
[Fleet] API Key generated by superuser does not have permissions to upload packages #166473

Closed
criamico opened this issue Sep 14, 2023 · 4 comments · Fixed by #178120
Labels
bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@criamico (Contributor)

Uploading a package using an API key (generated by a user with superuser privileges) errors with a 403 Forbidden.

This issue was found in 8.6.2 and above.

Reproduction steps

  • Start Fleet local environment
  • Go to "stack management" and create a new user that has built-in role superuser
  • Log in with this new user
  • Go to "stack management" > "API keys" and generate a new API key; it should be owned by the "superuser" user
  • Upload a package using the upload package API:

      curl -XPOST -H 'content-type: application/zip' -H 'kbn-xsrf: true' -H 'Authorization: ApiKey ***' http://localhost:5601/<YOUR_PATH>/api/fleet/epm/packages --data-binary @test_package-0.1.0.zip

  • The response is a 403:

      User does not have required fleet authz to access path: /api/fleet/epm/packages

  • Make sure that the package used is valid; I retested with basic auth and it works that way:

      curl -XPOST -H 'content-type: application/zip' -H 'kbn-xsrf: true' http://localhost:5601/<YOUR_PATH>/api/fleet/epm/packages -u elastic:changeme --data-binary @test_package-0.1.0.zip

Investigation

Checking the error message, it comes from the router.

The upload package API requires superuser access. I printed authz from here and got:

{
  "fleet": {
    "all": true,
    "setup": true,
    "readEnrollmentTokens": true,
    "readAgentPolicies": true
  },
  "integrations": {
    "readPackageInfo": true,
    "readInstalledPackages": true,
    "installPackages": true,
    "upgradePackages": true,
    "removePackages": true,
    "uploadPackages": false,
    "readPackageSettings": true,
    "writePackageSettings": true,
    "readIntegrationPolicies": true,
    "writeIntegrationPolicies": true
  },
  "packagePrivileges": {
    "endpoint": {
      "actions": {
        "readSecuritySolution": {
          "executePackageAction": true
        },
        "writeSecuritySolution": {
          "executePackageAction": true
        },
        "writeEndpointList": {
          "executePackageAction": true
        },
        "readEndpointList": {
          "executePackageAction": true
        },
        "writeTrustedApplications": {
          "executePackageAction": true
        },
        "readTrustedApplications": {
          "executePackageAction": true
        },
        "writeHostIsolationExceptions": {
          "executePackageAction": true
        },
        "readHostIsolationExceptions": {
          "executePackageAction": true
        },
        "accessHostIsolationExceptions": {
          "executePackageAction": true
        },
        "deleteHostIsolationExceptions": {
          "executePackageAction": true
        },
        "writeBlocklist": {
          "executePackageAction": true
        },
        "readBlocklist": {
          "executePackageAction": true
        },
        "writeEventFilters": {
          "executePackageAction": true
        },
        "readEventFilters": {
          "executePackageAction": true
        },
        "writePolicyManagement": {
          "executePackageAction": true
        },
        "readPolicyManagement": {
          "executePackageAction": true
        },
        "writeActionsLogManagement": {
          "executePackageAction": true
        },
        "readActionsLogManagement": {
          "executePackageAction": true
        },
        "writeHostIsolation": {
          "executePackageAction": true
        },
        "writeHostIsolationRelease": {
          "executePackageAction": true
        },
        "writeProcessOperations": {
          "executePackageAction": true
        },
        "writeFileOperations": {
          "executePackageAction": true
        },
        "writeExecuteOperations": {
          "executePackageAction": true
        }
      }
    },
    "transform": {
      "actions": {
        "canCreateTransform": {
          "executePackageAction": true
        },
        "canDeleteTransform": {
          "executePackageAction": true
        },
        "canStartStopTransform": {
          "executePackageAction": true
        },
        "canGetTransform": {
          "executePackageAction": true
        }
      }
    }
  }
}

So the issue seems to be "uploadPackages": false, but I didn't investigate further why this happens.

@criamico criamico added bug Fixes for quality problems that affect the customer experience Team:Fleet Team label for Observability Data Collection Fleet team labels Sep 14, 2023
@elasticmachine (Contributor)

Pinging @elastic/fleet (Team:Fleet)

@nchaulet (Member) commented Mar 5, 2024

API keys do not have a role; they only have privileges (computed from the role of the user that created them), so this is expected not to work. I am wondering if it still makes sense to not allow users with integrations-all to upload packages; allowing it would solve the issue. @kpollich what do you think?

@kpollich (Member) commented Mar 6, 2024

Not sure I completely understand, @nchaulet. I'd expect having the integration-all privilege to allow a user to upload integrations. If that's not the case today we should allow this.

@nchaulet (Member) commented Mar 6, 2024

> Not sure I completely understand, @nchaulet. I'd expect having the integration-all privilege to allow a user to upload integrations. If that's not the case today we should allow this.

There was a special case for the upload API: we required the user to be superuser (this was specified/implemented 2 years ago, when the upload API was a lot less stable). I agree integrations-all should give access to that API.
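The following is an added illustration, not Kibana's own code, of why the API key in the issue is rejected and how relaxing the upload route's requirement resolves it. The flag names are taken from the authz object printed above; the shape of a route requirement and the check function are assumptions of this example.

```typescript
// Added example (not Kibana/Fleet code): a model of checking a route's required
// Fleet authz against the privileges computed for an API key.

type AuthzSection = Record<string, boolean>;
type FleetAuthz = { fleet: AuthzSection; integrations: AuthzSection };
// Assumed shape: a route lists the flags that must all be true.
type Requirement = { fleet?: AuthzSection; integrations?: AuthzSection };

// The authz printed in the issue for the superuser-created API key, trimmed to
// the flags this example checks. `uploadPackages` is false because the key
// carries computed privileges, not the superuser role.
const apiKeyAuthz: FleetAuthz = {
  fleet: { all: true, setup: true },
  integrations: { installPackages: true, uploadPackages: false },
};

// A requirement is satisfied only if every flag it demands is true.
function isAllowed(authz: FleetAuthz, req: Requirement): boolean {
  return (['fleet', 'integrations'] as const).every((section) =>
    Object.entries(req[section] ?? {}).every(
      ([flag, needed]) => !needed || authz[section][flag] === true
    )
  );
}

// Before the fix: the upload route demanded the superuser-derived flag.
const superuserOnlyRequirement: Requirement = {
  integrations: { uploadPackages: true },
};
// Proposed fix: demand the flag that integrations-all grants (assumed here to
// be the same one the install route uses).
const integrationsAllRequirement: Requirement = {
  integrations: { installPackages: true },
};

function decide(
  authz: FleetAuthz,
  req: Requirement,
  path: string
): { status: number; message: string } {
  if (isAllowed(authz, req)) {
    return { status: 200, message: 'ok' };
  }
  return {
    status: 403,
    message: `User does not have required fleet authz to access path: ${path}`,
  };
}
```

Run `decide(apiKeyAuthz, superuserOnlyRequirement, '/api/fleet/epm/packages')` to reproduce the 403 from the issue, and swap in `integrationsAllRequirement` to see the same key accepted.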
