Unauthorized route migration for routes owned by kibana-cloud-security-posture (#198353)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
4. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Paulo Silva <[email protected]>
(cherry picked from commit 767a4bb)
kibanamachine committed Nov 14, 2024
1 parent 665fadc commit 2b49dd1
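
One way to check the outcome of a migration like this in CI, as an added example that is not Kibana's code or part of this commit: it flags routes with no `security.authz` block and opt-outs whose `reason` is still the template placeholder. The `RouteDef` model, the placeholder pattern, the 30-character threshold and the sample paths are assumptions made for illustration.

```typescript
// Added example: a stand-alone model of the route `security` block, not Kibana's own types.
type AuthzConfig =
  | { requiredPrivileges: string[] }
  | { enabled: false; reason: string };

interface RouteDef {
  path: string;
  security?: { authz: AuthzConfig };
}

type Finding = { path: string; issue: string };

// Placeholder text left by the migration template ("... because ...").
const PLACEHOLDER = /because\s*(\.\.\.|…)\s*$/;
const MIN_REASON_LENGTH = 30; // assumed threshold for a reviewable justification

function auditRoutes(routes: RouteDef[]): Finding[] {
  const found: Finding[] = [];
  for (const route of routes) {
    const authz = route.security?.authz;
    if (!authz) {
      found.push({ path: route.path, issue: 'no security.authz declared' });
    } else if ('requiredPrivileges' in authz) {
      if (authz.requiredPrivileges.length === 0) {
        found.push({ path: route.path, issue: 'empty requiredPrivileges' });
      }
    } else {
      const reason = authz.reason.trim();
      if (PLACEHOLDER.test(reason)) {
        found.push({ path: route.path, issue: 'opt-out reason is still the template placeholder' });
      } else if (reason.length < MIN_REASON_LENGTH) {
        found.push({ path: route.path, issue: 'opt-out reason too short to review' });
      }
    }
  }
  return found;
}

// Constructed sample routes (hypothetical paths).
const SAMPLE_ROUTES: RouteDef[] = [
  { path: '/internal/example/count', security: { authz: { requiredPrivileges: ['securitySolution'] } } },
  { path: '/internal/example/io', security: { authz: { enabled: false,
      reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.` } } },
  { path: '/internal/example/todo', security: { authz: { enabled: false,
      reason: 'This route is opted out from authorization because ...' } } },
  { path: '/internal/example/legacy' },
];

const sampleFindings = auditRoutes(SAMPLE_ROUTES);
```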
Showing 8 changed files with 43 additions and 0 deletions.
5 changes: 5 additions & 0 deletions x-pack/plugins/kubernetes_security/server/routes/aggregate.ts
Expand Up @@ -38,6 +38,11 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => {
.addVersion(
{
version: '1',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
validate: {
request: {
query: schema.object({
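Review bot: The added `requiredPrivileges: ['securitySolution']` on version '1' of the aggregate route turns enforcement on rather than recording an opt-out, yet the commit message only documents the `enabled: false` form, and the 43 additions across 8 files are all accounted for by the route config blocks, so no test covers the new check. Suggest stating in the message that these routes now require the `securitySolution` privilege, and adding an API test that calls the route as a user without that privilege and expects a rejection.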
5 changes: 5 additions & 0 deletions x-pack/plugins/kubernetes_security/server/routes/count.ts
Expand Up @@ -28,6 +28,11 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => {
.addVersion(
{
version: '1',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
validate: {
request: {
query: schema.object({
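Review bot: The privilege name in `requiredPrivileges: ['securitySolution']` is a bare string literal here in count.ts, repeated from aggregate.ts and the other routes in this commit. Suggest importing one shared constant for it so the routes cannot drift apart through a typo and a later rename is a one-line change.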
Expand Up @@ -35,6 +35,11 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger
.addVersion(
{
version: '1',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
validate: {
request: {
query: schema.object({
Expand Up @@ -31,6 +31,11 @@ export const registerAlertStatusRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
validate: {
request: {
query: schema.object({
5 changes: 5 additions & 0 deletions x-pack/plugins/session_view/server/routes/alerts_route.ts
Expand Up @@ -36,6 +36,11 @@ export const registerAlertsRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
validate: {
request: {
query: schema.object({
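Review bot: In session_view, alerts_route.ts now requires `securitySolution`, while io_events_route.ts in the same plugin opts out on the grounds that it delegates authorization to Elasticsearch. A code comment next to this `security` block, or a line in the commit message, should say why the alerts route is tied to a Kibana privilege and the event routes are not; otherwise a later reader cannot tell whether the split is deliberate.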
Expand Up @@ -22,6 +22,12 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) =>
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
},
},
validate: {
request: {
query: schema.object({
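Review bot: With `enabled: false`, the only access control left on this route is whatever the handler's Elasticsearch call enforces, and the handler is not part of this hunk. Please confirm that the handler queries Elasticsearch with the requesting user's credentials (the scoped client's `asCurrentUser`) rather than the internal Kibana user; if it uses the internal user, the stated reason does not hold and the route should get `requiredPrivileges` instead.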
6 changes: 6 additions & 0 deletions x-pack/plugins/session_view/server/routes/io_events_route.ts
Expand Up @@ -29,6 +29,12 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => {
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
},
},
validate: {
request: {
query: schema.object({
Expand Up @@ -43,6 +43,12 @@ export const registerProcessEventsRoute = (
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`,
},
},
validate: {
request: {
query: schema.object({
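Review bot: The `reason` string on the process events route is identical to the one in io_events_route.ts and the total IO bytes route, and it does not name which indices or Elasticsearch privileges protect the data. The commit message's own next step is to elaborate on the opt-out reasoning, so suggest a route-specific reason that names what the handler reads, or a shared constant if the justification really is the same for all three.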