Go to file

John Schulz 9e7e1e1708 [Fleet] Managed Agent Policy (#88688 ) ## Summary Introduces the concept of a managed agent policy. Resolves most of the acceptance criteria from #76843. Remaining to be done in follow up PRs - [x] Define hosted Agent Policy concept in Fleet. - [x] Flag in policy? _yes, added `is_managed: boolean`_ in agent policy SO - [x] Should not built only for cloud, an admin should be able to set theses restrictions. - [x] We should have an API to configure it _Can `POST` and `PUT` to `/api/fleet/agent_policies/{policy_id}`_ - [x] Integration should be editable, we expect integration author to do the right thing and limit what can be edited. - [x] Research if we can ensure the right behavior of Hosted Agent policy and restrict the super user. - [ ] Capabilities restrictions - [ ] An Agent enrolled in an Hosted Agent policy should not be able to be upgraded. - [x] An Agent enrolled in an Hosted Agent policy should not be able to be unenrolled. - [ ] No Agents cannot be enrolled into this policy by the user. - Hide the enrollment key? - Need to figure out the workflow. - [x] An Agent enrolled in an Hosted Agent policy should not be able to be reassigned to a different configuration. - [x] As a user I should be prevented to do theses action. _No user-level checks. Only Agent Policy. No UI changes, but API errors are shown for failed actions like reassigning_ - [x] As an API user I should receive error messages. - [x] If making a single "flag" is easier/faster let's do it. _Currently single `is_managed` property on agent policy SO._ Checks are implemented in service layer (is agent enrolled in a managed policy?) No UI-specific changes added but UI is affected because HTTP requests (like `api/fleet/agents/{agentId}/reassign`) can fail. See screenshots below. Tests at service (`yarn test:jest`) and http (`yarn test ftr`) layers for each of create policy, update policy, unenroll agent, and reassign agent Bulk actions currently filter out restricted items. A follow-up PR will change them to throw an error and cause the request to fail. ## Managed Policy Can create (`POST`) and update (`PUT`) an agent policy with an `is_managed` property. Each new saved object will have an `is_managed` property (default `false`) <details><summary>HTTP commands</summary> #### Create (`is_managed: false` by default) ``` curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true' {"item":{"id":"edc236a0-5cbb-11eb-ab2c-0134aecb4ce8","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-01-22T14:12:58.250Z","updated_by":"elastic"}} ``` #### Create with `is_managed: true` ``` curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true' {"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-02-03T14:45:06.059Z","updated_by":"elastic"}} ``` #### Update with `is_managed: true` ``` curl --user elastic:changeme -X PUT -H 'Content-Type: application/json' -H 'kbn-xsrf: 1234' localhost:5601/api/fleet/agent_policies/67c785b0-662e-11eb-bf6b-4790dc0178c0 -d '{ "name":"User created policy","namespace":"default","is_managed":true }' {"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":true,"revision":2,"updated_at":"2021-02-03T14:47:28.471Z","updated_by":"elastic","package_policies":[]}} ``` </details> ## Enroll behavior is not changed/addressed in this PR. Agents can still be enrolled in managed policies ## Unenroll Agent from managed policy behavior #### Enrolled in managed agent policy, cannot be unenrolled ``` curl --user elastic:changeme -X POST http://localhost:5601/api/fleet/agents/441d4a40-6710-11eb-8f57-db14e8e41cff/unenroll -H 'kbn-xsrf: 1234' \| jq { "statusCode": 400, "error": "Bad