[Fleet] Managed Agent Policy

[jfsiii]

Summary

Introduces the concept of a managed agent policy. Resolves most of the acceptance criteria from #76843. Remaining to be done in follow up PRs

• Define hosted Agent Policy concept in Fleet.
  • Flag in policy? yes, added is_managed: boolean in agent policy SO
  • Should not built only for cloud, an admin should be able to set theses restrictions.
  • We should have an API to configure it Can POST and PUT to /api/fleet/agent_policies/{policy_id}
  • Integration should be editable, we expect integration author to do the right thing and limit what can be edited.
• Research if we can ensure the right behavior of Hosted Agent policy and restrict the super user.
• Capabilities restrictions
  • An Agent enrolled in an Hosted Agent policy should not be able to be upgraded.
  • An Agent enrolled in an Hosted Agent policy should not be able to be unenrolled.
  • No Agents cannot be enrolled into this policy by the user.
    • Hide the enrollment key?
    • Need to figure out the workflow.
  • An Agent enrolled in an Hosted Agent policy should not be able to be reassigned to a different configuration.
• As a user I should be prevented to do theses action. No user-level checks. Only Agent Policy. No UI changes, but API errors are shown for failed actions like reassigning
• As an API user I should receive error messages.
• If making a single "flag" is easier/faster let's do it. Currently single is_managed property on agent policy SO.

Checks are implemented in service layer (is agent enrolled in a managed policy?)

No UI-specific changes added but UI is affected because HTTP requests (like api/fleet/agents/{agentId}/reassign) can fail. See screenshots below.

Tests at service (yarn test:jest) and http (yarn test ftr) layers for each of create policy, update policy, unenroll agent, and reassign agent

Bulk actions currently filter out restricted items. A follow-up PR will change them to throw an error and cause the request to fail.

Managed Policy

Can create (POST) and update (PUT) an agent policy with an is_managed property. Each new saved object will have an is_managed property (default false)

HTTP commands

Create (is_managed: false by default)

 curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true'
{"item":{"id":"edc236a0-5cbb-11eb-ab2c-0134aecb4ce8","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-01-22T14:12:58.250Z","updated_by":"elastic"}}

Create with is_managed: true

 curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true'
{"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-02-03T14:45:06.059Z","updated_by":"elastic"}}

Update with is_managed: true

 curl --user elastic:changeme -X PUT  -H 'Content-Type: application/json' -H 'kbn-xsrf: 1234' localhost:5601/api/fleet/agent_policies/67c785b0-662e-11eb-bf6b-4790dc0178c0 -d '{ "name":"User created policy","namespace":"default","is_managed":true }'
{"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":true,"revision":2,"updated_at":"2021-02-03T14:47:28.471Z","updated_by":"elastic","package_policies":[]}}

Enroll behavior

is not changed/addressed in this PR. Agents can still be enrolled in managed policies

Unenroll Agent from managed policy behavior

Enrolled in managed agent policy, cannot be unenrolled

curl --user elastic:changeme -X POST http://localhost:5601/api/fleet/agents/441d4a40-6710-11eb-8f57-db14e8e41cff/unenroll -H 'kbn-xsrf: 1234' | jq
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Cannot unenroll 441d4a40-6710-11eb-8f57-db14e8e41cff from a managed agent policy af9b4970-6701-11eb-b55a-899b78cb64da"
}

Screenshots for managed & unmanaged policies

Enrolled in managed agent policy, cannot be unenrolled

Enrolled agent policy is not managed, agent can be unenrolled

Reassign agent

No agent can be reassigned to a managed policy

 curl --user elastic:changeme -X 'PUT'  'http://localhost:5601/api/fleet/agents/482760d0-6710-11eb-8f57-db14e8e41cff/reassign' -H 'kbn-xsrf: xxx' -H 'Content-Type: application/json' -d '{"policy_id":"af9b4970-6701-11eb-b55a-899b78cb64da"}' 
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Cannot reassign an agent to managed agent policy 94129590-6707-11eb-b55a-899b78cb64da"
}

