From 302652c7afa79b2f9f1ebd32d9c1e3e75ccd0e5b Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 20 Nov 2024 01:39:44 +1100 Subject: [PATCH] Authorized route migration for routes owned by @elastic/obs-ux-infra_services-team (#198196) ### Authz API migration for authorized routes This PR migrates `access:` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:', 'access:'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['', ''], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --- .../profiling/server/routes/apm.ts | 6 +++++- .../profiling/server/routes/flamechart.ts | 7 ++++++- .../profiling/server/routes/functions.ts | 7 ++++++- .../profiling/server/routes/setup/route.ts | 18 +++++++++++++++--- .../server/routes/storage_explorer/route.ts | 18 +++++++++++++++--- .../profiling/server/routes/topn.ts | 7 ++++++- 6 files changed, 53 insertions(+), 10 deletions(-) diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/apm.ts b/x-pack/plugins/observability_solution/profiling/server/routes/apm.ts index e5119c17ee5da..7ad001831c0e4 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/apm.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/apm.ts @@ -34,8 +34,12 @@ export function registerTopNFunctionsAPMTransactionsRoute({ router.get( { path: paths.APMTransactions, + security: { + authz: { + requiredPrivileges: ['profiling', 'apm'], + }, + }, options: { - tags: ['access:profiling', 'access:apm'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT }, }, validate: { query: querySchema }, diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/flamechart.ts b/x-pack/plugins/observability_solution/profiling/server/routes/flamechart.ts index 86d384f62f609..2b318e57eb364 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/flamechart.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/flamechart.ts @@ -23,7 +23,12 @@ export function registerFlameChartSearchRoute({ router.get( { path: paths.Flamechart, - options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, + options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, validate: { query: schema.object({ timeFrom: schema.number(), diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/functions.ts b/x-pack/plugins/observability_solution/profiling/server/routes/functions.ts index 4f30ff0c8f238..1689e707a9d80 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/functions.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/functions.ts @@ -34,7 +34,12 @@ export function registerTopNFunctionsSearchRoute({ router.get( { path: paths.TopNFunctions, - options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, + options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, validate: { query: querySchema }, }, async (context, request, response) => { diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/setup/route.ts b/x-pack/plugins/observability_solution/profiling/server/routes/setup/route.ts index cbd0f6ee2170c..a5bc8d3187bda 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/setup/route.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/setup/route.ts @@ -27,7 +27,11 @@ export function registerSetupRoute({ router.get( { path: paths.HasSetupESResources, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: false, }, async (context, request, response) => { @@ -62,7 +66,11 @@ export function registerSetupRoute({ router.post( { path: paths.HasSetupESResources, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: false, }, async (context, request, response) => { @@ -166,7 +174,11 @@ export function registerSetupRoute({ router.get( { path: paths.SetupDataCollectionInstructions, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: false, }, async (context, request, response) => { diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/storage_explorer/route.ts b/x-pack/plugins/observability_solution/profiling/server/routes/storage_explorer/route.ts index 2447bfea61011..d3148fd9ff03a 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/storage_explorer/route.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/storage_explorer/route.ts @@ -29,7 +29,11 @@ export function registerStorageExplorerRoute({ router.get( { path: paths.StorageExplorerSummary, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: { query: schema.object({ indexLifecyclePhase: schema.oneOf([ @@ -112,7 +116,11 @@ export function registerStorageExplorerRoute({ router.get( { path: paths.StorageExplorerHostStorageDetails, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: { query: schema.object({ indexLifecyclePhase: schema.oneOf([ @@ -156,7 +164,11 @@ export function registerStorageExplorerRoute({ router.get( { path: paths.StorageExplorerIndicesStorageDetails, - options: { tags: ['access:profiling'] }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, validate: { query: schema.object({ indexLifecyclePhase: schema.oneOf([ diff --git a/x-pack/plugins/observability_solution/profiling/server/routes/topn.ts b/x-pack/plugins/observability_solution/profiling/server/routes/topn.ts index 944245a9d15cc..a675cc8e4b31a 100644 --- a/x-pack/plugins/observability_solution/profiling/server/routes/topn.ts +++ b/x-pack/plugins/observability_solution/profiling/server/routes/topn.ts @@ -171,7 +171,12 @@ export function queryTopNCommon({ router.get( { path: pathName, - options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, + security: { + authz: { + requiredPrivileges: ['profiling'], + }, + }, + options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } }, validate: { query: schema.object({ timeFrom: schema.number(),