Request", "message": "Cannot unenroll 441d4a40-6710-11eb-8f57-db14e8e41cff from a managed agent policy af9b4970-6701-11eb-b55a-899b78cb64da" } ``` <details><summary>Screenshots for managed & unmanaged policies</summary> #### Enrolled in managed agent policy, cannot be unenrolled <img width="1931" alt="Screen Shot 2021-01-19 at 1 22 53 PM" src="https://user-images.githubusercontent.com/57655/105081614-67d05980-5a60-11eb-8faa-07e4e722a5b5.png"> <img width="1199" alt="Screen Shot 2021-01-19 at 1 30 26 PM" src="https://user-images.githubusercontent.com/57655/105081617-67d05980-5a60-11eb-9099-832dc6e04eca.png"> <img width="1971" alt="Screen Shot 2021-01-19 at 1 30 42 PM" src="https://user-images.githubusercontent.com/57655/105081618-67d05980-5a60-11eb-9a84-b80b6295ba19.png"> #### Enrolled agent policy is not managed, agent can be unenrolled<img width="1917" alt="Screen Shot 2021-01-19 at 1 44 12 PM" src="https://user-images.githubusercontent.com/57655/105081951-e3caa180-5a60-11eb-9308-7741b8986e8e.png"> <img width="2183" alt="Screen Shot 2021-01-19 at 1 44 19 PM" src="https://user-images.githubusercontent.com/57655/105081952-e3caa180-5a60-11eb-9833-1c721be0a107.png"> </details> ## Reassign agent #### No agent can be reassigned to a managed policy ``` curl --user elastic:changeme -X 'PUT' 'http://localhost:5601/api/fleet/agents/482760d0-6710-11eb-8f57-db14e8e41cff/reassign' -H 'kbn-xsrf: xxx' -H 'Content-Type: application/json' -d '{"policy_id":"af9b4970-6701-11eb-b55a-899b78cb64da"}' { "statusCode": 400, "error": "Bad Request", "message": "Cannot reassign an agent to managed agent policy 94129590-6707-11eb-b55a-899b78cb64da" } ``` <details><summary>Screenshots</summary> <img width="1350" alt="Screen Shot 2021-02-04 at 2 14 51 PM" src="https://user-images.githubusercontent.com/57655/106943490-8044a300-66f3-11eb-9d2c-4b1ceef2e783.png"> </details> #### Enrolled in managed agent policy, cannot be reassigned ``` curl --user elastic:changeme -X 'PUT' 'http://localhost:5601/api/fleet/agents/482760d0-6710-11eb-8f57-db14e8e41cff/reassign' -H 'kbn-xsrf: xxx' -H 'Content-Type: application/json' -d '{"policy_id":"af9b4970-6701-11eb-b55a-899b78cb64da"}' { "statusCode": 400, "error": "Bad Request", "message": "Cannot reassign an agent from managed agent policy 94129590-6707-11eb-b55a-899b78cb64da" } ``` <details><summary>Screenshots</summary> <img width="1364" alt="Screen Shot 2021-01-19 at 2 58 38 PM" src="https://user-images.githubusercontent.com/57655/105086737-72dab800-5a67-11eb-8f5e-93cd7768b914.png"> <img width="1367" alt="Screen Shot 2021-01-19 at 2 58 44 PM" src="https://user-images.githubusercontent.com/57655/105086740-73734e80-5a67-11eb-8ef9-9c7005a0a4ea.png"> <img width="623" alt="Screen Shot 2021-01-19 at 2 59 27 PM" src="https://user-images.githubusercontent.com/57655/105086741-740be500-5a67-11eb-8fc2-721f8b5d178a.png"> </details> #### Enrolled agent policy is unmanaged, agent can be reassigned to another unmanaged policy <details><summary>Screenshots</summary> <img width="1368" alt="Screen Shot 2021-01-19 at 3 00 01 PM" src="https://user-images.githubusercontent.com/57655/105086754-78d09900-5a67-11eb-86a5-9e3ac02d6e1f.png"> <img width="1363" alt="Screen Shot 2021-01-19 at 3 00 08 PM" src="https://user-images.githubusercontent.com/57655/105086761-7a01c600-5a67-11eb-991d-acf994e2a393.png"> <img width="625" alt="Screen Shot 2021-01-19 at 3 00 46 PM" src="https://user-images.githubusercontent.com/57655/105086764-7a9a5c80-5a67-11eb-8290-e79648d01579.png"> </details> ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios		2021-02-04 15:16:45 -05:00
.ci	[CI] Remove TeamCity code (#90041 )	2021-02-02 16:31:48 -05:00
