[Fleet] Decouple integration installation from fleet privilege

[flash1293]

Currently, it's only possible to install package assets if the current user has fleet permissions: https://github.com/elastic/kibana/blob/b913e3f143a7e69400f99fc76cb0ebf0174f8e82/x-pack/plugins/fleet/common/authz.ts#L156

This is done because the installPackages key is used for installing ES/Kibana assets as well as adding integrations to specific agent policies.

To make it possible to allow clients to only install package assets without fleet permissions, installPackages should be split up into separate keys.

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[flash1293]

cc @kpollich as discussed via chat.

[thomheymann]

Discussed this further and decided to:

1. add the new key installPackagesAssets
2. use it for the server side stuff (methods and REST apis) that don't touch fleet things
3. on the client side to guard the UI, still use installPackages (as this implies both integrations and fleet permissions)

[thomheymann]

Permissions changes have been reverted from https://github.com/elastic/kibana/pull/184167 so reopening issue

[kpollich]

Adding the approach we discussed offline here:

• Change installPackages to just require integrations.all - this will be picked up by the REST API and methods automatically as they already check for that
• install and reinstall button keep to use installPackages so the UI feature match what is doable through the API
• In the AddIntegrationButton here we should should it to writeIntegrationPolicies

[flash1293]

@kpollich just to make sure it doesn't fall through the cracks - you got this on the fleet team list right?

[kpollich]

just to make sure it doesn't fall through the cracks - you got this on the fleet team list right?

Yes this is scheduled and prioritized on the Fleet side.

[flash1293]

Thanks, I'll remove from our board then 👍