Skip to content

Commit

Permalink
[Fleet] Require AgentPolicies:All to add a fleet server (elastic#193014)
Browse files Browse the repository at this point in the history
(cherry picked from commit 193935c)
  • Loading branch information
nchaulet committed Sep 17, 2024
1 parent 259bfca commit 729f781
Show file tree
Hide file tree
Showing 3 changed files with 56 additions and 2 deletions.
3 changes: 2 additions & 1 deletion x-pack/plugins/fleet/common/authz.ts
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,8 @@ export const calculateAuthz = ({
allSettings: fleet.settings?.all ?? false,
allAgentPolicies: fleet.agentPolicies?.all ?? false,
addAgents: fleet.agents?.all ?? false,
addFleetServers: (fleet.agents?.all && fleet.settings?.all) ?? false,
addFleetServers:
(fleet.agents?.all && fleet.agentPolicies?.all && fleet.settings?.all) ?? false,
// Setup is needed to access the Fleet UI
setup:
hasFleetAll ||
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ export const FleetServerHostsSection: React.FunctionComponent<FleetServerHostsSe
fleetServerHosts={fleetServerHosts}
deleteFleetServerHost={deleteFleetServerHost}
/>
{authz.fleet.allSettings && authz.fleet.allAgents ? (
{authz.fleet.addFleetServers ? (
<>
<EuiSpacer size="s" />
<EuiButtonEmpty
Expand Down
53 changes: 53 additions & 0 deletions x-pack/plugins/fleet/server/services/security/security.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -886,4 +886,57 @@ describe('getAuthzFromRequest', () => {
expect(res.fleet.readAgents).toBe(false);
});
});

describe('Fleet addFleetServer', () => {
beforeEach(() => {
mockSecurity.authz.mode.useRbacForRequest.mockReturnValue(true);
});
it('should authorize user with Fleet:Agents:All Fleet:AgentsPolicies:All Fleet:Settings:All', async () => {
checkPrivileges.mockResolvedValue({
privileges: {
kibana: [
{
resource: 'default',
privilege: 'api:fleet-agents-all',
authorized: true,
},
{
resource: 'default',
privilege: 'api:fleet-agent-policies-all',
authorized: true,
},
{
resource: 'default',
privilege: 'api:fleet-settings-all',
authorized: true,
},
],
elasticsearch: {} as any,
},
hasAllRequested: true,
username: 'test',
});
const res = await getAuthzFromRequest({} as any);
expect(res.fleet.addFleetServers).toBe(true);
});

it('should not authorize user with only Fleet:Agents:All', async () => {
checkPrivileges.mockResolvedValue({
privileges: {
kibana: [
{
resource: 'default',
privilege: 'api:fleet-agents-all',
authorized: true,
},
],
elasticsearch: {} as any,
},
hasAllRequested: true,
username: 'test',
});
const res = await getAuthzFromRequest({} as any);
expect(res.fleet.addFleetServers).toBe(false);
});
});
});

0 comments on commit 729f781

Please sign in to comment.