Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet][Endpoint][RBAC V2] Update fleet router and config to allow API access via RBAC controls #145361

Merged
merged 68 commits into from
Dec 14, 2022
Merged

[Fleet][Endpoint][RBAC V2] Update fleet router and config to allow API access via RBAC controls #145361

merged 68 commits into from
Dec 14, 2022

Conversation

ashokaditya
Copy link
Member

@ashokaditya ashokaditya commented Nov 16, 2022
edited
Loading

Summary

Note
This PR is adding changes only to some of api/fleet/package_policies
API routes, there will be subsequent PRs after this to update
api/fleet/epm/packages, api/fleet/agent_policeis and,
api/fleet/agent_status.

This PR introduces the framework needed in fleet in order to be able to
support Package level Privileges - meaning: if a user does not have
authorization granted via Fleet and/or Integration privileges, then
package level privileges are check and API access granted. When access
is granted based on Package Privileges, the data is also validated to
ensure that it is limited to the integration package names that were
given authorization to the API.

The following APIs were updated to leverage this new framework:

  • Integration Package Policy list API
  • Integration Package Policy get one API
  • Integration Package Policy update one API
  • Integration Package Policy bulk get API

ℹ️ these API were updated in support of Endpoint use cases needed for
v8.7.

Example of API error for Package policies api:

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Authorization denied to [package.name=fleet_server]. Allowed package.name's: endpoint"
}

To test:

  1. Log in as elastic/superuser and create some agent policies.

  2. Under Stack Management, create a role policy_role with the
    following RBAC settings. DO NOT select Fleet -> All or toggle
    Integrations. Leave those RBAC toggles set to None
    Screenshot 2022-11-16 at 14 45 15

  3. Create a user e.g. policy_user and assign them only the above
    role. NOT superuser.

  4. Login with this user and navigate to
    app/security/administration/policy or curl/postman.

  5. Expect to see the following:

  • GET api/fleet/epm/packages?category=security should return a 403
    status.
  • GET
    api/fleet/package_policies?page=1&perPage=10&kuery=ingest-package-policies.package.name%3A%20endpoint
    should return a list of policies.
  • GET /api/fleet/package_policies/<packagePolicyId> should return a
    200 and a signle item that has the policie's details. Note that the
    package name of this item is endpoint.
  • there should be a POST API request matching
    api/fleet/agent_policies/_bulk_get, and should return a 403.
  1. With Policy Management RBAC set to All
  • PUT
    http://localhost:5601/api/fleet/package_policies/<packagePolicyId>
    should return a 200 with the updated policy details as response

Checklist

Co-authored-by: Paul Tavares paul.tavares@elastic.co

@ashokaditya ashokaditya self-assigned this Nov 16, 2022
@ashokaditya ashokaditya added Team:Defend Workflows “EDR Workflows” sub-team of Security Solution OLM Sprint 8.7 candidate release_note:feature Makes this part of the condensed release notes labels Nov 16, 2022
@ashokaditya ashokaditya force-pushed the task/olm-policy-list-api-rbac-4926 branch 9 times, most recently from 020caa1 to b29cd19 Compare November 21, 2022 14:02
This was referenced Nov 21, 2022
Merged
Closed
@ashokaditya ashokaditya force-pushed the task/olm-policy-list-api-rbac-4926 branch 3 times, most recently from c01607f to b82e709 Compare November 23, 2022 07:43
gergoabraham added a commit that referenced this pull request Nov 23, 2022
@gergoabraham
[Security Solution] UI trusted applications RBAC (#145593)
4c6a915 
## Summary

RBAC UI features for Trusted Applications. To test, enable
`endpointRbacEnabled` feature-flag, create a non-superuser user with
_Security: ALL_ privilege and (All | Read | None) sub-privilege for
_Trusted Applications_.
<img width="541" alt="image"
src="https://user-images.githubusercontent.com/39014407/203073992-fb71e293-2cd8-4639-8d61-4867e39ef071.png">

The modification should:
- hide Trusted Apps from Manage navigation items if privilege is NONE,
(note: it is still displayed for non-superusers, if the feature flag is
disabled)
- disable add/edit/delete for Trusted Applications if privilege is READ.

## ⚠️  Note
This PR focuses on _Read_ and _None_. The sub-privilege _All_ does not
work perfectly at the moment, because of unauthorised API calls. A
follow-up PR will fix this, after this PR is merged:
#145361

### Checklist

Delete any items that are not applicable to this PR.
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
@ashokaditya ashokaditya force-pushed the task/olm-policy-list-api-rbac-4926 branch 5 times, most recently from e2d3807 to e7a4db3 Compare November 29, 2022 12:38
@ashokaditya ashokaditya changed the title [Security Solution][Endpoint][RBAC V2] Policy list management RBAC v2 [Security Solution][Fleet][Endpoint][RBAC V2] Update fleet API route config to allow route access via RBAC controls Nov 29, 2022
@ashokaditya ashokaditya force-pushed the task/olm-policy-list-api-rbac-4926 branch from e7a4db3 to 7f5102a Compare November 29, 2022 13:30
@ashokaditya ashokaditya mentioned this pull request Dec 16, 2022
Merged
2 tasks
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 19, 2022
@ashokaditya
add roles for tests
e5a5feb 
refs elastic/pull/145361
fixes elastic/security-team/issues/5617
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 19, 2022
@ashokaditya
add rbac feature flag to config
496eb32 
refs elastic/pull/145361
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 19, 2022
@ashokaditya
add tests for get API requests
4cd7abe 
refs elastic/pull/145361
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 19, 2022
@ashokaditya
add tests for update API
ea7034f 
refs elastic/pull/145361
@ashokaditya ashokaditya deleted the task/olm-policy-list-api-rbac-4926 branch December 21, 2022 16:03
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 22, 2022
@ashokaditya
update route to use calculateRouteAuthz
09bfc30 
refs elastic/pull/145361
refs elastic/security-team/issues/5539
fixes elastic/security-team/issues/5620
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 22, 2022
@ashokaditya
add success test cases for endpoint pkg. privilege
8ba1efe 
refs  elastic/pull/145361
ashokaditya added a commit to ashokaditya/kibana that referenced this pull request Dec 23, 2022
@ashokaditya
update policy tests for RBAC package privileges
b18f445 
refs elastic/pull/145361
ashokaditya added a commit that referenced this pull request Jan 3, 2023
@ashokaditya @hop-dev @kibanamachine
[Fleet][RBAC v2] Add tests for fleet API changes (#147611)
55f6006 
## Summary

Tests related to changes in /pull/145361


### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
ashokaditya added a commit that referenced this pull request Jan 3, 2023
@ashokaditya @kibanamachine
[Fleet][RBAC v2] Update agent_status route to use `calculateRouteAu…
72d2f75 
…thz` (#147696)

## Summary

Follow up PR to update `api/fleet/agent_status` route.
refs /pull/145361
refs elastic/security-team/issues/5539

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios

### For maintainers

- [x] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paul-tavares paul-tavares paul-tavares left review comments

@nchaulet nchaulet nchaulet approved these changes

@juliaElastic juliaElastic juliaElastic approved these changes

Assignees

@ashokaditya ashokaditya

Labels
backport:skip This commit does not require backporting OLM Sprint release_note:feature Makes this part of the condensed release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution Team:Fleet Team label for Observability Data Collection Fleet team v8.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@ashokaditya @juliaElastic @elasticmachine @paul-tavares @kibana-ci @nchaulet @kibanamachine @kevinlog