[Fleet] Remove superuser requirement to access Fleet

[mostlyjason]

One blocker for many users using Fleet and Integrations is the requirement for the superuser role. This requires users to have broad permissions in order to use Fleet and Integrations which is a security problem. We should remove this requirement and rely on users having the Kibana privilege to access "Fleet and Integrations" (potentially with a built-in role).

Blockers:

Implementation scope

• Add helper APIs for doing authz checks [Fleet] Add base Fleet authz logic and API #119199
  • In order to facilitate other teams that call Fleet APIs we want to provide some helper APIs for checking the current
    user's authorization to Fleet.
• [Fleet] Update calculateAuthz calls to respect superuser for now #119973
• [Fleet] Exposed service to manipulate fleet-* should use internal ES client #116182
• Add requireAllSpaces and disable options to FeatureKibanaPrivileges #118001
• Split the Fleet and Integration privileges (example branch: main...joshdover:rm-superuser/split-priv)
  • Configure the two privileges correctly - @criamico [Fleet] Add support for non-superuser access to Fleet and Integrations #122347
    • Fleet:
      • id: 'fleetv2'
      • "All" should grant all access to all saved object types
      • Should have requireAllSpaces: true on all and read
      • Should have disabled: true on read
      • Should have a privilegesTooltip that explains that "All Spaces" is required for Fleet access
    • Integrations:
      • id: 'fleet'
      • "All" and "Read" should only grant read access to package and package asset SO types
  • Remove superuser checks - @criamico [Fleet] Add support for non-superuser access to Fleet and Integrations #122347
    • On routes [here] (https://github.com/elastic/kibana/blob/3f6939be9d9c0cd8ea65c65406a9dff8eca62a3b/x-pack/plugins/fleet/server/plugin.ts/#L286) - done in 119017
    • In UI here
      • Note: that we do want a similar UI to be shown when a user has All to Fleet but None to Integrations, so you may not want to remove all of this yet. See below for details.
  • Implement authz checks on each route according to [the spreadsheet here - Option C] - @nchaulet (https://docs.google.com/spreadsheets/d/1b0wnr0rj2ZqQiYOJa2sbKiOyoS3AgfcW2jYw2_Lemgo/edit#gid=0) [Fleet] Use Fleet authz for fleet server routes security instead of enforcing superuser #119795
    • Ensure that the upload package API still requires superuser
    • Agent routes (which use the .fleet-* indices) will need to start using the internal ES client. You should be able to piggy back off [Fleet] Add scoped AgentService #119017 and reuse that service within our own code. If needed to cut scope, just switching to the internal ES client and adding the authz checks should be sufficient. @nchaulet would you be able to help here?

UX changes

For all disabled buttons, a tooltip should also be added that indicates the user needs additional permissions. An example:

• Make UI adjustments for when user has "All" Fleet but "None" for integrations

  • Add blocking UI in Fleet app:

• Make UI adjustments for when user has "All" Fleet but only "Read" for integrations

  • Prevent users from adding integrations
  • Disable "Add integration" button on agent policy detail view
    
  • Disable "Add " button CTA on integration detail view
    
  • Prevent users from updating integrations
    • Hide settings tab of integration detail view
    • Disable "Upgrade" button on integration policy table on "Policies" tab of integration detail view
      
    • Disable "Upgrade" button on integration policy table on agent policy detail view
      
    • Action buttons on agent policies table allow the user to add, remove and upgrade integrations, so all the options in them should be disabled. It was decided to completely hide these actions.
  • Prevent users from removing integration policies
    • Disable "Delete integration" item on integration policy table of "Policies" tab of integration detail view
      
    • Disable "Delete integration" item on integration policy table on agent policy detail view
      
  • Prevent users from reading or writing global integration settings
    • Hide the "advanced" tab from integration detail view
      

• When end users and kibana_system try to set up fleet server and they don't already have a fleet server set up:
  - [x] app/fleet/agents should show this callout:
  
  - [x] In the Add agents fly out, under Enroll Fleet tab, the same message should be displayed
  - [x] if these users have already a fleet server these two areas should stay the same

Notes

Preserving BWC with users granted access to Integrations app in 7.16

This is required to avoid breaking read access to Integrations since we allowed users with "read" to this privilege
to be able to view the integrations app even if they did not have superuser, starting in 7.16. Since there is no
existing mechanism to update the privileges stored in existing user roles, we should be careful change the privilege id
field in a way that won't break these existing roles:

