[Controls] Consider adding authorization to server routes #200779
Labels
Feature:Input Control
Input controls visualization
Team:Presentation
Presentation Team for Dashboard, Input Controls, and Canvas
Comments
nickpeihl
added
Feature:Input Control
|
Pinging @elastic/kibana-presentation (Team:Presentation) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Controls options list route endpoints will be opted out from authorization in #198329. We should consider enabling authorizations on these routes so that only authorized users can invoke the endpoints. These routes make calls directly to Elasticsearch and, in one case, use the Kibana internal user to authorize with Elasticsearch.
Adding authorization would require adding privileges for the Controls and assigning those privileges to the routes. Users would need the appropriate privileges to access the routes, so we would need to carefully consider all usages of the Controls in Kibana both in Dashboards and Solutions and update and document the necessary privileges so that controls maintain their functionality.
If we decide not to enable to authorization on these routes, we should update the reason to explain why authorization is not enabled.
The text was updated successfully, but these errors were encountered: