Skip to content

Fix/deduplication privilege level change#12068

Merged
michalpristas merged 38 commits intoelastic:mainfrom
michalpristas:fix/deduplication-privilege-level-change
Feb 12, 2026
Merged

Fix/deduplication privilege level change#12068
michalpristas merged 38 commits intoelastic:mainfrom
michalpristas:fix/deduplication-privilege-level-change

Conversation

@michalpristas
Copy link
Copy Markdown
Contributor

@michalpristas michalpristas commented Jan 2, 2026

This PR adds some kind of deduplication layer for privilege level change, in case we're already running unelevated it checks desired user and group and if they match current user action is considered duplicate and acked successfully only with warning in logs.

In case of mismatch it fails with error

Fixes: #11993

@michalpristas michalpristas self-assigned this Jan 2, 2026
@michalpristas michalpristas added bug Something isn't working Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Jan 2, 2026
@michalpristas michalpristas requested a review from a team as a code owner January 2, 2026 10:17
@michalpristas michalpristas added skip-changelog backport-9.3 Automated backport to the 9.3 branch labels Jan 2, 2026
@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Jan 2, 2026

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

ycombinator
ycombinator reviewed Jan 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ycombinator ycombinator left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In addition to the unit test added for the new function, targetingSameUser, would it be possible to write a unit test covering the new logic in the handle method? The test could be skipped if utils.HasRoot() returns true so that you only need to test the various cases in the if !isRoot block, i.e. the new logic added in this PR. Essentially, we'd want to check if ackCommitFn, featuring a mocked acker, is called if we're targeting the same user, indicating that deduplication is happening OR if we're not targeting the same user, the expected error is thrown.

@cmacknz
Copy link
Copy Markdown
Member

cmacknz commented Jan 6, 2026
edited
Loading

An integration test that sends the privilege level change action twice in a row would probably be the best thing to test this, considering how coupled it is to how agent is installed I am skeptical we can cover the action implementation purely with unit tests.

There are integration tests for the command line version of this already but I don't see one for the action.

elastic-agent/testing/integration/ess/switch_unprivileged_test.go

Line 28 in adab9b6

func TestSwitchUnprivilegedWithoutBasePath(t *testing.T) {

@michalpristas michalpristas mentioned this pull request Jan 13, 2026
Merged
ycombinator
ycombinator reviewed Jan 22, 2026
View reviewed changes
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 23, 2026

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix/deduplication-privilege-level-change upstream/fix/deduplication-privilege-level-change
git merge upstream/main
git push upstream fix/deduplication-privilege-level-change

@michalpristas
beats
f6127ad
@michalpristas
Merge branch 'main' of github.com:elastic/elastic-agent into fix/dedu…
9bb0fc5 
…plication-privilege-level-change
@michalpristas
Merge branch 'fix/deduplication-privilege-level-change' of github.com…
03b4902 
…:michalpristas/elastic-agent into fix/deduplication-privilege-level-change
@cmacknz
Copy link
Copy Markdown
Member

cmacknz commented Feb 3, 2026

LGTM, @ycombinator can you re-review?

ycombinator
ycombinator reviewed Feb 5, 2026
View reviewed changes
michalpristas and others added 5 commits February 6, 2026 15:23
@michalpristas @ycombinator
Update internal/pkg/agent/application/actions/handlers/handler_action…
cc8d5f3 
…_privilege_level_change.go

Co-authored-by: Shaunak Kashyap <ycombinator@gmail.com>
@michalpristas @ycombinator
Update internal/pkg/agent/application/actions/handlers/handler_action…
4ca8ab9 
…_privilege_level_change.go

Co-authored-by: Shaunak Kashyap <ycombinator@gmail.com>
@michalpristas
Merge branch 'main' of github.com:elastic/elastic-agent into fix/dedu…
6c13ccb 
…plication-privilege-level-change
@michalpristas
naming
fd41011
@michalpristas
Merge branch 'main' into fix/deduplication-privilege-level-change
e4eb0cb
blakerouse
blakerouse reviewed Feb 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@blakerouse blakerouse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this looks good. I don't see any issues in the code. Just one comment inline about the log level used.

Looks like still waiting for a green CI, once its green I will give me +1.

@elasticmachine
Copy link
Copy Markdown
Contributor

elasticmachine commented Feb 10, 2026

💚 Build Succeeded

History

cc @michalpristas

blakerouse
blakerouse approved these changes Feb 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@blakerouse blakerouse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for changing this to info level. Looks good!

@michalpristas michalpristas merged commit 7c07fb5 into elastic:main Feb 12, 2026
22 checks passed
mergify bot pushed a commit that referenced this pull request Feb 12, 2026
@michalpristas @mergify
Fix/deduplication privilege level change (#12068)
954c427 
(cherry picked from commit 7c07fb5)
@mergify mergify bot mentioned this pull request Feb 12, 2026
Merged
@ebeahan
Copy link
Copy Markdown
Member

ebeahan commented Feb 12, 2026

If we're fixing a bug here, I feel like we should include a changelog entry?

michel-laterman pushed a commit that referenced this pull request Feb 13, 2026
@mergify @michalpristas
Fix/deduplication privilege level change (#12068) (#12741)
0f4fb19 
(cherry picked from commit 7c07fb5)

Co-authored-by: Michal Pristas <michal.pristas@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@blakerouse blakerouse blakerouse approved these changes

@ycombinator ycombinator Awaiting requested review from ycombinator

Assignees

@michalpristas michalpristas

Labels

backport-9.3 Automated backport to the 9.3 branch bug Something isn't working skip-changelog Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Agent gets unhealthy and shows error on Last Check-in on triggering multiple single or bulk privilege change API calls

6 participants

@michalpristas @elasticmachine @cmacknz @ebeahan @ycombinator @blakerouse