
Update the `GET fleet/teams/{team_id}/policies` endpoint to return global policies with pass/fail count filtered to provided team id

Open lukeheath opened this issue 1 year ago • 1 comments

Goal

As a User, I want to see how many hosts in my team are passing and failing global policies so that I can resolve failures.

Figma

https://www.figma.com/file/hdALBDsrti77QuDNSzLdkx/%F0%9F%9A%A7-Fleet-EE-(dev-ready%2C-scratchpad)?node-id=9544%3A317544

Related

  • #7671

API wireframes

{
  "policies": [
    {
      "id": 64,
      "name": "Full disk encryption enabled (macOS) (Fleet Managed Workstations)",
      "query": "SELECT 1 FROM disk_encryption WHERE user_uuid IS NOT \"\" AND filevault_status = 'on' LIMIT 1 ",
      "description": "Checks to make sure that full disk encryption (FileVault) is enabled on macOS devices.",
      "author_id": 42,
      "author_name": "Test Admin",
      "author_email": "[email protected]",
      "team_id": 9,
      "resolution": "To enable full disk encryption, on the failing device, select System Preferences \u003e Security \u0026 Privacy \u003e FileVault \u003e Turn On FileVault.",
      "platform": "darwin",
      "created_at": "2022-02-22T21:14:58Z",
      "updated_at": "2022-06-06T16:44:49Z",
      "passing_host_count": 19,
      "failing_host_count": 0
    }
  ],
  "inherited_policies": [
    {
      "id": 136,
      "name": "Arbitrary Test Policy (all platforms) (all teams)",
      "query": "SELECT 1 FROM osquery_info WHERE 1=1;",
      "description": "If you're seeing this, mostly likely this is because someone is testing out failing policies in dogfood. You can ignore this. ",
      "author_id": 77,
      "author_name": "Test Admin",
      "author_email": "[email protected]",
      "team_id": null,
      "resolution": "To make it pass, change \"1=0\" to \"1=1\". To make it fail, change \"1=1\" to \"1=0\".",
      "platform": "darwin,windows,linux",
      "created_at": "2022-08-04T19:30:18Z",
      "updated_at": "2022-08-30T15:08:26Z",
      "passing_host_count": 10,
      "failing_host_count": 9
    }
  ]
}

Tasks

1

  • [ ] Update the GET fleet/teams/{team_id}/policies endpoint to return global policies with pass/fail count filtered to provided team id.

2

...

Sep 21 '22 16:09 lukeheath

@mna I'm assigning this ticket to you to complete the specification process and bring to the "Specified" column.

Sep 21 '22 16:09 lukeheath

@lukeheath Something to keep in mind is the size of the response payload, but I think we're talking about a hundred or so policies at most so that should still be fine (though there's no enforced limitation to that).

Sep 28 '22 13:09 mna

@mna I've brought this into the "Release" board for you to start work on next week. Thanks!

Sep 30 '22 19:09 lukeheath

I don't think an API change was required here. We can differentiate between team and global policies using the team_id field. If it's null, then it's a global policy.

Oct 04 '22 17:10 michalnicp

@michalnicp

> I don't think an API change was required here. We can differentiate between team and global policies using the team_id field. If it's null, then it's a global policy.

While that's true, I think there are pros to using different fields in the payload for those two sets of policies, as it would be a breaking change to mix global and team policies in the same array, and IMO it's a bit error-prone to manipulate as you have to remember this when you consume the payload (i.e. in our case, the frontend uses the two sets in different ways and presents them separately).

Oct 04 '22 17:10 mna

@michalnicp The primary reason this is necessary is that we want the global policies' hosts count to be filtered to only the selected team. If we used the general GET /policies endpoint, the hosts' count would reflect all hosts.

Oct 04 '22 19:10 lukeheath
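
Added example (not part of the issue thread or Fleet's own code): a client-side consumer of the proposed response shape that keeps the two arrays separate, checks the `team_id` invariant discussed in the thread, and ranks failing policies using the team-scoped counts. The sample payload is constructed from the wireframe, and `team_policy_failures` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of the wireframe above (values are illustrative).
SAMPLE = json.loads("""
{
  "policies": [
    {"id": 64, "name": "Full disk encryption enabled (macOS)", "team_id": 9,
     "passing_host_count": 19, "failing_host_count": 0}
  ],
  "inherited_policies": [
    {"id": 136, "name": "Arbitrary Test Policy", "team_id": null,
     "passing_host_count": 10, "failing_host_count": 9}
  ]
}
""")


def team_policy_failures(payload, team_id):
    """Return failing policies for one team, worst first, tagged by scope.

    Checks the invariant discussed in the thread: entries under "policies"
    belong to the requested team, entries under "inherited_policies" are
    global (team_id is null). Both sets carry counts scoped to the team.
    """
    rows = []
    # (array name, team_id each entry must carry, scope label for the report)
    for key, expected, scope in (("policies", team_id, "team"),
                                 ("inherited_policies", None, "global")):
        # Assumption: a response without the key is treated as an empty set.
        for p in payload.get(key) or []:
            if p.get("team_id") != expected:
                raise ValueError(f"policy {p.get('id')} under {key!r} has "
                                 f"team_id {p.get('team_id')!r}")
            failing = p.get("failing_host_count", 0)
            total = failing + p.get("passing_host_count", 0)
            if failing:
                rows.append({"id": p["id"], "scope": scope, "failing": failing,
                             "fail_rate": round(failing / total, 3)})
    return sorted(rows, key=lambda r: r["failing"], reverse=True)


if __name__ == "__main__":
    for row in team_policy_failures(SAMPLE, team_id=9):
        print(row)
```

A global policy placed under `policies` (the mixed-array layout argued against in the thread) raises `ValueError` instead of being silently counted as a team policy.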