Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ingest Manager] Allow to force unenroll from the UI #72386

Merged
merged 4 commits into from
Jul 21, 2020
Merged

[Ingest Manager] Allow to force unenroll from the UI #72386

merged 4 commits into from
Jul 21, 2020

Conversation

nchaulet
Copy link
Member

@nchaulet nchaulet commented Jul 20, 2020
edited by jen-huang
Loading

Summary

Resolves elastic/beats#20006. Resolves elastic/beats#18825.

When an agent do not confirm the unenrollment, an user can invalidate all the ApiKeys for that user doing a force unenroll, that functionality was not exposed in the UI.

Done in this PR:

  • Expose the force unenroll feature for the agent in the unenrolling state.

UI Change

2020-07-19 20-33-27 2020-07-19 20_39_52

@nchaulet nchaulet requested a review from a team July 20, 2020 00:41
@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label Jul 20, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@nchaulet
Copy link
Member Author

@elasticmachine merge upstream

@nchaulet nchaulet self-assigned this Jul 20, 2020
@nchaulet nchaulet added v7.10.0 v7.9.0 v8.0.0 release_note:skip Skip the PR/issue when compiling release notes labels Jul 20, 2020
@ph ph mentioned this pull request Jul 20, 2020
Closed
@EricDavisX
Copy link
Contributor

This is excellent. I want to be sure I understand the changes, please. @ph
@nchaulet or @mostlyjason can you translate for me (and anyone who doesn't know) the impact of whats happening when the user elects to do the 'force unenroll'?

...Meaning can we use language not specific to Ingest Manager to make sure we're on the same page, please. I get confused still a little bit still about enrolling and api-key usage and how we use the terms.

@dedemorton when we've confirmed, It may be nice to have it in 7.9 docs if we didn't have a line item for it in the main 7.9 docs tracker ticket

@mdelapenya mdelapenya mentioned this pull request Jul 20, 2020
Merged
@nchaulet
Copy link
Member Author

@EricDavisX sure I am trying to explain what the "force unenroll" and the "unenroll" do.

Unenroll

When a user click on unenroll,

  • Fleet send a message to the agent, and we wait the agent to answer to confirm the unenrollment
  • The agent confirm (ack) the unenrollment
  • Fleet invalidate all the API keys related to the agent and change the status to inactive (disappear from the UI)

Force unenroll

When a user click on force unenroll:

  • Fleet invalidate all the API keys related to the agent and change the status to inactive (disappear from the UI). The agent cannot communicate with Fleet and send date to ES anymore.

@mostlyjason
Copy link
Contributor

mostlyjason commented Jul 21, 2020
edited
Loading

@nchaulet can you explain the need to distinguish between these two cases? Is it for Endpoint where we have to uninstall it? Would it eventually end up at same state the next time it checks in and discovers its API keys are invalid? I imagine this will be the case for offline agents as well?

If users would want to do a force unenroll every time, then it simplifies the UX to combine those steps.

@nchaulet
Copy link
Member Author

Normally user will not have to do a force unenroll, it's to correct an error scenario where the agent is not able to confirm the enrollment.

The difference is with the normal unenrollment, the agent can finish to send data, correctly uninstall everything.

For the force unenroll it's more for agent that are not online anymore and an user that want to clean the API keys.

In an ideal scenario user should never had to do a force unenroll.

@EricDavisX
Copy link
Contributor

This is helpful, I think I see where I was confused too. I got worried that unenrolling one agent would invalidate all keys for a given user overall or configuration entirely (not just for that agent). Thank you. And so, to another point - I think the reason we wanted to see the Force Unenroll was because standard unenroll was not working in common cases that worked prior. I think that bug and this feature support are different... @michalpristas are you still tracking the bug in elastic/beats#20006

Either way, I'm looking forward to getting this pr in. Thanks Nicolas!

@mostlyjason
Copy link
Contributor

mostlyjason commented Jul 21, 2020
edited
Loading

The difference is with the normal unenrollment, the agent can finish to send data, correctly uninstall everything.

Being able to finish sending the data makes sense, particularly once we have disk spooling. Is the purpose of the unenrolling state in Fleet clear out the queues?

Can we also confirm that after an Agent is force unenrolled that Endpoint gets uninstalled next time the Agent checks in?

Lastly, it'd be good to have design take a look at this. I'll reopen this issue to incorporate force unenroll into the confirmation modal design #72653

This was referenced Jul 21, 2020
Closed
Closed
@nchaulet nchaulet added the bug Fixes for quality problems that affect the customer experience label Jul 21, 2020
@nchaulet nchaulet requested a review from jen-huang July 21, 2020 18:17
jen-huang
jen-huang approved these changes Jul 21, 2020
View reviewed changes
Copy link
Contributor

@jen-huang jen-huang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small suggestions, otherwise code LGTM.

Thanks @mostlyjason for creating a design issue to improve the user messaging here.