Screenshots

Enrolled in managed agent policy, cannot be reassigned

 curl --user elastic:changeme -X 'PUT'  'http://localhost:5601/api/fleet/agents/482760d0-6710-11eb-8f57-db14e8e41cff/reassign' -H 'kbn-xsrf: xxx' -H 'Content-Type: application/json' -d '{"policy_id":"af9b4970-6701-11eb-b55a-899b78cb64da"}' 
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Cannot reassign an agent from managed agent policy 94129590-6707-11eb-b55a-899b78cb64da"
}

Screenshots

Enrolled agent policy is unmanaged, agent can be reassigned to another unmanaged policy

Screenshots

Checklist

Delete any items that are not applicable to this PR.

• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios

[jfsiii]

@elasticmachine merge upstream

[jfsiii]

@elasticmachine merge upstream

[kibanamachine]

merge conflict between base and head

[jfsiii]

@elasticmachine merge upstream

[jfsiii]

@elasticmachine merge upstream

[nchaulet]

Do we need the isV12 here? the migration will only run when it's migrated one time right?

[jfsiii]

Right. It's left over from when I was debug logging; it also felt like a long if. I guess it also be hasManagedAttr or not a problem to inline it.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[nchaulet]

Curious to have your thought on how this will scale, I am wondering if should do this in multiple phase:

• collect the policy ids we need
• create a map of <policy_id,is_managed>
• than filtering the agents

if we have 1000 agents selected here otherwise it's 1000 concurrent request to ES

[jfsiii]

Thanks for 👀 . 🎯 about the many requests. I think I'll change it to do a bulkGet for the agent policies and use that for the map like you said.

I've put off changing the *isAllowed function to accept either a string or object, but this is a good reason to change that.

[jfsiii]

@nchaulet I'd like to do this in a follow up PR if that's ok. I'd like to get the existing features merged in so others can use them. I'll come back to this as part of the changes to bulk operations (having them error instead of filter out invalid values)

[nchaulet]

Sure, maybe add a TODO in the code so we know about that limitation?

[jfsiii]

@nchaulet sorry, I missed this yesterday but I did add this to #90437

[jfsiii]

@elasticmachine merge upstream

[ruflin]

During testing this I check the box to "immediately" unenroll the Agent and it seems this removes the Elastic Agent but that should also be blocked.

[jfsiii]

During testing this I check the box to "immediately" unenroll the Agent and it seems this removes the Elastic Agent but that should also be blocked.

@ruflin Do you mean the Force unenroll agent here?

That fails/rejects if the box is unchecked

As you said, it unenrolls if checked

Which is because unenroll is called with force: true.

We can add the same "is managed policy" prevention here, but that means we'll need a new/different param to signal "let me do it" or "ignore the managed policy check"

cc @mostlyjason

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 13994c7

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	365.9KB	365.9KB	+17.0B

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/development-plugin-saved-objects.html#_mappings

id	before	after	diff
ingest-agent-policies	11	12	+1

History

• 💔 Build #103828 failed b6b8ce0
• 💚 Build #103235 succeeded a15a0d0
• 💔 Build #103176 failed 86d6958
• 💚 Build #102572 succeeded 4a0d342
• 💚 Build #102408 succeeded bd6b286

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[kevinlog]

LGTM 👍 , CI should fail if anything's wrong

[dikshachauhan-qasource]

Hi @EricDavisX ,

We have performed some exploratory around managed hosts and policies on 7.13 and 8.0 snapshot Builds. Here, code for it is marked as merged. However, on verifying the changes, it seems code is still not available.

Observations on managed policy is as follows for now:

• Able to change policy namespace.
• Able to assign a new policy
• able to add new integration
• able to remove integration
• able to unenroll agent.
• able to upgrade agent.

Screenshot:

So could you please confirm us, when the code will be available for feature so that we can test it and proceed with testcase creation task.

QUERY: Further, we have observed that when we installed an agent using Fleet server policy, Metricbeat service is not started.

