fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

[ MDM ] Puppet module fails when using GitOps user #21807

Closed ksatter closed 23 hours ago

ksatter commented 2 months ago

Fleet version: v4.54.1
Web browser and operating system: macOS

💥  Actual behavior

When using the Puppet module configured with a Fleet gitops user, the request to enqueue commands fails and the device is not released from Await Configuration.

The following error is seen in the Server logs:

{
  "component":"HTTP",
  "internal":"policy disallows request",
  "level":"error",
  "method":"POST",
  "took":"1.452792ms",
  "ts":"2024-09-04T09:52:55.84630576Z",
  "uri":"/api/latest/fleet/mdm/apple/enqueue",
  "user":"gitops-api-user@email.com",
  "uuid":"bc4d6cc6-bad6-44e2-9179-12d3cdd990f0"
}

🧑‍💻  Steps to reproduce

  1. Enable MDM with Automatic enrollment for macOS
  2. Configure puppet module, including MDM commands to be run
  3. Assign a device to Fleet in ABM
  4. Attempt to automatically enroll

🕯️ More info (optional)

N/A

JoStableford commented 2 months ago

Related to a Slack conversation

zayhanlon commented 2 months ago

https://github.com/fleetdm/fleet/issues/15337 - attempting to do this

customer has reverted back to admin user to fix this short term

getvictor commented 3 weeks ago

@ksatter Is this a global or team gitops user?

In our docs, neither is allowed to run MDM commands:

image.png

But in policy.rego I see global gitops can write to hosts.

ksatter commented 3 weeks ago

It's a Global Admin. It looks like we may have missed some necessary permissions when implementing #15337.

gillespi314 commented 3 weeks ago

#15337

Seems like 15337 was working at some point though, right? Might be that new functionality was added after 15337 that increased the scope of necessary permissions.

lukeheath commented 2 weeks ago

@zayhanlon Just a reminder to tag me on anything you nominate to prioritize per the handbook process.

Right now, we don't understand what is driving the P2, so I am removing it. If you feel this is a P2, please add context and I'm happy to revisit.

zayhanlon commented 2 weeks ago

@lukeheath Sorry about that! I didn't realize that was for P2's also.

I think the customer requested an escalation, but now I don't recall. I'll find out more details and add again if needed, with context.

PezHub commented 4 days ago

QA Notes: Created an API user with the GitOps role and successfully hit these two endpoints

/api/latest/fleet/mdm/hosts/:host_id/profiles
/api/latest/fleet/hosts/identifier/:identifier

I also paired with Sarah to walk through the entire workflow using her Puppet server and module to confirm the fix worked.
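The QA notes above verify the fix by calling the endpoints by hand with a GitOps-role token. The following is an added example, not code from the Fleet project or from anyone in this thread: a small Go probe that sends a request to each of the three endpoints named in the thread with a given API token and reports which ones the authorization policy rejects, so the role's effective permissions can be checked against the documented ones before a Puppet module is pointed at a GitOps user. It assumes Fleet API tokens are presented as a `Bearer` credential in the `Authorization` header, uses placeholder host ids in the paths, and ships with a constructed mock server (invented token values and response bodies) that reproduces the behaviour reported in the issue so the example runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// The three endpoints mentioned in this thread. The host id and identifier are
// placeholders; substitute a real host from your fleet when running against a server.
var probes = []struct{ Method, Path string }{
	{http.MethodPost, "/api/latest/fleet/mdm/apple/enqueue"},
	{http.MethodGet, "/api/latest/fleet/mdm/hosts/1/profiles"},
	{http.MethodGet, "/api/latest/fleet/hosts/identifier/example-host"},
}

// ProbeResult records how the server answered one endpoint for the given token.
type ProbeResult struct {
	Method string
	Path   string
	Status int
	Denied bool // true when the authorization policy rejected the request
}

// ProbeEndpoints sends each probe with the API token as a Bearer credential
// (assumption: Fleet API tokens are presented in the Authorization header) and
// reports which requests the policy rejected. A 403, or a body carrying the
// "policy disallows request" text from the server log in this issue, counts as
// a denial; any other status means the request got past the policy check, even
// if the server then rejected the deliberately empty JSON body as malformed.
func ProbeEndpoints(baseURL, token string) ([]ProbeResult, error) {
	client := &http.Client{}
	var results []ProbeResult
	for _, p := range probes {
		req, err := http.NewRequest(p.Method, baseURL+p.Path, strings.NewReader("{}"))
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		denied := resp.StatusCode == http.StatusForbidden ||
			strings.Contains(string(body), "policy disallows request")
		results = append(results, ProbeResult{p.Method, p.Path, resp.StatusCode, denied})
	}
	return results, nil
}

// NewMockFleet is a constructed stand-in for a Fleet server that reproduces the
// behaviour reported in this issue: the GitOps token is rejected on the MDM
// enqueue endpoint but accepted on the two read endpoints, while the admin
// token passes everywhere. Token values and response bodies are invented.
func NewMockFleet() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		switch {
		case token == "admin-token":
			w.WriteHeader(http.StatusOK)
			fmt.Fprint(w, `{}`)
		case token == "gitops-token" && r.URL.Path == "/api/latest/fleet/mdm/apple/enqueue":
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"message":"policy disallows request"}`)
		case token == "gitops-token":
			w.WriteHeader(http.StatusOK)
			fmt.Fprint(w, `{}`)
		default:
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"message":"unauthorized"}`)
		}
	}))
}

// DeniedPaths returns just the endpoints the policy rejected: the list to compare
// against the role's documented permissions before rolling the role out.
func DeniedPaths(results []ProbeResult) []string {
	var denied []string
	for _, r := range results {
		if r.Denied {
			denied = append(denied, r.Method+" "+r.Path)
		}
	}
	return denied
}

func main() {
	srv := NewMockFleet()
	defer srv.Close()
	for _, token := range []string{"admin-token", "gitops-token"} {
		results, err := ProbeEndpoints(srv.URL, token)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: denied on %v\n", token, DeniedPaths(results))
	}
}
```

Against a real server, replace the mock URL with the Fleet base URL and the token with one minted for the role under test; a non-empty denied list for an endpoint the Puppet module needs is exactly the gap this issue describes, caught before any device is stuck in Await Configuration.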

fleet-release commented 23 hours ago

GitOps puppet fails, Fleet's embrace ensures device sails, In cloud city, no gales.