[8.17](backport #5988) Add support for pre existing Active Directory user #6201

Merged
merged 3 commits into from
Dec 4, 2024


@mergify mergify bot commented Dec 3, 2024

Waiting on custom windows image for testing with AD e2e.

New flags are introduced

  • user
  • group
  • password (windows only)

These flags are taken into account only when --unprivileged is used.

The new user is given the same permissions as the elastic-agent user when created, in order to be able to log on as a service (otherwise the agent won't start).

The custom user won't be created and needs to be present.

Testing steps

Create a Windows VM (Windows Server 2022)
Run script 1 that will prepare Active Directory

Script will also wait for AD services to start

$domainname = 'testing.local'
$addsSecurePass = ConvertTo-SecureString 'Changeme123+' -AsPlainText -Force

# install ad domain services
Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools


# setup pass for administrator to conform to forest requirements
net user Administrator 'Changeme123+' /passwordreq:yes

# add a new forest testing.local
Install-ADDSForest -DomainName $domainname -InstallDNS -ErrorAction Stop -NoRebootOnCompletion -SafeModeAdministratorPassword $addsSecurePass -Confirm:$false 

# reboot needs to be performed so changes are effective

Reboot to make changes effective

Run script that will prepare user

$domainname = 'testing.local'
$addsSecurePass = ConvertTo-SecureString 'Changeme123+' -AsPlainText -Force

# wait for AD to boot up (give up after 5 minutes)
$domainFound = $false

$newObjectParameters = @{
    TypeName = 'System.DirectoryServices.ActiveDirectory.DirectoryContext'
    ArgumentList = @(
        "Domain"
        $domainname
    )
}

$DirectoryContext = New-Object @newObjectParameters

$startDate = Get-Date
do {
    try
    {
        # FindOne throws until a domain controller for the domain is reachable
        [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($DirectoryContext)
        $domainFound = $true
    }
    catch
    {
        $domainFound = $false
        Start-Sleep -s 2
    }
    # stop once the domain is found or the 5 minute deadline has passed
} until ($domainFound -or ((Get-Date) -gt $startDate.AddMinutes(5)))


# add user
New-ADUser -Name 'TestingUser' -AccountPassword $addsSecurePass -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true

Scenario 1

  • install as unprivileged: elastic-agent install --unprivileged --user="testing.local\TestUser" --password=Changeme123+
  • check permissions are set to user and service is running as this user

Scenario 2

  • install as admin
  • switch to unprivileged: elastic-agent unprivileged --user="testing.local\TestUser" --password=Changeme123+
  • check permissions are set to user and service is running as this user

Resolves #4585


This is an automatic backport of pull request #5988 done by Mergify.

* unprivileged ad works

* Ensure rights for AD users

* changelog

* support for mac and unix

* Update internal/pkg/agent/cmd/install.go

Co-authored-by: Blake Rouse <blake.rouse@elastic.co>

* Update internal/pkg/agent/cmd/unprivileged.go

Co-authored-by: Blake Rouse <blake.rouse@elastic.co>

* added e2e tests for darwin and linux

* reverted sample_test

* mage fmt

* do not require password

* more strict regex

* fix description in changelog

* resolved review comments

* linter

* handle g115 in user_windows.go

* more test coverage

* fix broken windows UT

* coverage

* fixed logic for UnprivilegedUser

* fixed windows tests

---------

Co-authored-by: Blake Rouse <blake.rouse@elastic.co>
(cherry picked from commit dccfb70)
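
The check that closes both scenarios ("check permissions are set to user and service is running as this user") can be scripted on the Windows test VM. The following is an added example, not part of the PR or the Elastic Agent code base; the service name `Elastic Agent` and the `-InstallPath` parameter are assumptions to adjust for the host, and it is meant to be run from an elevated PowerShell prompt.

```powershell
param(
    [string]$Account     = 'testing.local\TestUser',  # value passed to --user
    [string]$ServiceName = 'Elastic Agent',           # assumption: service name
    [string]$InstallPath = ''                         # assumption: agent install directory
)

# Resolve DOMAIN\user, user@domain or a local name to a SID string.
function Get-Sid([string]$Name) {
    [System.Security.Principal.NTAccount]::new($Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$wantSid = Get-Sid $Account

# 1. Which account does the service run as?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service '$ServiceName' not found" }
$runsAsUser = $false
try { $runsAsUser = (Get-Sid $svc.StartName) -eq $wantSid } catch { }

# 2. Is the account listed directly under "Log on as a service"?
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$hasRight = $false
if ($line) {
    foreach ($entry in ($line.Line -split '=', 2)[1].Split(',')) {
        # secedit writes SIDs as *S-1-...; anything else is an account name
        $sid = $entry.Trim().TrimStart('*')
        if ($sid -notlike 'S-1-*') { try { $sid = Get-Sid $sid } catch { $sid = $null } }
        if ($sid -eq $wantSid) { $hasRight = $true }
    }
}

# 3. Which rights does the account hold directly on the install directory?
$rights = @()
if ($InstallPath -and (Test-Path -LiteralPath $InstallPath)) {
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rights = (Get-Acl -LiteralPath $InstallPath).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $wantSid } |
        ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }
}

[pscustomobject]@{
    StartName       = $svc.StartName
    RunsAsUser      = $runsAsUser
    HasServiceLogon = $hasRight
    DirectoryRights = $rights -join '; '
}
```

Accounts are compared by SID, so `TESTING\TestUser` and `TestUser@testing.local` match the same user. A "Log on as a service" right or directory access inherited through group membership is not reported.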
@mergify mergify bot added the backport label Dec 3, 2024
@mergify mergify bot requested a review from a team as a code owner December 3, 2024 20:05
@mergify mergify bot requested review from kaanyalti and andrzej-stencel and removed request for a team December 3, 2024 20:05
Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

@michalpristas michalpristas merged commit 0490f40 into 8.17 Dec 4, 2024
13 of 14 checks passed
@michalpristas michalpristas deleted the mergify/bp/8.17/pr-5988 branch December 4, 2024 16:43