• We should rename (change the name property) the existing combined privilege with the id: 'fleet' to
  Integrations and use this privilege to drive access to Integrations going forward. The id should not change.
• The privilege we add for Fleet should have the id: 'fleetv2'.
• In the future we can migrate the above, but no such ability exists today. We'll consider this technical debt for now
  and hide this detail behind the FleetAuthz abstraction.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[joshdover]

@mostlyjason @dborodyansky I've updated the issue description to note all of the small UI elements that need to be adjusted when the user does not have access to appropriate actions. Currently I'm proposing that we simply disable each element, but I do wonder if we should do something more to explain why the button is disabled.

For the buttons, I think we can do the same thing that we're doing on the "Add " integration CTA:

However for the dropdown menus, I wonder if a tooltip is even possible or could be confusing. Any suggestions here? For example, we need to prevent the user from clicking "Delete integration" here:

[dborodyansky]

@joshdover Does the privilege limitation apply only to "delete", not "edit". If both, then hiding the [...] menu entirely would be expected.

[joshdover]

@joshdover Does the privilege limitation apply only to "delete", not "edit". If both, then hiding the [...] menu entirely would be expected.

Good point on that one, agreed we should hide the entire list, bad example on my part. How about this one where the "Add Agent" option will be available? Note that when there are already agents enrolled, the other "Add Agent" CTA button is not visible.

[dborodyansky]

How about this one where the "Add Agent" option will be available?

Hiding unavailable actions within the menu seems appropriate in this case. There are some guidelines in the works which recommend hiding controls within tables for which a user may not have privileges.

[dikshachauhan-qasource]

Hi @jen-huang @joshdover

We have performed testing today around this feature and found two below bugs.

• [Fleet] No tool tip is displayed for disabled 'Add integration' button under Policy detail page when user has only Read rights for Integrations. #126139
• Advanced Tab is available to Non-super user having only Read rights for Integrations under Endpoint Security. #126148

Further, we are in progress of test content creation for this ticket at TestRail and will share links for test cases created by tomorrow.

Thanks
QAS

[dikshachauhan-qasource]

Hi @mostlyjason

We have created below 17 test cases for this feature ticket at Testrail:

• https://elastic.testrail.io/index.php?/cases/view/165612
• https://elastic.testrail.io/index.php?/cases/view/165613
• https://elastic.testrail.io/index.php?/cases/view/165619
• https://elastic.testrail.io/index.php?/cases/view/165620
• https://elastic.testrail.io/index.php?/cases/view/165621
• https://elastic.testrail.io/index.php?/cases/view/165622
• https://elastic.testrail.io/index.php?/cases/view/165623
• https://elastic.testrail.io/index.php?/cases/view/165627
• https://elastic.testrail.io/index.php?/cases/view/165632
• https://elastic.testrail.io/index.php?/cases/view/165633
• https://elastic.testrail.io/index.php?/cases/view/165634
• https://elastic.testrail.io/index.php?/cases/view/165635
• https://elastic.testrail.io/index.php?/cases/view/165636
• https://elastic.testrail.io/index.php?/cases/view/165637
• https://elastic.testrail.io/index.php?/cases/view/165638
• https://elastic.testrail.io/index.php?/cases/view/165639
• https://elastic.testrail.io/index.php?/cases/view/165640

Further, I have one query for last UI change:

When end users and kibana_system try to set up fleet server and they don't already have a fleet server set up:
- [x] app/fleet/agents should show this callout:

• How this will work at Cloud for non-super user when Integration server section is excluded while creating deployments.
  Currently it shows "Edit deployment page" to both users: Non-super user & Super user. Is it expected.

Thanks
QAS

[joshdover]

• Currently it shows "Edit deployment page" to both users: Non-super user & Super user. Is it expected.

We should probably hide this as non-superusers may not have access to the Cloud console, but I also know that is changing recently with the addition of more user roles on Cloud. @mostlyjason we could probably use your input here.

