[Fleet] Fix add Fleet server scenarios with subfeatures enabled

elastic · Apr 29, 2024 · 105ac55 · 105ac55
1 parent 70fb22d
commit 105ac55
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 21 deletions.
diff --git a/x-pack/plugins/fleet/common/authz.ts b/x-pack/plugins/fleet/common/authz.ts
@@ -98,6 +98,14 @@ export const calculateAuthz = ({
     ? !!(fleet.agents?.all && fleet.agentPolicies?.all && fleet.settings?.all)
     : fleet.all;
 
+  const writeIntegrationPolicies = subfeatureEnabled
+    ? (fleet.agentPolicies?.all && integrations.all) ?? false
+    : ((fleet.all || fleet.agentPolicies?.all) ?? false) && integrations.all;
+  const readIntegrationPolicies = subfeatureEnabled
+    ? (fleet.agentPolicies?.read && (integrations.all || integrations.read)) ?? false
+    : ((fleet.all || fleet.read || fleet.agentPolicies?.read) ?? false) &&
+      (integrations.all || integrations.read);
+
   // TODO remove fallback when the feature flag is removed
   const fleetAuthz: FleetAuthz['fleet'] = subfeatureEnabled
     ? {
@@ -140,14 +148,6 @@ export const calculateAuthz = ({
           (fleet.all || fleet.read || fleet.setup || fleet.agentPolicies?.read) ?? false,
       };
 
-  const writeIntegrationPolicies = subfeatureEnabled
-    ? (fleet.agentPolicies?.all && integrations.all) ?? false
-    : ((fleet.all || fleet.agentPolicies?.all) ?? false) && integrations.all;
-  const readIntegrationPolicies = subfeatureEnabled
-    ? (fleet.agentPolicies?.read && (integrations.all || integrations.read)) ?? false
-    : ((fleet.all || fleet.read || fleet.agentPolicies?.read) ?? false) &&
-      (integrations.all || integrations.read);
-
   return {
     fleet: fleetAuthz,
     integrations: {

diff --git a/...ck/plugins/fleet/public/applications/fleet/components/fleet_server_instructions/index.tsx b/...ck/plugins/fleet/public/applications/fleet/components/fleet_server_instructions/index.tsx
@@ -21,10 +21,10 @@ import {
   EuiButton,
 } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
-
 import styled from 'styled-components';
 
-import { useStartServices, useFlyoutContext } from '../../hooks';
+import { useStartServices, useFlyoutContext, useCheckPermissions } from '../../hooks';
+import { FleetServerMissingESPrivileges } from '../../sections/agents/components';
 
 import { QuickStartTab } from './quick_start_tab';
 import { AdvancedTab } from './advanced_tab';
@@ -121,6 +121,17 @@ const Header: React.FunctionComponent<{
 export const FleetServerFlyout: React.FunctionComponent<Props> = ({ onClose }) => {
   const { tabs, currentTab, setCurrentTab, currentTabContent } = useFleetServerTabs(onClose);
 
+  const { permissionsError, isPermissionsLoading } = useCheckPermissions();
+
+  let errorContent: React.ReactNode | undefined;
+  if (permissionsError === 'MISSING_FLEET_SERVER_SETUP_PRIVILEGES') {
+    errorContent = (
+      <ContentWrapper gutterSize="none" justifyContent="center" direction="column">
+        <FleetServerMissingESPrivileges />
+      </ContentWrapper>
+    );
+  }
+
   return (
     <EuiFlyout data-test-subj="fleetServerFlyout" onClose={onClose} size="m">
       <EuiFlyoutHeader hasBorder aria-labelledby="FleetAddFleetServerFlyoutTitle">
@@ -132,7 +143,9 @@ export const FleetServerFlyout: React.FunctionComponent<Props> = ({ onClose }) =
         />
       </EuiFlyoutHeader>
 
-      <EuiFlyoutBody>{currentTabContent}</EuiFlyoutBody>
+      <EuiFlyoutBody>
+        {isPermissionsLoading ? null : errorContent ? errorContent : currentTabContent}
+      </EuiFlyoutBody>
     </EuiFlyout>
   );
 };

diff --git a/...leet/public/applications/fleet/components/fleet_server_instructions/steps/get_started.tsx b/...leet/public/applications/fleet/components/fleet_server_instructions/steps/get_started.tsx
@@ -27,7 +27,7 @@ import { FormattedMessage } from '@kbn/i18n-react';
 
 import { MultiRowInput } from '../../../sections/settings/components/multi_row_input';
 
