[8.x] Authorized route migration for routes owned by @elastic/ml-ui (#…

…198190) (#199997)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by @elastic/ml-ui
(#198190)](#198190)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-13T13:06:47Z","message":"Authorized
route migration for routes owned by @elastic/ml-ui (#198190)\n\n###
Authz API migration for authorized routes\r\n\r\nThis PR migrates
`access:<privilege>` tags used in route definitions to\r\nnew security
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: James Gowdy
<[email protected]>","sha":"772b03c47a062bcc12b0de0b459cf2a3c32cd474","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement",":ml","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","Authz:
API migration"],"title":"Authorized route migration for routes owned by
@elastic/ml-ui","number":198190,"url":"https://github.com/elastic/kibana/pull/198190","mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/ml-ui (#198190)\n\n###
Authz API migration for authorized routes\r\n\r\nThis PR migrates
`access:<privilege>` tags used in route definitions to\r\nnew security
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: James Gowdy
<[email protected]>","sha":"772b03c47a062bcc12b0de0b459cf2a3c32cd474"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198190","number":198190,"mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/ml-ui (#198190)\n\n###
Authz API migration for authorized routes\r\n\r\nThis PR migrates
`access:<privilege>` tags used in route definitions to\r\nnew security
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: James Gowdy
<[email protected]>","sha":"772b03c47a062bcc12b0de0b459cf2a3c32cd474"}}]}]
BACKPORT-->

x-pack/plugins/data_visualizer/server/routes.ts

@@ -25,8 +25,10 @@ export function routes(coreSetup: CoreSetup<StartDeps, unknown>, logger: Logger)
     .post({
       path: '/internal/data_visualizer/test_grok_pattern',
       access: 'internal',
-      options: {
-        tags: ['access:fileUpload:analyzeFile'],
+      security: {
+        authz: {
+          requiredPrivileges: ['fileUpload:analyzeFile'],
+        },
       },
     })
     .addVersion(
@@ -78,8 +80,10 @@ export function routes(coreSetup: CoreSetup<StartDeps, unknown>, logger: Logger)
     .get({
       path: '/internal/data_visualizer/inference_endpoints',
       access: 'internal',
-      options: {
-        tags: ['access:fileUpload:analyzeFile'],
+      security: {
+        authz: {
+          requiredPrivileges: ['fileUpload:analyzeFile'],
+        },
       },
     })
     .addVersion(

x-pack/plugins/ml/server/routes/alerting.ts

@@ -22,8 +22,10 @@ export function alertingRoutes(
     .post({
       access: 'internal',
       path: `${ML_INTERNAL_BASE_PATH}/alerting/preview`,
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Previews an alerting condition',
       description: 'Returns a preview of the alerting condition',

x-pack/plugins/ml/server/routes/annotations.ts

@@ -46,8 +46,10 @@ export function annotationRoutes(
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/annotations`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetAnnotations'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetAnnotations'],
+        },
       },
       summary: 'Gets annotations',
       description: 'Gets annotations.',
@@ -83,8 +85,10 @@ export function annotationRoutes(
     .put({
       path: `${ML_INTERNAL_BASE_PATH}/annotations/index`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateAnnotation'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateAnnotation'],
+        },
       },
       summary: 'Indexes annotation',
       description: 'Indexes the annotation.',
@@ -127,8 +131,10 @@ export function annotationRoutes(
     .delete({
       path: `${ML_INTERNAL_BASE_PATH}/annotations/delete/{annotationId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canDeleteAnnotation'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canDeleteAnnotation'],
+        },
       },
       summary: 'Deletes annotation',
       description: 'Deletes the specified annotation.',

