diff --git a/x-pack/plugins/fleet/server/routes/download_source/index.ts b/x-pack/plugins/fleet/server/routes/download_source/index.ts
index cf2a5b19c4b47..83059593730db 100644
--- a/x-pack/plugins/fleet/server/routes/download_source/index.ts
+++ b/x-pack/plugins/fleet/server/routes/download_source/index.ts
@@ -36,8 +36,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 router.versioned
 .get({
 path: DOWNLOAD_SOURCE_API_ROUTES.LIST_PATTERN,
- fleetAuthz: {
- fleet: { readSettings: true },
+ fleetAuthz: (authz) => {
+ return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
 },
 description: `List agent binary download sources`,
 options: {
@@ -65,8 +65,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 router.versioned
 .get({
 path: DOWNLOAD_SOURCE_API_ROUTES.INFO_PATTERN,
- fleetAuthz: {
- fleet: { readSettings: true },
+ fleetAuthz: (authz) => {
+ return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
 },
 description: `Get agent binary download source by ID`,
 options: {
diff --git a/x-pack/plugins/fleet/server/routes/output/index.ts b/x-pack/plugins/fleet/server/routes/output/index.ts
index b222f9f737d1d..a90735f053208 100644
--- a/x-pack/plugins/fleet/server/routes/output/index.ts
+++ b/x-pack/plugins/fleet/server/routes/output/index.ts
@@ -40,8 +40,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 router.versioned
 .get({
 path: OUTPUT_API_ROUTES.LIST_PATTERN,
- fleetAuthz: {
- fleet: { readSettings: true },
+ fleetAuthz: (authz) => {
+ return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
 },
 description: 'List outputs',
 options: {
@@ -68,8 +68,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 router.versioned
 .get({
 path: OUTPUT_API_ROUTES.INFO_PATTERN,
- fleetAuthz: {
- fleet: { readSettings: true },
+ fleetAuthz: (authz) => {
+ return authz.fleet.readSettings || authz.fleet.readAgentPolicies;
 },
 description: 'Get output by ID',
 options: {
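Review bot: The four GET routes changed here (LIST_PATTERN and INFO_PATTERN in download_source/index.ts, and the same two in output/index.ts) now admit any caller holding `readAgentPolicies`, so everything those handlers return becomes readable without `readSettings`. The handlers are outside this diff, so it should be confirmed that output and download-source objects carry no credential material (secret values, keys, tokens) in their responses, or that such fields are redacted for callers who lack `readSettings`. The predicate `authz.fleet.readSettings || authz.fleet.readAgentPolicies` is also written inline four times with no explanation; declaring it once under a descriptive name, with a comment stating why agent-policy readers need these objects, would keep the four routes from drifting apart when one is edited later.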
@@ -96,8 +96,8 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
 router.versioned
 .put({
 path: OUTPUT_API_ROUTES.UPDATE_PATTERN,
- fleetAuthz: {
- fleet: { allSettings: true },
+ fleetAuthz: (authz) => {
+ return authz.fleet.allSettings || authz.fleet.allAgentPolicies;
 },
 description: 'Update output by ID',
 options: {
diff --git a/x-pack/test/fleet_api_integration/apis/fleet_settings_privileges.ts b/x-pack/test/fleet_api_integration/apis/fleet_settings_privileges.ts
index 12399d5ba9bf2..7d6a58c066121 100644
--- a/x-pack/test/fleet_api_integration/apis/fleet_settings_privileges.ts
+++ b/x-pack/test/fleet_api_integration/apis/fleet_settings_privileges.ts
@@ -51,6 +51,49 @@ const READ_SCENARIOS = [
 statusCode: 403,
 },
 ];
+// Scenarios updated for download_source and outputs routes that are slightly different
+const READ_SCENARIOS_2 = [
+ {
+ user: testUsers.fleet_all_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_read_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_settings_all_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_settings_read_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_agent_policies_read_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_agent_policies_all_only,
+ statusCode: 200,
+ },
+ {
+ user: testUsers.fleet_agents_read_only,
+ statusCode: 403,
+ },
+ {
+ user: testUsers.fleet_no_access,
+ statusCode: 403,
+ },
+ {
+ user: testUsers.fleet_minimal_all_only,
+ statusCode: 403,
+ },
+ {
+ user: testUsers.fleet_minimal_read_only,
+ statusCode: 403,
+ },
+];
 
 const ALL_SCENARIOS = [
 {
@@ -106,12 +149,12 @@ export default function (providerContext: FtrProviderContext) {
 {
 method: 'GET',
 path: '/api/fleet/outputs',
- scenarios: READ_SCENARIOS,
+ scenarios: READ_SCENARIOS_2,
 },
 {
 method: 'GET',
 path: '/api/fleet/outputs/test-privileges-output-1',
- scenarios: READ_SCENARIOS,
+ scenarios: READ_SCENARIOS_2,
 },
 {
 method: 'POST',
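Review bot: The PUT route for `OUTPUT_API_ROUTES.UPDATE_PATTERN` in output/index.ts widens a write permission: a caller with `allAgentPolicies` but without `allSettings` can now modify an output, and none of the visible test hunks covers that. The test file only repoints GET entries to `READ_SCENARIOS_2`, so the new boundary on the update route is unpinned; the PUT entry needs scenarios such as `{ user: testUsers.fleet_agent_policies_all_only, statusCode: 200 }` and `{ user: testUsers.fleet_agent_policies_read_only, statusCode: 403 }`. Only this update route is widened in the diff, while the output create/delete routes and the download-source write routes are untouched; if that asymmetry is intended, a comment on the route should say which output fields a policy-only user is expected to change. The handler is not shown, so it is worth checking whether it should reject changes to the remaining fields (hosts, TLS and credential settings) for callers lacking `allSettings`.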
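Review bot: In fleet_settings_privileges.ts the name `READ_SCENARIOS_2` and its comment ("slightly different") do not say what rule this access matrix encodes, which makes it hard to audit against the route definitions later. From the added lines, the rule is that `fleet_agent_policies_read_only` and `fleet_agent_policies_all_only` expect 200 while `fleet_agents_read_only` and the minimal users expect 403; `READ_SCENARIOS` itself lies mostly outside the hunk, so how it differs is inferred. A name and comment that state the rule would document it, for example `// GET outputs / download sources: allowed with readSettings OR readAgentPolicies` above `const READ_SETTINGS_OR_AGENT_POLICIES_SCENARIOS = [`.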
@@ -226,12 +269,12 @@ export default function (providerContext: FtrProviderContext) {
 {
 method: 'GET',
 path: '/api/fleet/agent_download_sources',
- scenarios: READ_SCENARIOS,
+ scenarios: READ_SCENARIOS_2,
 },
 {
 method: 'GET',
 path: '/api/fleet/agent_download_sources/test-privileges-download-source-1',
- scenarios: READ_SCENARIOS,
+ scenarios: READ_SCENARIOS_2,
 },
 {
 method: 'POST',