-import { useLink } from '../../../hooks';
+import { useAuthz, useLink } from '../../../hooks';
 
 import type { QuickStartCreateForm } from '../hooks';
 import { FleetServerHostSelect } from '../components';
@@ -53,6 +53,10 @@ const GettingStartedStepContent: React.FunctionComponent<QuickStartCreateForm> =
   onClose,
 }) => {
   const { getHref } = useLink();
+  const authz = useAuthz();
+  const canWritePolicies =
+    authz.fleet.allAgentPolicies && authz.integrations.writeIntegrationPolicies;
+  const isDisabled = fleetServerHosts.length === 0 && !canWritePolicies;
 
   if (status === 'success') {
     return (
@@ -143,6 +147,7 @@ const GettingStartedStepContent: React.FunctionComponent<QuickStartCreateForm> =
                   defaultMessage: 'Specify name',
                 })}
                 {...inputs.nameInput.props}
+                disabled={isDisabled}
               />
             </EuiFormRow>
             <EuiFormRow
@@ -158,6 +163,7 @@ const GettingStartedStepContent: React.FunctionComponent<QuickStartCreateForm> =
                 <MultiRowInput
                   data-test-subj="fleetServerSetup.multiRowInput"
                   {...inputs.hostUrlsInput.props}
+                  disabled={isDisabled}
                   placeholder={i18n.translate(
                     'xpack.fleet.fleetServerSetup.fleetServerHostsInputPlaceholder',
                     {
@@ -192,6 +198,7 @@ const GettingStartedStepContent: React.FunctionComponent<QuickStartCreateForm> =
           isLoading={status === 'loading'}
           onClick={submit}
           data-test-subj="generateFleetServerPolicyButton"
+          disabled={isDisabled}
         >
           {fleetServerHosts.length > 0 ? (
             <FormattedMessage

diff --git a/x-pack/plugins/fleet/public/applications/fleet/hooks/use_check_permissions.ts b/x-pack/plugins/fleet/public/applications/fleet/hooks/use_check_permissions.ts
@@ -24,9 +24,9 @@ async function checkPermissions() {
 }
 
 export const useCheckPermissions = () => {
-  const { data: permissionsError, status } = useQuery(
+  const { data: permissionsError, isInitialLoading } = useQuery(
     ['fetch-check-permissions'],
     checkPermissions
   );
-  return { isPermissionsLoading: status === 'loading', permissionsError };
+  return { isPermissionsLoading: isInitialLoading, permissionsError };
 };
diff --git a/...ublic/applications/integrations/sections/epm/screens/detail/policies/package_policies.tsx b/...ublic/applications/integrations/sections/epm/screens/detail/policies/package_policies.tsx
@@ -20,6 +20,8 @@ import {
 import { i18n } from '@kbn/i18n';
 import { FormattedRelative, FormattedMessage } from '@kbn/i18n-react';
 
+import { policyHasFleetServer } from '../../../../../../../../common/services';
+
 import { InstallStatus } from '../../../../../types';
 import type { GetAgentPoliciesResponseItem, InMemoryPackagePolicy } from '../../../../../types';
 import {
@@ -113,6 +115,7 @@ export const PackagePoliciesPage = ({ name, version }: PackagePoliciesPanelProps
 
   const canWriteIntegrationPolicies = useAuthz().integrations.writeIntegrationPolicies;
   const canAddAgents = useAuthz().fleet.addAgents;
+  const canAddFleetServers = useAuthz().fleet.addFleetServers;
 
