kibana/x-pack/test/fleet_api_integration
John Schulz 810e4ab8e8
[Fleet] Prevent agents from enrolling in a managed policy (#90458)
## Summary
Add guard to `/agents/enroll` API preventing agents from enrolling in managed policies

closes #90435
- [x] No Agents can be enrolled into this policy by the user.
- [x] The install & enroll commands should print an error to the console if the enroll command fails (due to being a managed policy or any other reason)



#### So how do you associate an agent with a managed policy?
Enroll in an unmanaged policy then set that policy to managed. 

We don't restrict the agent policy, only what other things (agents, integrations) can do if they're associated with a managed policy.

A _force flag_ has been mentioned for some other actions. It might work here as well, but I'd like to handle discussion & implementation of those later.

### Manual testing
<details><summary>Prevent enroll for managed policies</summary>

1. Created a managed agent policy
    ```
    curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created MANAGED", "namespace": "default", "is_managed": true}' -H 'kbn-xsrf: true'
    {"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"User created MANAGED","namespace":"default","is_managed":true,"revision":1,"updated_at":"2021-02-05T16:36:01.931Z","updated_by":"elastic"}}
    ```
2. Try `install` command shown in the UI
    ```
    sudo ./elastic-agent install -f --kibana-url=http://localhost:5601 --enrollment-token=WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
    Password:
    The Elastic Agent is currently in BETA and should not be used in production

    Error: fail to enroll: fail to execute request to Kibana: Status code: 400, Kibana returned an error: Bad Request, message: Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a
    Error: enroll command failed with exit code: 1
    ```
3. Observe `Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a` error
4. Try `enroll` instead:
    ```
    sudo ./elastic-agent enroll http://localhost:5601 WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
    The Elastic Agent is currently in BETA and should not be used in production

    This will replace your current settings. Do you want to continue? [Y/n]:
    Error: fail to enroll: fail to execute request to Kibana: Status code: 400, Kibana returned an error: Bad Request, message: Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a
    ```
5. Observe same `Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a` error

</details>

<details><summary>Enroll in unmanaged policy, then update it to managed</summary>

Agent policies are `is_managed: false` by default, or we can update the policy to `is_managed: false`, like:

```
curl --user elastic:changeme -X PUT localhost:5601/api/fleet/agent_policies/3bd07db0-67d0-11eb-b656-21ad68ebfa8a -H 'Content-Type: application/json' -d'{ "is_managed": false, "name": "xyz", "namespace": "default" }' -H 'kbn-xsrf: true'
{"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"xyz","namespace":"default","is_managed":false,"revision":4,"updated_at":"2021-02-05T17:42:05.610Z","updated_by":"elastic","package_policies":[]}}
```

then enroll

```
 sudo ./elastic-agent install -f --kibana-url=http://localhost:5601 --enrollment-token=WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
The Elastic Agent is currently in BETA and should not be used in production

Successfully enrolled the Elastic Agent.
Installation was successful and Elastic Agent is running.
```

and set the policy back to managed

```
curl --user elastic:changeme -X PUT localhost:5601/api/fleet/agent_policies/3bd07db0-67d0-11eb-b656-21ad68ebfa8a -H 'Content-Type: application/json' -d'{ "is_managed": true, "name": "xyz", "namespace": "default" }' -H 'kbn-xsrf: true'
{"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"xyz","namespace":"default","is_managed":true,"revision":5,"updated_at":"2021-02-05T17:44:18.757Z","updated_by":"elastic","package_policies":[]}}
```

with all the restrictions that entails (cannot unenroll, reassign, etc)

```
curl --user elastic:changeme -X PUT 'http://localhost:5601/api/fleet/agents/8169f0a0-67d9-11eb-80f2-73dd45e7318e/reassign'   -X 'PUT'  -H 'kbn-xsrf: abc'  -H 'Content-Type: application/json'   --data-raw '{"policy_id":"729f8440-67cf-11eb-b656-21ad68ebfa8a"}'   
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Cannot reassign an agent from managed agent policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a"
}
```

</details>

### Checklist
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
2021-02-09 08:54:51 -05:00
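The behaviour described in the commit message above, as an added example that is not part of the commit or of Kibana's code: a small in-memory model in which the guards sit on the agent actions (enroll, reassign) while `is_managed` itself stays writable, replaying the manual test. `FleetModel`, `replayManualTest`, the ids and the "Unknown ..." message are hypothetical; only `is_managed`, `policy_id` and the two "Cannot ..." messages come from the page.

```typescript
// Hypothetical in-memory model of the behaviour described in the commit message.
// Not Kibana code; only is_managed, policy_id and the "Cannot ..." texts are from the page.
interface Policy { id: string; is_managed: boolean }
interface Agent { id: string; policy_id: string }
interface Result { status: number; message: string }
const ok: Result = { status: 200, message: "ok" };
const bad = (message: string): Result => ({ status: 400, message });
class FleetModel {
  policies: Record<string, Policy> = {};
  agents: Record<string, Agent> = {};
  // The policy itself is unrestricted: is_managed can be set either way.
  putPolicy(id: string, is_managed: boolean): Result {
    this.policies[id] = { id, is_managed };
    return ok;
  }

  // Guard on the agent action: no enrolling into a managed policy.
  enroll(agentId: string, policyId: string): Result {
    const policy = this.policies[policyId];
    if (!policy) return bad(`Unknown policy ${policyId}`); // model-only message
    if (policy.is_managed) return bad(`Cannot enroll in managed policy ${policyId}`);
    this.agents[agentId] = { id: agentId, policy_id: policyId };
    return ok;
  }

  // Guard on the agent action; only this source-side check is visible on the page.
  reassign(agentId: string, targetPolicyId: string): Result {
    const agent = this.agents[agentId];
    if (!agent || !this.policies[targetPolicyId]) return bad("Unknown agent or policy");
    const current = this.policies[agent.policy_id];
    if (current.is_managed) return bad(`Cannot reassign an agent from managed agent policy ${current.id}`);
    agent.policy_id = targetPolicyId;
    return ok;
  }
}

// Replays the manual test with constructed ids.
function replayManualTest(): Result[] {
  const fleet = new FleetModel();
  fleet.putPolicy("policy-a", true);
  fleet.putPolicy("policy-b", false);
  return [
    fleet.enroll("agent-1", "policy-a"),   // rejected: policy is managed
    fleet.putPolicy("policy-a", false),    // flip to unmanaged
    fleet.enroll("agent-1", "policy-a"),   // accepted
    fleet.putPolicy("policy-a", true),     // back to managed
    fleet.reassign("agent-1", "policy-b"), // rejected: source policy is managed
  ];
}
```

In this model, as in the manual test, whoever can update the policy decides whether the agent-side restrictions apply.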
apis [Fleet] Prevent agents from enrolling in a managed policy (#90458) 2021-02-09 08:54:51 -05:00
config.ts Updating package registry snapshot distribution version (#89776) 2021-02-04 08:40:18 -05:00
helpers.ts Elastic License 2.0 (#90099) 2021-02-03 18:12:39 -08:00