From 2cb9b9b7d9864c1467a4c7cd5187b99f2a3da355 Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Sat, 2 Nov 2024 03:05:24 +1100
Subject: [PATCH] [8.x] Unauthorized route migration for routes owned by
 security-threat-hunting-explore (#198339) (#198687)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Unauthorized route migration for routes owned by
security-threat-hunting-explore
(#198339)](https://github.com/elastic/kibana/pull/198339)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-01T14:15:30Z","message":"Unauthorized
route migration for routes owned by security-threat-hunting-explore
(#198339)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.post({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.post({\r\n path: '/api/path',\r\n
access: 'internal',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['securitySolution'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Angela Chuang
<yi-chun.chuang@elastic.co>\r\nCo-authored-by: Angela Chuang
<6295984+angorayc@users.noreply.github.com>","sha":"ec391f7f172a102a19d65ec8e418ac2c7c671844","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Threat
Hunting:Explore","backport:prev-minor","Authz: API
migration"],"title":"Unauthorized route migration for routes owned by
security-threat-hunting-explore","number":198339,"url":"https://github.com/elastic/kibana/pull/198339","mergeCommit":{"message":"Unauthorized
route migration for routes owned by security-threat-hunting-explore
(#198339)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.post({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.post({\r\n path: '/api/path',\r\n
access: 'internal',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['securitySolution'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Angela Chuang
<yi-chun.chuang@elastic.co>\r\nCo-authored-by: Angela Chuang
<6295984+angorayc@users.noreply.github.com>","sha":"ec391f7f172a102a19d65ec8e418ac2c7c671844"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198339","number":198339,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by security-threat-hunting-explore
(#198339)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.post({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.post({\r\n path: '/api/path',\r\n
access: 'internal',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['securitySolution'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Angela Chuang
<yi-chun.chuang@elastic.co>\r\nCo-authored-by: Angela Chuang
<6295984+angorayc@users.noreply.github.com>","sha":"ec391f7f172a102a19d65ec8e418ac2c7c671844"}}]}]
BACKPORT-->
---
 .../server/routes/get_unallowed_field_values.ts              | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/x-pack/plugins/ecs_data_quality_dashboard/server/routes/get_unallowed_field_values.ts b/x-pack/plugins/ecs_data_quality_dashboard/server/routes/get_unallowed_field_values.ts
index 76f0827caaad2..9fb743d207d08 100644
--- a/x-pack/plugins/ecs_data_quality_dashboard/server/routes/get_unallowed_field_values.ts
+++ b/x-pack/plugins/ecs_data_quality_dashboard/server/routes/get_unallowed_field_values.ts
@@ -19,6 +19,11 @@ export const getUnallowedFieldValuesRoute = (router: IRouter, logger: Logger) =>
     .post({
       path: GET_UNALLOWED_FIELD_VALUES,
       access: 'internal',
+      security: {
+        authz: {
+          requiredPrivileges: ['securitySolution'],
+        },
+      },
     })
     .addVersion(
       {