When the useSpaceAwareness feature flag is enabled we should do:
Access validation
For every API we should ensure the user only accesses agents in the current space. This means:
For individual agent actions we should validate the agent is in the current space (if soClient.getCurrentNamespace() we are in the default space, we should validate namespaces:['default'] or not namespaces:*).
For actions using a kuery we should add the following filter, namespaces:['default'] or not namespaces:*, to the provided kuery (there is a helper, _joinFilters, that could help to do so).
The saved object client used in those APIs should be scoped to the current space (if we need an internal client we could use appContextService.getInternalUserSOClientForSpaceId(spaceId?)). This should ensure we access related objects like agent policies in the same space only.
Write namespaces for related actions
All the .fleet-actions and .fleet-action-results should be created with the namespaces: [currentSpaceId] property
APIs
Agent Action
[x] POST /agents/{agentId}/reassign
[x] POST /agents/{agentId}/unenroll
[x] POST /agents/{agentId}/request_diagnostics
[x] POST /agents/{agentId}/upgrade
Agents Bulk API
[x] POST /agents/bulk_reassign
[x] POST /agents/bulk_request_diagnostics
[x] POST /agents/bulk_unenroll
[x] POST /agents/bulk_update_agent_tags
[x] POST /agents/bulk_upgrade
Agent Misc
[x] DELETE /agents/{agentId}
[x] PUT /agents/{agentId}
Agent Actions
[x] POST /agents/{agentId}/actions/{actionId}/cancel
[x] GET /agents/action_status
[x] POST /agents/{agentId}/actions
Implementation details/guideline
With a scoped saved object client, the space can be retrieved with soClient.getCurrentNamespace().
To write API integration tests for this, I created a new test suite with the space awareness flag enabled in x-pack/test/fleet_api_integration/apis/space_awarness/
Description
Related to https://github.com/elastic/ingest-dev/issues/2893
Similar to https://github.com/elastic/kibana/pull/184869
As part of making Fleet space aware we should make the Fleet agent APIs space aware (the read API should already be done in https://github.com/elastic/kibana/pull/184869)
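The access validation described above (the per-agent check and the namespace filter appended to a caller-supplied kuery), as an added TypeScript example that is not part of the issue or of Fleet's code. All function names are hypothetical, and the non-default filter form, the fallback to 'default' when no namespace is reported, and the space id character check are assumptions.

```typescript
const DEFAULT_SPACE_ID = 'default';

interface AgentLike {
  id: string;
  namespaces?: string[];
}

// Assumption: a scoped client reports no namespace when in the default space.
function resolveSpaceId(currentNamespace?: string): string {
  return currentNamespace && currentNamespace.length > 0 ? currentNamespace : DEFAULT_SPACE_ID;
}

// Builds the namespace clause. The default-space form is the one quoted in the
// issue; the non-default form is an assumption modelled on it.
function namespaceFilter(spaceId: string): string {
  // Assumption: space ids are limited to a-z, 0-9, "_" and "-". Rejecting
  // anything else keeps a crafted id from altering the kuery.
  if (!/^[a-z0-9_-]+$/.test(spaceId)) {
    throw new Error(`invalid space id: ${spaceId}`);
  }
  return spaceId === DEFAULT_SPACE_ID
    ? `namespaces:['default'] or not namespaces:*`
    : `namespaces:['${spaceId}']`;
}

// Appends the namespace clause to the caller's kuery. Both sides are wrapped
// in parentheses so a top-level "or" in the caller's kuery cannot bypass it.
function scopeKuery(userKuery: string | undefined, spaceId: string): string {
  const filter = `(${namespaceFilter(spaceId)})`;
  const trimmed = userKuery ? userKuery.trim() : '';
  return trimmed ? `(${trimmed}) and ${filter}` : filter;
}

// Per-agent check for individual actions: an agent with no namespaces is
// treated as belonging to the default space only.
function isAgentInSpace(agent: AgentLike, spaceId: string): boolean {
  const ns = agent.namespaces ?? [];
  if (spaceId === DEFAULT_SPACE_ID) {
    return ns.length === 0 || ns.indexOf(DEFAULT_SPACE_ID) !== -1;
  }
  return ns.indexOf(spaceId) !== -1;
}

// Constructed sample: a bulk action kuery issued from the default space.
const scoped = scopeKuery('status:online or status:offline', resolveSpaceId(undefined));
console.log(scoped);
```

Without the parentheses around the caller's kuery, `status:online or status:offline and (...)` would bind the namespace clause to the second term only and return online agents from every space.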