[Fleet] Create UI for assisting with moving Agent Policies between spaces

[kpollich]

As a Fleet administrator adopting Fleet's new space awareness feature, I need to be able to easily move my existing global Fleet policies (and their "child" data) to my users' spaces. To facilitate this process, Fleet should provide a seamless UX for moving policies between spaces.

Implementation

• [x] Add a "select space" dropdown to the agent policy settings page
• [x] Selecting a new space from the "select space" dropdown on the agent policy settings page should move the agent policy, its integration policies, its enrollment tokens, and its uninstall tokens to the new space by updating their namespaces value or space_id value
• [x] Provide a "create a new space" button in the dropdown that directs the user to create the space within stack management

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[kpollich]

From @simosilvestri (see Figma)

Fleet - Create Agent policy (Space selection)

Add a shortcut to create a new space in the left Spaces description. The "Create space" CTA opens a new tab to the space creation wizard.

Fleet - Create a role / Kibana privileges flyout

Add a Tour component to notify the customer of the new Fleet privileges integration. If a customer dismisses the Tour component, it should not be shown again. In Kibana privileges, change the text to "Customize Fleet privileges" instead of using sub-features.

[nchaulet]

It looks like there is no built in component for the space selector but we could easily build one by exposing and using the getSpaces method from the space plugin https://elastic.slack.com/archives/C047ZAEUDM3/p1721235631477969 and using the already exposed getSpaceAvatar UI component, example of a space selector in the space plugin

https://github.com/elastic/kibana/blob/main/x-pack/plugins/spaces/public/copy_saved_objects_to_space/components/selectable_spaces_control.tsx

[nchaulet]

For the API part we should allow to set the space_id through the PUT /api/fleet/agent_policy API

That API should validate the user has the AgentPolicies:All privilege in the destination space.

Changing an agent policy space should change the namespace for all the related documents:

• agents
• enrollment tokens
• unenrollment token
• Package policies

What about the existing actions/action results should we update the namespace too? I think we should as it will allow a user to have the whole activity history for an agent.

[kpollich]

What about the existing actions/action results should we update the namespace too? I think we should as it will allow a user to have the whole activity history for an agent.

How much data are we expecting this to be? We could have a maximum of 90 days worth of action results per the ILM policy we ship with ES, e.g. https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/template-resources/src/main/resources/fleet-actions-results-ilm-policy.json

I think backfilling the activity into the new space would be the right thing to do, but I am worried we could have performance issues related to data volume.

[nchaulet]

How much data are we expecting this to be? We could have a maximum of 90 days worth of action results per the ILM policy we ship with ES, e.g. https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/template-resources/src/main/resources/fleet-actions-results-ilm-policy.json

It's hard to predict, it will really depends on what user are doing with Fleet, but with 2 documents for each agents and each actions it could growth significantly, may be it's acceptable to not copy that data in the new namespace

[zez3]

My response actions are mostly EDR related and that would/should stay in place and be only available for th security team.