From 8f1d3c6ce2ca8e5b9a16b48695856c9d26112a83 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Thu, 5 Dec 2024 11:21:53 +1100 Subject: [PATCH] [8.x] Unauthorized route migration for routes owned by kibana-visualizations,kibana-data-discovery (#198331) (#203031) # Backport This will backport the following commits from `main` to `8.x`: - [Unauthorized route migration for routes owned by kibana-visualizations,kibana-data-discovery (#198331)](https://github.com/elastic/kibana/pull/198331) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) --- .../data/server/kql_telemetry/route.ts | 6 ++ src/plugins/data/server/query/routes.ts | 35 ++++++++++++ src/plugins/data/server/scripts/route.ts | 6 ++ .../data/server/search/routes/session.ts | 45 +++++++++++---- .../__snapshots__/oss_features.test.ts.snap | 56 +++++++++++++++++-- .../plugins/features/server/oss_features.ts | 27 +++++++-- x-pack/plugins/maps/server/plugin.ts | 2 + .../platform_security/authorization.ts | 12 ++++ .../search/platform_security/authorization.ts | 12 ++++ .../platform_security/authorization.ts | 6 ++ 10 files changed, 183 insertions(+), 24 deletions(-) diff --git a/src/plugins/data/server/kql_telemetry/route.ts b/src/plugins/data/server/kql_telemetry/route.ts index 4d6d3b5871bb0..ef9aaa16ec027 100644 --- a/src/plugins/data/server/kql_telemetry/route.ts +++ b/src/plugins/data/server/kql_telemetry/route.ts @@ -24,6 +24,12 @@ export function registerKqlTelemetryRoute( .addVersion( { version: KQL_TELEMETRY_ROUTE_LATEST_VERSION, + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { body: schema.object({ diff --git a/src/plugins/data/server/query/routes.ts b/src/plugins/data/server/query/routes.ts index 950363d498a1c..cb1f79af1144d 100644 --- a/src/plugins/data/server/query/routes.ts +++ b/src/plugins/data/server/query/routes.ts @@ -43,6 +43,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:read'], + }, + }, validate: { request: { body: schema.object({ @@ -75,6 +80,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_create`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:manage'], + }, + }, validate: { request: { body: SAVED_QUERY_ATTRS_CONFIG, @@ -101,6 +111,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.put({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:manage'], + }, + }, validate: { request: { params: SAVED_QUERY_ID_CONFIG, @@ -129,6 +144,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:read'], + }, + }, validate: { request: { params: SAVED_QUERY_ID_CONFIG, @@ -156,6 +176,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/_count`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:read'], + }, + }, validate: { request: {}, response: { @@ -180,6 +205,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_find`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:read'], + }, + }, validate: { request: { body: schema.object({ @@ -214,6 +244,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void { router.versioned.delete({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion( { version, + security: { + authz: { + requiredPrivileges: ['savedQuery:manage'], + }, + }, validate: { request: { params: SAVED_QUERY_ID_CONFIG, diff --git a/src/plugins/data/server/scripts/route.ts b/src/plugins/data/server/scripts/route.ts index f4c802f551d51..2e4cd5364ce01 100644 --- a/src/plugins/data/server/scripts/route.ts +++ b/src/plugins/data/server/scripts/route.ts @@ -20,6 +20,12 @@ export function registerScriptsRoute(router: IRouter) { .addVersion( { version: SCRIPT_LANGUAGES_ROUTE_LATEST_VERSION, + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { response: { '200': { diff --git a/src/plugins/data/server/search/routes/session.ts b/src/plugins/data/server/search/routes/session.ts index 0ae8eebe8180c..b339631e162f9 100644 --- a/src/plugins/data/server/search/routes/session.ts +++ b/src/plugins/data/server/search/routes/session.ts @@ -24,11 +24,8 @@ import { searchSessionsUpdateSchema, } from './response_schema'; -const STORE_SEARCH_SESSIONS_ROLE_TAG = `access:store_search_session`; const access = 'internal'; -const options = { - tags: [STORE_SEARCH_SESSIONS_ROLE_TAG], -}; +const requiredPrivileges = ['store_search_session']; const pathPrefix = '/internal/session'; export const INITIAL_SEARCH_SESSION_REST_VERSION = '1'; const version = INITIAL_SEARCH_SESSION_REST_VERSION; @@ -37,9 +34,12 @@ const idAndAttrsOnly = (so?: SearchSessionRestResponse) => so && { id: so.id, attributes: so.attributes }; export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): void { - router.versioned.post({ path: pathPrefix, access, options }).addVersion( + router.versioned.post({ path: pathPrefix, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { body: schema.object({ @@ -85,9 +85,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.get({ path: `${pathPrefix}/{id}`, access, options }).addVersion( + router.versioned.get({ path: `${pathPrefix}/{id}`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ @@ -117,9 +120,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.get({ path: `${pathPrefix}/{id}/status`, access, options }).addVersion( + router.versioned.get({ path: `${pathPrefix}/{id}/status`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ @@ -150,9 +156,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.post({ path: `${pathPrefix}/_find`, access, options }).addVersion( + router.versioned.post({ path: `${pathPrefix}/_find`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { body: schema.object({ @@ -200,9 +209,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.delete({ path: `${pathPrefix}/{id}`, access, options }).addVersion( + router.versioned.delete({ path: `${pathPrefix}/{id}`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ @@ -226,9 +238,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access, options }).addVersion( + router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ @@ -252,9 +267,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.put({ path: `${pathPrefix}/{id}`, access, options }).addVersion( + router.versioned.put({ path: `${pathPrefix}/{id}`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ @@ -291,9 +309,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): } ); - router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access, options }).addVersion( + router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access }).addVersion( { version, + security: { + authz: { requiredPrivileges }, + }, validate: { request: { params: schema.object({ diff --git a/x-pack/plugins/features/server/__snapshots__/oss_features.test.ts.snap b/x-pack/plugins/features/server/__snapshots__/oss_features.test.ts.snap index b5614562f18a4..140d20f8ebdb8 100644 --- a/x-pack/plugins/features/server/__snapshots__/oss_features.test.ts.snap +++ b/x-pack/plugins/features/server/__snapshots__/oss_features.test.ts.snap @@ -548,6 +548,8 @@ Array [ "api": Array [ "bulkGetUserProfiles", "dashboardUsageStats", + "savedQuery:manage", + "savedQuery:read", "store_search_session", ], "app": Array [ @@ -607,6 +609,7 @@ Array [ "api": Array [ "bulkGetUserProfiles", "dashboardUsageStats", + "savedQuery:read", ], "app": Array [ "dashboards", @@ -709,6 +712,8 @@ Array [ }, "api": Array [ "fileUpload:analyzeFile", + "savedQuery:manage", + "savedQuery:read", "store_search_session", ], "app": Array [ @@ -757,6 +762,9 @@ Array [ }, Object { "privilege": Object { + "api": Array [ + "savedQuery:read", + ], "app": Array [ "discover", "kibana", @@ -1004,6 +1012,10 @@ exports[`buildOSSFeatures with a basic license returns the savedQueryManagement Array [ Object { "privilege": Object { + "api": Array [ + "savedQuery:manage", + "savedQuery:read", + ], "app": Array [ "kibana", ], @@ -1022,10 +1034,14 @@ Array [ }, Object { "privilege": Object { - "disabled": true, + "api": Array [ + "savedQuery:read", + ], "savedObject": Object { "all": Array [], - "read": Array [], + "read": Array [ + "query", + ], }, "ui": Array [], }, @@ -1048,7 +1064,10 @@ Array [ "read": Array [], }, }, - "api": Array [], + "api": Array [ + "savedQuery:manage", + "savedQuery:read", + ], "app": Array [ "visualize", "lens", @@ -1094,6 +1113,9 @@ Array [ }, Object { "privilege": Object { + "api": Array [ + "savedQuery:read", + ], "app": Array [ "visualize", "lens", @@ -1190,6 +1212,8 @@ Array [ "api": Array [ "bulkGetUserProfiles", "dashboardUsageStats", + "savedQuery:manage", + "savedQuery:read", "store_search_session", ], "app": Array [ @@ -1249,6 +1273,7 @@ Array [ "api": Array [ "bulkGetUserProfiles", "dashboardUsageStats", + "savedQuery:read", ], "app": Array [ "dashboards", @@ -1351,6 +1376,8 @@ Array [ }, "api": Array [ "fileUpload:analyzeFile", + "savedQuery:manage", + "savedQuery:read", "store_search_session", ], "app": Array [ @@ -1399,6 +1426,9 @@ Array [ }, Object { "privilege": Object { + "api": Array [ + "savedQuery:read", + ], "app": Array [ "discover", "kibana", @@ -1646,6 +1676,10 @@ exports[`buildOSSFeatures with a enterprise license returns the savedQueryManage Array [ Object { "privilege": Object { + "api": Array [ + "savedQuery:manage", + "savedQuery:read", + ], "app": Array [ "kibana", ], @@ -1664,10 +1698,14 @@ Array [ }, Object { "privilege": Object { - "disabled": true, + "api": Array [ + "savedQuery:read", + ], "savedObject": Object { "all": Array [], - "read": Array [], + "read": Array [ + "query", + ], }, "ui": Array [], }, @@ -1690,7 +1728,10 @@ Array [ "read": Array [], }, }, - "api": Array [], + "api": Array [ + "savedQuery:manage", + "savedQuery:read", + ], "app": Array [ "visualize", "lens", @@ -1736,6 +1777,9 @@ Array [ }, Object { "privilege": Object { + "api": Array [ + "savedQuery:read", + ], "app": Array [ "visualize", "lens", diff --git a/x-pack/plugins/features/server/oss_features.ts b/x-pack/plugins/features/server/oss_features.ts index 0f243e7e6bda8..12978c35777e7 100644 --- a/x-pack/plugins/features/server/oss_features.ts +++ b/x-pack/plugins/features/server/oss_features.ts @@ -37,7 +37,7 @@ export const buildOSSFeatures = ({ privileges: { all: { app: ['discover', 'kibana'], - api: ['fileUpload:analyzeFile'], + api: ['fileUpload:analyzeFile', 'savedQuery:manage', 'savedQuery:read'], catalogue: ['discover'], savedObject: { all: ['search', 'query'], @@ -53,6 +53,7 @@ export const buildOSSFeatures = ({ read: ['index-pattern', 'search', 'query'], }, ui: ['show'], + api: ['savedQuery:read'], }, }, subFeatures: [ @@ -139,6 +140,7 @@ export const buildOSSFeatures = ({ read: ['index-pattern', 'search', 'tag'], }, ui: ['show', 'delete', 'save', 'saveQuery'], + api: ['savedQuery:manage', 'savedQuery:read'], }, read: { app: ['visualize', 'lens', 'kibana'], @@ -148,6 +150,7 @@ export const buildOSSFeatures = ({ read: ['index-pattern', 'search', 'visualization', 'query', 'lens', 'tag'], }, ui: ['show'], + api: ['savedQuery:read'], }, }, subFeatures: [ @@ -213,7 +216,12 @@ export const buildOSSFeatures = ({ ], }, ui: ['createNew', 'show', 'showWriteControls', 'saveQuery'], - api: ['bulkGetUserProfiles', 'dashboardUsageStats'], + api: [ + 'bulkGetUserProfiles', + 'dashboardUsageStats', + 'savedQuery:manage', + 'savedQuery:read', + ], }, read: { app: ['dashboards', 'kibana'], @@ -234,7 +242,7 @@ export const buildOSSFeatures = ({ ], }, ui: ['show'], - api: ['bulkGetUserProfiles', 'dashboardUsageStats'], + api: ['bulkGetUserProfiles', 'dashboardUsageStats', 'savedQuery:read'], }, }, subFeatures: [ @@ -545,7 +553,7 @@ export const buildOSSFeatures = ({ catalogue: [], privilegesTooltip: i18n.translate('xpack.features.savedQueryManagementTooltip', { defaultMessage: - 'If set to "All", saved queries can be managed across Kibana in all applications that support them. If set to "None", saved query privileges will be determined independently by each application.', + 'If set to "All", saved queries can be managed across Kibana in all applications that support them. Otherwise, saved query privileges will be determined independently by each application.', }), privileges: { all: { @@ -556,9 +564,16 @@ export const buildOSSFeatures = ({ read: [], }, ui: ['saveQuery'], + api: ['savedQuery:manage', 'savedQuery:read'], + }, + read: { + savedObject: { + all: [], + read: ['query'], + }, + ui: [], + api: ['savedQuery:read'], }, - // No read-only mode supported - read: { disabled: true, savedObject: { all: [], read: [] }, ui: [] }, }, }, ]; diff --git a/x-pack/plugins/maps/server/plugin.ts b/x-pack/plugins/maps/server/plugin.ts index 1b98310f798e4..9d82aa0cc931e 100644 --- a/x-pack/plugins/maps/server/plugin.ts +++ b/x-pack/plugins/maps/server/plugin.ts @@ -188,6 +188,7 @@ export class MapsPlugin implements Plugin { read: ['index-pattern', 