Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fleet] Without service token access and initial policy, can't set up Fleet Server #181757

Closed
jen-huang opened this issue Apr 25, 2024 · 2 comments · Fixed by #182015
Closed

[Fleet] Without service token access and initial policy, can't set up Fleet Server #181757

jen-huang opened this issue Apr 25, 2024 · 2 comments · Fixed by #182015
Assignees
@nchaulet
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@jen-huang
Copy link
Contributor

jen-huang commented Apr 25, 2024
edited

While testing locally, I found an issue:

  • start local kibana without fleet-server
  • create a role fleet agents:all, agent policies:none, settings:all, integrations:all and create a user with this role
  • login with this user
  • click on Add Fleet Server
  • the resulting command misses service token, the service token API call returns with 403 (this happens even if fleet-server-policy exists)
  • also the Fleet server policy was not created. Is it expected that to add a Fleet-server/Agent without a pre-existing agent policy, you can only do it with Agent policies:all role? (@jen-huang: this is expected but we should still account for it)
image image image

Originally posted by @juliaElastic in #181357 (comment)
@botelastic botelastic bot added the needs-team Issues missing a team label label Apr 25, 2024
@jen-huang
Copy link
Contributor Author

the resulting command misses service token, the service token API call returns with 403 (this happens even if fleet-server-policy exists)

Good catch we rely on the user permissions to ES to generate the service token, I think I missed that part in the subfeature permission check here https://github.com/jen-huang/kibana/blob/ad3e60c16829cd14bb265dc927f1deb363814c4a/x-pack/plugins/fleet/server/routes/app/index.ts#L70

Per @nchaulet #181357 (comment)

@jen-huang jen-huang added bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team labels Apr 25, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Apr 25, 2024
@jen-huang jen-huang mentioned this issue Apr 25, 2024
Merged
1 task
@nchaulet nchaulet assigned nchaulet and unassigned nchaulet Apr 26, 2024
@nchaulet nchaulet mentioned this issue Apr 29, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nchaulet nchaulet

Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Fleet] Fix add Fleet server scenarios with subfeatures enabled nchaulet/kibana
3 participants
@nchaulet @jen-huang @elasticmachine