[Fleet] Add base Fleet authz logic and API #119199
Changes from 1 commit
3f6939b
a5bbfbd
08f8713
ed486ec
f638899
0202106
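--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,64 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+
+export interface FleetAuthz {
+fleet: {
+all: boolean;
+setup: boolean;
+readEnrollmentTokens: boolean;
+};
+
+integrations: {
+readPackageInfo: boolean;
+readInstalledPackages: boolean;
+installPackages: boolean;
+upgradePackages: boolean;
+removePackages: boolean;
+
+readPackageSettings: boolean;
+writePackageSettings: boolean;
+
+readIntegrationPolicies: boolean;
+writeIntegrationPolicies: boolean;
+};
+}
+
+interface CalculateParams {
+fleet: {
+all: boolean;
+setup: boolean;
+};
+
+integrations: {
+all: boolean;
+read: boolean;
+};
+}
+
+export const calculateAuthz = ({ fleet, integrations }: CalculateParams): FleetAuthz => ({
+fleet: {
+all: fleet.all && (integrations.all || integrations.read),
+
+// These are currently used by Fleet Server setup
+setup: fleet.all || fleet.setup,
+readEnrollmentTokens: fleet.all || fleet.setup,
+},
+
+integrations: {
+readPackageInfo: fleet.all || fleet.setup || integrations.all || integrations.read,
+readInstalledPackages: integrations.all || integrations.read,
+installPackages: fleet.all && integrations.all,
+upgradePackages: fleet.all && integrations.all,
+removePackages: fleet.all && integrations.all,
+
+readPackageSettings: fleet.all && integrations.all,
+writePackageSettings: fleet.all && integrations.all,
+
+readIntegrationPolicies: fleet.all && integrations.all,
+writeIntegrationPolicies: fleet.all && integrations.all,
+},
+});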
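Review bot: `calculateAuthz` and the exported `FleetAuthz` interface have no TSDoc, yet this file is the privilege matrix that the PR description says both client and server will share for enforcing access, so the reasoning behind each derived flag should be recorded next to it. In particular `fleet.all` is only granted when `fleet.all && (integrations.all || integrations.read)`, and `readPackageSettings` / `readIntegrationPolicies` are gated on `integrations.all` while `readInstalledPackages` also accepts `integrations.read`; if that asymmetry is intentional, a comment such as `// read-only integration users may list installed packages but not inspect policies or settings` makes it auditable, and if not, the two `read*` flags should accept `integrations.read`. A short TSDoc on `calculateAuthz` stating that it derives Fleet's fine-grained capabilities from the coarse `fleet` / `integrations` privileges, and that the browser-side result is advisory and must be re-derived on the server before any enforcement, would complete the contract.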
@@ -38,8 +38,14 @@ import { Storage } from '../../../../src/plugins/kibana_utils/public'; | |
import type { LicensingPluginSetup } from '../../licensing/public'; | ||
import type { CloudSetup } from '../../cloud/public'; | ||
import type { GlobalSearchPluginSetup } from '../../global_search/public'; | ||
import { PLUGIN_ID, INTEGRATIONS_PLUGIN_ID, setupRouteService, appRoutesService } from '../common'; | ||
import type { CheckPermissionsResponse, PostFleetSetupResponse } from '../common'; | ||
import { | ||
PLUGIN_ID, | ||
INTEGRATIONS_PLUGIN_ID, | ||
setupRouteService, | ||
appRoutesService, | ||
calculateAuthz, | ||
} from '../common'; | ||
import type { CheckPermissionsResponse, PostFleetSetupResponse, FleetAuthz } from '../common'; | ||
|
||
import type { FleetConfigType } from '../common/types'; | ||
|
||
|
@@ -65,6 +71,8 @@ export interface FleetSetup {} | |
* Describes public Fleet plugin contract returned at the `start` stage. | ||
*/ | ||
export interface FleetStart { | ||
/** Authorization for the current user */ | ||
authz: FleetAuthz; | ||
registerExtension: UIExtensionRegistrationCallback; | ||
isInitialized: () => Promise<true>; | ||
} | ||
|
@@ -90,6 +98,7 @@ export interface FleetStartServices extends CoreStart, FleetStartDeps { | |
storage: Storage; | ||
share: SharePluginStart; | ||
cloud?: CloudSetup; | ||
authz: FleetAuthz; | ||
} | ||
|
||
export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDeps, FleetStartDeps> { | ||
|
@@ -103,7 +112,7 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep | |
this.kibanaVersion = initializerContext.env.packageInfo.version; | ||
} | ||
|
||
public setup(core: CoreSetup, deps: FleetSetupDeps) { | ||
public setup(core: CoreSetup<FleetStartDeps, FleetStart>, deps: FleetSetupDeps) { | ||
const config = this.config; | ||
const kibanaVersion = this.kibanaVersion; | ||
const extensions = this.extensions; | ||
|
@@ -129,16 +138,13 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep | |
order: 9019, | ||
euiIconType: 'logoElastic', | ||
mount: async (params: AppMountParameters) => { | ||
const [coreStartServices, startDepsServices] = (await core.getStartServices()) as [ | ||
CoreStart, | ||
FleetStartDeps, | ||
FleetStart | ||
]; | ||
const [coreStartServices, startDepsServices, fleetStart] = await core.getStartServices(); | ||
const startServices: FleetStartServices = { | ||
...coreStartServices, | ||
...startDepsServices, | ||
storage: this.storage, | ||
cloud: deps.cloud, | ||
authz: fleetStart.authz, | ||
}; | ||
const { renderApp, teardownIntegrations } = await import('./applications/integrations'); | ||
|
||
|
@@ -169,16 +175,13 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep | |
euiIconType: 'logoElastic', | ||
appRoute: '/app/fleet', | ||
mount: async (params: AppMountParameters) => { | ||
const [coreStartServices, startDepsServices] = (await core.getStartServices()) as [ | ||
CoreStart, | ||
FleetStartDeps, | ||
FleetStart | ||
]; | ||
const [coreStartServices, startDepsServices, fleetStart] = await core.getStartServices(); | ||
const startServices: FleetStartServices = { | ||
...coreStartServices, | ||
...startDepsServices, | ||
storage: this.storage, | ||
cloud: deps.cloud, | ||
authz: fleetStart.authz, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This value is available via the |
||
}; | ||
const { renderApp, teardownFleet } = await import('./applications/fleet'); | ||
const unmount = renderApp(startServices, params, config, kibanaVersion, extensions); | ||
|
@@ -243,7 +246,23 @@ export class FleetPlugin implements Plugin<FleetSetup, FleetStart, FleetSetupDep | |
Component: LazyCustomLogsAssetsExtension, | ||
}); | ||
|
||
const { capabilities } = core.application; | ||
const authz = calculateAuthz({ | ||
fleet: { | ||
// Once we have a split privilege, this should be using fleetv2 | ||
// all: capabilities.fleetv2.all as boolean, | ||
all: capabilities.fleet.all as boolean, | ||
setup: false, // browser users will never have setup privileges | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I am kind of confused by this as we currently call the setup from Fleet UI, should we set it to true and change that when we remove that call? |
||
}, | ||
|
||
integrations: { | ||
all: capabilities.fleet.all as boolean, | ||
read: capabilities.fleet.read as boolean, | ||
}, | ||
}); | ||
|
||
return { | ||
authz, | ||
isInitialized: () => { | ||
if (!successPromise) { | ||
successPromise = Promise.resolve().then(async () => { | ||
|
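Review bot: The `capabilities.fleet.all as boolean` and `capabilities.fleet.read as boolean` assertions passed into the added `calculateAuthz` call are unchecked: `as` performs no runtime validation, so if a capabilities entry is ever a nested object rather than a boolean, the truthy object flows into every `&&` / `||` in `calculateAuthz` and reads as a grant, and if `capabilities.fleet` is absent the property access throws while the plugin starts. Prefer a strict comparison that yields a real `boolean` and fails closed, e.g. `all: capabilities.fleet?.all === true,` and `read: capabilities.fleet?.read === true,`, applied to the `integrations.all` line as well. The enclosing method starts before this hunk and continues after it.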
This function allows us to have common logic shared across client and server for enforcing access to specific features.