

[APM] Add permissions for "input-only" package (#166234)
Closes: #164936

This grants the necessary permissions to APM Server when running under
fleet.
sorenlouv authored Sep 25, 2023
1 parent 1066eb3 commit 4662960
Showing 9 changed files with 566 additions and 182 deletions.
12 changes: 3 additions & 9 deletions x-pack/plugins/fleet/common/types/models/agent_policy.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@
* 2.0.
*/

import type { SecurityRoleDescriptor } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';

import type { agentPolicyStatuses } from '../../constants';
import type { MonitoringType, PolicySecretReference, ValueOf } from '..';

Expand Down Expand Up @@ -77,15 +79,7 @@ export interface FullAgentPolicyInput {
[key: string]: any;
}

export interface FullAgentPolicyOutputPermissions {
[packagePolicyName: string]: {
cluster?: string[];
indices?: Array<{
names: string[];
privileges: string[];
}>;
};
}
export type FullAgentPolicyOutputPermissions = Record<string, SecurityRoleDescriptor>;

export type FullAgentPolicyOutput = Pick<Output, 'type' | 'hosts' | 'ca_sha256'> & {
proxy_url?: string;
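Review bot: The replacement alias `FullAgentPolicyOutputPermissions = Record<string, SecurityRoleDescriptor>` admits every field of an Elasticsearch role descriptor (for example `applications` and `run_as`), whereas the removed interface bounded an agent's output grant to `cluster` and `indices`; nothing in this commit shows the input-only path needing more than those two, so the type no longer constrains what a package can hand to the agent's output API key. If only those fields are consumed, `Record<string, Pick<SecurityRoleDescriptor, 'cluster' | 'indices'>>` keeps the stricter privilege literals this change gains without widening the contract. The removed index signature also documented the key as `packagePolicyName`, yet the new test in this commit keys the result by the policy id (`package-policy-uuid-test-123`), so the alias deserves a doc comment that names the key correctly, e.g. `/** Permissions per package policy (keyed by policy id in the new tests — confirm); each value is the role descriptor granted for that policy's output. */`.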
Original file line number Diff line number Diff line change
Expand Up @@ -312,31 +312,11 @@ describe('Fleet preconfiguration reset', () => {
cluster: ['cluster:monitor/main'],
indices: [
{
names: ['logs-apm.app-default'],
names: ['traces-*', 'logs-*', 'metrics-*'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['metrics-apm.app.*-default'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['logs-apm.error-default'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['metrics-apm.internal-default'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['metrics-apm.profiling-default'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['traces-apm.rum-default'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['traces-apm.sampled-default'],
names: ['traces-apm.sampled-*'],
privileges: [
'auto_configure',
'create_doc',
Expand All @@ -345,10 +325,6 @@ describe('Fleet preconfiguration reset', () => {
'read',
],
},
{
names: ['traces-apm-default'],
privileges: ['auto_configure', 'create_doc'],
},
],
},
},
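Review bot: The expected `indices` entries move from namespace-scoped, per-data-stream names such as `logs-apm.error-default` to `traces-*`, `logs-*` and `metrics-*`, which pins `auto_configure`/`create_doc` for the APM policy's API key on every data stream of every integration and namespace, and the test records that widening without saying why. A comment above the `indices` array would make the intent reviewable, e.g. `// APM Server targets service-specific data streams not known at policy time, so the input-only package is granted the whole traces-*/logs-*/metrics-* families rather than per-stream names` — presumably the reason, but the page does not state it. The `traces-apm.sampled-*` entry keeps its `maintenance`/`monitor`/`read` privileges as before, only dropping the `-default` namespace suffix. The enclosing `describe('Fleet preconfiguration reset')` starts outside the hunk.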
Original file line number Diff line number Diff line change
Expand Up @@ -239,26 +239,66 @@ packageInfoCache.set('profiler_collector-8.9.0-preview', {
},
});

packageInfoCache.set('apm-8.9.0-preview', {
format_version: '2.7.0',
name: 'apm',
title: 'APM',
version: '8.9.0-preview',
license: 'basic',
description: 'APM Server integration',
type: 'integration',
release: 'beta',
categories: ['observability'],
icons: [],
owner: { github: 'elastic/apm-server' },
data_streams: [],
latestVersion: '8.9.0-preview',
status: 'not_installed',
assets: {
kibana: {
csp_rule_template: [],
dashboard: [],
visualization: [],
search: [],
index_pattern: [],
map: [],
lens: [],
security_rule: [],
ml_module: [],
tag: [],
osquery_pack_asset: [],
osquery_saved_query: [],
},
elasticsearch: {
component_template: [],
ingest_pipeline: [],
ilm_policy: [],
transform: [],
index_template: [],
data_stream_ilm_policy: [],
ml_model: [],
},
},
});

describe('storedPackagePoliciesToAgentPermissions()', () => {
it('Returns `undefined` if there are no package policies', async () => {
const permissions = await storedPackagePoliciesToAgentPermissions(packageInfoCache, []);
expect(permissions).toBeUndefined();
});

it('Throw an error if package policies is not an array', async () => {
await expect(() =>
storedPackagePoliciesToAgentPermissions(packageInfoCache, undefined)
).rejects.toThrow(
it('Throw an error if package policies is not an array', () => {
expect(() => storedPackagePoliciesToAgentPermissions(packageInfoCache, undefined)).toThrow(
/storedPackagePoliciesToAgentPermissions should be called with a PackagePolicy/
);
});

it('Returns the default permissions if a package policy does not have a package', async () => {
await expect(() =>
it('Returns the default permissions if a package policy does not have a package', () => {
expect(() =>
storedPackagePoliciesToAgentPermissions(packageInfoCache, [
{ name: 'foo', package: undefined } as PackagePolicy,
])
).rejects.toThrow(/No package for package policy foo/);
).toThrow(/No package for package policy foo/);
});

it('Returns the permissions for the enabled inputs', async () => {
Expand Down Expand Up @@ -545,6 +585,52 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
},
});
});

it('returns the correct permissions for the APM package', async () => {
const packagePolicies: PackagePolicy[] = [
{
id: 'package-policy-uuid-test-123',
name: 'test-policy',
namespace: '',
enabled: true,
package: { name: 'apm', version: '8.9.0-preview', title: 'Test Package' },
inputs: [
{
type: 'pf-elastic-collector',
enabled: true,
streams: [],
},
],
created_at: '',
updated_at: '',
created_by: '',
updated_by: '',
revision: 1,
policy_id: '',
},
];

const permissions = await storedPackagePoliciesToAgentPermissions(
packageInfoCache,
packagePolicies
);

expect(permissions).toMatchObject({
'package-policy-uuid-test-123': {
cluster: ['cluster:monitor/main'],
indices: [
{
names: ['traces-*', 'logs-*', 'metrics-*'],
privileges: ['auto_configure', 'create_doc'],
},
{
names: ['traces-apm.sampled-*'],
privileges: ['auto_configure', 'create_doc', 'maintenance', 'monitor', 'read'],
},
],
},
});
});
});

describe('getDataStreamPrivileges()', () => {
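Review bot: The new fixture in `it('returns the correct permissions for the APM package')` declares its only input as `type: 'pf-elastic-collector'`, the profiler collector's input type from the preceding case rather than an APM input, so the assertion passes only if the APM branch of `storedPackagePoliciesToAgentPermissions` is chosen by package name alone, which this page does not show. Either use the apm package's actual input type in the fixture or add `// input type is irrelevant here: APM permissions are selected by package name` if that is indeed the behaviour. Separately, the two tests in the first hunk were switched from `.rejects.toThrow` to a synchronous `toThrow`, implying the function no longer returns a promise, yet this new test and the unchanged first one still use `async`/`await`; make the four cases consistent.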
