fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com
Other
3.09k stars 425 forks source link

Software titles #14674

Closed noahtalerman closed 9 months ago

noahtalerman commented 1 year ago

Goal

User story
As an IT admin on the Software page in Fleet,
I want to see a list of software installed on my hosts organized by software title
so that I can see the most popular software across my fleet regardless of version.

Changes

Product

Requirements

Group software titles by:

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming succesful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming succesful completion of QA.
mikermcneil commented 1 year ago

:shaqwiggle:

marko-lisica commented 1 year ago

Hey @mikermcneil, we decided to use "Software titles" instead of "Software names" (e.g. Titles view and Versions view). What's your take on it? (Figma link is attached in the issue description)

mikermcneil commented 12 months ago

@marko-lisica I think that in the current design I see in Figma, we need to further consider narrower window widths to be sure all the filters fit, and to consider that when switching that dropdown, some or all filters will need to clear, because now there's a new type of entity. Also we'll support CVEs (vulnerabilities) here as a 3rd option in the future, so even if the columns for titles and versions manage to stay the same, there'll still be more differences coming later.

That said I'm intrigued by the idea of solving this with a simple filter, just need to make sure that the visual simplicity doesn't also cause more underlying complexity and dev time / ongoing maintenance and surface area. My hunch is that it works, but to be clear, caveat: I did not review every screen in detail, I literally looked at it for 15 seconds.

cc @noahtalerman

noahtalerman commented 12 months ago

Feedback from Mike:

noahtalerman commented 12 months ago

cc @marko-lisica ^^

noahtalerman commented 11 months ago

From @marko-lisica:

Rename GET /software API endpoint to GET /software/versions. Maintain backwards compatibility. It's now one endpoint w/ two names. API docs show only the new naming.

GET /software would be what we call titles right now, and GET /software/versions would be versions for which we use GET /software in current wireframes?

Vulnerabilities instead of Probability of exploit column for paid users on Software page and Software details pages

Is this about column name or functionality should change (instead of percentage we show a number of vulnerabilities, same as we do for the free version)?

Add w/ icons for 10 celebrity apps and hardcode these. Noah: Marko, let's decide what these are together on Monday

Not sure about this one, where should we add icons? Is this something that should be part of Software titles issue or something for the future?

noahtalerman commented 11 months ago

GET /software would be what we call titles right now, and GET /software/versions would be versions for which we use GET /software in current wireframes?

@marko-lisica as part of this story, GET /software (today's API endpoint) gets renamed to GET /software/versions. As a user I can hit /software or /software/versions and they return the same response (versions).

Is this about column name or functionality should change (instead of percentage we show a number of vulnerabilities, same as we do for the free version)?

The latter: instead of prob of exploit, we show vulnerabilities (CVEs). Yep, same as we do for free.

Not sure about this one, where should we add icons? Is this something that should be part of https://github.com/fleetdm/fleet/issues/14674 issue or something for the future?

I think where we add them is up to you. Adding icons for top 10 celebrity apps is something we want to be a part of this story.

noahtalerman commented 11 months ago

Celebrity apps that we'll have icons in v1:

noahtalerman commented 11 months ago

@marko-lisica what should be the default sort for the titles and versions tables? Up to you.

I think we need a dev note for this.

marko-lisica commented 11 months ago

@marko-lisica what should be the default sort for the titles and versions tables? Up to you.

I think we need a dev note for this.

@noahtalerman It's defined already in the API design (see here for software titles). For software versions - see here Do you think a dev note is necessary?

marko-lisica commented 11 months ago

@georgekarrv Ready for specification.

marko-lisica commented 11 months ago

Based on conversation with @roperzh, we'll group Application (macOS) by name instead of bundle_identifier.

roperzh commented 11 months ago

@marko-lisica @noahtalerman regarding:

Permissions changes: Same permissions as "View all software" (permissions docs here)

What's the expectation for GET /software/titles/:id? we don't have any documented permissions for the equivalent GET /software/:id.

Determining permissions is a bit tricky because software and software titles don't "belong" to a team.

marko-lisica commented 11 months ago

@roperzh Right now all roles (except GitOps) can view all software. We want same experience for titles as well. Each role (except GitOps) should be able to see all software titles and software versions.

Screenshot 2023-12-05 at 19 46 39

How does it work for team roles today with softvare versions?

roperzh commented 11 months ago

How does it work for team roles today with softvare versions?

@marko-lisica as far as I can tell, everyone is able to access everything. Eg: a team member can see any software

marko-lisica commented 10 months ago

@roperzh In regard of team based roles:

Team observer, maintainer and admin roles should be able to view only software installed to hosts that belongs to their team. This is how it works today (e.g. Maintainer of Team A can see only software installed to hosts that belong to Team A).

This should work the same for software titles. For example, the maintainer of Team B should be able to see software titles that are installed to hosts that belong to Team B. The maintainer should be able to see only versions that are installed on the hosts from Team B, in software title details (GET /software/titles/{id}.

I'll update the issue description to reflect this. cc @noahtalerman

noahtalerman commented 10 months ago

This is how it works today (e.g. Maintainer of Team A can see only software installed to hosts that belong to Team A).

@marko-lisica and @roperzh I just realized that this might be how it works in the UI today but not in the API? (Marko and I tested the UI)

If that's the case, there might be a change we need to make at the API level.

Like Marko said, we'd like for team observer, maintainer and admin roles be able to view only software installed to hosts that belongs to their team. (API and UI)

roperzh commented 10 months ago

@noahtalerman yeah, that's the case in the API. It's a bit tricky to do but not impossible

noahtalerman commented 10 months ago

@roperzh and @marko-lisica I think we should add the permissions at the API level.

What permissions error will a team admin of Team A see when they try to view Team B's software?

sabrinabuckets commented 10 months ago

Manual testing completed. Follow up issue filed here.

noahtalerman commented 9 months ago

Confirm and celebrate ritual:

marko-lisica commented 9 months ago

@marko-lisica was there some permissions change that didn't make it in to this story that we wanted to come back to? IIRC we had some conversation w/ Roberto

@noahtalerman I've just tested and it seems it works as expected. I created account that has access to specific teams and I was able to get response for teams that are assigned to that user, otherwise, it just returns a forbidden error (the error could probably be clearer). Also, when I tried to get all software titles or versions it returns error.

cc @roperzh

marko-lisica commented 9 months ago

TODO Marko: Check if GET /software/titles and GET /software/versions is truly filtered by team as a team user. If not, let's file a bug for it.

@noahtalerman I've checked and it works properly.

The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.

noahtalerman commented 9 months ago

@noahtalerman I've checked and it works properly.

Great, thanks!

The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.

@marko-lisica good find. Can you please file a bug for this?

For the UI, I think the expected behavior is to show a "Forbidden" (403) page. I think this has some illustration. I might be wrong here.

noahtalerman commented 9 months ago

The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.

@marko-lisica ping! When you get the chance, can you please file a bug for this?

noahtalerman commented 9 months ago

C&C: @rachaelshaw when you get the chance, can you please take a look at the docs PR here? https://github.com/fleetdm/fleet/pull/14831

If it's approved, can you please merge and close this issue?

marko-lisica commented 9 months ago

The problem is user can open any software title or version by id (GET /software/titles/:id & GET /software/versions/:id) in UI (accessing directly via URL) and API.

@marko-lisica ping! When you get the chance, can you please file a bug for this?

@noahtalerman I did it already last week, here's the bug: #16052

fleet-release commented 9 months ago

Software titles shine, Each host's unique list aligns, In the cloud, peace of mind.