.github	[CI] Remove TeamCity code (#90041 )	2021-02-02 16:31:48 -05:00
common/graphql
config	Add `server.publicBaseUrl` config (#85075 )	2020-12-08 17:02:39 -07:00
dev_docs	fix bad link (#89222 )	2021-01-25 15:06:09 -08:00
docs	Use doc link service in more Stack Monitoring pages (#89050 )	2021-02-04 11:44:57 -08:00
examples	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
licenses	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
packages	[core.logging] Add response logs to the KP logging system. (#87939 )	2021-02-04 06:05:06 -07:00
plugins	[dev/cli] ensure plugins/ and all watch source dirs exist (#78973 )	2020-09-30 10:20:44 -07:00
rfcs	[Search Sessions] Replace search session constants with kibana.yml configs (#88023 )	2021-01-15 01:14:02 +02:00
scripts	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
src	Use doc link service in more Stack Monitoring pages (#89050 )	2021-02-04 11:44:57 -08:00
tasks/config	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
test	skip flaky suite (#85086 )	2021-02-04 10:15:11 -07:00
typings	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
utilities	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
vars	[ci/docsLink] hide link when 200 says "There aren't any differences!" (#90079 )	2021-02-02 15:21:19 -07:00
x-pack	[Fleet] Managed Agent Policy (#88688 )	2021-02-04 15:16:45 -05:00
.backportrc.json	[backportrc] Adds 7.11 branch and bumps 7.x (#86131 )	2020-12-16 10:10:39 -08:00
.bazelignore	chore(NA): introduce new yarn kbn reset command to support bazel workflow (#89597 )	2021-02-03 22:02:34 +00:00
.bazeliskversion	chore(NA): bazel machinery installation on kbn bootstrap (#89469 )	2021-01-28 00:51:01 +00:00
.bazelrc	chore(NA): introduce new yarn kbn reset command to support bazel workflow (#89597 )	2021-02-03 22:02:34 +00:00
.bazelrc.common	chore(NA): introduce new yarn kbn reset command to support bazel workflow (#89597 )	2021-02-03 22:02:34 +00:00
.bazelversion	chore(NA): bazel machinery installation on kbn bootstrap (#89469 )	2021-01-28 00:51:01 +00:00
.browserslistrc	[browserslist] remove unnecessary browsers (#89186 )	2021-01-25 16:30:18 -07:00
.editorconfig	[editorconfig] disable `insert_final_newline` for package.json	2019-04-18 09:44:17 -07:00
.eslintignore	chore(NA): introduce new yarn kbn reset command to support bazel workflow (#89597 )	2021-02-03 22:02:34 +00:00
.eslintrc.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
.fossa.yml	Adds FOSSA CLI configuration file (#70137 )	2020-07-02 08:37:37 -07:00
.gitattributes	[canvas] Color fixes + Storybook 5 (#34075 )	2019-04-02 11:21:51 -05:00
.gitignore	chore(NA): introduce new yarn kbn reset command to support bazel workflow (#89597 )	2021-02-03 22:02:34 +00:00
.i18nrc.json	Cleanup OSS code from visualizations wizard (#89092 )	2021-01-27 12:45:49 +02:00
.node-version	Bump Node.js from version 14.15.3 to 14.15.4 (#87207 )	2021-01-04 22:14:48 +01:00
.npmrc	chore(NA): assure puppeteer_skip_chromium_download is applied across every yarn install situation (#88346 )	2021-01-14 18:00:23 +00:00
.nvmrc	Bump Node.js from version 14.15.3 to 14.15.4 (#87207 )	2021-01-04 22:14:48 +01:00
.prettierignore	[dev] Replace sass-lint with stylelint (#86177 )	2021-01-15 11:52:29 -06:00
.prettierrc	Increase prettier line width to 100 (#20535 )	2018-07-09 22:50:37 +02:00
.stylelintignore	[dev] Replace sass-lint with stylelint (#86177 )	2021-01-15 11:52:29 -06:00
.stylelintrc	[dev] Replace sass-lint with stylelint (#86177 )	2021-01-15 11:52:29 -06:00
.telemetryrc.json	[Usage collection] Make `schema` mandatory (#79999 )	2020-10-26 12:57:15 +02:00