...lugins/ingest_manager/public/applications/ingest_manager/components/context_menu_actions.tsx Outdated Show resolved Hide resolved
...lugins/ingest_manager/public/applications/ingest_manager/components/context_menu_actions.tsx Outdated Show resolved Hide resolved
@nchaulet @jen-huang
Update x-pack/plugins/ingest_manager/public/applications/ingest_manag…
5a47dd3 
…er/components/context_menu_actions.tsx

Co-authored-by: Jen Huang <its.jenetic@gmail.com>
@hbharding hbharding mentioned this pull request Jul 21, 2020
Closed
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

async chunks size

id value diff baseline
ingestManager 1.1MB +1.6KB 1.1MB

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@nchaulet nchaulet merged commit bb7d128 into elastic:master Jul 21, 2020
@nchaulet nchaulet deleted the feature-ui-force-unenroll branch July 21, 2020 21:34
@nchaulet nchaulet mentioned this pull request Jul 21, 2020
Merged
nchaulet added a commit to nchaulet/kibana that referenced this pull request Jul 21, 2020
@nchaulet
[Ingest Manager] Allow to force unenroll from the UI (elastic#72386)
5e06f69
@nchaulet nchaulet mentioned this pull request Jul 21, 2020
Merged
nchaulet added a commit to nchaulet/kibana that referenced this pull request Jul 21, 2020
@nchaulet
[Ingest Manager] Allow to force unenroll from the UI (elastic#72386)
bfaf453
nchaulet added a commit that referenced this pull request Jul 22, 2020
@nchaulet
[Ingest Manager] Allow to force unenroll from the UI (#72386) (#72751)
0e7ad59
nchaulet added a commit that referenced this pull request Jul 22, 2020
@nchaulet
[Ingest Manager] Allow to force unenroll from the UI (#72386) (#72750)
a5d9840
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 22, 2020
@gmmorris
Merge branch 'master' into task-manager/fix-flaky-buffer-test
1b2400c 
* master: (23 commits)
  Stabilize closing toast (elastic#72097)
  stabilize failing test (elastic#72086)
  Stabilize filter bar test (elastic#72032)
  Unskip vislib tests (elastic#71452)
  [ML] Fix layout of anomaly chart tooltip for long field values (elastic#72689)
  fix preAuth/preRouting mocks (elastic#72663)
  [Security Solution] Hide KQL bar (all pages) and alerts filters (Detections) when Resolver is full screen (elastic#72788)
  [Uptime] Rename Whitelist to Allowlist in parse_filter_map (elastic#71584)
  [Security Solution] Fixes exception modal not loading content (elastic#72770)
  [Security Solution][Exceptions] - Require non empty entries and non empty string values in exception list items (elastic#72748)
  [Detections] Add validation for Threshold value field (elastic#72611)
  [SIEM][Detection Engine][Lists] Adds version and immutability data structures (elastic#72730)
  [Security Solution][Detections] Validate file type of value lists (elastic#72746)
  [pre-req] New Component Layout proposal (elastic#72385)
  [ML] do not throw an error when agg is not supported by UI (elastic#72685)
  [Resolver] Origin process (elastic#72382)
  [Ingest Manager] Allow to force unenroll from the UI (elastic#72386)
  skip 6.8 branch when triggering baseline-capture builds (elastic#72706)
  [CI] In-progress PR comments (elastic#72211)
  Fix sorting of scripted string fields (elastic#72681)
  ...
@EricDavisX
Copy link
Contributor

the 'Force unenroll' is in BC3 and seems to work - will need more time to review the nuances of the changes and Jason's questions. anyone available?

@ph
Copy link
Contributor

ph commented Jul 23, 2020

Being able to finish sending the data makes sense, particularly once we have disk spooling. Is the purpose of the unenrolling state in Fleet clear out the queues?

We send a stop command to the process with a timeout, processes are expected to push they events to Elasticsearch and stop.

Can we also confirm that after an Agent is force unenrolled that Endpoint gets uninstalled next time the Agent checks in?

Yes, unenrolling will uninstall endpoint.

Lastly, it'd be good to have design take a look at this. I'll reopen this issue to incorporate force unenroll into the confirmation modal design #72653

@ghost
Copy link

ghost commented Jul 27, 2020
edited by ghost
Loading

Hi @EricDavisX ,

We have validated this ticket on 7.9 BC4 cloud environment with 7.9 agent integrated with security app as well on Windows 10 Host OS.

We have created 11 test cases under Un-enrolled agent section in Testrail and 02 test cases are moved from fleet to "Un-enrolled agent" section.

Moreover, we have executed 12 test cases under Allow to force an Unenroll from UI test run and 01 test case is pending due to query #1:

Please find below our observations and queries.

Observation:

  1. We observed that agent successfully gets un-enrolled after clicking "Un-enroll" option and move to Inactive state. However, it took 1-2 minute for disappearing from agent list.

Screenshot1:
Scenario1

  1. We observed that agent successfully gets un-enrolled on clicking "Force Unenroll" option and agent successfully gets disappear from agent list and move to Inactive state.

Screenshot 2:
ForceUnenrolled

Query:

  1. We observed that when we "force un-enrolled" the agent from Fleet tab and then re-enrolled with default config that is already integrated with endpoint security, then agent successfully enrolled under Fleet tab, but when we navigate to endpoint security>Admin>Host tab, then still page to enable the endpoint security by enrolling the agent appears, is it expected or a bug?

Screenshot:
Endpointsecurityagent

Additionally, we have reported below 02 defects while exploring the "Un-enrolled agent" functionality.

#73236
#73237

Please let us if anything else we need to verify for this ticket.

@EricDavisX
Copy link
Contributor

I've asked @kamalpreetpahwa-qasource to log a separate bug for this last concern. we'll track it separately. thanks for the testing and test case work

@ghost
Copy link

ghost commented Jul 28, 2020
edited by ghost
Loading

@EricDavisX : I have reported Defect #73272 for the same.

Also, marked 01 test case as failed due to the reported issue #73272 under test pan Allow to force an Unenroll from UI

Please let us know if anything else need to verify.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jen-huang jen-huang jen-huang approved these changes

Assignees

@nchaulet nchaulet

Labels
bug Fixes for quality problems that affect the customer experience release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team v7.9.0 v7.10.0 v8.0.0
Projects
None yet
Milestone
No milestone
7 participants
@nchaulet @elasticmachine @EricDavisX @mostlyjason @kibanamachine @ph @jen-huang