Skip to content

Commit

Permalink
Authorized route migration for routes owned by @elastic/ml-ui (#198190)
Browse files Browse the repository at this point in the history
### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: James Gowdy <[email protected]>
  • Loading branch information
kibanamachine and jgowdyelastic authored Nov 13, 2024
1 parent b8836c5 commit 772b03c
Show file tree
Hide file tree
Showing 51 changed files with 678 additions and 405 deletions.
12 changes: 8 additions & 4 deletions x-pack/plugins/data_visualizer/server/routes.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,10 @@ export function routes(coreSetup: CoreSetup<StartDeps, unknown>, logger: Logger)
.post({
path: '/internal/data_visualizer/test_grok_pattern',
access: 'internal',
options: {
tags: ['access:fileUpload:analyzeFile'],
security: {
authz: {
requiredPrivileges: ['fileUpload:analyzeFile'],
},
},
})
.addVersion(
Expand Down Expand Up @@ -78,8 +80,10 @@ export function routes(coreSetup: CoreSetup<StartDeps, unknown>, logger: Logger)
.get({
path: '/internal/data_visualizer/inference_endpoints',
access: 'internal',
options: {
tags: ['access:fileUpload:analyzeFile'],
security: {
authz: {
requiredPrivileges: ['fileUpload:analyzeFile'],
},
},
})
.addVersion(
Expand Down
6 changes: 4 additions & 2 deletions x-pack/plugins/ml/server/routes/alerting.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@ export function alertingRoutes(
.post({
access: 'internal',
path: `${ML_INTERNAL_BASE_PATH}/alerting/preview`,
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Previews an alerting condition',
description: 'Returns a preview of the alerting condition',
Expand Down
18 changes: 12 additions & 6 deletions x-pack/plugins/ml/server/routes/annotations.ts
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,10 @@ export function annotationRoutes(
.post({
path: `${ML_INTERNAL_BASE_PATH}/annotations`,
access: 'internal',
options: {
tags: ['access:ml:canGetAnnotations'],
security: {
authz: {
requiredPrivileges: ['ml:canGetAnnotations'],
},
},
summary: 'Gets annotations',
description: 'Gets annotations.',
Expand Down Expand Up @@ -83,8 +85,10 @@ export function annotationRoutes(
.put({
path: `${ML_INTERNAL_BASE_PATH}/annotations/index`,
access: 'internal',
options: {
tags: ['access:ml:canCreateAnnotation'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateAnnotation'],
},
},
summary: 'Indexes annotation',
description: 'Indexes the annotation.',
Expand Down Expand Up @@ -127,8 +131,10 @@ export function annotationRoutes(
.delete({
path: `${ML_INTERNAL_BASE_PATH}/annotations/delete/{annotationId}`,
access: 'internal',
options: {
tags: ['access:ml:canDeleteAnnotation'],
security: {
authz: {
requiredPrivileges: ['ml:canDeleteAnnotation'],
},
},
summary: 'Deletes annotation',
description: 'Deletes the specified annotation.',
Expand Down
108 changes: 72 additions & 36 deletions x-pack/plugins/ml/server/routes/anomaly_detectors.ts
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Gets anomaly detectors',
description: 'Returns the list of anomaly detection jobs.',
Expand Down Expand Up @@ -67,8 +69,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Gets anomaly detector by ID',
description: 'Returns the anomaly detection job by ID',
Expand Down Expand Up @@ -99,8 +103,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/_stats`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Gets anomaly detectors stats',
description: 'Returns the anomaly detection jobs statistics.',
Expand All @@ -126,8 +132,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_stats`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Gets anomaly detector stats by ID',
description: 'Returns the anomaly detection job statistics by ID',
Expand Down Expand Up @@ -158,8 +166,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.put({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
access: 'internal',
options: {
tags: ['access:ml:canCreateJob'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateJob'],
},
},
summary: 'Creates an anomaly detection job',
description: 'Creates an anomaly detection job.',
Expand Down Expand Up @@ -205,8 +215,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_update`,
access: 'internal',
options: {
tags: ['access:ml:canUpdateJob'],
security: {
authz: {
requiredPrivileges: ['ml:canUpdateJob'],
},
},
summary: 'Updates an anomaly detection job',
description: 'Updates certain properties of an anomaly detection job.',
Expand Down Expand Up @@ -242,8 +254,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_open`,
access: 'internal',
options: {
tags: ['access:ml:canOpenJob'],
security: {
authz: {
requiredPrivileges: ['ml:canOpenJob'],
},
},
summary: 'Opens an anomaly detection job',
description: 'Opens an anomaly detection job.',
Expand Down Expand Up @@ -274,8 +288,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_close`,
access: 'internal',
options: {
tags: ['access:ml:canCloseJob'],
security: {
authz: {
requiredPrivileges: ['ml:canCloseJob'],
},
},
summary: 'Closes an anomaly detection job',
description: 'Closes an anomaly detection job.',
