@michalpristas michalpristas commented Oct 1, 2025

To test this you need a 9.2 Kibana with FF config:

xpack.fleet.enableExperimental: ["enableAgentPrivilegeLevelChange"]

This PR adds a handler for the PRIVILEGE_LEVEL_CHANGE action.
Once the action comes and permissions are fixed, we call code identical to the privilege or unprivilege CLI commands.

Service managers handle user changes differently, Windows being the least problematic.
Systemd could do daemon-reload, but for consistency macOS and Linux are handled in the same way:

  • a change to the service file is made
  • the agent is rebooted
  • the desired user is detected by reading the service definition file
  • permissions are fixed if needed
  • if it is non-root, setgid, setuid calls are made to drop privileges
  • we continue running.
    This is not performed if we are running using the proper user

Test steps:

  • run a Kibana instance, local or cloud, >=9.2-SNAPSHOT
  • set config value xpack.fleet.enableExperimental: ["enableAgentPrivilegeLevelChange"]
  • enroll the agent to Fleet, make sure you don't have the system integration enabled (system requires root)
  • dev tools: POST kbn:api/fleet/agents/{agent_id}/privilege_level_change
  • check file system permissions are correct
  • check the process is using the proper user/group
  • check the service file is updated
  • restart the machine and recheck everything

Fixes: #4973

@michalpristas michalpristas self-assigned this Oct 1, 2025
@michalpristas michalpristas requested a review from a team as a code owner October 1, 2025 11:37
@michalpristas michalpristas added enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team backport-skip labels Oct 1, 2025
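
Added example, not code from this PR or from elastic-agent: a Go illustration of the Linux restart sequence listed in the description above (read the desired user from the service definition, do nothing if already running as that user, otherwise drop privileges and verify). The names `serviceUser`, `idOps` and `dropTo` and the unit text are assumptions; the `setgroups` call goes beyond the setgid/setuid calls the description names, and resolving user names to numeric ids is left out.

```go
package main

import (
	"fmt"
	"strings"
)

// serviceUser returns User=/Group= from a unit's [Service] section ("" means root).
func serviceUser(unit string) (user, group string) {
	_, svc, _ := strings.Cut(unit, "[Service]")
	svc, _, _ = strings.Cut(svc, "\n[") // stop at the next section header
	for _, line := range strings.Split(svc, "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			switch strings.TrimSpace(k) {
			case "User":
				user = strings.TrimSpace(v)
			case "Group":
				group = strings.TrimSpace(v)
			}
		}
	}
	return user, group
}

type idOps struct { // identity syscalls, injectable so the ordering is testable without root
	geteuid        func() int
	setgroups      func([]int) error
	setgid, setuid func(int) error
}

func dropTo(o idOps, uid, gid int) error { // switch a root process to uid/gid and verify
	if o.geteuid() == uid {
		return nil // already the desired user, nothing to drop
	}
	err := o.setgroups([]int{gid}) // shed root's supplementary groups first
	if err == nil {
		err = o.setgid(gid) // gid before uid: after setuid the process could no longer change it
	}
	if err == nil {
		err = o.setuid(uid)
	}
	if err == nil && o.geteuid() != uid {
		err = fmt.Errorf("privilege drop failed: euid is still %d", o.geteuid())
	}
	return err
}

func main() {
	fmt.Println(serviceUser("[Service]\nUser=svc-agent\nGroup=svc-agent\n")) // constructed unit
}
```

In a real process on Linux the struct would be filled with `syscall.Geteuid`, `syscall.Setgroups`, `syscall.Setgid` and `syscall.Setuid`.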
@elasticmachine

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)


@ycombinator ycombinator left a comment

@michalpristas Would it be possible to add some integration/E2E tests in this PR? Failing that, could you add some manual testing steps to the PR description? Thanks.

@michalpristas

Added testing steps to the description.

@mergify

mergify bot commented Oct 7, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feat/switch-action upstream/feat/switch-action
git merge upstream/main
git push upstream feat/switch-action

@mergify

mergify bot commented Oct 24, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feat/switch-action upstream/feat/switch-action
git merge upstream/main
git push upstream feat/switch-action

@mergify

mergify bot commented Oct 30, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feat/switch-action upstream/feat/switch-action
git merge upstream/main
git push upstream feat/switch-action

@elasticmachine

💛 Build succeeded, but was flaky

cc @michalpristas


@blakerouse blakerouse left a comment

This looks good, thanks for working on it and iterating to get it into a good state.

@michalpristas michalpristas merged commit ac2e9f8 into elastic:main Nov 5, 2025
21 checks passed
hayotbisonai pushed a commit to hayotbisonai/elastic-agent that referenced this pull request Nov 23, 2025
Successfully merging this pull request may close these issues.

Handle new action for switching Agent from privileged to unprivileged mode
