From 03999da1487800e5c06805b66620813f5d4b7a0e Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Fri, 27 Dec 2024 23:08:10 +1100
Subject: [PATCH] Unauthorized route migration for routes owned by stack-monitoring (#198372)

### Authz API migration for unauthorized routes
This PR migrates unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)
### **Before migration:**
```ts
router.get({ path: '/api/path', ... }, handler);
```
### **After migration:**
```ts
router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler);
```
### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security configuration:
- If you have snapshot tests that include the route definition.
## Any questions?
If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team.
---------
Co-authored-by: consulthys
---
 .../routes/api/v1/dynamic_route/get_metrics_by_type.ts | 7 +++++++
 .../server/routes/api/v1/prometheus/get_metrics.ts | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/dynamic_route/get_metrics_by_type.ts b/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/dynamic_route/get_metrics_by_type.ts
index 95e1770826d6f..a128d14314052 100644
--- a/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/dynamic_route/get_metrics_by_type.ts
+++ b/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/dynamic_route/get_metrics_by_type.ts
@@ -36,6 +36,13 @@ export function registerDynamicRoute({
 router.get(
 {
 path: `${MONITORING_COLLECTION_BASE_PATH}/{type}`,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization because it is only retrieving the ES cluster UUID',
+ },
+ },
 options: {
 access: 'internal',
 authRequired: true,
diff --git a/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/prometheus/get_metrics.ts b/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/prometheus/get_metrics.ts
index 6977be155a4fb..ccc8465917679 100644
--- a/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/prometheus/get_metrics.ts
+++ b/x-pack/platform/plugins/private/monitoring_collection/server/routes/api/v1/prometheus/get_metrics.ts
@@ -20,6 +20,13 @@ export function registerV1PrometheusRoute({
 router.get(
 {
 path: PROMETHEUS_PATH,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization because it is not interacting with ES at all',
+ },
+ },
 options: {
 authRequired: true,
 tags: ['api'], // ensures that unauthenticated calls receive a 401 rather than a 302 redirect to login page
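Review bot: The added `reason:` in get_metrics_by_type.ts says the route only retrieves the ES cluster UUID, yet it is registered at `${MONITORING_COLLECTION_BASE_PATH}/{type}` in a file named for fetching metrics by type, so if the handler (outside the hunk) also returns the collected metrics for `{type}`, the reason understates what any authenticated caller can read; since this string is the audit record for the opt-out, it should describe what the route actually exposes. The unchanged `authRequired: true` and `access: 'internal'` in the options below are the compensating controls and are worth naming in the reason rather than leaving implicit. The PR text asks for a plan to introduce authorization where there is no compelling reason to opt out; if this route is intended to stay without a privilege check, a comment such as `// authz opt-out: internal, authenticated-only route; revisit if the payload grows beyond cluster metadata` above `security:` would record that decision for later reviewers. The body of registerDynamicRoute continues outside the hunk.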
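Review bot: The `reason:` added in get_metrics.ts justifies the opt-out by the route not interacting with ES, but that states where the data does not come from rather than why every authenticated principal may read it; the route presumably serves Kibana self-monitoring metrics under PROMETHEUS_PATH, and the reason should say that this payload is considered safe for any authenticated user or name the follow-up that adds a privilege. Within the visible part of `options` there is no `access: 'internal'` as in the first hunk, so this route is the one more worth tracking against the PR's "plan to introduce authorization" item (the rest of `options` is outside the hunk, so this may be set further down). A wording like `'This route is opted out from authorization because it only exposes Kibana self-monitoring metrics that any authenticated user may read; it does not query Elasticsearch'` keeps the existing fact and adds the missing rationale. The enclosing registerV1PrometheusRoute continues outside the hunk.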