Expand Down Expand Up @@ -313,8 +329,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.delete({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
access: 'internal',
options: {
tags: ['access:ml:canDeleteJob'],
security: {
authz: {
requiredPrivileges: ['ml:canDeleteJob'],
},
},
summary: 'Deletes an anomaly detection job',
description: 'Deletes specified anomaly detection job.',
Expand Down Expand Up @@ -353,8 +371,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.delete({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_forecast/{forecastId}`,
access: 'internal',
options: {
tags: ['access:ml:canDeleteForecast'],
security: {
authz: {
requiredPrivileges: ['ml:canDeleteForecast'],
},
},
summary: 'Deletes specified forecast for specified job',
description: 'Deletes a specified forecast for the specified anomaly detection job.',
Expand Down Expand Up @@ -388,8 +408,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_forecast`,
access: 'internal',
options: {
tags: ['access:ml:canForecastJob'],
security: {
authz: {
requiredPrivileges: ['ml:canForecastJob'],
},
},
summary: 'Creates forecast for specified job',
description:
Expand Down Expand Up @@ -427,8 +449,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/buckets/{timestamp?}`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Gets bucket scores',
description:
Expand Down Expand Up @@ -470,8 +494,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/overall_buckets`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Get overall buckets',
description:
Expand Down Expand Up @@ -510,8 +536,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/categories/{categoryId}`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Get categories',
description: 'Retrieves the categories results for the specified job ID and category ID.',
Expand Down Expand Up @@ -544,8 +572,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Get model snapshots by job ID',
description: 'Returns the model snapshots for the specified job ID',
Expand Down Expand Up @@ -577,8 +607,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}`,
access: 'internal',
options: {
tags: ['access:ml:canGetJobs'],
security: {
authz: {
requiredPrivileges: ['ml:canGetJobs'],
},
},
summary: 'Get model snapshots by id',
description: 'Returns the model snapshots for the specified job ID and snapshot ID',
Expand Down Expand Up @@ -611,8 +643,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.post({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}/_update`,
access: 'internal',
options: {
tags: ['access:ml:canCreateJob'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateJob'],
},
},
summary: 'Updates model snapshot by snapshot ID',
description: 'Updates the model snapshot for the specified snapshot ID',
Expand Down Expand Up @@ -647,8 +681,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
.delete({
path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}`,
access: 'internal',
options: {
tags: ['access:ml:canCreateJob'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateJob'],
},
},
summary: 'Deletes model snapshots by snapshot ID',
description: 'Deletes the model snapshot for the specified snapshot ID',
Expand Down
30 changes: 20 additions & 10 deletions x-pack/plugins/ml/server/routes/calendars.ts
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/calendars`,
access: 'internal',
options: {
tags: ['access:ml:canGetCalendars'],
security: {
authz: {
requiredPrivileges: ['ml:canGetCalendars'],
},
},
summary: 'Gets calendars',
description: 'Gets calendars - size limit has been explicitly set to 10000',
Expand All @@ -76,8 +78,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
.get({
path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarIds}`,
access: 'internal',
options: {
tags: ['access:ml:canGetCalendars'],
security: {
authz: {
requiredPrivileges: ['ml:canGetCalendars'],
},
},
summary: 'Gets a calendar',
description: 'Gets a calendar by id',
Expand Down Expand Up @@ -115,8 +119,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
.put({
path: `${ML_INTERNAL_BASE_PATH}/calendars`,
access: 'internal',
options: {
tags: ['access:ml:canCreateCalendar'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateCalendar'],
},
},
summary: 'Creates a calendar',
description: 'Creates a calendar',
Expand Down Expand Up @@ -149,8 +155,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
.put({
path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarId}`,
access: 'internal',
options: {
tags: ['access:ml:canCreateCalendar'],
security: {
authz: {
requiredPrivileges: ['ml:canCreateCalendar'],
},
},
summary: 'Updates a calendar',
description: 'Updates a calendar',
Expand Down Expand Up @@ -185,8 +193,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
.delete({
path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarId}`,
access: 'internal',
options: {
tags: ['access:ml:canDeleteCalendar'],
security: {
authz: {
requiredPrivileges: ['ml:canDeleteCalendar'],
},
},
summary: 'Deletes a calendar',
description: 'Deletes a calendar',
Expand Down
Loading

0 comments on commit 772b03c

Please sign in to comment.