[Fleet] Enforce superuser role for all fleet APIs#85136
[Fleet] Enforce superuser role for all fleet APIs#85136nchaulet merged 6 commits intoelastic:masterfrom
Conversation
|
Pinging @elastic/ingest-management (Team:Ingest Management) |
…-check-superuser-api
| // since it would run this func on *every* req (other plugins, CSS, etc) | ||
| registerLimitedConcurrencyRoutes(core, config); | ||
| registerAgentRoutes(router, config); | ||
| registerEnrollmentApiKeyRoutes(router); |
There was a problem hiding this comment.
I'm not clear why registerAgentRoutes doesn't also use the new router. Can you add a comment in the code about why it's different from the code around it?
There was a problem hiding this comment.
I will add a comment 👍 in the agent routes we mix API routes to manage agents from Kibana that need to be called as superuser and route for the Elastic agent, we should probably split them in two functions
|
@jfsiii I updated my PR to split the agent routes in two function, api routes and Elastic Agent routes let me know if it makes more sense. |
jfsiii
left a comment
There was a problem hiding this comment.
🚢 I haven't run it locally, but 👍 The code is clear, extends the existing approach, and is applied to all handlers in a file.
💚 Build SucceededMetrics [docs]Distributable file count
History
To update your PR or re-run it, just comment with: |
# Conflicts: # x-pack/plugins/fleet/server/plugin.ts # x-pack/plugins/fleet/server/routes/agent/index.ts # x-pack/plugins/ingest_manager/server/routes/security.ts # x-pack/test/fleet_api_integration/apis/agents/acks.ts # x-pack/test/fleet_api_integration/apis/agents/delete.ts # x-pack/test/fleet_api_integration/apis/agents/list.ts
Summary
Enforce that all the request to the Fleet APIs are using the
superuserrole in addition of the Kibana privilegesWorking on adding some tests