Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unauthorized route migration for routes owned by kibana-visualizations,kibana-data-discovery #198331

Conversation

kibanamachine
Copy link
Contributor

@kibanamachine kibanamachine commented Oct 30, 2024

Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new security configuration.
Please refer to the documentation for more information: Authorization API

--- EDIT ---

This PR also adds two privileges related to saved query APIs: savedQuery:read and savedQuery:manage. These are given by default to the same roles that already have access to the query-type saved objects.

Before migration:

router.get({
  path: '/api/path',
  ...
}, handler);

After migration:

router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. Elaborate on the reasoning to opt-out of authorization.
  3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible.
  4. You might need to update your tests to reflect the new security configuration:
  • If you have snapshot tests that include the route definition.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 13:08
@kibanamachine kibanamachine added the enhancement New value added to drive a business result label Oct 30, 2024
@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 13:08
@kibanamachine kibanamachine added Team:Visualizations Visualization editors, elastic-charts and infrastructure release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 30, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-visualizations (Team:Visualizations)

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@kertal kertal requested review from lukasolson and ppisljar November 6, 2024 12:40
@kertal
Copy link
Member

kertal commented Nov 6, 2024

I guess search sessions shouldn't be excluded from authorization?

   └-> should 403 if no app gives permissions to store search sessions
[00:01:01]           └-> "before each" hook: global before each for "should 403 if no app gives permissions to store search sessions"
[00:01:01]           │ proc [kibana] [2024-10-30T14:20:54.179+00:00][WARN ][http.server.kbn-internal-api-restricted] Access to uri [/internal/session] with method [post] is deprecated {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:01:01]           │ proc [kibana] [2024-10-30T14:20:54.179+00:00][WARN ][plugins.security.api-authorization] Route authz is disabled for /internal/session": This route is opted out from authorization {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:01:01]           │ proc [kibana] [2024-10-30T14:20:54.188+00:00][ERROR][plugins.data.data] Error: Unable to create search-session
[00:01:01]           │ proc [kibana]     at SavedObjectsSecurityExtension.enforceAuthorization (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/security-plugin/server/saved_objects/saved_objects_security_extension.js:399:56)
[00:01:01]           │ proc [kibana]     at /opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/security-plugin/server/saved_objects/saved_objects_security_extension.js:461:14
[00:01:01]           │ proc [kibana]     at Set.forEach (<anonymous>)
[00:01:01]           │ proc [kibana]     at SavedObjectsSecurityExtension.authorize (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/security-plugin/server/saved_objects/saved_objects_security_extension.js:460:22)
[00:01:01]           │ proc [kibana]     at processTicksAndRejections (node:internal/process/task_queues:95:5)
[00:01:01]           │ proc [kibana]     at SavedObjectsSecurityExtension.internalAuthorizeCreate (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/security-plugin/server/saved_objects/saved_objects_security_extension.js:551:33)
[00:01:01]           │ proc [kibana]     at performCreate (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-saved-objects-api-server-internal/src/lib/apis/create.js:94:31)
[00:01:01]           │ proc [kibana]     at SavedObjectsRepository.create (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-saved-objects-api-server-internal/src/lib/repository.js:127:12)
[00:01:01]           │ proc [kibana]     at SavedObjectsClient.create (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-saved-objects-api-server-internal/src/saved_objects_client.js:33:12)
[00:01:01]           │ proc [kibana]     at Object.fn (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/data-plugin/server/search/routes/session.js:79:24)
[00:01:01]           │ proc [kibana]     at /opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-http-router-server-internal/src/versioned_router/core_versioned_route.js:117:24
[00:01:01]           │ proc [kibana]     at Router.handle (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-http-router-server-internal/src/router.js:240:30)
[00:01:01]           │ proc [kibana]     at handler (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@kbn/core-http-router-server-internal/src/router.js:146:18)
[00:01:01]           │ proc [kibana]     at exports.Manager.execute (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
[00:01:01]           │ proc [kibana]     at Object.internals.handler (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@hapi/hapi/lib/handler.js:46:20)
[00:01:01]           │ proc [kibana]     at exports.execute (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@hapi/hapi/lib/handler.js:31:20)
[00:01:01]           │ proc [kibana]     at Request._lifecycle (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@hapi/hapi/lib/request.js:370:32)
[00:01:01]           │ proc [kibana]     at Request._execute (/opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana-build-xpack/node_modules/@hapi/hapi/lib/request.js:280:9) {"service":{"node":{"roles":["background_tasks","ui"]}}}
[00:01:02]           └- ✖ fail: search search session search session permissions should 403 if no app gives permissions to store search sessions
[00:01:02]           │      Error: expected 403 "Forbidden", got 500 "Internal Server Error"
[00:01:02]           │       at Context.apply (session.ts:524:12)
[00:01:02]           │       at Object.apply (wrap_function.js:74:30)
[00:01:02]           │   ----
[00:01:02]           │       at Test._assertStatus (node_modules/supertest/lib/test.js:252:14)
[00:01:02]           │       at /opt/buildkite-agent/builds/bk-agent-prod-gcp-1730295409880809682/elastic/kibana-pull-request/kibana/node_modules/supertest/lib/test.js:308:13
[00:01:02]           │       at Test._assertFunction (node_modules/supertest/lib/test.js:285:13)
[00:01:02]           │       at Test.assert (node_modules/supertest/lib/test.js:164:23)
[00:01:02]           │       at localAssert (node_modules/supertest/lib/test.js:120:14)
[00:01:02]           │       at fn (node_modules/supertest/lib/test.js:125:7)
[00:01:02]           │       at Test.callback (node_modules/superagent/src/node/index.js:899:3)
[00:01:02]           │       at fn (node_modules/superagent/src/node/index.js:1165:18)
[00:01:02]           │       at IncomingMessage.<anonymous> (node_modules/superagent/src/node/parsers/json.js:19:7)
[00:01:02]           │       at IncomingMessage.emit (node:events:531:35)
[00:01:02]           │       at endReadableNT (node:internal/streams/readable:1696:12)
[00:01:02]           │       at processTicksAndRejections (node:internal/process/task_queues:82:21)
[00:01:02]           │ 

