[Fleet] Prevent agents from enrolling in a managed policy #90458
Conversation
Pinging @elastic/fleet (Team:Fleet)
Pinging @elastic/fleet (Feature:Fleet)
Maybe I am missing something, but how are agents going to run a policy if they cannot enroll?
@nchaulet I had the same reaction for a while. That's why I didn't add it at first. What I'm doing now is setting the policy to managed after enrollment. We don't restrict the agent policy, only what other things (agents, integrations) can do if they're associated with a managed policy. I'll update the description to include this, but Agent policies are
Then you can enroll it
and set the policy back to managed
with all the restrictions that entails (cannot unenroll, reassign, etc)
Oh okay, so managed = cannot perform any agent actions except updating the policy.
How hard is it to add a functional test for that?
Should be an issue, I did it for the other actions. I plan to circle back to it before I ship/merge it. I mainly wanted to get confirmation on the behavior.
@elasticmachine merge upstream
🚀 thanks for adding the test
💛 Build succeeded, but was flaky
Test Failures: Kibana Pipeline / general / X-Pack API Integration Tests, `x-pack/test/api_integration/apis/security_solution/uncommon_processes.ts`: "apis SecuritySolution Endpoints uncommon_processes should return a single data set with pagination of 1"
## Summary

Add guard to `/agents/enroll` API preventing agents from enrolling in managed policies

closes elastic#90435

- [x] No Agents can be enrolled into this policy by the user.
- [x] The install & enroll commands should print an error to the console if the enroll command fails (due to being a managed policy or any other reason)

#### So how do you associate an agent with a managed policy?

Enroll in an unmanaged policy then set that policy to managed. We don't restrict the agent policy, only what other things (agents, integrations) can do if they're associated with a managed policy.

A _force flag_ has been mentioned for some other actions. It might work here as well, but I'd like to handle discussion & implementation of those later.

### Manual testing

<details><summary>Prevent enroll for managed policies</summary>

1. Created a managed agent policy
```
curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created MANAGED", "namespace": "default", "is_managed": true}' -H 'kbn-xsrf: true'
{"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"User created MANAGED","namespace":"default","is_managed":true,"revision":1,"updated_at":"2021-02-05T16:36:01.931Z","updated_by":"elastic"}}
```
2. Try `install` command shown in the UI
```
sudo ./elastic-agent install -f --kibana-url=http://localhost:5601 --enrollment-token=WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
Password:
The Elastic Agent is currently in BETA and should not be used in production
Error: fail to enroll: fail to execute request to Kibana: Status code: 400, Kibana returned an error: Bad Request, message: Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a
Error: enroll command failed with exit code: 1
```
3. Observe `Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a` error
4. Try `enroll` instead:
```
sudo ./elastic-agent enroll http://localhost:5601 WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
The Elastic Agent is currently in BETA and should not be used in production
This will replace your current settings. Do you want to continue? [Y/n]:
Error: fail to enroll: fail to execute request to Kibana: Status code: 400, Kibana returned an error: Bad Request, message: Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a
```
5. Observe same `Cannot enroll in managed policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a` error

</details>

<details><summary>Enroll in unmanaged policy, then update it to managed</summary>

Agent policies are `is_managed: false` by default, or we can update the policy to `is_managed: false`, like:
```
curl --user elastic:changeme -X PUT localhost:5601/api/fleet/agent_policies/3bd07db0-67d0-11eb-b656-21ad68ebfa8a -H 'Content-Type: application/json' -d'{ "is_managed": false, "name": "xyz", "namespace": "default" }' -H 'kbn-xsrf: true'
{"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"xyz","namespace":"default","is_managed":false,"revision":4,"updated_at":"2021-02-05T17:42:05.610Z","updated_by":"elastic","package_policies":[]}}
```
then enroll
```
sudo ./elastic-agent install -f --kibana-url=http://localhost:5601 --enrollment-token=WmcwTWMzY0IzWlBUUWJJUjZqRDA6UGRZelVlaS1STml1cVdjSUVwSkJRQQ== --insecure
The Elastic Agent is currently in BETA and should not be used in production
Successfully enrolled the Elastic Agent.
Installation was successful and Elastic Agent is running.
```
and set the policy back to managed
```
curl --user elastic:changeme -X PUT localhost:5601/api/fleet/agent_policies/3bd07db0-67d0-11eb-b656-21ad68ebfa8a -H 'Content-Type: application/json' -d'{ "is_managed": true, "name": "xyz", "namespace": "default" }' -H 'kbn-xsrf: true'
{"item":{"id":"3bd07db0-67d0-11eb-b656-21ad68ebfa8a","name":"xyz","namespace":"default","is_managed":true,"revision":5,"updated_at":"2021-02-05T17:44:18.757Z","updated_by":"elastic","package_policies":[]}}
```
with all the restrictions that entails (cannot unenroll, reassign, etc)
```
curl --user elastic:changeme -X PUT 'http://localhost:5601/api/fleet/agents/8169f0a0-67d9-11eb-80f2-73dd45e7318e/reassign' -X 'PUT' -H 'kbn-xsrf: abc' -H 'Content-Type: application/json' --data-raw '{"policy_id":"729f8440-67cf-11eb-b656-21ad68ebfa8a"}'
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Cannot reassign an agent from managed agent policy 3bd07db0-67d0-11eb-b656-21ad68ebfa8a"
}
```

</details>

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
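The guard this PR describes, modelled as an added example rather than Kibana's own Fleet code: an in-memory `FleetStore` (a hypothetical name) rejects enrollment into a managed policy with the 400 message shown above, keeps the existing managed-policy restriction on reassign, and lets the described enroll-then-set-managed workflow be run end to end.

```typescript
// Added illustration, not Kibana's Fleet implementation. Policy and agent
// records mirror the fields in the curl responses above; ids are generated.
interface AgentPolicy { id: string; name: string; is_managed: boolean; revision: number; }
interface Agent { id: string; policy_id: string; }

// Carries the HTTP status Kibana would return for the failed API call.
class FleetError extends Error {
  constructor(public statusCode: number, message: string) { super(message); }
}

class FleetStore {
  policies = new Map<string, AgentPolicy>();
  agents = new Map<string, Agent>();
  private seq = 0;

  // POST /api/fleet/agent_policies: is_managed defaults to false.
  createPolicy(name: string, is_managed = false): AgentPolicy {
    const p = { id: `policy-${++this.seq}`, name, is_managed, revision: 1 };
    this.policies.set(p.id, p);
    return p;
  }

  // PUT /api/fleet/agent_policies/{id}: the policy itself is never restricted,
  // so flipping is_managed in either direction is always allowed.
  updatePolicy(id: string, patch: Partial<Pick<AgentPolicy, 'name' | 'is_managed'>>): AgentPolicy {
    const p = this.getPolicy(id);
    Object.assign(p, patch, { revision: p.revision + 1 });
    return p;
  }

  // Guard added by this PR on /agents/enroll: managed policy => 400.
  enroll(policyId: string): Agent {
    const p = this.getPolicy(policyId);
    if (p.is_managed) throw new FleetError(400, `Cannot enroll in managed policy ${p.id}`);
    const a = { id: `agent-${++this.seq}`, policy_id: p.id };
    this.agents.set(a.id, a);
    return a;
  }

  // Existing restriction the description refers to: an agent currently on a
  // managed policy cannot be reassigned away from it.
  reassign(agentId: string, newPolicyId: string): Agent {
    const a = this.agents.get(agentId);
    if (!a) throw new FleetError(404, `Agent ${agentId} not found`);
    const from = this.getPolicy(a.policy_id);
    if (from.is_managed) throw new FleetError(400, `Cannot reassign an agent from managed agent policy ${from.id}`);
    this.getPolicy(newPolicyId); // target must exist
    a.policy_id = newPolicyId;
    return a;
  }

  private getPolicy(id: string): AgentPolicy {
    const p = this.policies.get(id);
    if (!p) throw new FleetError(404, `Agent policy ${id} not found`);
    return p;
  }
}
```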