Skip to content

Commit

Permalink
Unauthorized route migration for routes owned by kibana-visualization…
Browse files Browse the repository at this point in the history
…s,kibana-data-discovery (elastic#198331)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

--- EDIT ---

This PR also adds two privileges related to saved query APIs:
`savedQuery:read` and `savedQuery:manage`. These are given by default to
the same roles that already have access to the `query`-type saved
objects.

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Lukas Olson <[email protected]>
Co-authored-by: Matthias Wilhelm <[email protected]>
Co-authored-by: Marta Bondyra <[email protected]>
Co-authored-by: Davis McPhee <[email protected]>
  • Loading branch information
5 people authored Dec 4, 2024
1 parent 52e021f commit 56c38bc
Show file tree
Hide file tree
Showing 10 changed files with 183 additions and 24 deletions.
6 changes: 6 additions & 0 deletions src/plugins/data/server/kql_telemetry/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@ export function registerKqlTelemetryRoute(
.addVersion(
{
version: KQL_TELEMETRY_ROUTE_LATEST_VERSION,
security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
},
},
validate: {
request: {
body: schema.object({
Expand Down
35 changes: 35 additions & 0 deletions src/plugins/data/server/query/routes.ts
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:read'],
},
},
validate: {
request: {
body: schema.object({
Expand Down Expand Up @@ -75,6 +80,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_create`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:manage'],
},
},
validate: {
request: {
body: SAVED_QUERY_ATTRS_CONFIG,
Expand All @@ -101,6 +111,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.put({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:manage'],
},
},
validate: {
request: {
params: SAVED_QUERY_ID_CONFIG,
Expand Down Expand Up @@ -129,6 +144,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:read'],
},
},
validate: {
request: {
params: SAVED_QUERY_ID_CONFIG,
Expand Down Expand Up @@ -156,6 +176,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/_count`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:read'],
},
},
validate: {
request: {},
response: {
Expand All @@ -180,6 +205,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_find`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:read'],
},
},
validate: {
request: {
body: schema.object({
Expand Down Expand Up @@ -214,6 +244,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
router.versioned.delete({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
{
version,
security: {
authz: {
requiredPrivileges: ['savedQuery:manage'],
},
},
validate: {
request: {
params: SAVED_QUERY_ID_CONFIG,
Expand Down
6 changes: 6 additions & 0 deletions src/plugins/data/server/scripts/route.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,12 @@ export function registerScriptsRoute(router: IRouter) {
.addVersion(
{
version: SCRIPT_LANGUAGES_ROUTE_LATEST_VERSION,
security: {
authz: {
enabled: false,
reason: 'This route is opted out from authorization',
},
},
validate: {
response: {
'200': {
Expand Down
45 changes: 33 additions & 12 deletions src/plugins/data/server/search/routes/session.ts
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,8 @@ import {
searchSessionsUpdateSchema,
} from './response_schema';

const STORE_SEARCH_SESSIONS_ROLE_TAG = `access:store_search_session`;
const access = 'internal';
const options = {
tags: [STORE_SEARCH_SESSIONS_ROLE_TAG],
};
const requiredPrivileges = ['store_search_session'];
const pathPrefix = '/internal/session';
export const INITIAL_SEARCH_SESSION_REST_VERSION = '1';
const version = INITIAL_SEARCH_SESSION_REST_VERSION;
Expand All @@ -37,9 +34,12 @@ const idAndAttrsOnly = (so?: SearchSessionRestResponse) =>
so && { id: so.id, attributes: so.attributes };

export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): void {
router.versioned.post({ path: pathPrefix, access, options }).addVersion(
router.versioned.post({ path: pathPrefix, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
body: schema.object({
Expand Down Expand Up @@ -85,9 +85,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.get({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
router.versioned.get({ path: `${pathPrefix}/{id}`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -117,9 +120,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.get({ path: `${pathPrefix}/{id}/status`, access, options }).addVersion(
router.versioned.get({ path: `${pathPrefix}/{id}/status`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -150,9 +156,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.post({ path: `${pathPrefix}/_find`, access, options }).addVersion(
router.versioned.post({ path: `${pathPrefix}/_find`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
body: schema.object({
Expand Down Expand Up @@ -200,9 +209,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.delete({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
router.versioned.delete({ path: `${pathPrefix}/{id}`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand All @@ -226,9 +238,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access, options }).addVersion(
router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand All @@ -252,9 +267,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.put({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
router.versioned.put({ path: `${pathPrefix}/{id}`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand Down Expand Up @@ -291,9 +309,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
}
);

router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access, options }).addVersion(
router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access }).addVersion(
{
version,
security: {
authz: { requiredPrivileges },
},
validate: {
request: {
params: schema.object({
Expand Down
Loading

0 comments on commit 56c38bc

Please sign in to comment.