@lukasolson lukasolson requested review from a team as code owners November 13, 2024 22:19
@lukasolson lukasolson requested a review from a team as a code owner November 14, 2024 21:37
@lukasolson lukasolson requested review from a team as code owners November 14, 2024 22:25
@lukasolson lukasolson self-assigned this Nov 14, 2024
Copy link
Contributor

@davismcphee davismcphee left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code changes LGTM. I also tested saved query management with a variety of privileges, and everything seemed to behave as expected 👍 Thanks for addressing this!

security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we please elaborate on the reasoning there?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@lukasolson Maybe something along the lines of "It should be possible to collect KQL usage telemetry for all users regardless of their privileges"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but not all users are able to call this endpoint right?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't want to mislead so maybe @lukasolson can confirm, but I believe they can. It's called whenever a user changes their filter language preference in Unified Search from anywhere in Kibana, which doesn't have any privileges around it:
CleanShot 2024-11-22 at 15 47 34@2x

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This endpoint needs to be removed. This is the sort of thing I think we were trying to catch with this PR to begin with - we are using the internal Kibana user to create a saved object when any user invokes this endpoint, which is not ideal. I'll open up a follow-up issue for this

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #202518.

@@ -197,6 +198,7 @@ export class MapsPlugin implements Plugin {
read: [MAP_SAVED_OBJECT_TYPE, 'index-pattern', 'query', 'tag'],
},
ui: ['show'],
api: ['savedQuery:read'],
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean you can only access maps application if you have the role 'savedQuery:read'? I am not sure that restriction makes sense.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, it means that by having access to the maps application you are automatically granted access to APIs that require savedQuery:read privileges.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for clarifying

