[Security in Core]: Cleaning up the hooks between the security plugin and Core

[TinaHeiligers]

Part of #174578

Internal hooks

This area is about cleaning the various hooks between the security plugin and core, by exposing internals APIs that Core could consume instead.

• Authentication / http
  • (depends on licensing)

    kibana/x-pack/plugins/security/server/authentication/authentication_service.ts

    Line 113 in de84466

    http.registerAuth(async (request, response, t) => {

  • (depends on licensing)

    kibana/x-pack/plugins/security/server/authentication/authentication_service.ts

    Line 189 in de84466

    http.registerOnPreResponse(async (request, preResponse, toolkit) => {

  • (depends on licensing)

    kibana/x-pack/plugins/security/server/authorization/authorization_service.tsx

    Line 172 in de84466

    http.registerOnPreResponse(async (request, preResponse, toolkit) => {

• ES re-authentication
• (depends on a solution to the single vs dual licensed code)

  kibana/x-pack/plugins/security/server/authentication/authentication_service.ts

  Line 241 in de84466

  elasticsearch.setUnauthorizedErrorHandler(async ({ error, request }, toolkit) => {

• Saved Objects extensions (depends on authz)
  • https://github.com/elastic/kibana/blob/main/packages/core/saved-objects/core-saved-objects-server/src/extensions/extensions.ts

There are no consumer-facing APIs to move here, it's mostly about taking this opportunity to (finally) remove tech debt around those hooks.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[TinaHeiligers]

http.registerAuth also depends on licensing. We can't tackle this until we've handled the dependencies.

[TinaHeiligers]

Another issue is that security implementations are licensed under SSPL, while core is not and we don't have a clean way to implement that.

Given that hooks aren't user-facing, we can hold off while handling more pressing issues.