKAGES_AUTHZ, packagePrivileges: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts index 8a547f4127f97..6252a362b12d2 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts @@ -7,9 +7,8 @@ import { schema } from '@kbn/config-schema'; import { getRouteRequiredAuthz } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import type { FleetAuthzRouter } from '../../services/security'; - import type { FleetAuthz } from '../../../common'; import { API_VERSIONS } from '../../../common/constants'; import { PACKAGE_POLICY_API_ROUTES } from '../../constants'; @@ -56,6 +55,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: PACKAGE_POLICY_API_ROUTES.LIST_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, 
@@ -88,6 +88,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -123,6 +124,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -218,6 +220,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: PACKAGE_POLICY_API_ROUTES.UPDATE_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -258,8 +261,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Bulk delete package policies', options: { @@ -287,8 +295,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Delete a package policy', description: 'Delete a package policy by ID.', 
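Review bot: Delete on `PACKAGE_POLICY_API_ROUTES.DELETE_PATTERN` and `INFO_PATTERN` now requires `AGENT_POLICIES.ALL` and `INTEGRATIONS.ALL`, while update on the same resource (`UPDATE_PATTERN`, left on `fleetAuthz` with the TODO) is still decided by `calculateRouteAuthz(fleetAuthz, getRouteRequiredAuthz(...))`. Until the linked issue 203170 is done the two mechanisms may disagree about the same caller, in particular for roles the old `writeIntegrationPolicies` flag covered; that mapping is outside the diff. The same applies to the `UPGRADE_PATTERN` and `DRYRUN_PATTERN` hunks that follow. A comment on each converted route, such as `// authz differs from PUT on this path until #203170 lands`, would make the interim asymmetry explicit.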
@@ -318,8 +331,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.UPGRADE_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Upgrade a package policy', description: 'Upgrade a package policy to a newer package version.', @@ -349,8 +367,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.DRYRUN_PATTERN, - fleetAuthz: { - integrations: { readIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + ], + }, }, summary: 'Dry run a package policy upgrade', options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts index 04e6c2a955634..c307fce8aa900 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts @@ -20,7 +20,7 @@ import { GetEnrollmentSettingsResponseSchema, } from '../../types'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse, notFoundResponse } from '../schema/errors'; import { getEnrollmentSettingsHandler } from './enrollment_settings_handler'; @@ -39,6 +39,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .get({ path: SETTINGS_API_ROUTES.SPACE_INFO_PATTERN, fleetAuthz: (authz) => { + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 return ( authz.fleet.readSettings || authz.integrations.writeIntegrationPolicies || 
@@ -65,8 +66,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: SETTINGS_API_ROUTES.SPACE_UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create space settings`, }) @@ -89,8 +92,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: SETTINGS_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get settings`, options: { @@ -120,8 +125,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: SETTINGS_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update settings`, options: { @@ -151,8 +158,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: SETTINGS_API_ROUTES.ENROLLMENT_INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.addAgents || authz.fleet.addFleetServers; + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Get enrollment settings`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts index 32ec4c90b4319..3ff369994c5c7 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts 
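Review bot: The new `requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL]` on `SETTINGS_API_ROUTES.ENROLLMENT_INFO_PATTERN` replaces `authz.fleet.addAgents || authz.fleet.addFleetServers`, so the second alternative is no longer expressed. If `addFleetServers` can be granted without agents-all (its derivation is not shown in this diff), those callers lose access to enrollment settings. Either keep the alternative with an `anyRequired` entry, as the agent policy routes do, or record the decision with `// addFleetServers-only callers are intentionally no longer allowed`.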
@@ -152,6 +152,7 @@ import type { PackagePolicyClientFetchAllItemIdsOptions } from './package_policy import { validatePolicyNamespaceForSpace } from './spaces/policy_namespaces'; import { isSpaceAwarenessEnabled, isSpaceAwarenessMigrationPending } from './spaces/helpers'; import { updatePackagePolicySpaces } from './spaces/package_policy'; +import { runWithCache } from './epm/packages/cache'; export type InputsOverride = Partial & { vars?: Array; 
@@ -1694,40 +1695,42 @@ class PackagePolicyClientImpl implements PackagePolicyClient { packagePolicy?: PackagePolicy, pkgVersion?: string ): Promise { - const result: UpgradePackagePolicyResponse = []; + return runWithCache(async () => { + const result: UpgradePackagePolicyResponse = []; - for (const id of ids) { - try { - const { - packagePolicy: currentPackagePolicy, - packageInfo, - experimentalDataStreamFeatures, - } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion); - - if (currentPackagePolicy.is_managed && !options?.force) { - throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`); - } + for (const id of ids) { + try { + const { + packagePolicy: currentPackagePolicy, + packageInfo, + experimentalDataStreamFeatures, + } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion); + + if (currentPackagePolicy.is_managed && !options?.force) { + throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`); + } - await this.doUpgrade( - soClient, - esClient, - id, - currentPackagePolicy, - result, - packageInfo, - experimentalDataStreamFeatures, - options - ); - } catch (error) { - result.push({ - id, - success: false, - ...fleetErrorToResponseOptions(error), - }); + await this.doUpgrade( + soClient, + esClient, + id, + currentPackagePolicy, + result, + packageInfo, + experimentalDataStreamFeatures, + options + ); + } catch (error) { + result.push({ + id, + success: false, + ...fleetErrorToResponseOptions(error), + }); + } } - } - return result; + return result; + }); } private async doUpgrade( From 68418db32d0329591a49fb8ab635bff8a2b7fdb2 Mon Sep 17 00:00:00 2001 
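Review bot: The body of this upgrade method is now wrapped in `runWithCache(async () => { ... })` with no comment on what is cached or for how long, and the change is not mentioned in a commit titled as an authorization migration. The loop calls `getUpgradePackagePolicyInfo` once per id, so presumably the cache shares package lookups across ids; if so, say it: `// cache package lookups for the duration of this bulk upgrade`. It is also worth confirming that a cached lookup cannot mask a change made by `doUpgrade` for an earlier id in the same call. The method signature starts above the hunk and `runWithCache` is defined elsewhere, so both points rest on what is visible here.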
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 14:15:59 +0000 Subject: [PATCH 15/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 45 +++++++++++++++++++++++++-------- oas_docs/bundle.serverless.json | 45 +++++++++++++++++++++++++-------- 2 files changed, 70 insertions(+), 20 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index c214cb1ab0e2d..87752736d5bad 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -9120,6 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -9957,6 +9958,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -10957,6 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -11743,7 +11746,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -11836,7 +11839,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -12009,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -12760,7 +12763,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -13773,7 +13776,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -14558,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -14663,7 +14666,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -15189,7 +15192,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -19945,6 +19948,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20083,6 +20087,7 @@ }, "/api/fleet/epm/categories": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -20181,6 +20186,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -20377,6 +20383,7 @@ }, "/api/fleet/epm/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -20490,6 +20497,7 @@ }, "/api/fleet/epm/packages": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21049,6 +21057,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -21225,6 +21234,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { 
@@ -21490,6 +21500,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21718,6 +21729,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21776,6 +21788,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -21849,6 +21862,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22685,6 +22699,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22894,6 +22909,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -23689,6 +23705,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { 
@@ -23758,6 +23775,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23914,6 +23932,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -24656,6 +24675,7 @@ }, "/api/fleet/kubernetes": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24736,6 +24756,7 @@ }, "/api/fleet/kubernetes/download": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -34210,6 +34231,7 @@ }, "/api/fleet/package_policies/delete": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -34401,7 +34423,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.", + "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -34514,6 +34536,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -35699,7 +35722,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -38466,6 +38489,7 @@ }, "/api/fleet/settings": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -38598,6 +38622,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-settings", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index c9367f5b7dea7..17c0d473eec8c 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -9120,6 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -9957,6 +9958,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -10957,6 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -11743,7 +11746,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -11836,7 +11839,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -12009,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -12760,7 +12763,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -13773,7 +13776,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -14558,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -14663,7 +14666,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -15189,7 +15192,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -19945,6 +19948,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20083,6 +20087,7 @@ }, "/api/fleet/epm/categories": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -20181,6 +20186,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -20377,6 +20383,7 @@ }, "/api/fleet/epm/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -20490,6 +20497,7 @@ }, "/api/fleet/epm/packages": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21049,6 +21057,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -21225,6 +21234,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { 
@@ -21490,6 +21500,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21718,6 +21729,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21776,6 +21788,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -21849,6 +21862,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22685,6 +22699,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22894,6 +22909,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -23689,6 +23705,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { 
@@ -23758,6 +23775,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23914,6 +23932,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -24656,6 +24675,7 @@ }, "/api/fleet/kubernetes": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24736,6 +24756,7 @@ }, "/api/fleet/kubernetes/download": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -34210,6 +34231,7 @@ }, "/api/fleet/package_policies/delete": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -34401,7 +34423,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.", + "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -34514,6 +34536,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -35699,7 +35722,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -38466,6 +38489,7 @@ }, "/api/fleet/settings": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -38598,6 +38622,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-settings", "parameters": [ { From 61fcdad979cf51bc9a85556f57bc28490ea26d0c Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 14:32:33 +0000 Subject: [PATCH 16/24] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 45 ++++++++++++++++++++------ oas_docs/output/kibana.yaml | 45 ++++++++++++++++++++------ 2 files changed, 70 insertions(+), 20 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index bb62044e6de9f..ee3c49aeacea2 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -11556,6 +11556,7 @@ paths: x-beta: true /api/fleet/agent_policies: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: get-fleet-agent-policies parameters: - in: query @@ -12135,6 +12136,7 @@ paths: - Elastic Agent policies x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks 
@@ -12828,6 +12830,7 @@ paths: x-beta: true /api/fleet/agent_policies/_bulk_get: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -13373,7 +13376,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}: get: - description: Get an agent policy by ID. + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -13895,7 +13898,7 @@ paths: - Elastic Agent policies x-beta: true put: - description: Update an agent policy by ID. + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -14597,7 +14600,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Copy an agent policy by ID. + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -15141,7 +15144,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: Download an agent policy by ID. + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -15208,7 +15211,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: Get a full agent policy by ID. + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -15557,7 +15560,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: Get a list of outputs associated with agent policy by policy id. + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -15654,7 +15657,7 @@ paths: x-beta: true /api/fleet/agent_policies/delete: post: - description: Delete an agent policy by ID. + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -15715,7 +15718,7 @@ paths: x-beta: true /api/fleet/agent_policies/outputs: post: - description: Get a list of outputs associated with agent policies. + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -18954,6 +18957,7 @@ paths: x-beta: true /api/fleet/epm/bulk_assets: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -19045,6 +19049,7 @@ paths: x-beta: true /api/fleet/epm/categories: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-categories parameters: - in: query @@ -19109,6 +19114,7 @@ paths: x-beta: true /api/fleet/epm/custom_integrations: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -19244,6 +19250,7 @@ paths: x-beta: true /api/fleet/epm/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -19319,6 +19326,7 @@ paths: x-beta: true /api/fleet/epm/packages: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages parameters: - in: query @@ -19711,6 +19719,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks 
@@ -19831,6 +19840,7 @@ paths: x-beta: true /api/fleet/epm/packages/_bulk: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -20006,6 +20016,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -20585,6 +20596,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -20727,6 +20739,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true put: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -21189,6 +21202,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -21318,6 +21332,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/stats: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path 
@@ -21365,6 +21380,7 @@ paths: x-beta: true /api/fleet/epm/packages/installed: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -21511,6 +21527,7 @@ paths: x-beta: true /api/fleet/epm/packages/limited: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -21549,6 +21566,7 @@ paths: x-beta: true /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -21649,6 +21667,7 @@ paths: x-beta: true /api/fleet/epm/verification_key_id: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -22147,6 +22166,7 @@ paths: x-beta: true /api/fleet/kubernetes: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-kubernetes parameters: - in: query @@ -22198,6 +22218,7 @@ paths: x-beta: true /api/fleet/kubernetes/download: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -28489,7 +28510,7 @@ paths: x-beta: true /api/fleet/package_policies/{packagePolicyId}: delete: - description: Delete a package policy by ID. + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -29817,6 +29838,7 @@ paths: x-beta: true /api/fleet/package_policies/delete: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -29946,7 +29968,7 @@ paths: x-beta: true /api/fleet/package_policies/upgrade: post: - description: Upgrade a package policy to a newer package version. + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -30020,6 +30042,7 @@ paths: x-beta: true /api/fleet/package_policies/upgrade/dryrun: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -31297,6 +31320,7 @@ paths: x-beta: true /api/fleet/settings: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-settings parameters: [] responses: @@ -31385,6 +31409,7 @@ paths: - Fleet internals x-beta: true put: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 150eb180d1cc9..33f7d849de6de 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -13698,6 +13698,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_policies: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: get-fleet-agent-policies parameters: - in: query @@ -14276,6 +14277,7 @@ paths: tags: - Elastic Agent policies post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks 
@@ -14968,6 +14970,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -15512,7 +15515,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: - description: Get an agent policy by ID. + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -16033,7 +16036,7 @@ paths: tags: - Elastic Agent policies put: - description: Update an agent policy by ID. + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -16734,7 +16737,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Copy an agent policy by ID. + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -17277,7 +17280,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: Download an agent policy by ID. + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -17343,7 +17346,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: Get a full agent policy by ID. + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -17691,7 +17694,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: Get a list of outputs associated with agent policy by policy id. + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -17787,7 +17790,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/delete: post: - description: Delete an agent policy by ID. + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -17847,7 +17850,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/outputs: post: - description: Get a list of outputs associated with agent policies. + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -21053,6 +21056,7 @@ paths: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -21143,6 +21147,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-categories parameters: - in: query @@ -21206,6 +21211,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -21340,6 +21346,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -21414,6 +21421,7 @@ paths: - Data streams /api/fleet/epm/packages: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages parameters: - in: query @@ -21805,6 +21813,7 @@ paths: tags: - Elastic Package Manager (EPM) post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks 
@@ -21924,6 +21933,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -22098,6 +22108,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -22675,6 +22686,7 @@ paths: tags: - Elastic Package Manager (EPM) post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -22816,6 +22828,7 @@ paths: tags: - Elastic Package Manager (EPM) put: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -23277,6 +23290,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -23404,6 +23418,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path 
@@ -23450,6 +23465,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -23595,6 +23611,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -23632,6 +23649,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -23731,6 +23749,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: + description: '[Required authorization] Route required privileges: ALL of [integrations-read].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -24222,6 +24241,7 @@ paths: - Fleet internals /api/fleet/kubernetes: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-kubernetes parameters: - in: query @@ -24272,6 +24292,7 @@ paths: - Elastic Agent policies /api/fleet/kubernetes/download: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -30551,7 +30572,7 @@ paths: - Fleet package policies /api/fleet/package_policies/{packagePolicyId}: delete: - description: Delete a package policy by ID. + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -31876,6 +31897,7 @@ paths: - Fleet package policies /api/fleet/package_policies/delete: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -32004,7 +32026,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade: post: - description: Upgrade a package policy to a newer package version. + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -32077,6 +32099,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade/dryrun: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -33347,6 +33370,7 @@ paths: - Fleet service tokens /api/fleet/settings: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-settings parameters: [] responses: @@ -33434,6 +33458,7 @@ paths: tags: - Fleet internals put: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks From 4e2e0ab9ef540327c5c1655d7c9eff6538124b5a Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Fri, 3 Jan 2025 10:25:30 -0500 Subject: [PATCH 17/24] fix type --- .../platform/plugins/shared/fleet/server/routes/epm/index.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts index f832c571fc253..80b3dc3b581c6 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts 
@@ -101,6 +101,10 @@ export const INSTALL_PACKAGES_SECURITY: RouteSecurity = { }, }; +export const READ_PACKAGE_INFO_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { + integrations: { readPackageInfo: true }, +}; + export const READ_PACKAGE_INFO_SECURITY: RouteSecurity = { authz: { requiredPrivileges: [FLEET_API_PRIVILEGES.INTEGRATIONS.READ], From 76835ffa89687ae18fced37ed43cb7a6e4e3265b Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Fri, 3 Jan 2025 10:39:54 -0500 Subject: [PATCH 18/24] fix after review --- .../plugins/shared/fleet/server/routes/epm/index.ts | 10 +++++++++- .../fleet/server/routes/preconfiguration/index.ts | 2 ++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts index 80b3dc3b581c6..49658b45ce2f8 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts @@ -107,7 +107,15 @@ export const READ_PACKAGE_INFO_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { export const READ_PACKAGE_INFO_SECURITY: RouteSecurity = { authz: { - requiredPrivileges: [FLEET_API_PRIVILEGES.INTEGRATIONS.READ], + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + FLEET_API_PRIVILEGES.SETUP, + FLEET_API_PRIVILEGES.FLEET.ALL, + ], + }, + ], }, }; diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts index d7682e307fe11..0438050f43741 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts 
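Review bot: `READ_PACKAGE_INFO_SECURITY` now lets a caller through with `FLEET_API_PRIVILEGES.SETUP` or `FLEET_API_PRIVILEGES.FLEET.ALL` alone, but nothing at the constant records why. The constant is shared by every package-read route; the regenerated API docs further down this page list bulk assets, package files and the verification key id among them. A comment above it such as `// SETUP: lets Fleet Server setup read package info without integrations-read; FLEET.ALL: keeps access for full Fleet users` would capture the intent, though both reasons are inferred here and need the author's confirmation. `READ_PACKAGE_INFO_AUTHZ` from the previous hunk still expresses only `integrations: { readPackageInfo: true }`, so any route that keeps using it would enforce a different rule from this one. A one-line comment saying which routes still need the legacy constant would stop the two from drifting unnoticed.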
@@ -26,6 +26,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, ], }, }, @@ -48,6 +49,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, ], }, }, From 8550be3d3440d1264c6cbc12292c878093286276 Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Fri, 3 Jan 2025 10:54:46 -0500 Subject: [PATCH 19/24] fix missing commit --- .../plugins/shared/fleet/server/constants/api_privileges.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts index 62c0e7a6ceae5..ab2cdedc3520e 100644 --- a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -8,6 +8,10 @@ import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common'; export const FLEET_API_PRIVILEGES = { + FLEET: { + READ: `${PLUGIN_ID}-read`, + ALL: `${PLUGIN_ID}-all`, + }, AGENTS: { READ: `${PLUGIN_ID}-agents-read`, ALL: `${PLUGIN_ID}-agents-all`, From 31088288cb4ae384e51c833b4e8bdf190b13270e Mon Sep 17 00:00:00 2001 
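Review bot: The privilege list that gains `FLEET_API_PRIVILEGES.INTEGRATIONS.READ` is repeated verbatim in both hunks of `preconfiguration/index.ts` (new lines 26 and 49), so the two routes can drift apart on the next edit. Hoisting it into one named `RouteSecurity` constant, the way `epm/index.ts` does with `READ_PACKAGE_INFO_SECURITY`, would keep them in step. The opening of the array is outside both hunks, so it cannot be read from here whether the entries are all required or alternatives. If they are all required, this change narrows who can call the routes, and a short comment stating that this is intended would help the next reviewer.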
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:09:03 +0000 Subject: [PATCH 20/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 20 ++++++++++---------- oas_docs/bundle.serverless.json | 20 ++++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index 87752736d5bad..2439cdab61d44 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -19948,7 +19948,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20087,7 +20087,7 @@ }, "/api/fleet/epm/categories": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -20383,7 +20383,7 @@ }, "/api/fleet/epm/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { 
@@ -20497,7 +20497,7 @@ }, "/api/fleet/epm/packages": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21500,7 +21500,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21729,7 +21729,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21788,7 +21788,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -23705,7 +23705,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { 
@@ -23775,7 +23775,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23932,7 +23932,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index 17c0d473eec8c..cfaae830b610b 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -19948,7 +19948,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20087,7 +20087,7 @@ }, "/api/fleet/epm/categories": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-categories", "parameters": [ { 
@@ -20383,7 +20383,7 @@ }, "/api/fleet/epm/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -20497,7 +20497,7 @@ }, "/api/fleet/epm/packages": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21500,7 +21500,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21729,7 +21729,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21788,7 +21788,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { 
@@ -23705,7 +23705,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { @@ -23775,7 +23775,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23932,7 +23932,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-read].", + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { From 5ae1d59f28e2f6dc965337238737e9e9b2523e7e Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:26:04 +0000 Subject: [PATCH 21/24] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 20 ++++++++++---------- oas_docs/output/kibana.yaml | 20 ++++++++++---------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index b21cab52453c1..281df6dfd2c2c 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
@@ -18957,7 +18957,7 @@ paths: x-beta: true /api/fleet/epm/bulk_assets: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -19049,7 +19049,7 @@ paths: x-beta: true /api/fleet/epm/categories: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-categories parameters: - in: query @@ -19250,7 +19250,7 @@ paths: x-beta: true /api/fleet/epm/data_streams: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -19326,7 +19326,7 @@ paths: x-beta: true /api/fleet/epm/packages: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages parameters: - in: query @@ -21202,7 +21202,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path 
@@ -21332,7 +21332,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/stats: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path @@ -21380,7 +21380,7 @@ paths: x-beta: true /api/fleet/epm/packages/installed: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -21527,7 +21527,7 @@ paths: x-beta: true /api/fleet/epm/packages/limited: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -21566,7 +21566,7 @@ paths: x-beta: true /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -21667,7 +21667,7 @@ paths: x-beta: true /api/fleet/epm/verification_key_id: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: 
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index bbc5c0cb54d6e..80630ba852e80 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -21056,7 +21056,7 @@ paths: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -21147,7 +21147,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-categories parameters: - in: query @@ -21346,7 +21346,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -21421,7 +21421,7 @@ paths: - Data streams /api/fleet/epm/packages: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages parameters: - in: query 
@@ -23290,7 +23290,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -23418,7 +23418,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path @@ -23465,7 +23465,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -23611,7 +23611,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-limited parameters: [] responses: 
@@ -23649,7 +23649,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -23749,7 +23749,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: - description: '[Required authorization] Route required privileges: ALL of [integrations-read].' + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: From 682755501d69fdadd4cb62144f20033bfb4fc84a Mon Sep 17 00:00:00 2001 From: Nicolas Chaulet Date: Fri, 3 Jan 2025 13:37:37 -0500 Subject: [PATCH 22/24] fix agent policy fleet server access --- .../fleet/server/routes/agent_policy/index.ts | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts index 7d93f98267e59..9450b5e0da089 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts @@ -67,6 +67,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, ], }, ], @@ -106,6 +107,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, ], }, ], 
@@ -145,6 +147,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { anyRequired: [ FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, ], }, ], @@ -344,7 +347,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { path: AGENT_POLICY_API_ROUTES.FULL_INFO_DOWNLOAD_PATTERN, security: { authz: { - requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], }, }, enableQueryVersion: true, @@ -381,7 +387,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { path: K8S_API_ROUTES.K8S_INFO_PATTERN, security: { authz: { - requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], }, }, summary: `Get a full K8s agent manifest`, @@ -413,7 +422,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { path: K8S_API_ROUTES.K8S_DOWNLOAD_PATTERN, security: { authz: { - requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], }, }, enableQueryVersion: true, From 94bd539593421ae7152a628a36f2513f81a7fff1 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 18:54:27 +0000 Subject: [PATCH 23/24] [CI] Auto-commit changed files from 'node scripts/capture_oas_snapshot --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update' --- oas_docs/bundle.json | 12 ++++++------ oas_docs/bundle.serverless.json | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) 
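Review bot: In the hunks at new lines 347, 387 and 422, `FLEET_API_PRIVILEGES.SETUP` is appended to the flat `requiredPrivileges` array, which makes it an additional mandatory privilege rather than an alternative. The regenerated docs later on this page show the result as `ALL of [fleet-agent-policies-read, fleet-setup]` for the policy download and both Kubernetes routes. A caller holding only `fleet-agent-policies-read` would then be rejected and a setup-only caller would still get no access, which looks opposite to the commit title and to the three earlier hunks that add `SETUP` inside `anyRequired`. If an alternative is what was meant, use `requiredPrivileges: [{ anyRequired: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, FLEET_API_PRIVILEGES.SETUP] }],` in all three places. The enclosing `registerRoutes` body starts and ends outside these hunks.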
diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index 2439cdab61d44..c6f0da0659e20 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -9120,7 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -10959,7 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -12012,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -14561,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -24675,7 +24675,7 @@ }, "/api/fleet/kubernetes": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24756,7 +24756,7 @@ }, "/api/fleet/kubernetes/download": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index cfaae830b610b..0164ff66c96c9 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -9120,7 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -10959,7 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { 
@@ -12012,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -14561,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -24675,7 +24675,7 @@ }, "/api/fleet/kubernetes": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24756,7 +24756,7 @@ }, "/api/fleet/kubernetes/download": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { From f37f63252fedb28acdbbe3547281f467be824a9f Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Fri, 3 Jan 2025 19:09:32 +0000 Subject: [PATCH 24/24] [CI] Auto-commit changed files from 'make api-docs' --- oas_docs/output/kibana.serverless.yaml | 12 ++++++------ oas_docs/output/kibana.yaml | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 281df6dfd2c2c..95be596f030c7 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -11556,7 +11556,7 @@ paths: x-beta: true /api/fleet/agent_policies: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies parameters: - in: query 
@@ -12830,7 +12830,7 @@ paths: x-beta: true /api/fleet/agent_policies/_bulk_get: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -13376,7 +13376,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}: get: - description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -15144,7 +15144,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -22166,7 +22166,7 @@ paths: x-beta: true /api/fleet/kubernetes: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes parameters: - in: query @@ -22218,7 +22218,7 @@ paths: x-beta: true /api/fleet/kubernetes/download: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes-download parameters: - in: query diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 80630ba852e80..a9e3576374ae3 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -13698,7 +13698,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_policies: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies parameters: - in: query 
@@ -14970,7 +14970,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -15515,7 +15515,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: - description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read].' + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -17280,7 +17280,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -24241,7 +24241,7 @@ paths: - Fleet internals /api/fleet/kubernetes: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes parameters: - in: query @@ -24292,7 +24292,7 @@ paths: - Elastic Agent policies /api/fleet/kubernetes/download: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes-download parameters: - in: query