forked from elastic/kibana
[Fleet] RBAC - Make read agent actions space aware (elastic#189519)
## Summary

Relates to elastic#185040

This PR makes the following Fleet agents API space aware (behind `useSpaceAwareness` feature flag):

* `GET /agents/action_status`
* `POST /agents/{agentId}/actions`

I have already started work on `POST /agents/{agentId}/actions/{actionId}/cancel` but I think it would be best grouped with `POST /agents/{agentId}/upgrade` and `POST /agents/bulk_upgrade` in a separate PR.

### Details

#### GET /agents/action_status

⚠️ I have implemented the following logic in the action status service:

* If the `useSpaceAwareness` feature flag is disabled, there is no change.
* In the default space, actions with `namespaces: ['default']` and those with no `namespaces` property are returned.
* In a custom space, only actions with `namespaces: ['spaceName']` are returned.

This is to ensure older actions with no `namespaces` property are not lost. Feedback on this approach would be awesome.

NB: only tag update agent actions and agent policy update actions have a `namespaces` property at the moment.

#### POST /agents/{agentId}/actions

* If the `useSpaceAwareness` feature flag is enabled, the action fails if the agent is not in the current space.
* The `namespaces` property is populated when the action is created.

#### Other

This PR also fixes an issue with setting `namespaces` in agent actions for tags update in the default space (this is because I didn't realise `soClient.getCurrentNamespace()` returns `undefined` in the default space).

⚠️ I also modified the `isAgentInNamespace` helper to return `true` in the default space for agents with no explicitly set namespaces.

Finally, this PR introduces the following helpers:

* `getCurrentNamespace(soClient)`: this helper returns the string `default` instead of `undefined` in the default space, which seems to be the behaviour we want most of the time.
* `addNamespaceFilteringToQuery`: this helper extends the ES queries used in the action status service to conditionally add filtering by namespace as described above. It should be reusable for other endpoints as well.
* The `isAgentInNamespace` and `agentsKueryNamespaceFilter` were moved into the `fleet/server/services/spaces` folder where other space-related helpers live.

### Testing

1. In order to test `GET /agents/action_status`, the best would be to have a custom space and create a mix of agent and agent policy actions across the default and the custom spaces, for instance:
   * Agent policy updates (change the policy description)
   * Update agent tags (creates agent actions with set `namespaces`)
   * Unenroll agents (creates agent actions with no `namespaces` property)

   Then check the output of `GET /agents/action_status` from the Dev Tools and the UI (agent activity flyout):
   * Agent policy actions should only be listed in the relevant space.
   * Update agent tags actions should only be listed in the relevant space.
   * Other actions should only be listed in the default space.
2. Test `POST /agents/{agentId}/actions` from the Dev Tools with any action type, e.g. `"UNENROLL"`:
   * If the agent is not in the current space, it should return not found.
   * If the agent is in the current space, it should create an action with the correct `namespaces` property.

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
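
The visibility rule described under `GET /agents/action_status`, as an added TypeScript example that is not part of this commit or of Kibana's code: it builds the Elasticsearch filter clause for the rule and applies the same rule to constructed action documents, showing that actions without `namespaces` stay visible only in the default space. All function names, the `secops` space and the sample documents are assumptions made for illustration.

```typescript
// Added illustration; every name here is hypothetical, not Kibana's implementation.
const DEFAULT_SPACE = 'default';

interface ActionDoc { action_id: string; namespaces?: string[] }
type EsClause = Record<string, unknown>;

// The commit message notes the current namespace is undefined in the default space.
function normalizeSpace(ns: string | undefined): string {
  return ns ?? DEFAULT_SPACE;
}

// Filter clause for the rule; assumes `namespaces` is mapped as a keyword field.
function namespaceFilter(spaceId: string | undefined, flagEnabled: boolean): EsClause | undefined {
  if (!flagEnabled) return undefined; // feature flag off: query is left unchanged
  const space = normalizeSpace(spaceId);
  const inSpace: EsClause = { term: { namespaces: space } };
  if (space !== DEFAULT_SPACE) return inSpace; // custom space: exact match only
  // Default space: also accept older actions that carry no `namespaces` field.
  const legacy: EsClause = { bool: { must_not: { exists: { field: 'namespaces' } } } };
  return { bool: { should: [inSpace, legacy], minimum_should_match: 1 } };
}

// The same rule evaluated in memory, to check the isolation property.
function isVisible(action: ActionDoc, spaceId: string | undefined, flagEnabled: boolean): boolean {
  if (!flagEnabled) return true;
  const space = normalizeSpace(spaceId);
  // An empty array is treated like a missing field, as an `exists` query would.
  if (!action.namespaces || action.namespaces.length === 0) return space === DEFAULT_SPACE;
  return action.namespaces.includes(space);
}

// Constructed sample documents.
const sampleActions: ActionDoc[] = [
  { action_id: 'tags-default', namespaces: ['default'] },
  { action_id: 'tags-secops', namespaces: ['secops'] },
  { action_id: 'unenroll-legacy' }, // older action, no `namespaces` property
];

function visibleIds(spaceId: string | undefined, flagEnabled: boolean): string[] {
  return sampleActions.filter((a) => isVisible(a, spaceId, flagEnabled)).map((a) => a.action_id);
}

console.log(visibleIds(undefined, true)); // default space
console.log(visibleIds('secops', true)); // custom space
console.log(JSON.stringify(namespaceFilter(undefined, true)));
```
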
1 parent e67b460, commit 718f6c3

Showing 20 changed files with 859 additions and 187 deletions.