   const packageAndAgentPolicies = useMemo((): Array<{
     agentPolicy?: GetAgentPoliciesResponseItem;
@@ -264,12 +267,15 @@ export const PackagePoliciesPage = ({ name, version }: PackagePoliciesPanelProps
           if (!agentPolicy) {
             return null;
           }
+          const canAddAgentsForPolicy = policyHasFleetServer(agentPolicy)
+            ? canAddFleetServers
+            : canAddAgents;
           return (
             <PackagePolicyAgentsCell
               agentPolicy={agentPolicy}
               agentCount={agentPolicy.agents}
               onAddAgent={() => setFlyoutOpenForPolicyId(agentPolicy.id)}
-              canAddAgents={canAddAgents}
+              canAddAgents={canAddAgentsForPolicy}
               hasHelpPopover={showAddAgentHelpForPackagePolicyId === packagePolicy.id}
             />
           );
@@ -301,7 +307,13 @@ export const PackagePoliciesPage = ({ name, version }: PackagePoliciesPanelProps
         },
       },
     ],
-    [getHref, canWriteIntegrationPolicies, canAddAgents, showAddAgentHelpForPackagePolicyId]
+    [
+      getHref,
+      canWriteIntegrationPolicies,
+      canAddAgents,
+      canAddFleetServers,
+      showAddAgentHelpForPackagePolicyId,
+    ]
   );
 
   const noItemsMessage = useMemo(() => {

diff --git a/x-pack/plugins/fleet/public/components/package_policy_actions_menu.tsx b/x-pack/plugins/fleet/public/components/package_policy_actions_menu.tsx
@@ -10,8 +10,8 @@ import { EuiContextMenuItem, EuiPortal } from '@elastic/eui';
 import { FormattedMessage } from '@kbn/i18n-react';
 
 import type { AgentPolicy, InMemoryPackagePolicy } from '../types';
-
 import { useAgentPolicyRefresh, useAuthz, useLink } from '../hooks';
+import { policyHasFleetServer } from '../services';
 
 import { AgentEnrollmentFlyout } from './agent_enrollment_flyout';
 import { ContextMenuActions } from './context_menu_actions';
@@ -35,8 +35,12 @@ export const PackagePolicyActionsMenu: React.FunctionComponent<{
 }) => {
   const [isEnrollmentFlyoutOpen, setIsEnrollmentFlyoutOpen] = useState(false);
   const { getHref } = useLink();
-  const canWriteIntegrationPolicies = useAuthz().integrations.writeIntegrationPolicies;
-  const canAddAgents = useAuthz().fleet.addAgents;
+  const authz = useAuthz();
+
+  const canWriteIntegrationPolicies = authz.integrations.writeIntegrationPolicies;
+  const isFleetServerPolicy = agentPolicy && policyHasFleetServer(agentPolicy);
+
+  const canAddAgents = isFleetServerPolicy ? authz.fleet.addFleetServers : authz.fleet.addAgents;
   const refreshAgentPolicy = useAgentPolicyRefresh();
   const [isActionsMenuOpen, setIsActionsMenuOpen] = useState(defaultIsOpen);
 

diff --git a/x-pack/plugins/fleet/server/routes/app/index.ts b/x-pack/plugins/fleet/server/routes/app/index.ts
@@ -47,6 +47,20 @@ export const getCheckPermissionsHandler: FleetRequestHandler<
           error: 'MISSING_PRIVILEGES',
         } as CheckPermissionsResponse,
       });
+    } else if (request.query.fleetServerSetup) {
+      const esClient = (await context.core).elasticsearch.client.asCurrentUser;
+      const { has_all_requested: hasAllPrivileges } = await esClient.security.hasPrivileges({
+        body: { cluster: ['manage_service_account'] },
+      });
+
+      if (!hasAllPrivileges) {
+        return response.ok({
+          body: {
+            success: false,
+            error: 'MISSING_FLEET_SERVER_SETUP_PRIVILEGES',
+          } as CheckPermissionsResponse,
+        });
+      }
     }
 
     return response.ok({ body: { success: true } as CheckPermissionsResponse });
@@ -142,7 +156,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
     .post({
       path: APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN,
       fleetAuthz: {
-        fleet: { all: true },
+        fleet: { allAgents: true },
       },
     })
     .addVersion(
@@ -159,7 +173,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
     .post({
       path: APP_API_ROUTES.GENERATE_SERVICE_TOKEN_PATTERN_DEPRECATED,
       fleetAuthz: {
-        fleet: { all: true },
+        fleet: { allAgents: true },
       },
     })
     .addVersion(