.yarnrc	chore(NA): enable yarn prefer offline and local mirror for development (#84124 )	2020-11-25 00:18:18 +00:00
api-documenter.json
BUILD.bazel	chore(NA): support bazel and kbn packages in parallel on kbn pm and on distributable build scripts (#89961 )	2021-02-04 04:39:35 +00:00
CONTRIBUTING.md	Improvements to our developer guide (#67764 )	2020-07-13 10:47:01 -04:00
FAQ.md	propose language changes (#10709 )	2017-03-05 12:10:32 -05:00
github_checks_reporter.json
Gruntfile.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
Jenkinsfile	chore(NA): remove usage of unverified es snapshots (#83589 )	2020-11-18 00:18:31 +00:00
jest.config.integration.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
jest.config.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
jest.config.oss.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
kibana.d.ts	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
LICENSE.txt	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
NOTICE.txt	🍾 update notice text for 2021	2021-01-01 01:26:53 -07:00
package.json	[npm] upgrade mocha (#90188 )	2021-02-03 13:08:21 -07:00
preinstall_check.js	Elastic License 2.0 (#90099 )	2021-02-03 18:12:39 -08:00
README.md	Fix "Getting started" link in README (#84153 )	2020-11-23 15:33:02 -05:00
renovate.json5	[renovate] update label config	2020-12-04 12:23:47 -07:00
SECURITY.md	Add security policy to the Kibana repository (#85407 )	2020-12-10 09:26:00 -05:00
STYLEGUIDE.md	chore(NA): tool to find plugins circular dependencies between plugins (#82867 )	2020-11-30 22:19:32 +00:00
tsconfig.base.json	chore(NA): improve ts build refs performance on kbn bootstrap (#89333 )	2021-01-27 00:59:24 +00:00
tsconfig.browser.json	Introduce TS incremental builds & move src/test_utils to TS project (#76082 )	2020-09-03 14:20:04 +02:00
tsconfig.json	migrate more core-owned plugins to tsproject ref (#89975 )	2021-02-02 16:16:25 +01:00
tsconfig.refs.json	migrate more core-owned plugins to tsproject ref (#89975 )	2021-02-02 16:16:25 +01:00
tsconfig.types.json	ui_actions service initial docs (#78902 )	2020-09-30 16:44:29 +02:00
TYPESCRIPT.md	Fixed grammar (#74725 )	2020-08-11 06:40:22 -04:00
WORKSPACE.bazel	chore(NA): bazel machinery installation on kbn bootstrap (#89469 )	2021-01-28 00:51:01 +00:00
yarn.lock	[npm] upgrade mocha (#90188 )	2021-02-03 13:08:21 -07:00

README.md

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started
- Using a Kibana Release
- Building and Running Kibana, and/or Contributing Code
Documentation
Version Compatibility with Elasticsearch
Questions? Problems? Suggestions?

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Download the latest version on the Kibana Download Page.
Learn more about Kibana's features and capabilities on the Kibana Product Page.
We also offer a hosted version of Kibana on our Cloud Service.

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

CONTRIBUTING.md will help you get Kibana up and running.
If you would like to contribute code, please follow our STYLEGUIDE.md.
For all other questions, check out the FAQ.md and wiki.

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

Situation	Example Kibana version	Example ES version	Outcome
Versions are the same.	5.1.2	5.1.2	💚 OK
ES patch number is newer.	5.1.2	5.1.5	⚠️ Logged warning
ES minor number is newer.	5.1.2	5.5.0	⚠️ Logged warning
ES major number is newer.	5.1.2	6.0.0	🚫 Fatal error
ES patch number is older.	5.1.2	5.1.0	⚠️ Logged warning
ES minor number is older.	5.1.2	5.0.0	🚫 Fatal error
ES major number is older.	5.1.2	4.0.0	🚫 Fatal error

Questions? Problems? Suggestions?

If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.