Skip to content

Commit

Permalink
[8.x] Authorized route migration for routes owned by @elastic/obs-ux-…
Browse files Browse the repository at this point in the history
…infra_services-team (#198196) (#200752)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by
@elastic/obs-ux-infra_services-team
(#198196)](#198196)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-19T14:39:44Z","message":"Authorized
route migration for routes owned by @elastic/obs-ux-infra_services-team
(#198196)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.","sha":"302652c7afa79b2f9f1ebd32d9c1e3e75ccd0e5b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","ci:project-deploy-observability","Team:obs-ux-infra_services","apm:review","Authz:
API migration"],"title":"Authorized route migration for routes owned by
@elastic/obs-ux-infra_services-team","number":198196,"url":"https://github.com/elastic/kibana/pull/198196","mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/obs-ux-infra_services-team
(#198196)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.","sha":"302652c7afa79b2f9f1ebd32d9c1e3e75ccd0e5b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198196","number":198196,"mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/obs-ux-infra_services-team
(#198196)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.","sha":"302652c7afa79b2f9f1ebd32d9c1e3e75ccd0e5b"}}]}] BACKPORT-->
  • Loading branch information
kibanamachine authored Nov 19, 2024
1 parent bf5c9de commit 59e8006
Show file tree
Hide file tree
Showing 6 changed files with 53 additions and 10 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,12 @@ export function registerTopNFunctionsAPMTransactionsRoute({
router.get(
{
path: paths.APMTransactions,
security: {
authz: {
requiredPrivileges: ['profiling', 'apm'],
},
},
options: {
tags: ['access:profiling', 'access:apm'],
timeout: { idleSocket: IDLE_SOCKET_TIMEOUT },
},
validate: { query: querySchema },
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,12 @@ export function registerFlameChartSearchRoute({
router.get(
{
path: paths.Flamechart,
options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
validate: {
query: schema.object({
timeFrom: schema.number(),
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,12 @@ export function registerTopNFunctionsSearchRoute({
router.get(
{
path: paths.TopNFunctions,
options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
validate: { query: querySchema },
},
async (context, request, response) => {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,11 @@ export function registerSetupRoute({
router.get(
{
path: paths.HasSetupESResources,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: false,
},
async (context, request, response) => {
Expand Down Expand Up @@ -62,7 +66,11 @@ export function registerSetupRoute({
router.post(
{
path: paths.HasSetupESResources,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: false,
},
async (context, request, response) => {
Expand Down Expand Up @@ -166,7 +174,11 @@ export function registerSetupRoute({
router.get(
{
path: paths.SetupDataCollectionInstructions,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: false,
},
async (context, request, response) => {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,11 @@ export function registerStorageExplorerRoute({
router.get(
{
path: paths.StorageExplorerSummary,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: {
query: schema.object({
indexLifecyclePhase: schema.oneOf([
Expand Down Expand Up @@ -112,7 +116,11 @@ export function registerStorageExplorerRoute({
router.get(
{
path: paths.StorageExplorerHostStorageDetails,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: {
query: schema.object({
indexLifecyclePhase: schema.oneOf([
Expand Down Expand Up @@ -156,7 +164,11 @@ export function registerStorageExplorerRoute({
router.get(
{
path: paths.StorageExplorerIndicesStorageDetails,
options: { tags: ['access:profiling'] },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
validate: {
query: schema.object({
indexLifecyclePhase: schema.oneOf([
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,12 @@ export function queryTopNCommon({
router.get(
{
path: pathName,
options: { tags: ['access:profiling'], timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
security: {
authz: {
requiredPrivileges: ['profiling'],
},
},
options: { timeout: { idleSocket: IDLE_SOCKET_TIMEOUT } },
validate: {
query: schema.object({
timeFrom: schema.number(),
Expand Down

0 comments on commit 59e8006

Please sign in to comment.