[mostlyjason]

I think we should show it to both since we don't know whether the signed in user in kibana has access to the cloud console or not. It doesn't matter if they are a superuser in Kibana since Elastic Cloud has separate privileges. If they sign into Elasticsearch directly using user/pass or SSO, they may not be signed into Elastic Cloud. After the link they can sign in with Elastic Cloud if needed or ask a cloud admin for help.

[dikshachauhan-qasource]

Hi All

We have executed below feature run, on this PR at testrail for created testcases:

• Remove SuperUser Access to Fleet

We will retest the failed testcases on BC4 and add the results once, reported issues are fixed.

Thanks
QAS

[zez3]

This does not seem to work in 8.1 on my deployment.

I get wrong permissions

and
do I really need to give all spaces to my limited users?

[joshdover]

@zez3 Fleet does not currently support Spaces so to make this explicit, we require that when you grant access to Fleet, you do so across all Spaces. This does not mean that you need to give access to all features across all Spaces, only for Fleet.

In the screenshot above, you have not granted access to Fleet, it's still checked as None on the right. You will also need to grant access to Integrations. It should look like this:

[zez3]

@joshdover

@zez3 Fleet does not currently support Spaces so to make this explicit, we require that when you grant access to Fleet, you do so across all Spaces. This does not mean that you need to give access to all features across all Spaces, only for Fleet.

I understand this and would accept this workaround but...

In the screenshot above, you have not granted access to Fleet, it's still checked as None on the right.

the None(ViewOnly) is read only("feature_fleet.read"), I saw(#125836) an open issue for renaming this to Read.

I don't need nor want to allow write (All) permission to my users. I need for them to see that the agent that they just installed is alive and it has a policy assigned.
Ideally only the ones that belong to them. I am currently using the namespaces in index name in roles to enforce that.

here are my current permisions

{
  "MYSPACE" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "logs-mylogs*"
        ],
        "privileges" : [
          "read",
          "read_cross_cluster",
          "view_index_metadata",
          "index"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ],
          "except" : [ ]
        },
        "query" : """ {"match_phrase": {"match_my_phrase"}}""",
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "feature_canvas.all",
          "feature_maps.all",
          "feature_ml.read",
          "feature_graph.all",
          "feature_visualize.all",
          "feature_dashboard.minimal_all",
          "feature_dashboard.url_create",
          "feature_dashboard.store_search_session",
          "feature_discover.minimal_all",
          "feature_discover.url_create",
          "feature_discover.store_search_session",
          "feature_logs.read",
          "feature_infrastructure.read",
          "feature_apm.read",
          "feature_uptime.read",
          "feature_observabilityCases.read",
          "feature_fleet.read",
          "feature_stackAlerts.all",
          "feature_actions.all",
          "feature_siem.read",
          "feature_advancedSettings.read",
          "feature_indexPatterns.read",
          "feature_savedObjectsTagging.read",
          "feature_savedObjectsManagement.all"
        ],
        "resources" : [
          "space:*"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

The Integrations looks good as read-only.

[joshdover]

the None is read only("feature_fleet.read"), I saw(cannot find it now) an open issue for renaming this to Read.

I don't need nor want to allow write (All) permission to my users. I need for them to see that the agent that they just installed is alive and it has a policy assigned.

Got it, thanks for explaining what you're looking for. We do not yet support a read-only mode for Fleet, that is a separate feature that we are prioritizing (we don't have a public tracking issue for this right now).

You are right that the privilege name shows up as feature_fleet.read when you select "Read" for the Integrations privilege. This is less than ideal, but a shortcut we had to take to avoid a breaking change for now. So privileges named as "Integrations" in the UI are actually stored in the role on the API as "fleet" while privileges named as "Fleet" in the UI are stored as "fleetv2". This is working as expected for now and is something we'll clean up in the future.

So to summarize:

• You can grant a user "Read" or "All" access to Integrations in 8.1+ and this will show up in the API as feature_fleet.read or feature_fleet.all but it actually is used for Integrations and not for Fleet
• You can grant a user "All" access to Fleet in 8.1+ and this will show up in the API as feature_fleetv2.all. We do not yet support read-only access to Fleet, but we plan to in a future release.
• In 8.1, users no longer have to have the superuser role in order to access the Fleet app, and instead can access the app if they are granted the "All" privilege for Fleet (feature_fleetv2.all). This is an improvement over prior releases where granting access to the "Fleet & Integrations" privilege was not sufficient to use the Fleet app.