Logs:
Fleetserverlogs.txt

Later, when we added an integration[say elastic-apm] to it, we observed metricbeat service resumed its state to running. Could you please have a look on this behavior and confirm us its expected behavior.

Further logs generated:
laterlogs.txt

Conclusion, as per our understanding, it is behaving like a normal user created policy.

7.13 Kibana Cloud build details:

BUILD 39703
COMMIT c0c62723075bd0660db511d723035ff636787695
Artifact link: https://artifacts-api.elastic.co/v1/search/7.13.0-SNAPSHOT

8.0 snapshot build details:

BUILD 41420
COMMIT c0f9bfcd217f20a71818e432e470cbd01875349d

Please let us know if we our missing anything.

Thanks
QAS

[EricDavisX]

I don't know the feature specifics / requirements for testing yet, so we're totally in the Fleet Team's hands. John can guide it.

[jfsiii]

Hi @dikshachauhan-qasource,

This feature is currently managed only through the API. The only UI impact is when an HTTP request fails because of these new restrictions.

The "Managed Policy" section of the PR has HTTP/curl examples and related UI screenshots for actions like creating, reassigning, and unenrolling an agent.

For example, if we start with a managed policy using any of these approaches

HTTP commands

Create (is_managed: false by default)

 curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true'
{"item":{"id":"edc236a0-5cbb-11eb-ab2c-0134aecb4ce8","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-01-22T14:12:58.250Z","updated_by":"elastic"}}

Create with is_managed: true

 curl --user elastic:changeme -X POST localhost:5601/api/fleet/agent_policies -H 'Content-Type: application/json' -d'{ "name": "User created policy", "namespace": "default"}' -H 'kbn-xsrf: true'
{"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":false,"revision":1,"updated_at":"2021-02-03T14:45:06.059Z","updated_by":"elastic"}}

Update with is_managed: true

 curl --user elastic:changeme -X PUT  -H 'Content-Type: application/json' -H 'kbn-xsrf: 1234' localhost:5601/api/fleet/agent_policies/67c785b0-662e-11eb-bf6b-4790dc0178c0 -d '{ "name":"User created policy","namespace":"default","is_managed":true }'
{"item":{"id":"67c785b0-662e-11eb-bf6b-4790dc0178c0","name":"User created policy","namespace":"default","is_managed":true,"revision":2,"updated_at":"2021-02-03T14:47:28.471Z","updated_by":"elastic","package_policies":[]}}

Then enroll as usual, then attempt to unenroll using the UI, it would fail like

similar with reassigning

Let me know if I can answer any other questions about how to test it or anything else. I'm happy to help.

[dikshachauhan-qasource]

Hi @jfsiii

Today, we have attempted to create a managed policy using above mentioned curl examples on 8.0 snapshot environment.

• We were able to create a managed policy using flag is_managed: true. [As for now no specific changes on UI and no integration was added to this policy by default]

Screenshot:

• We were unable to add integrations.

• Was able to update policy settings.
  

• Enroll a agent to it, error message shown up.
  

• unable to move agent into a managed policy
  

• Was able to update the user created policy to managed policy.

  • error message was displayed while adding integration to managed policy

• unable to unenroll agent under a managed policy.

Build details:
BUILD 41718
COMMIT a1c36e7

Thank you for the help.

cc @EricDavisX We are in progress of validating above merges and report back if found anything else.

Thanks
QAS

[EricDavisX]

@dikshachauhan-qasource hi - these 2 pr's were merged that have the relating UI work:
https://github.com/elastic/kibana/pull/96087 & https://github.com/elastic/kibana/pull/96160 

• you can check them out on 8.0 latest build. Please do! And we can stop the API only testing. Please do update relating test cases to be UI centric and we can get a test run done for 7.13 - the most interesting part here will be the creative free-form tests we can do! Regards. If you want to open a test ticket that is good.

[dikshachauhan-qasource]

Hi Eric,

We have done with the testing of merged changes for both of the above mentioned tickets and provided our observations under:
#96160 and #96087 respectively.

Thanks
QAS