Unauthorized route migration for routes owned by response-ops (#198336)
### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
4. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: adcoelho <[email protected]>
kibanamachine and adcoelho authored Dec 23, 2024
1 parent 3083706 commit 1df66ad
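An added check, not code from this commit or from Kibana: a small TypeScript audit over route definitions shaped like the `security.authz` block in the commit message. It flags routes that still have no security block and opt-outs whose `reason` is still the template stub ("... because ..."), which is what steps 1 and 2 of the commit message ask reviewers to catch. The `requiredPrivileges` form and all sample paths are assumptions, not taken from this page.

```typescript
// Added example (not Kibana's code): audit route definitions that use the
// `security.authz` shape introduced by this migration.
// Assumption: `requiredPrivileges` is the enabled-authz form; it is not shown
// on this page.
type RouteAuthz =
  | { enabled: false; reason: string }
  | { requiredPrivileges: string[] };

interface RouteDef {
  method: 'get' | 'post';
  path: string;
  security?: { authz: RouteAuthz };
}

type Verdict = 'authorized' | 'opted-out' | 'missing-security' | 'placeholder-reason';

// Matches the unfinished template text from the migration PR body.
const TEMPLATE_STUB = /because \.\.\.\s*$/;

function auditRoute(route: RouteDef): Verdict {
  if (!route.security) return 'missing-security';
  const authz = route.security.authz;
  if ('requiredPrivileges' in authz) {
    // An empty privilege list would enforce nothing; treat it like no config.
    return authz.requiredPrivileges.length > 0 ? 'authorized' : 'missing-security';
  }
  // Opt-out: the reason must be written out, not left as the template stub.
  const reason = authz.reason.trim();
  return reason.length === 0 || TEMPLATE_STUB.test(reason) ? 'placeholder-reason' : 'opted-out';
}

function auditAll(routes: RouteDef[]): Record<string, Verdict> {
  const verdicts: Record<string, Verdict> = {};
  for (const r of routes) verdicts[`${r.method.toUpperCase()} ${r.path}`] = auditRoute(r);
  return verdicts;
}

// Constructed sample input; paths are hypothetical.
const sampleRoutes: RouteDef[] = [
  { method: 'get', path: '/api/example/legacy' },
  { method: 'get', path: '/api/example/template',
    security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...' } } },
  { method: 'get', path: '/api/example/es_delegated',
    security: { authz: { enabled: false, reason: 'Relies on ES authorization instead.' } } },
  { method: 'post', path: '/api/example/privileged',
    security: { authz: { requiredPrivileges: ['example_privilege'] } } },
];
```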
Showing 6 changed files with 43 additions and 0 deletions.
@@ -111,6 +111,13 @@ export function backgroundTaskUtilizationRoute(
router.get(
{
path: `/${routeOption.basePath}/task_manager/_background_task_utilization`,
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization. It can be accessed with JWT credentials.',
},
},
// Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
// options: { tags: ['access:taskManager'] },
validate: false,
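Review bot: the `reason` string in this hunk says who can reach the route ('It can be accessed with JWT credentials') but not why no privilege check is needed, and unlike the health.ts hunk it cites no tracking issue even though the commented-out `// options: { tags: ['access:taskManager'] }` line shows a privilege restriction is still pending. Step 2 of the commit message asks teams to elaborate on the reasoning; suggest adding the tracking link as a comment above `reason:` and stating the actual justification for running this endpoint without an authorization check.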
8 changes: 8 additions & 0 deletions x-pack/plugins/task_manager/server/routes/health.ts
@@ -139,6 +139,14 @@ export function healthRoute(params: HealthRouteParams): {
router.get(
{
path: '/api/task_manager/_health',
security: {
authz: {
enabled: false,
// https://github.com/elastic/kibana/issues/136157
reason:
'This route is opted out from authorization. Authorization is planned but not implemented yet(breaking change).',
},
},
// Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
// options: { tags: ['access:taskManager'] },
validate: false,
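Review bot: the `reason` string in the health.ts hunk has a typo, 'yet(breaking change)' should read 'yet (breaking change)', and since the text admits authorization is planned, the link `// https://github.com/elastic/kibana/issues/136157` belongs inside the reason string rather than in a comment, because the comment is lost wherever the reason is surfaced (snapshots, generated docs, the route registry). Step 3 of the commit message asks for a plan to introduce authorization; naming the intended privilege in the same place would make that follow-up self-describing.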
7 changes: 7 additions & 0 deletions x-pack/plugins/task_manager/server/routes/metrics.ts
@@ -48,6 +48,13 @@ export function metricsRoute(params: MetricsRouteParams) {
router.get(
{
path: `/api/task_manager/metrics`,
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization. It can be accessed with JWT credentials.',
},
},
options: {
access: 'public',
// The `security:acceptJWT` tag allows route to be accessed with JWT credentials. It points to
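Review bot: this route is `access: 'public'` (visible context line) and the trailing comment refers to the `security:acceptJWT` tag, so the reason should name that tag explicitly instead of the vaguer 'It can be accessed with JWT credentials', and should say whether interactive (non-JWT) users are also expected to read task manager metrics with no privilege check. If the JWT consumer is the only intended caller, say so in the reason; otherwise this is a public read endpoint with neither a Kibana privilege nor a tracking issue, which step 3 of the commit message says should get a plan.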
@@ -29,6 +29,13 @@ export function createFieldsRoute(logger: Logger, router: IRouter, baseRoute: st
router.post(
{
path,
security: {
authz: {
enabled: false,
reason:
'This route is opted out of authorization as it relies on ES authorization instead.',
},
},
validate: {
body: bodySchema,
},
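Review bot: the justification 'relies on ES authorization instead' only holds if the handler (not shown in this hunk) issues its Elasticsearch calls through the request-scoped client, i.e. as the calling user, rather than through the internal user; with `enabled: false` that ES check becomes the only authorization on this POST route. Please confirm this in review and consider a one-line comment above `security:` pointing at the scoped client call so the claim can be verified without reading the handler.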
@@ -33,6 +33,13 @@ export function createIndicesRoute(logger: Logger, router: IRouter, baseRoute: s
router.post(
{
path,
security: {
authz: {
enabled: false,
reason:
'This route is opted out of authorization as it relies on ES authorization instead.',
},
},
validate: {
body: bodySchema,
},
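Review bot: the same request-scoped client condition applies to createIndicesRoute as to the fields route, and the three index-threshold routes in this PR use an identical reason string; a shared exported constant in the routes module would keep them in sync if the wording or a tracking link is added later, and would make a search for ES-delegated opt-outs reliable.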
@@ -28,6 +28,13 @@ export function createTimeSeriesQueryRoute(
router.post(
{
path,
security: {
authz: {
enabled: false,
reason:
'This route is opted out of authorization as it relies on ES authorization instead.',
},
},
validate: {
body: TimeSeriesQuerySchema,
},
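Review bot: with authorization opted out on createTimeSeriesQueryRoute, the only Kibana-side control left on the route is the `validate: { body: TimeSeriesQuerySchema }` check shown in context; the reason string should say where the ES-side check actually happens (the handler's scoped Elasticsearch call against the user-supplied index) so a reader can confirm that the query runs under the caller's own index privileges, which is what step 2 of the commit message means by elaborating on the reasoning.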

0 comments on commit 1df66ad