[8.14] [Fleet] Relax privileges for Integrations Settings & Config tab (#182869) (#182907)

# Backport

This will backport the following commits from `main` to `8.14`:
- [[Fleet] Relax privileges for Integrations Settings & Config tab
(#182869)](https://github.com/elastic/kibana/pull/182869)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Jen
Huang","email":"its.jenetic@gmail.com"},"sourceCommit":{"committedDate":"2024-05-08T07:54:58Z","message":"[Fleet]
Relax privileges for Integrations Settings & Config tab (#182869)\n\n##
Summary\r\n\r\nResolves
https://github.com/elastic/kibana/issues/181131.\r\n\r\nThis PR enforces
the following privileges:\r\n\r\n- Read access to integrations to view
Integration > Settings\r\n- `writeIntegrationPolicies` and all access to
integrations to make\r\nchanges in Integration > Settings (including
marking an integration as\r\nauto-upgrade at API level)\r\n- Read access
to integrations & access to add agents to view\r\nIntegrations >
Config","sha":"e048b862f9243b0ffb65f81629f1d1ed6cf17c15","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:Fleet","v8.14.0","v8.15.0"],"title":"[Fleet]
Relax privileges for Integrations Settings & Config
tab","number":182869,"url":"https://github.com/elastic/kibana/pull/182869","mergeCommit":{"message":"[Fleet]
Relax privileges for Integrations Settings & Config tab (#182869)\n\n##
Summary\r\n\r\nResolves
https://github.com/elastic/kibana/issues/181131.\r\n\r\nThis PR enforces
the following privileges:\r\n\r\n- Read access to integrations to view
Integration > Settings\r\n- `writeIntegrationPolicies` and all access to
integrations to make\r\nchanges in Integration > Settings (including
marking an integration as\r\nauto-upgrade at API level)\r\n- Read access
to integrations & access to add agents to view\r\nIntegrations >
Config","sha":"e048b862f9243b0ffb65f81629f1d1ed6cf17c15"}},"sourceBranch":"main","suggestedTargetBranches":["8.14"],"targetPullRequestStates":[{"branch":"8.14","label":"v8.14.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.15.0","branchLabelMappingKey":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/182869","number":182869,"mergeCommit":{"message":"[Fleet]
Relax privileges for Integrations Settings & Config tab (#182869)\n\n##
Summary\r\n\r\nResolves
https://github.com/elastic/kibana/issues/181131.\r\n\r\nThis PR enforces
the following privileges:\r\n\r\n- Read access to integrations to view
Integration > Settings\r\n- `writeIntegrationPolicies` and all access to
integrations to make\r\nchanges in Integration > Settings (including
marking an integration as\r\nauto-upgrade at API level)\r\n- Read access
to integrations & access to add agents to view\r\nIntegrations >
Config","sha":"e048b862f9243b0ffb65f81629f1d1ed6cf17c15"}}]}]
BACKPORT-->

Co-authored-by: Jen Huang <its.jenetic@gmail.com>

x-pack/plugins/fleet/common/authz.ts

@@ -158,8 +158,8 @@ export const calculateAuthz = ({
       removePackages: writeIntegrationPolicies && integrations.all,
       uploadPackages: writeIntegrationPolicies && integrations.all,
 
-      readPackageSettings: hasFleetAll && integrations.all,
-      writePackageSettings: hasFleetAll && integrations.all,
+      readPackageSettings: integrations.read,
+      writePackageSettings: writeIntegrationPolicies && integrations.all,
 
       readIntegrationPolicies,
       writeIntegrationPolicies,

x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/index.tsx

@@ -137,6 +137,7 @@ export function Detail() {
   const prerelease = useMemo(() => Boolean(queryParams.get('prerelease')), [queryParams]);
 
   const authz = useAuthz();
+  const canAddAgent = authz.fleet.addAgents;
   const canInstallPackages = authz.integrations.installPackages;
   const canReadPackageSettings = authz.integrations.readPackageSettings;
   const canReadIntegrationPolicies = authz.integrations.readIntegrationPolicies;
@@ -268,7 +269,8 @@ export function Detail() {
     useUIExtension(packageInfoData?.item?.name ?? '', 'package-detail-custom') !== undefined;
 
   // Only show config tab if package has `inputs`
-  const showConfigTab = packageInfo ? packageToPackagePolicyInputs(packageInfo).length > 0 : false;
+  const showConfigTab =
+    canAddAgent && (packageInfo ? packageToPackagePolicyInputs(packageInfo).length > 0 : false);
 
   // Only show API references tab if it is allowed & has documentation to show
   const showDocumentationTab =

x-pack/plugins/fleet/public/applications/integrations/sections/epm/screens/detail/settings/settings.tsx

