Fleet: allow Universal Profiling symbolizer permissions on indices (#…

…155642)

## Summary

For the introduction of the Universal Profiling symbolizer in Cloud,
Fleet needs an update.
The reason for Universal Profiling symbolizer to be different from other
packages running via Fleet is that:

1. it ingests data into indicesm not only data-streams
2. it uses a non-conventional naming scheme for indices

x-pack/plugins/fleet/common/constants/epm.ts

@@ -16,6 +16,7 @@ export const FLEET_ENDPOINT_PACKAGE = 'endpoint';
 export const FLEET_APM_PACKAGE = 'apm';
 export const FLEET_SYNTHETICS_PACKAGE = 'synthetics';
 export const FLEET_KUBERNETES_PACKAGE = 'kubernetes';
+export const FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE = 'profiler_symbolizer';
 export const FLEET_CLOUD_SECURITY_POSTURE_PACKAGE = 'cloud_security_posture';
 export const FLEET_CLOUD_SECURITY_POSTURE_KSPM_POLICY_TEMPLATE = 'kspm';
 

x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.test.ts

@@ -13,6 +13,7 @@ import type { DataStreamMeta } from './package_policies_to_agent_permissions';
 import {
   getDataStreamPrivileges,
   storedPackagePoliciesToAgentPermissions,
+  UNIVERSAL_PROFILING_PERMISSIONS,
 } from './package_policies_to_agent_permissions';
 
 const packageInfoCache = new Map();
@@ -137,6 +138,56 @@ packageInfoCache.set('osquery_manager-0.3.0', {
     },
   },
 });
+packageInfoCache.set('profiler_symbolizer-8.8.0-preview', {
+  format_version: '2.7.0',
+  name: 'profiler_symbolizer',
+  title: 'Universal Profiling Symbolizer',
+  version: '8.8.0-preview',
+  license: 'basic',
+  description:
+    ' Fleet-wide, whole-system, continuous profiling with zero instrumentation. Symbolize native frames.',
+  type: 'integration',
+  release: 'beta',
+  categories: ['monitoring', 'elastic_stack'],
+  icons: [
+    {
+      src: '/img/logo_profiling_symbolizer.svg',
+      title: 'logo symbolizer',
+      size: '32x32',
+      type: 'image/svg+xml',
+    },
+  ],
+  owner: { github: 'elastic/profiling' },
+  data_streams: [],
+  latestVersion: '8.8.0-preview',
+  notice: undefined,
+  status: 'not_installed',
+  assets: {
+    kibana: {
+      csp_rule_template: [],
+      dashboard: [],
+      visualization: [],
+      search: [],
+      index_pattern: [],
+      map: [],
+      lens: [],
+      security_rule: [],
+      ml_module: [],
+      tag: [],
+      osquery_pack_asset: [],
+      osquery_saved_query: [],
+    },
+    elasticsearch: {
+      component_template: [],
+      ingest_pipeline: [],
+      ilm_policy: [],
+      transform: [],
+      index_template: [],
+      data_stream_ilm_policy: [],
+      ml_model: [],
+    },
+  },
+});
 
 describe('storedPackagePoliciesToAgentPermissions()', () => {
   it('Returns `undefined` if there are no package policies', async () => {
@@ -363,6 +414,47 @@ describe('storedPackagePoliciesToAgentPermissions()', () => {
       },
     });
   });
+
+  it('Returns the Universal Profiling permissions for profiler_symbolizer package', async () => {
+    const packagePolicies: PackagePolicy[] = [
+      {
+        id: 'package-policy-uuid-test-123',
+        name: 'test-policy',
+        namespace: '',
+        enabled: true,
+        package: { name: 'profiler_symbolizer', version: '8.8.0-preview', title: 'Test Package' },
+        inputs: [
+          {
+            type: 'pf-elastic-symbolizer',
+            enabled: true,
+            streams: [],
+          },
+        ],
+        created_at: '',
+        updated_at: '',
+        created_by: '',
+        updated_by: '',
+        revision: 1,
+        policy_id: '',
+      },
+    ];
+
+    const permissions = await storedPackagePoliciesToAgentPermissions(
+      packageInfoCache,
+      packagePolicies
+    );
+
+    expect(permissions).toMatchObject({
+      'package-policy-uuid-test-123': {
+        indices: [
+          {
+            names: ['profiling-*'],
+            privileges: UNIVERSAL_PROFILING_PERMISSIONS,
+          },
+        ],
+      },
+    });
+  });
 });
 
 describe('getDataStreamPrivileges()', () => {

x-pack/plugins/fleet/server/services/agent_policies/package_policies_to_agent_permissions.ts

@@ -5,6 +5,8 @@
  * 2.0.
  */
 
+import { FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE } from '../../../common/constants';
+
 import { getNormalizedDataStreams } from '../../../common/services';
 
 import type {
@@ -19,6 +21,16 @@ import { pkgToPkgKey } from '../epm/registry';
 
 export const DEFAULT_CLUSTER_PERMISSIONS = ['monitor'];
 
+export const UNIVERSAL_PROFILING_PERMISSIONS = [
+  'auto_configure',
+  'read',
+  'create_doc',
+  'create',
+  'write',
+  'index',
+  'view_index_metadata',
+];
+
 export async function storedPackagePoliciesToAgentPermissions(
   packageInfoCache: Map<string, PackageInfo>,
   packagePolicies?: PackagePolicy[]
@@ -42,6 +54,12 @@ export async function storedPackagePoliciesToAgentPermissions(
 
       const pkg = packageInfoCache.get(pkgToPkgKey(packagePolicy.package))!;
 
+      // Special handling for Universal Profiling packages, as it does not use data streams _only_,
+      // but also indices that do not adhere to the convention.
+      if (pkg.name === FLEET_UNIVERSAL_PROFILING_SYMBOLIZER_PACKAGE) {
+        return Promise.resolve(universalProfilingPermissions(packagePolicy.id));
+      }
+
       const dataStreams = getNormalizedDataStreams(pkg);
       if (!dataStreams || dataStreams.length === 0) {
         return [packagePolicy.name, undefined];
@@ -175,3 +193,18 @@ export function getDataStreamPrivileges(dataStream: DataStreamMeta, namespace: s
     privileges,
   };
 }
+
+async function universalProfilingPermissions(packagePolicyId: string): Promise<[string, any]> {
+  const profilingIndexPattern = 'profiling-*';
+  return [
+    packagePolicyId,
+    {
+      indices: [
+        {
+          names: [profilingIndexPattern],
+          privileges: UNIVERSAL_PROFILING_PERMISSIONS,
+        },
+      ],
+    },
+  ];
+}