[Fleet] Add updateFleetRoleIfExists()
in order to update fleet_enroll
permissions if role already exists (#88000)
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
parent
58c54b6f85
commit
49d95f6fb1
|
@ -59,6 +59,7 @@ async function createSetupSideEffects(
|
||||||
ensureInstalledDefaultPackages(soClient, callCluster),
|
ensureInstalledDefaultPackages(soClient, callCluster),
|
||||||
outputService.ensureDefaultOutput(soClient),
|
outputService.ensureDefaultOutput(soClient),
|
||||||
agentPolicyService.ensureDefaultAgentPolicy(soClient, esClient),
|
agentPolicyService.ensureDefaultAgentPolicy(soClient, esClient),
|
||||||
|
updateFleetRoleIfExists(callCluster),
|
||||||
settingsService.getSettings(soClient).catch((e: any) => {
|
settingsService.getSettings(soClient).catch((e: any) => {
|
||||||
if (e.isBoom && e.output.statusCode === 404) {
|
if (e.isBoom && e.output.statusCode === 404) {
|
||||||
const defaultSettings = createDefaultSettings();
|
const defaultSettings = createDefaultSettings();
|
||||||
|
@ -126,15 +127,25 @@ async function createSetupSideEffects(
|
||||||
return { isIntialized: true };
|
return { isIntialized: true };
|
||||||
}
|
}
|
||||||
|
|
||||||
export async function setupFleet(
|
async function updateFleetRoleIfExists(callCluster: CallESAsCurrentUser) {
|
||||||
soClient: SavedObjectsClientContract,
|
try {
|
||||||
esClient: ElasticsearchClient,
|
await callCluster('transport.request', {
|
||||||
callCluster: CallESAsCurrentUser,
|
method: 'GET',
|
||||||
options?: { forceRecreate?: boolean }
|
path: `/_security/role/${FLEET_ENROLL_ROLE}`,
|
||||||
) {
|
});
|
||||||
// Create fleet_enroll role
|
} catch (e) {
|
||||||
// This should be done directly in ES at some point
|
if (e.status === 404) {
|
||||||
const res = await callCluster('transport.request', {
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
throw e;
|
||||||
|
}
|
||||||
|
|
||||||
|
return putFleetRole(callCluster);
|
||||||
|
}
|
||||||
|
|
||||||
|
async function putFleetRole(callCluster: CallESAsCurrentUser) {
|
||||||
|
return callCluster('transport.request', {
|
||||||
method: 'PUT',
|
method: 'PUT',
|
||||||
path: `/_security/role/${FLEET_ENROLL_ROLE}`,
|
path: `/_security/role/${FLEET_ENROLL_ROLE}`,
|
||||||
body: {
|
body: {
|
||||||
|
@ -156,6 +167,18 @@ export async function setupFleet(
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
export async function setupFleet(
|
||||||
|
soClient: SavedObjectsClientContract,
|
||||||
|
esClient: ElasticsearchClient,
|
||||||
|
callCluster: CallESAsCurrentUser,
|
||||||
|
options?: { forceRecreate?: boolean }
|
||||||
|
) {
|
||||||
|
// Create fleet_enroll role
|
||||||
|
// This should be done directly in ES at some point
|
||||||
|
const res = await putFleetRole(callCluster);
|
||||||
|
|
||||||
// If the role is already created skip the rest unless you have forceRecreate set to true
|
// If the role is already created skip the rest unless you have forceRecreate set to true
|
||||||
if (options?.forceRecreate !== true && res.role.created === false) {
|
if (options?.forceRecreate !== true && res.role.created === false) {
|
||||||
return;
|
return;
|
||||||
|
|
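--- /dev/null
+++ b/x-pack/test/fleet_api_integration/apis/fleet_setup.ts
@@ -0,0 +1,124 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License;
+* you may not use this file except in compliance with the Elastic License.
+*/
+
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../api_integration/ftr_provider_context';
+import { skipIfNoDockerRegistry } from '../helpers';
+
+export default function (providerContext: FtrProviderContext) {
+const { getService } = providerContext;
+const supertest = getService('supertest');
+const es = getService('es');
+
+describe('fleet_setup', () => {
+skipIfNoDockerRegistry(providerContext);
+beforeEach(async () => {
+try {
+await es.security.deleteUser({
+username: 'fleet_enroll',
+});
+} catch (e) {
+if (e.meta?.statusCode !== 404) {
+throw e;
+}
+}
+try {
+await es.security.deleteRole({
+name: 'fleet_enroll',
+});
+} catch (e) {
+if (e.meta?.statusCode !== 404) {
+throw e;
+}
+}
+});
+
+it('should not create a fleet_enroll role if one does not already exist', async () => {
+const { body: apiResponse } = await supertest
+.post(`/api/fleet/setup`)
+.set('kbn-xsrf', 'xxxx')
+.expect(200);
+
+expect(apiResponse.isInitialized).to.be(true);
+
+try {
+await es.security.getUser({
+username: 'fleet_enroll',
+});
+} catch (e) {
+expect(e.meta?.statusCode).to.eql(404);
+}
+});
+
+it('should update the fleet_enroll role with new index permissions if one does already exist', async () => {
+try {
+await es.security.putRole({
+name: 'fleet_enroll',
+body: {
+cluster: ['monitor', 'manage_api_key'],
+indices: [
+{
+names: [
+'logs-*',
+'metrics-*',
+'traces-*',
+'.ds-logs-*',
+'.ds-metrics-*',
+'.ds-traces-*',
+],
+privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+allow_restricted_indices: false,
+},
+],
+applications: [],
+run_as: [],
+metadata: {},
+transient_metadata: { enabled: true },
+},
+});
+} catch (e) {
+if (e.meta?.statusCode !== 404) {
+throw e;
+}
+}
+
+const { body: apiResponse } = await supertest
+.post(`/api/fleet/setup`)
+.set('kbn-xsrf', 'xxxx')
+.expect(200);
+
+expect(apiResponse.isInitialized).to.be(true);
+
+const { body: roleResponse } = await es.security.getRole({
+name: 'fleet_enroll',
+});
+expect(roleResponse).to.have.key('fleet_enroll');
+expect(roleResponse.fleet_enroll).to.eql({
+cluster: ['monitor', 'manage_api_key'],
+indices: [
+{
+names: [
+'logs-*',
+'metrics-*',
+'traces-*',
+'.ds-logs-*',
+'.ds-metrics-*',
+'.ds-traces-*',
+'.logs-endpoint.diagnostic.collection-*',
+'.ds-.logs-endpoint.diagnostic.collection-*',
+],
+privileges: ['write', 'create_index', 'indices:admin/auto_create'],
+allow_restricted_indices: false,
+},
+],
+applications: [],
+run_as: [],
+metadata: {},
+transient_metadata: { enabled: true },
+});
+});
+});
+}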
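Review bot: The first test, `should not create a fleet_enroll role if one does not already exist`, only asserts inside the `catch` around `es.security.getUser`, so when the user does exist the call resolves, no assertion runs, and the test passes — it cannot detect the regression it is named for. Capture the outcome outside the `try` and assert on it unconditionally, as below. The title also says "role" while the body checks the user; either add an `es.security.getRole` check with the same shape or rename the test to match what it verifies. The `catch` around `es.security.putRole` in the second test that ignores a 404 cannot trigger for a PUT and could be dropped so that a failed fixture setup surfaces instead of being masked.
```typescript
it('should not create a fleet_enroll role if one does not already exist', async () => {
  // … unchanged: POST /api/fleet/setup and the isInitialized assertion …
  let statusCode: number | undefined;
  try {
    await es.security.getUser({ username: 'fleet_enroll' });
  } catch (e) {
    statusCode = e.meta?.statusCode;
  }
  expect(statusCode).to.eql(404);
});
```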
@ -7,6 +7,8 @@
|
||||||
export default function ({ loadTestFile }) {
|
export default function ({ loadTestFile }) {
|
||||||
describe('Fleet Endpoints', function () {
|
describe('Fleet Endpoints', function () {
|
||||||
this.tags('ciGroup10');
|
this.tags('ciGroup10');
|
||||||
|
// Fleet setup
|
||||||
|
loadTestFile(require.resolve('./fleet_setup'));
|
||||||
// Agent setup
|
// Agent setup
|
||||||
loadTestFile(require.resolve('./agents_setup'));
|
loadTestFile(require.resolve('./agents_setup'));
|
||||||
// Agents
|
// Agents
|
||||||
|
|