elastic / elastic-agent

Elastic Agent - single, unified way to add monitoring for logs, metrics, and other types of data to a host.

Allow using pre-existing user and group when installing unprivileged agents #4585

Open cmacknz opened 6 months ago

cmacknz commented 6 months ago

Quoting https://github.com/elastic/elastic-agent/issues/3868#issuecomment-2053871719 for a Windows use case for this:

For example, if I have a service account in active directory that works on the system already, can I use that or is elastic creating an account and group locally?

The use case is integrations that need network access from specific service accounts in active directory to be the service context for filebeat (api, file shares, etc).

Today system is the only option but this gives me hope for 1 non system which is great, but having custom users would be excellent.

In the past you could simply install filebeat or winlogbeat with the service account you needed as a service and it would use that user context when it runs.

elasticmachine commented 6 months ago

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

blakerouse commented 6 months ago

This comes back to having an Active Directory based user/group as the service account that Elastic Agent uses to run.

This would be really nice to have on Windows because it would allow deployed agents to have the correct access and permissions that administrators want all configured in Active Directory.

Would need to add new installation parameters to allowing passing the group, user and password to configure the service.

nimarezainia commented 6 months ago

@blakerouse once we have this AD user/group mapping to the agent, in the future can we use it to either tag or move the agent to a pre-defined policy? This type of feature has been asked for before and is part of what our own Security team wants to see implemented for Defend.

blakerouse commented 6 months ago

@nimarezainia Sorry I don't understand the ask about tags and pre-defined policy. Can you provide more context?

nimarezainia commented 6 months ago

@blakerouse sorry, should have been clearer. There has been an ask for a while that we allow the users to tag agents and map those tags to Agent Policies. Some of that is described here. Obviously tagging is a way to group. An extended ask was to allow users in the same Active Directory group to dynamically be placed in a given agent policy (like those in the Finance dept are always mapped to policy A and Engineering is mapped to policy B dynamically, no matter where they travel etc.). Now we have none of these capabilities today.

Anyway this is way far away from what we are planning so perhaps I am complicating things by asking.

pierrehilbert commented 6 months ago

I think we can tag the Agent, but changing the applied policy depending on that tag should probably be done on the Fleet side.

blakerouse commented 6 months ago

I don't know if mixing the two is a good idea. When they install and enroll the Elastic Agent they can set the tag then, just like they will have to provide the username/password for it to use that specific user in Active Directory.

jlind23 commented 3 weeks ago

@michalpristas please sync with Pavel to ensure we're running the right sets of tests for sudo vs non-sudo. cc @rowlandgeoff @ycombinator