From 0b8ae3634d8bc7c9320d9c447a66e936a347d34e Mon Sep 17 00:00:00 2001
From: Nicolas Chaulet
Date: Mon, 6 Jan 2025 14:41:00 -0500
Subject: [PATCH] [Fleet] Use Kibana Authz for API authorization (#205335)
---
oas_docs/bundle.json | 124 +++++++++++----
oas_docs/bundle.serverless.json | 124 +++++++++++----
oas_docs/output/kibana.serverless.yaml | 124 +++++++++++----
oas_docs/output/kibana.yaml | 124 +++++++++++----
.../fleet/server/constants/api_privileges.ts | 32 ++++
.../shared/fleet/server/routes/agent/index.ts | 149 ++++++++++++------
.../fleet/server/routes/agent_policy/index.ts | 122 ++++++++++----
.../shared/fleet/server/routes/app/index.ts | 23 ++-
.../fleet/server/routes/data_streams/index.ts | 12 +-
.../shared/fleet/server/routes/debug/index.ts | 32 +++-
.../server/routes/download_source/index.ts | 46 ++++--
.../server/routes/enrollment_api_key/index.ts | 34 ++--
.../shared/fleet/server/routes/epm/index.ts | 83 ++++++----
.../server/routes/fleet_proxies/index.ts | 32 ++--
.../server/routes/fleet_server_hosts/index.ts | 36 +++--
.../fleet/server/routes/health_check/index.ts | 8 +-
.../routes/message_signing_service/index.ts | 11 +-
.../fleet/server/routes/output/index.ts | 65 ++++++--
.../server/routes/package_policy/index.ts | 43 +++--
.../server/routes/preconfiguration/index.ts | 23 ++-
.../fleet/server/routes/settings/index.ts | 27 ++--
.../shared/fleet/server/routes/setup/index.ts | 47 +++++-
.../routes/standalone_agent_api_key/index.ts | 8 +-
.../server/routes/uninstall_token/index.ts | 14 +-
.../fleet/server/services/package_policy.ts | 63 ++++----
.../server/services/security/fleet_router.ts | 2 +-
26 files changed, 1025 insertions(+), 383 deletions(-)
create mode 100644 x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts
diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json
index 84ce538ee1311..067c970ba3da0 100644
--- a/oas_docs/bundle.json
+++ b/oas_docs/bundle.json
@@ -8595,6 +8595,7 @@ }, "/api/fleet/agent_download_sources": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -8690,6 +8691,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -8818,7 +8820,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8891,7 +8893,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8981,7 +8983,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -9118,6 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -9955,6 +9958,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -10955,6 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -11741,7 +11746,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -11834,7 +11839,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -12007,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -12758,7 +12763,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -13771,7 +13776,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -14556,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -14661,7 +14666,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -15187,7 +15192,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -15468,6 +15473,7 @@ }, "/api/fleet/agent_status/data": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -15587,6 +15593,7 @@ }, "/api/fleet/agents": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents", "parameters": [ { @@ -16126,6 +16133,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents", "parameters": [ { @@ -16216,6 +16224,7 @@ }, "/api/fleet/agents/action_status": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -16439,6 +16448,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16567,6 +16577,7 @@ }, "/api/fleet/agents/available_versions": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -16625,6 +16636,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { 
@@ -16730,6 +16742,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { @@ -16836,6 +16849,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -16947,6 +16961,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17060,6 +17075,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17181,7 +17197,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17260,7 +17276,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -17324,6 +17340,7 @@ }, "/api/fleet/agents/setup": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -17411,6 +17428,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -17498,6 +17516,7 @@ }, "/api/fleet/agents/tags": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -17574,7 +17593,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -17650,7 +17669,7 @@ ] }, "get": { - "description": "Get an agent by ID.", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -18104,7 +18123,7 @@ ] }, "put": { - "description": "Update an agent by ID.", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18583,6 +18602,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18786,6 +18806,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18871,6 +18892,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -18967,6 +18989,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19016,6 +19039,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -19110,6 +19134,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { @@ -19289,6 +19314,7 @@ }, "/api/fleet/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { 
@@ -19433,6 +19459,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -19608,6 +19635,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -19741,7 +19769,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19817,7 +19845,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19918,6 +19946,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20056,6 +20085,7 @@ }, "/api/fleet/epm/categories": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -20154,6 +20184,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -20350,6 +20381,7 @@ }, "/api/fleet/epm/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -20463,6 +20495,7 @@ }, "/api/fleet/epm/packages": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21022,6 +21055,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -21198,6 +21232,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { 
@@ -21463,6 +21498,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21691,6 +21727,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21749,6 +21786,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -21822,6 +21860,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22658,6 +22697,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22867,6 +22907,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -23662,6 +23703,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { 
@@ -23731,6 +23773,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23887,6 +23930,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -23943,6 +23987,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -24047,6 +24092,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -24193,7 +24239,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.", + "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24266,7 +24312,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24365,7 +24411,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24511,6 +24557,7 @@ }, "/api/fleet/health_check": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-health-check", "parameters": [ { @@ -24626,6 +24673,7 @@ }, "/api/fleet/kubernetes": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24706,6 +24754,7 @@ }, "/api/fleet/kubernetes/download": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -24802,6 +24851,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -24868,6 +24918,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { @@ -24968,6 +25019,7 @@ }, "/api/fleet/outputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -26051,6 +26103,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-outputs", "parameters": [ { 
@@ -28156,7 +28209,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.", + "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -28254,7 +28307,7 @@ ] }, "get": { - "description": "Get output by ID.", + "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -29332,7 +29385,7 @@ ] }, "put": { - "description": "Update output by ID.", + "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -31422,6 +31475,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -34175,6 +34229,7 @@ }, "/api/fleet/package_policies/delete": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -34366,7 +34421,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.", + "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -34479,6 +34534,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -35664,7 +35720,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -37685,6 +37741,7 @@ }, "/api/fleet/proxies": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -37803,6 +37860,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-proxies", "parameters": [ { @@ -37977,7 +38035,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -38050,7 +38108,7 @@ ] }, "get": { - "description": "Get a proxy by ID.", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -38163,7 +38221,7 @@ ] }, "put": { - "description": "Update a proxy by ID.", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -38341,6 +38399,7 @@ }, "/api/fleet/service_tokens": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -38428,6 +38487,7 @@ }, "/api/fleet/settings": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -38560,6 +38620,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-settings", "parameters": [ { @@ -38752,6 +38813,7 @@ }, "/api/fleet/setup": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-setup", "parameters": [ { @@ -38858,7 +38920,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -38995,7 +39057,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index 68f4c181fc541..4a0e3f14391b9 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -8595,6 +8595,7 @@ }, "/api/fleet/agent_download_sources": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -8690,6 +8691,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -8818,7 +8820,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8891,7 +8893,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -8981,7 +8983,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -9118,6 +9120,7 @@ }, "/api/fleet/agent_policies": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -9955,6 +9958,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -10955,6 +10959,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -11741,7 +11746,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -11834,7 +11839,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -12007,7 +12012,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -12758,7 +12763,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -13771,7 +13776,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -14556,7 +14561,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -14661,7 +14666,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -15187,7 +15192,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -15468,6 +15473,7 @@ }, "/api/fleet/agent_status/data": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -15587,6 +15593,7 @@ }, "/api/fleet/agents": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents", "parameters": [ { @@ -16126,6 +16133,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents", "parameters": [ { @@ -16216,6 +16224,7 @@ }, "/api/fleet/agents/action_status": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -16439,6 +16448,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -16567,6 +16577,7 @@ }, "/api/fleet/agents/available_versions": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -16625,6 +16636,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { 
@@ -16730,6 +16742,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { @@ -16836,6 +16849,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -16947,6 +16961,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -17060,6 +17075,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -17181,7 +17197,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -17260,7 +17276,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -17324,6 +17340,7 @@ }, "/api/fleet/agents/setup": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -17411,6 +17428,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -17498,6 +17516,7 @@ }, "/api/fleet/agents/tags": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -17574,7 +17593,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.", + "description": "Delete an agent by ID.
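Review bot: The description added for `post-fleet-agents-setup` documents `ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup]`, so a role holding a single read privilege is listed as sufficient for a POST setup route. The same list is attached to `post-fleet-setup` further down this file and to the serverless YAML copy. The hunk does not show what the handler does, but if setup writes state, as the verb suggests, the read-level alternatives deserve a second look. If they are deliberate, the route description should say so, for example `Any Fleet read privilege may trigger setup; the operation is idempotent.`, provided that is true of the handler. These strings look generated from the route definitions, so the change belongs there rather than in this bundle.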

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -17650,7 +17669,7 @@ ] }, "get": { - "description": "Get an agent by ID.", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -18104,7 +18123,7 @@ ] }, "put": { - "description": "Update an agent by ID.", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -18583,6 +18602,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -18786,6 +18806,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -18871,6 +18892,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -18967,6 +18989,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -19016,6 +19039,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -19110,6 +19134,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { @@ -19289,6 +19314,7 @@ }, "/api/fleet/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { 
@@ -19433,6 +19459,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -19608,6 +19635,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -19741,7 +19769,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19817,7 +19845,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -19918,6 +19946,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -20056,6 +20085,7 @@ }, "/api/fleet/epm/categories": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -20154,6 +20184,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -20350,6 +20381,7 @@ }, "/api/fleet/epm/data_streams": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -20463,6 +20495,7 @@ }, "/api/fleet/epm/packages": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -21022,6 +21055,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -21198,6 +21232,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { 
@@ -21463,6 +21498,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -21691,6 +21727,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -21749,6 +21786,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -21822,6 +21860,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22658,6 +22697,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -22867,6 +22907,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -23662,6 +23703,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { 
@@ -23731,6 +23773,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -23887,6 +23930,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -23943,6 +23987,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -24047,6 +24092,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -24193,7 +24239,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.", + "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24266,7 +24312,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24365,7 +24411,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -24511,6 +24557,7 @@ }, "/api/fleet/health_check": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-health-check", "parameters": [ { @@ -24626,6 +24673,7 @@ }, "/api/fleet/kubernetes": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -24706,6 +24754,7 @@ }, "/api/fleet/kubernetes/download": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -24802,6 +24851,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -24868,6 +24918,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { @@ -24968,6 +25019,7 @@ }, "/api/fleet/outputs": { "get": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -26051,6 +26103,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-outputs", "parameters": [ { 
@@ -28156,7 +28209,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.", + "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -28254,7 +28307,7 @@ ] }, "get": { - "description": "Get output by ID.", + "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -29332,7 +29385,7 @@ ] }, "put": { - "description": "Update output by ID.", + "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -31422,6 +31475,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -34175,6 +34229,7 @@ }, "/api/fleet/package_policies/delete": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -34366,7 +34421,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.", + "description": "Upgrade a package policy to a newer package version.
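Review bot: `put-fleet-outputs-outputid` is documented as `ANY of [fleet-settings-all OR fleet-agent-policies-all]`, while `post-fleet-outputs` and `delete-fleet-outputs-outputid` in this same file require `ALL of [fleet-settings-all]`, so a role that cannot create or delete an output is listed as able to update one. Nothing in this hunk shows whether the handler limits which fields a `fleet-agent-policies-all` caller may change. If no such limit exists, the update route should match its siblings with `ALL of [fleet-settings-all]`. If a limit does exist, the description should state it so that people auditing roles from the API docs do not read this as full write access. The text appears to be generated from the route definition, so the edit belongs in that definition.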

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -34479,6 +34534,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -35664,7 +35720,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -37685,6 +37741,7 @@ }, "/api/fleet/proxies": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -37803,6 +37860,7 @@ ] }, "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "post-fleet-proxies", "parameters": [ { @@ -37977,7 +38035,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -38050,7 +38108,7 @@ ] }, "get": { - "description": "Get a proxy by ID.", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -38163,7 +38221,7 @@ ] }, "put": { - "description": "Update a proxy by ID.", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -38341,6 +38399,7 @@ }, "/api/fleet/service_tokens": { "post": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -38428,6 +38487,7 @@ }, "/api/fleet/settings": { "get": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -38560,6 +38620,7 @@ ] }, "put": { + "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", "operationId": "put-fleet-settings", "parameters": [ { @@ -38752,6 +38813,7 @@ }, "/api/fleet/setup": { "post": { + "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", "operationId": "post-fleet-setup", "parameters": [ { @@ -38858,7 +38920,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -38995,7 +39057,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index b9c0acda9e793..8af2c5522a740 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -11199,6 +11199,7 @@ paths: x-beta: true /api/fleet/agent_download_sources: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -11265,6 +11266,7 @@ paths: - Elastic Agent binary download sources x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -11352,7 +11354,7 @@ paths: x-beta: true /api/fleet/agent_download_sources/{sourceId}: delete: - description: Delete an agent binary download source by ID. + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -11400,7 +11402,7 @@ paths: - Elastic Agent binary download sources x-beta: true get: - description: Get an agent binary download source by ID. + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -11461,7 +11463,7 @@ paths: - Elastic Agent binary download sources x-beta: true put: - description: Update an agent binary download source by ID. + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -11554,6 +11556,7 @@ paths: x-beta: true /api/fleet/agent_policies: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies parameters: - in: query @@ -12133,6 +12136,7 @@ paths: - Elastic Agent policies x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks @@ -12826,6 +12830,7 @@ paths: x-beta: true /api/fleet/agent_policies/_bulk_get: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -13371,7 +13376,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}: get: - description: Get an agent policy by ID. + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -13893,7 +13898,7 @@ paths: - Elastic Agent policies x-beta: true put: - description: Update an agent policy by ID. + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -14595,7 +14600,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Copy an agent policy by ID. + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -15139,7 +15144,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: Download an agent policy by ID. + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -15206,7 +15211,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: Get a full agent policy by ID. + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -15555,7 +15560,7 @@ paths: x-beta: true /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: Get a list of outputs associated with agent policy by policy id. + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -15652,7 +15657,7 @@ paths: x-beta: true /api/fleet/agent_policies/delete: post: - description: Delete an agent policy by ID. + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -15713,7 +15718,7 @@ paths: x-beta: true /api/fleet/agent_policies/outputs: post: - description: Get a list of outputs associated with agent policies. + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -15916,6 +15921,7 @@ paths: x-beta: true /api/fleet/agent_status/data: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agent-status-data parameters: - in: query @@ -15991,6 +15997,7 @@ paths: x-beta: true /api/fleet/agents: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents parameters: - in: query @@ -16370,6 +16377,7 @@ paths: - Elastic Agents x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -16428,7 +16436,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}: delete: - description: Delete an agent by ID. + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -16478,7 +16486,7 @@ paths: - Elastic Agents x-beta: true get: - description: Get an agent by ID. + description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid parameters: - in: path @@ -16800,7 +16808,7 @@ paths: - Elastic Agents x-beta: true put: - description: Update an agent by ID. + description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -17138,6 +17146,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/actions: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -17274,6 +17283,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -17329,6 +17339,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -17391,6 +17402,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -17424,6 +17436,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks 
@@ -17485,6 +17498,7 @@ paths: x-beta: true /api/fleet/agents/{agentId}/uploads: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -17558,6 +17572,7 @@ paths: x-beta: true /api/fleet/agents/action_status: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-action-status parameters: - in: query @@ -17716,6 +17731,7 @@ paths: x-beta: true /api/fleet/agents/actions/{actionId}/cancel: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -17802,6 +17818,7 @@ paths: x-beta: true /api/fleet/agents/available_versions: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -17840,6 +17857,7 @@ paths: x-beta: true /api/fleet/agents/bulk_reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -17906,6 +17924,7 @@ paths: x-beta: true /api/fleet/agents/bulk_request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks 
@@ -17972,6 +17991,7 @@ paths: x-beta: true /api/fleet/agents/bulk_unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -18043,6 +18063,7 @@ paths: x-beta: true /api/fleet/agents/bulk_update_agent_tags: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -18114,6 +18135,7 @@ paths: x-beta: true /api/fleet/agents/bulk_upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -18191,7 +18213,7 @@ paths: x-beta: true /api/fleet/agents/files/{fileId}: delete: - description: Delete a file uploaded by an agent. + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -18243,7 +18265,7 @@ paths: x-beta: true /api/fleet/agents/files/{fileId}/{fileName}: get: - description: Get a file uploaded by an agent. + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -18284,6 +18306,7 @@ paths: x-beta: true /api/fleet/agents/setup: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: get-fleet-agents-setup parameters: [] responses: @@ -18344,6 +18367,7 @@ paths: - Elastic Agents x-beta: true post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -18402,6 +18426,7 @@ paths: x-beta: true /api/fleet/agents/tags: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-tags parameters: - in: query @@ -18498,6 +18523,7 @@ paths: x-beta: true /api/fleet/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: get-fleet-data-streams parameters: [] responses: @@ -18595,6 +18621,7 @@ paths: x-beta: true /api/fleet/enrollment_api_keys: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -18718,6 +18745,7 @@ paths: - Fleet enrollment API keys x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks 
@@ -18808,7 +18836,7 @@ paths: x-beta: true /api/fleet/enrollment_api_keys/{keyId}: delete: - description: Revoke an enrollment API key by ID by marking it as inactive. + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -18858,7 +18886,7 @@ paths: - Fleet enrollment API keys x-beta: true get: - description: Get an enrollment API key by ID. + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -18927,6 +18955,7 @@ paths: x-beta: true /api/fleet/epm/bulk_assets: post: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -19018,6 +19047,7 @@ paths: x-beta: true /api/fleet/epm/categories: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-categories parameters: - in: query @@ -19082,6 +19112,7 @@ paths: x-beta: true /api/fleet/epm/custom_integrations: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -19217,6 +19248,7 @@ paths: x-beta: true /api/fleet/epm/data_streams: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -19292,6 +19324,7 @@ paths: x-beta: true /api/fleet/epm/packages: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages parameters: - in: query @@ -19684,6 +19717,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks 
@@ -19804,6 +19838,7 @@ paths: x-beta: true /api/fleet/epm/packages/_bulk: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -19979,6 +20014,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -20558,6 +20594,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -20700,6 +20737,7 @@ paths: - Elastic Package Manager (EPM) x-beta: true put: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -21162,6 +21200,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -21291,6 +21330,7 @@ paths: x-beta: true /api/fleet/epm/packages/{pkgName}/stats: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path 
@@ -21338,6 +21378,7 @@ paths: x-beta: true /api/fleet/epm/packages/installed: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -21484,6 +21525,7 @@ paths: x-beta: true /api/fleet/epm/packages/limited: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -21522,6 +21564,7 @@ paths: x-beta: true /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -21622,6 +21665,7 @@ paths: x-beta: true /api/fleet/epm/verification_key_id: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -21659,6 +21703,7 @@ paths: x-beta: true /api/fleet/fleet_server_hosts: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' operationId: get-fleet-fleet-server-hosts parameters: [] responses: @@ -21731,6 +21776,7 @@ paths: - Fleet Server hosts x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -21830,7 +21876,7 @@ paths: x-beta: true /api/fleet/fleet_server_hosts/{itemId}: delete: - description: Delete a Fleet Server host by ID. + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -21878,7 +21924,7 @@ paths: - Fleet Server hosts x-beta: true get: - description: Get a Fleet Server host by ID. + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -21945,7 +21991,7 @@ paths: - Fleet Server hosts x-beta: true put: - description: Update a Fleet Server host by ID. + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -22043,6 +22089,7 @@ paths: x-beta: true /api/fleet/health_check: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks @@ -22117,6 +22164,7 @@ paths: x-beta: true /api/fleet/kubernetes: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes parameters: - in: query @@ -22168,6 +22216,7 @@ paths: x-beta: true /api/fleet/kubernetes/download: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -22229,6 +22278,7 @@ paths: x-beta: true /api/fleet/logstash_api_keys: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -22272,6 +22322,7 @@ paths: x-beta: true /api/fleet/message_signing_service/rotate_key_pair: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -22337,6 +22388,7 @@ paths: x-beta: true /api/fleet/outputs: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs parameters: [] responses: 
@@ -23062,6 +23114,7 @@ paths: - Fleet outputs x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -24468,7 +24521,7 @@ paths: x-beta: true /api/fleet/outputs/{outputId}: delete: - description: Delete output by ID. + description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -24532,7 +24585,7 @@ paths: - Fleet outputs x-beta: true get: - description: Get output by ID. + description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -25252,7 +25305,7 @@ paths: - Fleet outputs x-beta: true put: - description: Update output by ID. + description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -26643,6 +26696,7 @@ paths: x-beta: true /api/fleet/outputs/{outputId}/health: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -28454,7 +28508,7 @@ paths: x-beta: true /api/fleet/package_policies/{packagePolicyId}: delete: - description: Delete a package policy by ID. + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -29782,6 +29836,7 @@ paths: x-beta: true /api/fleet/package_policies/delete: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -29911,7 +29966,7 @@ paths: x-beta: true /api/fleet/package_policies/upgrade: post: - description: Upgrade a package policy to a newer package version. + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -29985,6 +30040,7 @@ paths: x-beta: true /api/fleet/package_policies/upgrade/dryrun: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -30778,6 +30834,7 @@ paths: x-beta: true /api/fleet/proxies: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies parameters: [] responses: @@ -30856,6 +30913,7 @@ paths: - Fleet proxies x-beta: true post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -30967,7 +31025,7 @@ paths: x-beta: true /api/fleet/proxies/{itemId}: delete: - description: Delete a proxy by ID + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -31015,7 +31073,7 @@ paths: - Fleet proxies x-beta: true get: - description: Get a proxy by ID. + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -31088,7 +31146,7 @@ paths: - Fleet proxies x-beta: true put: - description: Update a proxy by ID. + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -31202,6 +31260,7 @@ paths: x-beta: true /api/fleet/service_tokens: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -31259,6 +31318,7 @@ paths: x-beta: true /api/fleet/settings: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-settings parameters: [] responses: @@ -31347,6 +31407,7 @@ paths: - Fleet internals x-beta: true put: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks @@ -31474,6 +31535,7 @@ paths: x-beta: true /api/fleet/setup: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -31544,7 +31606,7 @@ paths: x-beta: true /api/fleet/uninstall_tokens: get: - description: List the metadata for the latest uninstall tokens per agent policy. + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -31637,7 +31699,7 @@ paths: x-beta: true /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: Get one decrypted uninstall token by its ID. + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 38cc5ab0e932f..692e97f6f7e63 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -13346,6 +13346,7 @@ paths: - Security Exceptions API /api/fleet/agent_download_sources: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -13411,6 +13412,7 @@ paths: tags: - Elastic Agent binary download sources post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -13497,7 +13499,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_download_sources/{sourceId}: delete: - description: Delete an agent binary download source by ID. + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -13544,7 +13546,7 @@ paths: tags: - Elastic Agent binary download sources get: - description: Get an agent binary download source by ID. + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -13604,7 +13606,7 @@ paths: tags: - Elastic Agent binary download sources put: - description: Update an agent binary download source by ID. + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -13696,6 +13698,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_policies: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies parameters: - in: query @@ -14274,6 +14277,7 @@ paths: tags: - Elastic Agent policies post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks @@ -14966,6 +14970,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -15510,7 +15515,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: - description: Get an agent policy by ID. + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -16031,7 +16036,7 @@ paths: tags: - Elastic Agent policies put: - description: Update an agent policy by ID. + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -16732,7 +16737,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: Copy an agent policy by ID. + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -17275,7 +17280,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: Download an agent policy by ID. + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -17341,7 +17346,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: Get a full agent policy by ID. + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -17689,7 +17694,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: Get a list of outputs associated with agent policy by policy id. + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -17785,7 +17790,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/delete: post: - description: Delete an agent policy by ID. + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -17845,7 +17850,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/outputs: post: - description: Get a list of outputs associated with agent policies. + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -18046,6 +18051,7 @@ paths: - Elastic Agent status /api/fleet/agent_status/data: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agent-status-data parameters: - in: query @@ -18120,6 +18126,7 @@ paths: - Elastic Agents /api/fleet/agents: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents parameters: - in: query @@ -18498,6 +18505,7 @@ paths: tags: - Elastic Agents post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -18555,7 +18563,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}: delete: - description: Delete an agent by ID. + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -18604,7 +18612,7 @@ paths: tags: - Elastic Agents get: - description: Get an agent by ID. + description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid parameters: - in: path @@ -18925,7 +18933,7 @@ paths: tags: - Elastic Agents put: - description: Update an agent by ID. + description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -19262,6 +19270,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}/actions: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -19397,6 +19406,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -19451,6 +19461,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -19512,6 +19523,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -19544,6 +19556,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks 
@@ -19604,6 +19617,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/uploads: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -19676,6 +19690,7 @@ paths: - Elastic Agents /api/fleet/agents/action_status: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-action-status parameters: - in: query @@ -19833,6 +19848,7 @@ paths: - Elastic Agent actions /api/fleet/agents/actions/{actionId}/cancel: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -19918,6 +19934,7 @@ paths: - Elastic Agent actions /api/fleet/agents/available_versions: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -19955,6 +19972,7 @@ paths: - Elastic Agents /api/fleet/agents/bulk_reassign: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -20020,6 +20038,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_request_diagnostics: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks 
@@ -20085,6 +20104,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_unenroll: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -20155,6 +20175,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_update_agent_tags: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -20225,6 +20246,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_upgrade: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -20301,7 +20323,7 @@ paths: - Elastic Agent actions /api/fleet/agents/files/{fileId}: delete: - description: Delete a file uploaded by an agent. + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -20352,7 +20374,7 @@ paths: - Elastic Agents /api/fleet/agents/files/{fileId}/{fileName}: get: - description: Get a file uploaded by an agent. + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -20392,6 +20414,7 @@ paths: - Elastic Agents /api/fleet/agents/setup: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: get-fleet-agents-setup parameters: [] responses: @@ -20451,6 +20474,7 @@ paths: tags: - Elastic Agents post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -20508,6 +20532,7 @@ paths: - Elastic Agents /api/fleet/agents/tags: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' operationId: get-fleet-agents-tags parameters: - in: query @@ -20602,6 +20627,7 @@ paths: - Fleet internals /api/fleet/data_streams: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: get-fleet-data-streams parameters: [] responses: @@ -20698,6 +20724,7 @@ paths: - Data streams /api/fleet/enrollment_api_keys: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -20820,6 +20847,7 @@ paths: tags: - Fleet enrollment API keys post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks 
@@ -20909,7 +20937,7 @@ paths: - Fleet enrollment API keys /api/fleet/enrollment_api_keys/{keyId}: delete: - description: Revoke an enrollment API key by ID by marking it as inactive. + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -20958,7 +20986,7 @@ paths: tags: - Fleet enrollment API keys get: - description: Get an enrollment API key by ID. + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -21026,6 +21054,7 @@ paths: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -21116,6 +21145,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-categories parameters: - in: query @@ -21179,6 +21209,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -21313,6 +21344,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -21387,6 +21419,7 @@ paths: - Data streams /api/fleet/epm/packages: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages parameters: - in: query @@ -21778,6 +21811,7 @@ paths: tags: - Elastic Package Manager (EPM) post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks 
@@ -21897,6 +21931,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk: post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -22071,6 +22106,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -22648,6 +22684,7 @@ paths: tags: - Elastic Package Manager (EPM) post: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -22789,6 +22826,7 @@ paths: tags: - Elastic Package Manager (EPM) put: + description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -23250,6 +23288,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path 
@@ -23377,6 +23416,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path @@ -23423,6 +23463,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -23568,6 +23609,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -23605,6 +23647,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -23704,6 +23747,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: + description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -23740,6 +23784,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/fleet_server_hosts: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' operationId: get-fleet-fleet-server-hosts parameters: [] responses: 
@@ -23811,6 +23856,7 @@ paths: tags: - Fleet Server hosts post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -23909,7 +23955,7 @@ paths: - Fleet Server hosts /api/fleet/fleet_server_hosts/{itemId}: delete: - description: Delete a Fleet Server host by ID. + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -23956,7 +24002,7 @@ paths: tags: - Fleet Server hosts get: - description: Get a Fleet Server host by ID. + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -24022,7 +24068,7 @@ paths: tags: - Fleet Server hosts put: - description: Update a Fleet Server host by ID. + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -24119,6 +24165,7 @@ paths: - Fleet Server hosts /api/fleet/health_check: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks @@ -24192,6 +24239,7 @@ paths: - Fleet internals /api/fleet/kubernetes: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes parameters: - in: query @@ -24242,6 +24290,7 @@ paths: - Elastic Agent policies /api/fleet/kubernetes/download: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -24302,6 +24351,7 @@ paths: - Elastic Agent policies /api/fleet/logstash_api_keys: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -24344,6 +24394,7 @@ paths: - Fleet outputs /api/fleet/message_signing_service/rotate_key_pair: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -24408,6 +24459,7 @@ paths: - Message Signing Service /api/fleet/outputs: get: + description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs parameters: [] responses: 
@@ -25132,6 +25184,7 @@ paths: tags: - Fleet outputs post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -26537,7 +26590,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}: delete: - description: Delete output by ID. + description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -26600,7 +26653,7 @@ paths: tags: - Fleet outputs get: - description: Get output by ID. + description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -27319,7 +27372,7 @@ paths: tags: - Fleet outputs put: - description: Update output by ID. + description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -28709,6 +28762,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}/health: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -30516,7 +30570,7 @@ paths: - Fleet package policies /api/fleet/package_policies/{packagePolicyId}: delete: - description: Delete a package policy by ID. + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -31841,6 +31895,7 @@ paths: - Fleet package policies /api/fleet/package_policies/delete: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -31969,7 +32024,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade: post: - description: Upgrade a package policy to a newer package version. + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -32042,6 +32097,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade/dryrun: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -32834,6 +32890,7 @@ paths: - Fleet package policies /api/fleet/proxies: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies parameters: [] responses: @@ -32911,6 +32968,7 @@ paths: tags: - Fleet proxies post: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -33021,7 +33079,7 @@ paths: - Fleet proxies /api/fleet/proxies/{itemId}: delete: - description: Delete a proxy by ID + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -33068,7 +33126,7 @@ paths: tags: - Fleet proxies get: - description: Get a proxy by ID. + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -33140,7 +33198,7 @@ paths: tags: - Fleet proxies put: - description: Update a proxy by ID. + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -33253,6 +33311,7 @@ paths: - Fleet proxies /api/fleet/service_tokens: post: + description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -33309,6 +33368,7 @@ paths: - Fleet service tokens /api/fleet/settings: get: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' operationId: get-fleet-settings parameters: [] responses: @@ -33396,6 +33456,7 @@ paths: tags: - Fleet internals put: + description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks @@ -33522,6 +33583,7 @@ paths: - Fleet internals /api/fleet/setup: post: + description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -33591,7 +33653,7 @@ paths: - Fleet internals /api/fleet/uninstall_tokens: get: - description: List the metadata for the latest uninstall tokens per agent policy. + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -33683,7 +33745,7 @@ paths: - Fleet uninstall tokens /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: Get one decrypted uninstall token by its ID. + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path diff --git a/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts new file mode 100644 index 0000000000000..ab2cdedc3520e --- /dev/null +++ b/x-pack/platform/plugins/shared/fleet/server/constants/api_privileges.ts @@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { INTEGRATIONS_PLUGIN_ID, PLUGIN_ID } from '../../common'; + +export const FLEET_API_PRIVILEGES = { + FLEET: { + READ: `${PLUGIN_ID}-read`, + ALL: `${PLUGIN_ID}-all`, + }, + AGENTS: { + READ: `${PLUGIN_ID}-agents-read`, + ALL: `${PLUGIN_ID}-agents-all`, + }, + AGENT_POLICIES: { + READ: `${PLUGIN_ID}-agent-policies-read`, + ALL: `${PLUGIN_ID}-agent-policies-all`, + }, + SETTINGS: { + READ: `${PLUGIN_ID}-settings-read`, + ALL: `${PLUGIN_ID}-settings-all`, + }, + INTEGRATIONS: { + READ: `${INTEGRATIONS_PLUGIN_ID}-read`, + ALL: `${INTEGRATIONS_PLUGIN_ID}-all`, + }, + SETUP: `fleet-setup`, +}; diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts index 82893b6590e30..ca9876d74c435 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent/index.ts 
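Review bot: `FLEET_API_PRIVILEGES` in the new `api_privileges.ts` is exported as a plain object literal, so every privilege name is typed as `string` and the entries route authorization relies on stay assignable; closing the literal with `} as const;` would make them readonly literal types at compile time. `SETUP` is written as a template literal with nothing interpolated, while every other entry is derived from `PLUGIN_ID` or `INTEGRATIONS_PLUGIN_ID`. Assuming `PLUGIN_ID` is `fleet`, as the generated descriptions suggest, `SETUP: 'fleet-setup',` or the `PLUGIN_ID`-based form would keep the file consistent. I would also add a comment above the object, `// Must match the API privilege names registered for the Fleet and Integrations features`, since that registration is not visible in this file.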
@@ -55,7 +55,7 @@ import { PostNewAgentActionResponseSchema, PostRetrieveAgentsByActionsResponseSchema, } from '../../types/rest_spec/agent'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { calculateRouteAuthz } from '../../services/security/security'; import { genericErrorResponse } from '../schema/errors'; @@ -95,8 +95,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an agent`, description: `Get an agent by ID.`, @@ -126,8 +128,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .put({ path: AGENT_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Update an agent`, description: `Update an agent by ID.`, @@ -157,8 +161,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UPDATE_AGENT_TAGS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk update agent tags`, options: { @@ -187,8 +193,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .delete({ path: AGENT_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Delete an agent`, description: `Delete an agent by ID.`, 
@@ -218,9 +226,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_PATTERN, - - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agents`, options: { @@ -249,8 +258,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_TAGS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agent tags`, options: { @@ -279,8 +290,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.ACTIONS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create an agent action`, options: { @@ -313,8 +326,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.CANCEL_ACTIONS_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Cancel an agent action`, options: { @@ -348,8 +363,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agents by action ids`, options: { 
@@ -377,8 +394,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.UNENROLL_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Unenroll an agent`, options: { @@ -396,8 +415,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.REASSIGN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Reassign an agent`, options: { @@ -425,8 +446,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.REQUEST_DIAGNOSTICS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Request agent diagnostics`, options: { @@ -454,8 +477,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_REQUEST_DIAGNOSTICS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Bulk request diagnostics from agents`, options: { @@ -483,8 +508,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.LIST_UPLOADS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get agent uploads`, options: { 
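Review bot: The `REQUEST_DIAGNOSTICS_PATTERN` hunk, and the `BULK_REQUEST_DIAGNOSTICS_PATTERN` hunk after it, gate a POST that asks agents to produce diagnostics with `FLEET_API_PRIVILEGES.AGENTS.READ`, while the neighbouring POST routes that act on agents (unenroll, reassign, upgrade, create or cancel an action) require `AGENTS.ALL`. This carries over the previous `readAgents: true`, so it may well be deliberate, but nothing in the new code says so. I would record the decision next to `security` with `// AGENTS.READ is intentional: read-only agent users may request diagnostics`, or switch both routes to `AGENTS.ALL` if it is not intended.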
@@ -512,8 +539,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.GET_UPLOAD_FILE_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an uploaded file`, description: `Get a file uploaded by an agent.`, @@ -542,8 +571,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .delete({ path: AGENT_API_ROUTES.DELETE_UPLOAD_FILE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Delete an uploaded file`, description: `Delete a file uploaded by an agent.`, @@ -568,11 +599,11 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT }, deleteAgentUploadFileHandler ); - // Get agent status for policy router.versioned .get({ path: AGENT_API_ROUTES.STATUS_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -604,8 +635,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.DATA_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get incoming agent data`, options: { @@ -634,8 +667,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.UPGRADE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Upgrade an agent`, options: { 
@@ -663,8 +698,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UPGRADE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk upgrade agents`, options: { @@ -693,8 +730,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.ACTION_STATUS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get an agent action status`, options: { @@ -723,8 +762,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_REASSIGN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk reassign agents`, options: { @@ -753,8 +794,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .post({ path: AGENT_API_ROUTES.BULK_UNENROLL_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Bulk unenroll agents`, options: { @@ -783,8 +826,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT router.versioned .get({ path: AGENT_API_ROUTES.AVAILABLE_VERSIONS_PATTERN, - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, summary: `Get available agent versions`, options: { 
@@ -817,8 +862,10 @@ export const registerAPIRoutes = (router: FleetAuthzRouter, config: FleetConfigT .get({ path: '/internal/fleet/agents/status_runtime_field', access: 'internal', - fleetAuthz: { - fleet: { readAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.READ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts index 0d0dc6ae68c25..9450b5e0da089 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/agent_policy/index.ts @@ -9,7 +9,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { AGENT_POLICY_API_ROUTES } from '../../constants'; import { GetAgentPoliciesRequestSchema, @@ -60,9 +60,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Get agent policies`, options: { 
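Review bot: The new `anyRequired` list on `AGENT_POLICY_API_ROUTES.LIST_PATTERN` accepts `FLEET_API_PRIVILEGES.SETUP` in addition to the two flags the removed callback checked (`readAgentPolicies || readAgents`), and the comment explaining why agents-read is sufficient was dropped with the callback. The `BULK_GET_PATTERN` and `INFO_PATTERN` hunks that follow have the same shape. If `fleet-setup` was already implied by the old `readAgentPolicies` flag the change is equivalent, but that derivation is not visible in this diff, so please confirm these routes are not widened. The rationale should stay in the code, for example `// AGENTS.READ: agents-read users need policy metadata (not the full policy); SETUP: <reason>`.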
@@ -91,9 +100,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.BULK_GET_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Bulk get agent policies`, options: { @@ -122,9 +140,18 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - // Allow to retrieve agent policies metadata (no full) for user with only read agents permissions - return authz.fleet.readAgentPolicies || authz.fleet.readAgents; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Get an agent policy`, description: `Get an agent policy by ID.`, @@ -154,8 +181,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Create an agent policy`, options: { @@ -184,8 +213,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: AGENT_POLICY_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Update an agent policy`, description: `Update an agent policy by ID.`, 
@@ -215,8 +246,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.COPY_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Copy an agent policy`, description: `Copy an agent policy by ID.`, @@ -246,8 +279,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL], + }, }, summary: `Delete an agent policy`, description: `Delete an agent policy by ID.`, @@ -277,8 +312,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.FULL_INFO_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, summary: `Get a full agent policy`, description: `Get a full agent policy by ID.`, @@ -308,8 +345,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.FULL_INFO_DOWNLOAD_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, }, enableQueryVersion: true, summary: `Download an agent policy`, @@ -343,8 +385,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: K8S_API_ROUTES.K8S_INFO_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, }, summary: `Get a full K8s agent manifest`, options: { 
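Review bot: In the `FULL_INFO_DOWNLOAD_PATTERN` hunk, `requiredPrivileges` lists `AGENT_POLICIES.READ` and `SETUP` as two plain entries, which are combined as ALL-of, whereas the removed check needed only `readAgentPolicies`. The regenerated OpenAPI description for `/api/fleet/kubernetes` in this commit confirms the reading: "ALL of [fleet-agent-policies-read, fleet-setup]". A caller holding agent-policies read but not `fleet-setup` would now be rejected, unlike on the list and get routes earlier in this file, where the same pair sits inside `anyRequired`. If either privilege should suffice, use `requiredPrivileges: [{ anyRequired: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, FLEET_API_PRIVILEGES.SETUP] }],`. The `K8S_INFO_PATTERN` and `K8S_DOWNLOAD_PATTERN` hunks need the same decision.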
@@ -373,8 +420,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: K8S_API_ROUTES.K8S_DOWNLOAD_PATTERN, - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, }, enableQueryVersion: true, summary: `Download an agent manifest`, @@ -406,8 +458,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENT_POLICY_API_ROUTES.LIST_OUTPUTS_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readAgentPolicies && authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, }, summary: `Get outputs for agent policies`, description: `Get a list of outputs associated with agent policies.`, @@ -436,8 +493,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENT_POLICY_API_ROUTES.INFO_OUTPUTS_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readAgentPolicies && authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, }, summary: `Get outputs for an agent policy`, description: `Get a list of outputs associated with agent policy by policy id.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts index e5198ea84a78c..aba2b2ff3acbb 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/app/index.ts 
@@ -21,6 +21,7 @@ import { CheckPermissionsRequestSchema, CheckPermissionsResponseSchema } from '. import { enableSpaceAwarenessMigration } from '../../services/spaces/enable_space_awareness'; import { type FleetConfigType } from '../../config'; import { genericErrorResponse } from '../schema/errors'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; export const getCheckPermissionsHandler: FleetRequestHandler< unknown, @@ -194,8 +195,14 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .post({ path: '/internal/fleet/enable_space_awareness', access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -236,8 +243,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .get({ path: APP_API_ROUTES.AGENT_POLICIES_SPACES, access: 'internal', - fleetAuthz: { - fleet: { readAgentPolicies: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENT_POLICIES.READ], + }, }, }) .addVersion( @@ -251,8 +260,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create a service token`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts index 7dc870c394bc8..e51c8ce447317 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/data_streams/index.ts 
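Review bot: The `/internal/fleet/enable_space_awareness` hunk replaces `fleet: { all: true }` with three separate privileges (`AGENTS.ALL`, `AGENT_POLICIES.ALL`, `SETTINGS.ALL`) rather than the `FLEET_API_PRIVILEGES.FLEET.ALL` constant this commit introduces. Whether that triple is granted to exactly the same roles as the old `all` flag depends on the feature privilege registration, which is outside this diff. The equivalence deserves a comment such as `// replaces fleetAuthz fleet.all: requires the "all" privilege of every Fleet sub-feature`, or a single shared constant for the triple. The same list is repeated in the data streams list route and in the three debug routes, which by their names fetch raw index and saved-object data, so a mismatch there would matter most.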
@@ -7,7 +7,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { API_VERSIONS } from '../../../common/constants'; import { DATA_STREAM_API_ROUTES } from '../../constants'; @@ -49,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DATA_STREAM_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, summary: `Get data streams`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts index bfe2bfd0f0e20..b3baf42552c34 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/debug/index.ts @@ -9,7 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { FLEET_DEBUG_ROUTES } from '../../constants'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { FetchIndexRequestSchema, FetchSavedObjectNamesRequestSchema, @@ -27,8 +27,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.INDEX_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( 
@@ -43,8 +49,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.SAVED_OBJECTS_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( @@ -59,8 +71,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: FLEET_DEBUG_ROUTES.SAVED_OBJECT_NAMES_PATTERN, access: 'internal', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts index 687fdcf5f793f..62e97a731fa10 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/download_source/index.ts @@ -21,7 +21,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { @@ -36,8 +36,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DOWNLOAD_SOURCE_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, + ], + }, }, summary: `Get agent binary download sources`, options: { 
@@ -65,8 +74,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: DOWNLOAD_SOURCE_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + ], + }, + ], + }, }, summary: `Get an agent binary download source`, description: `Get an agent binary download source by ID.`, @@ -95,8 +113,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: DOWNLOAD_SOURCE_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update an agent binary download source`, description: `Update an agent binary download source by ID.`, @@ -125,8 +145,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: DOWNLOAD_SOURCE_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create an agent binary download source`, options: { @@ -154,8 +176,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: DOWNLOAD_SOURCE_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete an agent binary download source`, description: `Delete an agent binary download source by ID.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts index e593bac3180fe..fd5ba7091ee2b 100644 
--- a/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/enrollment_api_key/index.ts @@ -22,7 +22,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { @@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readEnrollmentTokens: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP], + }, + ], + }, }, summary: `Get an enrollment API key`, description: `Get an enrollment API key by ID.`, @@ -66,8 +72,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: ENROLLMENT_API_KEY_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Revoke an enrollment API key`, description: `Revoke an enrollment API key by ID by marking it as inactive.`, @@ -96,8 +104,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readEnrollmentTokens: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETUP], + }, + ], + }, }, summary: `Get enrollment API keys`, options: { 
@@ -128,8 +142,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Create an enrollment API key`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts index 787b02b69c3e8..49658b45ce2f8 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/epm/index.ts @@ -5,8 +5,9 @@ * 2.0. */ -import { parseExperimentalConfigValue } from '../../../common/experimental_features'; +import type { RouteSecurity } from '@kbn/core-http-server'; +import { parseExperimentalConfigValue } from '../../../common/experimental_features'; import { API_VERSIONS } from '../../../common/constants'; import type { FleetAuthz } from '../../../common'; @@ -57,7 +58,7 @@ import { ReauthorizeTransformResponseSchema, } from '../../types'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse } from '../schema/errors'; import { 
@@ -91,17 +92,40 @@ export const INSTALL_PACKAGES_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { integrations: { installPackages: true }, }; +export const INSTALL_PACKAGES_SECURITY: RouteSecurity = { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, +}; + export const READ_PACKAGE_INFO_AUTHZ: FleetAuthzRouteConfig['fleetAuthz'] = { integrations: { readPackageInfo: true }, }; +export const READ_PACKAGE_INFO_SECURITY: RouteSecurity = { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + FLEET_API_PRIVILEGES.SETUP, + FLEET_API_PRIVILEGES.FLEET.ALL, + ], + }, + ], + }, +}; + export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType) => { const experimentalFeatures = parseExperimentalConfigValue(config.enableExperimental); router.versioned .get({ path: EPM_API_ROUTES.CATEGORIES_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get package categories`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -128,7 +152,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -155,7 +179,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INSTALLED_LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get installed packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], 
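Review bot: `INSTALL_PACKAGES_SECURITY` and `READ_PACKAGE_INFO_SECURITY` are exported without a comment, and the difference between them is easy to misread: the first is a plain list, so both privileges are required, while the second wraps its entries in `anyRequired`, so any one is enough. Later hunks in this file apply `INSTALL_PACKAGES_SECURITY` to routes that used to check different capabilities (`writePackageSettings`, `installPackages` together with `upgradePackages`, `uploadPackages`), so the name no longer describes every use. I would add a doc comment to each, e.g. `/** Requires both INTEGRATIONS.ALL and AGENT_POLICIES.ALL; shared by every EPM route that installs, uploads or modifies a package. */`. The retained `INSTALL_PACKAGES_AUTHZ` is still spread into the reauthorize-transforms route, but `READ_PACKAGE_INFO_AUTHZ` has no remaining use in the visible hunks and may be removable if nothing else imports it.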
@@ -182,7 +206,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.LIMITED_LIST_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a limited package list`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -209,7 +233,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.STATS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get package stats`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -236,7 +260,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INPUTS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get an inputs template`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -263,7 +287,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.FILEPATH_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a package file`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -290,6 +314,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.INFO_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz(fleetAuthz, getRouteRequiredAuthz('get', EPM_API_ROUTES.INFO_PATTERN)) .granted, 
@@ -319,9 +344,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: EPM_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - integrations: { writePackageSettings: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Update package settings`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -348,7 +371,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.INSTALL_FROM_REGISTRY_PATTERN, - fleetAuthz: INSTALL_PACKAGES_AUTHZ, + security: INSTALL_PACKAGES_SECURITY, summary: `Install a package from the registry`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -376,9 +399,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.INSTALL_KIBANA_ASSETS_PATTERN, - fleetAuthz: { - integrations: { installPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Install Kibana assets for a package`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -405,9 +426,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .delete({ path: EPM_API_ROUTES.DELETE_KIBANA_ASSETS_PATTERN, - fleetAuthz: { - integrations: { installPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Delete Kibana assets for a package`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -435,9 +454,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.BULK_INSTALL_PATTERN, - fleetAuthz: { - integrations: { installPackages: true, upgradePackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Bulk install packages`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], 
@@ -473,9 +490,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType }, tags: [`oas-tag:Elastic Package Manager (EPM)`], }, - fleetAuthz: { - integrations: { uploadPackages: true }, - }, + security: INSTALL_PACKAGES_SECURITY, summary: `Install a package by upload`, }) .addVersion( @@ -499,7 +514,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.CUSTOM_INTEGRATIONS_PATTERN, - fleetAuthz: INSTALL_PACKAGES_AUTHZ, + security: INSTALL_PACKAGES_SECURITY, summary: `Create a custom integration`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -526,8 +541,13 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .delete({ path: EPM_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - integrations: { removePackages: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, }, summary: `Delete a package`, options: { @@ -556,7 +576,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.VERIFICATION_KEY_ID, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get a package signature verification key ID`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -583,7 +603,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: EPM_API_ROUTES.DATA_STREAMS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Get data streams`, options: { tags: ['oas-tag:Data streams'], 
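Review bot: The `EPM_API_ROUTES.DELETE_PATTERN` route spells out `INTEGRATIONS.ALL` and `AGENT_POLICIES.ALL` inline, which is the same list as the `INSTALL_PACKAGES_SECURITY` constant this file uses for its other package-modifying routes. Writing `security: INSTALL_PACKAGES_SECURITY,` here keeps package removal from drifting away from install if the constant is tightened later. If removal is meant to be governed separately (the old check was the distinct `removePackages` capability), a named constant of its own would make that intent visible.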
@@ -610,7 +630,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.BULK_ASSETS_PATTERN, - fleetAuthz: READ_PACKAGE_INFO_AUTHZ, + security: READ_PACKAGE_INFO_SECURITY, summary: `Bulk get assets`, options: { tags: ['oas-tag:Elastic Package Manager (EPM)'], @@ -639,6 +659,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .post({ path: EPM_API_ROUTES.REAUTHORIZE_TRANSFORMS, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: { ...INSTALL_PACKAGES_AUTHZ, packagePrivileges: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts index 1a5ad6ccc764d..09dc7c9800492 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_proxies/index.ts @@ -8,7 +8,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { FLEET_PROXY_API_ROUTES } from '../../../common/constants'; import { FleetProxyResponseSchema, @@ -34,8 +34,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_PROXY_API_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get proxies`, options: { 
@@ -63,8 +65,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: FLEET_PROXY_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create a proxy`, options: { @@ -92,8 +96,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: FLEET_PROXY_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update a proxy`, description: `Update a proxy by ID.`, @@ -122,8 +128,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_PROXY_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get a proxy`, description: `Get a proxy by ID.`, @@ -152,8 +160,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: FLEET_PROXY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete a proxy`, description: `Delete a proxy by ID`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts index 667a617659492..a57f6fe86e8e3 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/fleet_server_hosts/index.ts 
@@ -21,7 +21,7 @@ import { } from '../../types'; import { genericErrorResponse } from '../schema/errors'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { ListResponseSchema } from '../schema/utils'; import { @@ -36,8 +36,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_SERVER_HOST_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.addAgents || authz.fleet.addFleetServers || authz.fleet.readSettings; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [FLEET_API_PRIVILEGES.AGENTS.ALL, FLEET_API_PRIVILEGES.SETTINGS.READ], + }, + ], + }, }, summary: `Get Fleet Server hosts`, options: { @@ -64,8 +70,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: FLEET_SERVER_HOST_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create a Fleet Server host`, options: { @@ -92,8 +100,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: FLEET_SERVER_HOST_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get a Fleet Server host`, description: `Get a Fleet Server host by ID.`, @@ -121,8 +131,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: FLEET_SERVER_HOST_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Delete a Fleet Server host`, description: `Delete a Fleet Server host by ID.`, 
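Review bot: The Fleet Server hosts list route replaces a three-way predicate (`addAgents || addFleetServers || readSettings`) with `anyRequired: [AGENTS.ALL, SETTINGS.READ]`, and nothing in the hunk records how `addAgents` and `addFleetServers` map onto `AGENTS.ALL`. The enrollment API key read routes in this commit also accept `FLEET_API_PRIVILEGES.SETUP`, so it is worth confirming that a caller enrolling agents with the setup privilege alone does not need this list. The same question applies to `SETTINGS_API_ROUTES.ENROLLMENT_INFO_PATTERN` in settings/index.ts, which goes from `addAgents || addFleetServers` to `AGENTS.ALL` only. If the mapping is exact, a short comment such as `// addAgents and addFleetServers are both covered by AGENTS.ALL` above `security` would settle it for the next reader.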
@@ -153,8 +165,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: FLEET_SERVER_HOST_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update a Fleet Server host`, description: `Update a Fleet Server host by ID.`, diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts index 008340d006829..daffc5552a190 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/health_check/index.ts @@ -7,7 +7,7 @@ import { API_VERSIONS } from '../../../common/constants'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { APP_API_ROUTES } from '../../constants'; import { PostHealthCheckRequestSchema, PostHealthCheckResponseSchema } from '../../types'; import { genericErrorResponse } from '../schema/errors'; @@ -19,8 +19,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: APP_API_ROUTES.HEALTH_CHECK_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Check Fleet Server health`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts index 645e7070f901a..470ba0531bba2 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/message_signing_service/index.ts 
@@ -10,6 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; import { MESSAGE_SIGNING_SERVICE_API_ROUTES } from '../../constants'; import { RotateKeyPairSchema } from '../../types'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse } from '../schema/errors'; @@ -20,8 +21,14 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: MESSAGE_SIGNING_SERVICE_API_ROUTES.ROTATE_KEY_PAIR, - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + ], + }, }, summary: 'Rotate a Fleet message signing key pair', options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts index dd89eaabf396b..b8b874b10eaaa 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/output/index.ts @@ -8,7 +8,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { OUTPUT_API_ROUTES } from '../../constants'; import { DeleteOutputRequestSchema, @@ -40,8 +40,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.LIST_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + ], + }, + ], + }, }, summary: 'Get outputs', options: { 
@@ -68,8 +77,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.readSettings || authz.fleet.readAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + ], + }, + ], + }, }, summary: 'Get output', description: 'Get output by ID.', @@ -97,8 +115,17 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: OUTPUT_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.allSettings || authz.fleet.allAgentPolicies; + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + ], + }, + ], + }, }, summary: 'Update output', description: 'Update output by ID.', @@ -127,8 +154,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: OUTPUT_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Create output', options: { @@ -156,8 +185,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: OUTPUT_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Delete output', description: 'Delete output by ID.', @@ -189,8 +220,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: OUTPUT_API_ROUTES.LOGSTASH_API_KEY_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: 'Generate a Logstash API key', options: { 
@@ -218,8 +251,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: OUTPUT_API_ROUTES.GET_OUTPUT_HEALTH_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: 'Get the latest output health', options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts index 8a547f4127f97..6252a362b12d2 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/package_policy/index.ts @@ -7,9 +7,8 @@ import { schema } from '@kbn/config-schema'; import { getRouteRequiredAuthz } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import type { FleetAuthzRouter } from '../../services/security'; - import type { FleetAuthz } from '../../../common'; import { API_VERSIONS } from '../../../common/constants'; import { PACKAGE_POLICY_API_ROUTES } from '../../constants'; @@ -56,6 +55,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: PACKAGE_POLICY_API_ROUTES.LIST_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -88,6 +88,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, 
@@ -123,6 +124,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .get({ path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -218,6 +220,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .put({ path: PACKAGE_POLICY_API_ROUTES.UPDATE_PATTERN, + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 fleetAuthz: (fleetAuthz: FleetAuthz): boolean => calculateRouteAuthz( fleetAuthz, @@ -258,8 +261,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.DELETE_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Bulk delete package policies', options: { @@ -287,8 +295,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .delete({ path: PACKAGE_POLICY_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Delete a package policy', description: 'Delete a package policy by ID.', @@ -318,8 +331,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.UPGRADE_PATTERN, - fleetAuthz: { - integrations: { writeIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.ALL, + ], + }, }, summary: 'Upgrade a package policy', description: 'Upgrade a package policy to a newer package version.', 
@@ -349,8 +367,13 @@ export const registerRoutes = (router: FleetAuthzRouter) => { router.versioned .post({ path: PACKAGE_POLICY_API_ROUTES.DRYRUN_PATTERN, - fleetAuthz: { - integrations: { readIntegrationPolicies: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + ], + }, }, summary: 'Dry run a package policy upgrade', options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts index c62c86953acaa..0438050f43741 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/preconfiguration/index.ts @@ -9,6 +9,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { PRECONFIGURATION_API_ROUTES } from '../../constants'; import { PostResetOnePreconfiguredAgentPoliciesSchema } from '../../types'; @@ -19,8 +20,15 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: PRECONFIGURATION_API_ROUTES.RESET_PATTERN, access: 'public', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + ], + }, }, }) .addVersion( 
@@ -35,8 +43,15 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: PRECONFIGURATION_API_ROUTES.RESET_ONE_PATTERN, access: 'public', - fleetAuthz: { - fleet: { all: true }, + security: { + authz: { + requiredPrivileges: [ + FLEET_API_PRIVILEGES.AGENTS.ALL, + FLEET_API_PRIVILEGES.AGENT_POLICIES.ALL, + FLEET_API_PRIVILEGES.SETTINGS.ALL, + FLEET_API_PRIVILEGES.INTEGRATIONS.READ, + ], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts index 04e6c2a955634..c307fce8aa900 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/settings/index.ts @@ -20,7 +20,7 @@ import { GetEnrollmentSettingsResponseSchema, } from '../../types'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { genericErrorResponse, notFoundResponse } from '../schema/errors'; import { getEnrollmentSettingsHandler } from './enrollment_settings_handler'; @@ -39,6 +39,7 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType .get({ path: SETTINGS_API_ROUTES.SPACE_INFO_PATTERN, fleetAuthz: (authz) => { + // TODO move to kibana authz https://github.com/elastic/kibana/issues/203170 return ( authz.fleet.readSettings || authz.integrations.writeIntegrationPolicies || @@ -65,8 +66,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: SETTINGS_API_ROUTES.SPACE_UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Create space settings`, }) 
@@ -89,8 +92,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: SETTINGS_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { readSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.READ], + }, }, summary: `Get settings`, options: { @@ -120,8 +125,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .put({ path: SETTINGS_API_ROUTES.UPDATE_PATTERN, - fleetAuthz: { - fleet: { allSettings: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.SETTINGS.ALL], + }, }, summary: `Update settings`, options: { @@ -151,8 +158,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: SETTINGS_API_ROUTES.ENROLLMENT_INFO_PATTERN, - fleetAuthz: (authz) => { - return authz.fleet.addAgents || authz.fleet.addFleetServers; + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: `Get enrollment settings`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts index 2f41ff7eb6878..1dff6368735e9 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/setup/index.ts @@ -7,7 +7,7 @@ import { schema } from '@kbn/config-schema'; import type { FleetAuthzRouter } from '../../services/security'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { AGENTS_SETUP_API_ROUTES, SETUP_API_ROUTE } from '../../constants'; import { API_VERSIONS } from '../../../common/constants'; 
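Review bot: The `ENROLLMENT_INFO_PATTERN` hunk changes who is allowed, not only how the check is expressed: the removed callback accepted `authz.fleet.addAgents || authz.fleet.addFleetServers`, while the new rule requires `FLEET_API_PRIVILEGES.AGENTS.ALL` alone. How those two flags map to privileges is not visible here, so it needs confirming that no role holds `addFleetServers` without `addAgents`, since such a role would lose this route. If the two cases are meant to stay distinct, an `anyRequired` entry like the one used on the setup routes would keep the old OR; if one privilege really covers both, a one-line comment on the route should say so.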
@@ -39,8 +39,19 @@ export const registerFleetSetupRoute = (router: FleetAuthzRouter) => { router.versioned .post({ path: SETUP_API_ROUTE, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Initiate Fleet setup`, options: { @@ -101,8 +112,19 @@ export const registerCreateFleetSetupRoute = (router: FleetAuthzRouter) => { router.versioned .post({ path: AGENTS_SETUP_API_ROUTES.CREATE_PATTERN, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Initiate agent setup`, options: { @@ -132,8 +154,19 @@ export const registerGetFleetStatusRoute = (router: FleetAuthzRouter) => { router.versioned .get({ path: AGENTS_SETUP_API_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { setup: true }, + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + FLEET_API_PRIVILEGES.AGENTS.READ, + FLEET_API_PRIVILEGES.AGENT_POLICIES.READ, + FLEET_API_PRIVILEGES.SETTINGS.READ, + FLEET_API_PRIVILEGES.SETUP, + ], + }, + ], + }, }, summary: `Get agent setup info`, options: { diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts index f0103c23e65dd..6014e6ea42a51 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/standalone_agent_api_key/index.ts 
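Review bot: `POST` on `SETUP_API_ROUTE` ("Initiate Fleet setup") is now reachable with any one of three read privileges, because `anyRequired` lists `AGENTS.READ`, `AGENT_POLICIES.READ` and `SETTINGS.READ` next to `SETUP`, where the removed check was `fleet: { setup: true }`. Whether the old flag was already granted to read-only users is not visible in this hunk, so please confirm this does not widen who may trigger a state-changing call. The same list is used in the `AGENTS_SETUP_API_ROUTES.CREATE_PATTERN` hunk (also a POST) and the `INFO_PATTERN` hunk; only the GET obviously suits read-level access. If read-level access to the POST routes is intended, a shared constant with a comment stating that, e.g. `// Setup must be callable by read-only Fleet users`, would make the decision reviewable in one place.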
@@ -10,7 +10,7 @@ import type { FleetAuthzRouter } from '../../services/security'; import { API_VERSIONS } from '../../../common/constants'; import { CREATE_STANDALONE_AGENT_API_KEY_ROUTE } from '../../constants'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import { PostStandaloneAgentAPIKeyRequestSchema } from '../../types'; import { createStandaloneAgentApiKeyHandler } from './handler'; @@ -20,8 +20,10 @@ export const registerRoutes = (router: FleetAuthzRouter) => { .post({ path: CREATE_STANDALONE_AGENT_API_KEY_ROUTE, access: 'internal', - fleetAuthz: { - fleet: { addAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, }) .addVersion( diff --git a/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts b/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts index 3c5e25d414b27..9710a657ca232 100644 --- a/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts +++ b/x-pack/platform/plugins/shared/fleet/server/routes/uninstall_token/index.ts @@ -7,7 +7,7 @@ import { UNINSTALL_TOKEN_ROUTES, API_VERSIONS } from '../../../common/constants'; import type { FleetConfigType } from '../../config'; - +import { FLEET_API_PRIVILEGES } from '../../constants/api_privileges'; import type { FleetAuthzRouter } from '../../services/security'; import { GetUninstallTokenRequestSchema, @@ -28,8 +28,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: UNINSTALL_TOKEN_ROUTES.LIST_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: 'Get metadata for latest uninstall tokens', description: 'List the metadata for the latest uninstall tokens per agent policy.', 
@@ -58,8 +60,10 @@ export const registerRoutes = (router: FleetAuthzRouter, config: FleetConfigType router.versioned .get({ path: UNINSTALL_TOKEN_ROUTES.INFO_PATTERN, - fleetAuthz: { - fleet: { allAgents: true }, + security: { + authz: { + requiredPrivileges: [FLEET_API_PRIVILEGES.AGENTS.ALL], + }, }, summary: 'Get a decrypted uninstall token', description: 'Get one decrypted uninstall token by its ID.', diff --git a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts index 32ec4c90b4319..3ff369994c5c7 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts +++ b/x-pack/platform/plugins/shared/fleet/server/services/package_policy.ts @@ -152,6 +152,7 @@ import type { PackagePolicyClientFetchAllItemIdsOptions } from './package_policy import { validatePolicyNamespaceForSpace } from './spaces/policy_namespaces'; import { isSpaceAwarenessEnabled, isSpaceAwarenessMigrationPending } from './spaces/helpers'; import { updatePackagePolicySpaces } from './spaces/package_policy'; +import { runWithCache } from './epm/packages/cache'; export type InputsOverride = Partial & { vars?: Array; 
@@ -1694,40 +1695,42 @@ class PackagePolicyClientImpl implements PackagePolicyClient { packagePolicy?: PackagePolicy, pkgVersion?: string ): Promise { - const result: UpgradePackagePolicyResponse = []; + return runWithCache(async () => { + const result: UpgradePackagePolicyResponse = []; - for (const id of ids) { - try { - const { - packagePolicy: currentPackagePolicy, - packageInfo, - experimentalDataStreamFeatures, - } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion); - - if (currentPackagePolicy.is_managed && !options?.force) { - throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`); - } + for (const id of ids) { + try { + const { + packagePolicy: currentPackagePolicy, + packageInfo, + experimentalDataStreamFeatures, + } = await this.getUpgradePackagePolicyInfo(soClient, id, packagePolicy, pkgVersion); + + if (currentPackagePolicy.is_managed && !options?.force) { + throw new PackagePolicyRestrictionRelatedError(`Cannot upgrade package policy ${id}`); + } - await this.doUpgrade( - soClient, - esClient, - id, - currentPackagePolicy, - result, - packageInfo, - experimentalDataStreamFeatures, - options - ); - } catch (error) { - result.push({ - id, - success: false, - ...fleetErrorToResponseOptions(error), - }); + await this.doUpgrade( + soClient, + esClient, + id, + currentPackagePolicy, + result, + packageInfo, + experimentalDataStreamFeatures, + options + ); + } catch (error) { + result.push({ + id, + success: false, + ...fleetErrorToResponseOptions(error), + }); + } } - } - return result; + return result; + }); } private async doUpgrade( diff --git a/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts b/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts index b727fa5ec68d1..bf637a5b1faf4 100644 --- a/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts 
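Review bot: The whole per-id loop, including the writes done by `doUpgrade`, now runs inside `runWithCache`, and nothing explains what is cached or for how long. Judging by the import path (`./epm/packages/cache`) it caches package lookups; if so, values read for one id are reused for later ids in the same call, which is only safe when an upgrade does not change what is cached. A comment above the call, e.g. `// Reuse package lookups across ids; the cache lives only for this call`, would state that assumption once it has been verified. The method's signature starts outside the hunk.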
+++ b/x-pack/platform/plugins/shared/fleet/server/services/security/fleet_router.ts @@ -52,7 +52,7 @@ function withDefaultPublicAccess( return { ...options, access: PUBLIC_API_ACCESS, - security: DEFAULT_FLEET_ROUTE_SECURITY, + security: options.security ? options.security : DEFAULT_FLEET_ROUTE_SECURITY, }; } }
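Review bot: The new fallback `options.security ? options.security : DEFAULT_FLEET_ROUTE_SECURITY` sits in the branch that also assigns `access: PUBLIC_API_ACCESS`, yet routes in this commit pass `security` together with an explicit `access` (`'public'` on the preconfiguration reset routes, `'internal'` on the standalone agent API key route). The rest of `withDefaultPublicAccess` is outside the hunk, so if there is a separate path for options that already set `access`, please check that it neither overwrites the route's `security` nor leaves a route with none. The ternary itself reads more directly as `security: options.security ?? DEFAULT_FLEET_ROUTE_SECURITY,`. A unit test asserting that a route registered with `requiredPrivileges` keeps them after this function would guard against a silent fallback to the default.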