Unauthorized route migration for routes owned by kibana-visualizations,kibana-data-discovery

src/plugins/data/server/kql_telemetry/route.ts

@@ -24,6 +24,12 @@ export function registerKqlTelemetryRoute(
     .addVersion(
       {
         version: KQL_TELEMETRY_ROUTE_LATEST_VERSION,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           request: {
             body: schema.object({

src/plugins/data/server/query/routes.ts

@@ -43,6 +43,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -75,6 +80,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_create`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           body: SAVED_QUERY_ATTRS_CONFIG,
@@ -101,6 +111,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.put({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,
@@ -129,6 +144,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,
@@ -156,6 +176,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/_count`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {},
         response: {
@@ -180,6 +205,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_find`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -214,6 +244,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.delete({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,

src/plugins/data/server/scripts/route.ts

@@ -20,6 +20,12 @@ export function registerScriptsRoute(router: IRouter) {
     .addVersion(
       {
         version: SCRIPT_LANGUAGES_ROUTE_LATEST_VERSION,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           response: {
             '200': {

src/plugins/data/server/search/routes/session.ts

@@ -24,11 +24,8 @@ import {
   searchSessionsUpdateSchema,
 } from './response_schema';
 
-const STORE_SEARCH_SESSIONS_ROLE_TAG = `access:store_search_session`;
 const access = 'internal';
-const options = {
-  tags: [STORE_SEARCH_SESSIONS_ROLE_TAG],
-};
+const requiredPrivileges = ['store_search_session'];
 const pathPrefix = '/internal/session';
 export const INITIAL_SEARCH_SESSION_REST_VERSION = '1';
 const version = INITIAL_SEARCH_SESSION_REST_VERSION;
@@ -37,9 +34,12 @@ const idAndAttrsOnly = (so?: SearchSessionRestResponse) =>
   so && { id: so.id, attributes: so.attributes };
 
 export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): void {
-  router.versioned.post({ path: pathPrefix, access, options }).addVersion(
+  router.versioned.post({ path: pathPrefix, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -85,9 +85,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.get({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -117,9 +120,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}/status`, access, options }).addVersion(
+  router.versioned.get({ path: `${pathPrefix}/{id}/status`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -150,9 +156,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/_find`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/_find`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -200,9 +209,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.delete({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.delete({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -226,9 +238,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -252,9 +267,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.put({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.put({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -291,9 +309,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({