x-pack/plugins/ml/server/routes/anomaly_detectors.ts

@@ -36,8 +36,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Gets anomaly detectors',
       description: 'Returns the list of anomaly detection jobs.',
@@ -67,8 +69,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Gets anomaly detector by ID',
       description: 'Returns the anomaly detection job by ID',
@@ -99,8 +103,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/_stats`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Gets anomaly detectors stats',
       description: 'Returns the anomaly detection jobs statistics.',
@@ -126,8 +132,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_stats`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Gets anomaly detector stats by ID',
       description: 'Returns the anomaly detection job statistics by ID',
@@ -158,8 +166,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .put({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateJob'],
+        },
       },
       summary: 'Creates an anomaly detection job',
       description: 'Creates an anomaly detection job.',
@@ -205,8 +215,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_update`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canUpdateJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canUpdateJob'],
+        },
       },
       summary: 'Updates an anomaly detection job',
       description: 'Updates certain properties of an anomaly detection job.',
@@ -242,8 +254,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_open`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canOpenJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canOpenJob'],
+        },
       },
       summary: 'Opens an anomaly detection job',
       description: 'Opens an anomaly detection job.',
@@ -274,8 +288,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_close`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCloseJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCloseJob'],
+        },
       },
       summary: 'Closes an anomaly detection job',
       description: 'Closes an anomaly detection job.',
@@ -313,8 +329,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .delete({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canDeleteJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canDeleteJob'],
+        },
       },
       summary: 'Deletes an anomaly detection job',
       description: 'Deletes specified anomaly detection job.',
@@ -353,8 +371,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .delete({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_forecast/{forecastId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canDeleteForecast'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canDeleteForecast'],
+        },
       },
       summary: 'Deletes specified forecast for specified job',
       description: 'Deletes a specified forecast for the specified anomaly detection job.',
@@ -388,8 +408,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/_forecast`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canForecastJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canForecastJob'],
+        },
       },
       summary: 'Creates forecast for specified job',
       description:
@@ -427,8 +449,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/buckets/{timestamp?}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Gets bucket scores',
       description:
@@ -470,8 +494,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/overall_buckets`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Get overall buckets',
       description:
@@ -510,8 +536,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/results/categories/{categoryId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Get categories',
       description: 'Retrieves the categories results for the specified job ID and category ID.',
@@ -544,8 +572,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Get model snapshots by job ID',
       description: 'Returns the model snapshots for the specified job ID',
@@ -577,8 +607,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetJobs'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetJobs'],
+        },
       },
       summary: 'Get model snapshots by id',
       description: 'Returns the model snapshots for the specified job ID and snapshot ID',
@@ -611,8 +643,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .post({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}/_update`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateJob'],
+        },
       },
       summary: 'Updates model snapshot by snapshot ID',
       description: 'Updates the model snapshot for the specified snapshot ID',
@@ -647,8 +681,10 @@ export function jobRoutes({ router, routeGuard }: RouteInitialization) {
     .delete({
       path: `${ML_INTERNAL_BASE_PATH}/anomaly_detectors/{jobId}/model_snapshots/{snapshotId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateJob'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateJob'],
+        },
       },
       summary: 'Deletes model snapshots by snapshot ID',
       description: 'Deletes the model snapshot for the specified snapshot ID',

x-pack/plugins/ml/server/routes/calendars.ts

@@ -48,8 +48,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/calendars`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetCalendars'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetCalendars'],
+        },
       },
       summary: 'Gets calendars',
       description: 'Gets calendars - size limit has been explicitly set to 10000',
@@ -76,8 +78,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
     .get({
       path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarIds}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canGetCalendars'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canGetCalendars'],
+        },
       },
       summary: 'Gets a calendar',
       description: 'Gets a calendar by id',
@@ -115,8 +119,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
     .put({
       path: `${ML_INTERNAL_BASE_PATH}/calendars`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateCalendar'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateCalendar'],
+        },
       },
       summary: 'Creates a calendar',
       description: 'Creates a calendar',
@@ -149,8 +155,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
     .put({
       path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canCreateCalendar'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canCreateCalendar'],
+        },
       },
       summary: 'Updates a calendar',
       description: 'Updates a calendar',
@@ -185,8 +193,10 @@ export function calendars({ router, routeGuard }: RouteInitialization) {
     .delete({
       path: `${ML_INTERNAL_BASE_PATH}/calendars/{calendarId}`,
       access: 'internal',
-      options: {
-        tags: ['access:ml:canDeleteCalendar'],
+      security: {
+        authz: {
+          requiredPrivileges: ['ml:canDeleteCalendar'],
+        },
       },
       summary: 'Deletes a calendar',
       description: 'Deletes a calendar',