@@ -83,20 +83,21 @@ const UpdatesAvailableMsg = ({
       defaultMessage: 'New version available',
     })}
   >
-    <EuiFlexGroup gutterSize="xs">
-      <EuiFlexItem grow={false}>
-        <FormattedMessage
-          id="xpack.fleet.integration.settings.versionInfo.updatesAvailableBody"
-          defaultMessage="Upgrade to version {latestVersion} to get the latest features."
-          values={{ latestVersion }}
-        />
-      </EuiFlexItem>
-      <EuiFlexItem>
-        <p>
-          <EuiLink onClick={toggleChangelogModal}>{'View changelog.'}</EuiLink>
-        </p>
-      </EuiFlexItem>
-    </EuiFlexGroup>
+    <FormattedMessage
+      id="xpack.fleet.integration.settings.versionInfo.updatesAvailableBody"
+      defaultMessage="Upgrade to version {latestVersion} to get the latest features. {changelogLink}"
+      values={{
+        latestVersion,
+        changelogLink: (
+          <EuiLink onClick={toggleChangelogModal}>
+            <FormattedMessage
+              id="xpack.fleet.integration.settings.versionInfo.updatesAvailableChangelogLink"
+              defaultMessage="View changelog."
+            />
+          </EuiLink>
+        ),
+      }}
+    />
   </EuiCallOut>
 );
 

x-pack/plugins/fleet/server/routes/epm/index.ts

@@ -192,7 +192,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
     .put({
       path: EPM_API_ROUTES.INFO_PATTERN,
       fleetAuthz: {
-        integrations: { upgradePackages: true, writePackageSettings: true },
+        integrations: { writePackageSettings: true },
       },
     })
     .addVersion(
@@ -359,7 +359,7 @@ export const registerRoutes = (router: FleetAuthzRouter) => {
       path: EPM_API_ROUTES.INFO_PATTERN_DEPRECATED,
 
       fleetAuthz: {
-        integrations: { upgradePackages: true, writePackageSettings: true },
+        integrations: { writePackageSettings: true },
       },
     })
     .addVersion(

x-pack/plugins/translations/translations/fr-FR.json

@@ -17668,7 +17668,6 @@
     "xpack.fleet.fleetServerSetupPermissionDeniedErrorMessage": "Le serveur Fleet doit être configuré. Pour cela, le privilège de cluster {roleName} est requis. Contactez votre administrateur.",
     "xpack.fleet.googleCloudShell.guide.description": "La commande Google Cloud Shell ci-dessous permet de créer toutes les ressources nécessaires à l'évaluation de la sécurité de vos projets GCP. En savoir plus sur {learnMore}.",
     "xpack.fleet.homeIntegration.tutorialModule.noticeText": "{notePrefix} Une version plus récente de ce module est {availableAsIntegrationLink}. Pour en savoir plus sur les intégrations et le nouvel agent Elastic Agent, lisez notre {blogPostLink}.",
-    "xpack.fleet.integration.settings.versionInfo.updatesAvailableBody": "Passez à la version {latestVersion} pour bénéficier des fonctionnalités les plus récentes.",
     "xpack.fleet.integrations.confirmUpdateModal.body.agentCount": "{agentCount, plural, one {# agent} other {# agents}}",
     "xpack.fleet.integrations.confirmUpdateModal.body.policyCount": "{packagePolicyCount, plural, one {# politique d’intégration} other {# politiques d’intégration}}",
     "xpack.fleet.integrations.installPackage.installingPackageButtonLabel": "Installation des ressources {title} en cours",

x-pack/plugins/translations/translations/ja-JP.json

@@ -17645,7 +17645,6 @@
     "xpack.fleet.fleetServerSetupPermissionDeniedErrorMessage": "Fleetサーバーを設定する必要があります。これには{roleName}クラスター権限が必要です。管理者にお問い合わせください。",
     "xpack.fleet.googleCloudShell.guide.description": "以下のGoogle Cloud Shellコマンドは、GCPプロジェクトのセキュリティ態勢を評価するために必要なすべてのリソースを作成します。{learnMore}の詳細をご覧ください。",
     "xpack.fleet.homeIntegration.tutorialModule.noticeText": "{notePrefix}このモジュールの新しいバージョンは{availableAsIntegrationLink}です。統合と新しいElasticエージェントの詳細については、{blogPostLink}をお読みください。",
-    "xpack.fleet.integration.settings.versionInfo.updatesAvailableBody": "バージョン{latestVersion}にアップグレードして最新の機能を入手してください。",
     "xpack.fleet.integrations.confirmUpdateModal.body.agentCount": "{agentCount, plural, other  {# 個のエージェント}}",
     "xpack.fleet.integrations.confirmUpdateModal.body.policyCount": "{packagePolicyCount, plural, other  {# 個の統合ポリシー}}",
     "xpack.fleet.integrations.installPackage.installingPackageButtonLabel": "{title} アセットをインストールしています",

x-pack/plugins/translations/translations/zh-CN.json

@@ -17673,7 +17673,6 @@
     "xpack.fleet.fleetServerSetupPermissionDeniedErrorMessage": "需要设置 Fleet 服务器。这需要 {roleName} 集群权限。请联系您的管理员。",
     "xpack.fleet.googleCloudShell.guide.description": "以下 Google Cloud Shell 命令将创建所有必要资源来评估您的 GCP 组织的安全态势。详细了解 {learnMore}。",
     "xpack.fleet.homeIntegration.tutorialModule.noticeText": "{notePrefix} 此模块的较新版本为 {availableAsIntegrationLink}。要详细了解集成和新 Elastic 代理，请阅读我们的{blogPostLink}。",
-    "xpack.fleet.integration.settings.versionInfo.updatesAvailableBody": "升级到版本 {latestVersion} 可获取最新功能。",
     "xpack.fleet.integrations.confirmUpdateModal.body.agentCount": "{agentCount, plural, other {# 个代理}}",
     "xpack.fleet.integrations.confirmUpdateModal.body.policyCount": "{packagePolicyCount, plural, other {# 个集成策略}}",
     "xpack.fleet.integrations.installPackage.installingPackageButtonLabel": "正在安装 {title} 资产",