fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Enable profiles based on labels #14715

Closed noahtalerman closed 9 months ago

noahtalerman commented 1 year ago

Goal

User story
As an IT admin on the Controls > OS settings page or using Fleet's best practice GitOps file structure,
I want to enable profiles based on what labels a host has
so that I can enable profiles based on host attributes while maintaining a flat profile baseline.

Specific use case (customer-flavia): Only enable a profile if a macOS host is at or above a specific macOS version (ex. macOS 13.1).

Noah: Check in on what #g-endpoint-ops built for custom osquery extensions based on labels: #13287

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

Context

QA

Risk assessment

Manual testing steps

  1. Custom settings uploader now includes a Target selector (see Figma for design comp)
    • Select between All Hosts or Custom
  2. Selecting All hosts allows Profile upload flow to proceed unchanged, profile is delivered to hosts in that team
  3. Selecting Custom allows for targeting Labels
    • Validate "zero state" with no labels present
    • Validate with Labels present
  4. Complete upload flow with a Label targeted
  5. Validate Profiles list UI changes against Figma
  6. Profiles targeting one or more label/s will now show a count of applied labels
  7. Actions show on hover only
    • In addition to download & delete, a new filter icon is present
  8. Clicking filter icon opens a modal to display targeted labels (see Figma)
  9. Delete a targeted label and verify the UI correctly displays error, verify profile is no longer deployed to new hosts
    • Figma is unclear, validate if the "profile is broken" only for hosts in that label, or for hosts with all targeted labels. Tooltip seems to imply the latter
  10. Validate able to configure via yaml
  11. Validate functionality for macOS and Windows hosts

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.
noahtalerman commented 1 year ago

Hey @dherder heads up, this story covers Fleet's first read (osquery) + write (MDM) feature.

You can find the UI and YAML wireframes at the Figma link in the issue description.

marko-lisica commented 1 year ago

@georgekarrv It's ready for specification.

noahtalerman commented 1 year ago

DISCLAIMER: I think changes based on this feedback shouldn't impact/slow down estimation.

Hey @marko-lisica we got some feedback from Mike below which I agree with. When you get the chance, can you please adapt the UI?

Feedback:

As someone w/ fresh eyes, I'm not sure what the default behavior is when I click Add profile:

[Screenshot, 2023-11-16 1:54:56 PM]

Maybe this comes from not knowing what "Filter" means.

Maybe we use a dropdown or radio button w/ something like Apply to all hosts (default) and Custom options? Selecting Custom reveals the list of checkbox labels.

This way it's clear what the default and custom behavior is.

[Screenshot, 2023-11-16 1:49:58 PM]
noahtalerman commented 1 year ago

@dherder heads up, we're breaking the POST /profiles/batch API endpoint as part of this story.

Are any customers integrating with this API? I'm thinking about the customers building a white label solution.

What a user integrating with the API will have to change:

cc @rachaelshaw

mna commented 11 months ago

@noahtalerman I remember when we discussed this story (I think it was the meeting before estimation) that we assumed labels were NOT modifiable (i.e. the query could not be changed once a label was created). That may be the case via the UI but not via fleetctl or the API: https://github.com/fleetdm/fleet/blob/main/docs/Contributing/API-for-contributors.md#apply-labels . This endpoint supports changing the query or targeting specific hosts by hostname.

Not sure if that changes anything, but wanted to bring that up since I believe we thought a) labels could not change and b) specific hosts could not be targeted. I think the biggest change would be that mapping the affected hosts will be more complex, but I don't think it drastically changes the logic (e.g. Reconcile profiles still has to identify which profiles should apply to which hosts, and ensure the corresponding install/remove gets identified). /cc @roperzh @gillespi314 @georgekarrv
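Added example, not Fleet's code: a small model of the label-targeted delivery logic from the manual testing steps above (profile applies to hosts with all targeted labels; deleting a targeted label "breaks" the profile) and of the reconcile install/remove identification mna describes when label membership changes. Names, the AND semantics across labels, and the sample data are assumptions, not taken from Fleet's implementation.

```python
# Added example, not Fleet's own code. Assumptions: a profile applies to a host
# only when the host is a member of ALL of the profile's targeted labels; a profile
# with no labels applies to every host; a profile targeting a label that has been
# deleted is "broken" and is not delivered to any host.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    name: str
    labels: frozenset = frozenset()  # empty => all hosts


def desired_state(profiles, host_labels, existing_labels):
    """host_labels: host id -> set of label names the host currently matches.
    Returns (assignments, broken): assignments maps host id -> set of profile
    names that should be installed; broken is the set of profiles whose targeted
    label no longer exists (skipped for every host)."""
    broken = {p.name for p in profiles if not p.labels <= existing_labels}
    assignments = {
        hid: {p.name for p in profiles
              if p.name not in broken and p.labels <= labels}
        for hid, labels in host_labels.items()
    }
    return assignments, broken


def plan(current, desired):
    """Diff installed profiles (host id -> set) against the desired state to get
    the install/remove operations reconcile must emit. A host missing on one
    side is treated as having no profiles there."""
    ops = {}
    for hid in current.keys() | desired.keys():
        have, want = current.get(hid, set()), desired.get(hid, set())
        ops[hid] = {"install": sorted(want - have), "remove": sorted(have - want)}
    return ops


# Constructed sample data (not from the issue). "Deleted label" no longer exists.
PROFILES = [
    Profile("baseline"),
    Profile("filevault-escrow", frozenset({"macOS 13.1+"})),
    Profile("eng-vpn", frozenset({"macOS 13.1+", "Engineering"})),
    Profile("legacy", frozenset({"Deleted label"})),
]
LABELS = {"macOS 13.1+", "Engineering"}
HOSTS = {1: {"macOS 13.1+", "Engineering"}, 2: {"macOS 13.1+"}, 3: set()}

if __name__ == "__main__":
    want, broken = desired_state(PROFILES, HOSTS, LABELS)
    # Label query edited (mna's point): host 2 drops out of "macOS 13.1+".
    later, _ = desired_state(PROFILES, {**HOSTS, 2: set()}, LABELS)
    print(broken, plan(want, later)[2])
```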

noahtalerman commented 11 months ago

@mna great find. Thanks for raising.

we assumed labels were NOT modifiable (i.e. the query could not be changed once a label was created). That may be the case via the UI but not via fleetctl or the API

I'm not sure if this changes the IT admin UX.

@marko-lisica what do you think? Happy to try to see if this pokes holes in the feature during design review.

noahtalerman commented 10 months ago

Hey @zayhanlon heads up, this story didn't make it into the current design sprint. We want to get to it during Q1 so I'm leaving it on the drafting board.

noahtalerman commented 10 months ago

cc @marko-lisica ^^

Marko, can you please check if we need to update the designs for this story? I think it's been pushed out of the last couple releases so it might be stale.

marko-lisica commented 10 months ago

@mna great find. Thanks for raising.

we assumed labels were NOT modifiable (i.e. the query could not be changed once a label was created). That may be the case via the UI but not via fleetctl or the API

I'm not sure if this changes the IT admin UX.

@marko-lisica what do you think? Happy to try to see if this pokes holes in the feature during design review.

We decided that it's ok if the user can edit labels.

sabrinabuckets commented 10 months ago

Completed manual testing.

One UI bug (#16380) filed, currently In Review.

noahtalerman commented 9 months ago

@spokanemac what do you think about creating an article for this feature? It's our first osquery "read" + MDM "write" feature. Maybe a title like "MDM + osquery"?

fleet-release commented 9 months ago

Profiles tailored with grace, Labels guide the interface. Calm as clouds in space.

noahtalerman commented 9 months ago

Reopening this issue to bring it back to the confirm and celebrate ritual so that we don't forget to merge in the doc PR here: https://github.com/fleetdm/fleet/pull/15117

noahtalerman commented 9 months ago

C&C: Docs PR is here: https://github.com/fleetdm/fleet/pull/15117

noahtalerman commented 9 months ago

Docs PR was merged. Closing this issue.

@pintomi1989 and @Patagonia121, heads up, this customer request was shipped in 4.44.

fleet-release commented 9 months ago

Profiles by labels bloom, Like a city in the clouds, Secure in their room.