[Fleet] Expose Fleet services used by Osquery with authorization check

[juliaElastic]

When Osquery introduced RBAC, they have used a fleet wrapper and added authorization check on their side. Fleet should control the access to its services, instead of letting each plugin implement their authz check.

Goal:

• move the Osquery authz check to Fleet services
• move the Fleet API authz check to the services as well to avoid duplication
• expose a scoped service
• refactor Osquery usage to use the scoped service and remove their authz check

Follow the pattern done here: https://github.com/elastic/kibana/pull/119017

Similar work is being done for Security plugin here: https://github.com/elastic/kibana/pull/131233

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[juliaElastic]

@melissaburpo This is the issue about refactoring the Osquery usages. Can we get a confirmation on which Fleet services/APIs are being used from Osquery to include in the scope of this work? cc @joshdover

[melissaburpo]

Hi @juliaElastic, thanks for the ping. @patrykkopycinski or @tomsonpl - can either of you help answer this one? I'm not sure specifically.

Can we get a confirmation on which Fleet services/APIs are being used from Osquery to include in the scope of this work?

[patrykkopycinski]

@juliaElastic we're relying currently on

• agentService,
• packageService,
• packagePolicyService,
• agentPolicyService

https://github.com/elastic/kibana/blob/main/x-pack/plugins/osquery/server/lib/osquery_app_context_services.ts#L51-L65

Please let me know if that helps

[juliaElastic]

@patrykkopycinski yes, thanks!