Copy link
Contributor

@nreese nreese left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

kibana-presentation changes LGTM
code review only

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @lukasolson

@lukasolson lukasolson merged commit 56c38bc into main Dec 4, 2024
8 checks passed
@lukasolson lukasolson deleted the authz-migration/unauthorized-routes-by-kibana-visualizations_kibana-data-discovery branch December 4, 2024 22:29
@kibanamachine
Copy link
Contributor Author

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12169460505

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Dec 4, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
(cherry picked from commit 56c38bc)
@kibanamachine
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Dec 5, 2024
…zations,kibana-data-discovery (#198331) (#203031)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Unauthorized route migration for routes owned by
kibana-visualizations,kibana-data-discovery
(#198331)](#198331)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-04T22:29:15Z","message":"Unauthorized
route migration for routes owned by
kibana-visualizations,kibana-data-discovery (#198331)\n\n### Authz API
migration for unauthorized routes\r\n\r\nThis PR migrates unauthorized
routes owned by your team to a new\r\nsecurity configuration.\r\nPlease
refer to the documentation for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n---
EDIT ---\r\n\r\nThis PR also adds two privileges related to saved query
APIs:\r\n`savedQuery:read` and `savedQuery:manage`. These are given by
default to\r\nthe same roles that already have access to the
`query`-type saved\r\nobjects.\r\n\r\n### **Before
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Lukas Olson
<[email protected]>\r\nCo-authored-by: Matthias Wilhelm
<[email protected]>\r\nCo-authored-by: Marta Bondyra
<[email protected]>\r\nCo-authored-by: Davis
McPhee
<[email protected]>","sha":"56c38bca201ee453ee14c5eaf10baba87d6c2d8c","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","Team:Visualizations","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:DataDiscovery","backport:prev-minor","Authz:
API migration"],"title":"Unauthorized route migration for routes owned
by
kibana-visualizations,kibana-data-discovery","number":198331,"url":"https://github.com/elastic/kibana/pull/198331","mergeCommit":{"message":"Unauthorized
route migration for routes owned by
kibana-visualizations,kibana-data-discovery (#198331)\n\n### Authz API
migration for unauthorized routes\r\n\r\nThis PR migrates unauthorized
routes owned by your team to a new\r\nsecurity configuration.\r\nPlease
refer to the documentation for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n---
EDIT ---\r\n\r\nThis PR also adds two privileges related to saved query
APIs:\r\n`savedQuery:read` and `savedQuery:manage`. These are given by
default to\r\nthe same roles that already have access to the
`query`-type saved\r\nobjects.\r\n\r\n### **Before
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Lukas Olson
<[email protected]>\r\nCo-authored-by: Matthias Wilhelm
<[email protected]>\r\nCo-authored-by: Marta Bondyra
<[email protected]>\r\nCo-authored-by: Davis
McPhee
<[email protected]>","sha":"56c38bca201ee453ee14c5eaf10baba87d6c2d8c"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198331","number":198331,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by
kibana-visualizations,kibana-data-discovery (#198331)\n\n### Authz API
migration for unauthorized routes\r\n\r\nThis PR migrates unauthorized
routes owned by your team to a new\r\nsecurity configuration.\r\nPlease
refer to the documentation for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n---
EDIT ---\r\n\r\nThis PR also adds two privileges related to saved query
APIs:\r\n`savedQuery:read` and `savedQuery:manage`. These are given by
default to\r\nthe same roles that already have access to the
`query`-type saved\r\nobjects.\r\n\r\n### **Before
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Lukas Olson
<[email protected]>\r\nCo-authored-by: Matthias Wilhelm
<[email protected]>\r\nCo-authored-by: Marta Bondyra
<[email protected]>\r\nCo-authored-by: Davis
McPhee
<[email protected]>","sha":"56c38bca201ee453ee14c5eaf10baba87d6c2d8c"}}]}]
BACKPORT-->
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
SoniaSanzV pushed a commit to SoniaSanzV/kibana that referenced this pull request Dec 9, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 9, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
Samiul-TheSoccerFan pushed a commit to Samiul-TheSoccerFan/kibana that referenced this pull request Dec 10, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. Team:Visualizations Visualization editors, elastic-charts and infrastructure v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.