'tag'], }, ui: ['save', 'show', 'saveQuery'], + api: ['savedQuery:manage', 'savedQuery:read'], }, read: { app: [APP_ID, 'kibana'], @@ -197,6 +198,7 @@ export class MapsPlugin implements Plugin { read: [MAP_SAVED_OBJECT_TYPE, 'index-pattern', 'query', 'tag'], }, ui: ['show'], + api: ['savedQuery:read'], }, }, }); diff --git a/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts index b6dbceedfe65e..91812dbecb027 100644 --- a/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/observability/platform_security/authorization.ts @@ -4235,6 +4235,8 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "api:downloadCsv", @@ -4418,6 +4420,8 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:manage", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -4570,6 +4574,7 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -4669,6 +4674,7 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -4804,6 +4810,8 @@ export default function ({ getService }: FtrProviderContext) { "all": Array [ "login:", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "app:discover", @@ -6032,6 +6040,8 @@ export default function ({ getService }: FtrProviderContext) { "minimal_all": Array [ "login:", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", @@ -7227,6 +7237,7 @@ export default function ({ getService }: FtrProviderContext) { ], "minimal_read": Array [ "login:", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", @@ -7718,6 +7729,7 @@ export default function ({ getService }: FtrProviderContext) { ], "read": Array [ "login:", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", diff --git a/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts index a30b8aca571ea..ed9fdd30cbdae 100644 --- a/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/search/platform_security/authorization.ts @@ -42,6 +42,8 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "api:downloadCsv", @@ -225,6 +227,8 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:manage", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -377,6 +381,7 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -476,6 +481,7 @@ export default function ({ getService }: FtrProviderContext) { "login:", "api:bulkGetUserProfiles", "api:dashboardUsageStats", + "api:savedQuery:read", "app:dashboards", "app:kibana", "ui:catalogue/dashboard", @@ -611,6 +617,8 @@ export default function ({ getService }: FtrProviderContext) { "all": Array [ "login:", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "app:discover", @@ -711,6 +719,8 @@ export default function ({ getService }: FtrProviderContext) { "minimal_all": Array [ "login:", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", @@ -778,6 +788,7 @@ export default function ({ getService }: FtrProviderContext) { ], "minimal_read": Array [ "login:", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", @@ -822,6 +833,7 @@ export default function ({ getService }: FtrProviderContext) { ], "read": Array [ "login:", + "api:savedQuery:read", "app:discover", "app:kibana", "ui:catalogue/discover", diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index c3b37539946ff..1f9a7f74fd572 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts @@ -742,6 +742,8 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/alert/getAlertSummary", "alerting:siem.newTermsRule/siem/alert/update", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "app:discover", @@ -1597,6 +1599,8 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/alert/getAlertSummary", "alerting:siem.newTermsRule/siem/alert/update", "api:fileUpload:analyzeFile", + "api:savedQuery:manage", + "api:savedQuery:read", "api:store_search_session", "api:generateReport", "app:discover", @@ -2003,6 +2007,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", "alerting:siem.newTermsRule/siem/alert/getAlertSummary", "alerting:siem.newTermsRule/siem/alert/update", + "api:savedQuery:read", "app:discover", "ui:catalogue/discover", "ui:navLinks/discover", @@ -2370,6 +2375,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", "alerting:siem.newTermsRule/siem/alert/getAlertSummary", "alerting:siem.newTermsRule/siem/alert/update", + "api:savedQuery:read", "app:discover", "ui:catalogue/discover", "ui:navLinks/discover",