Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify internal and external notes when opting out of route authorization #198590

Open
legrego opened this issue Oct 31, 2024 · 3 comments
Open

Specify internal and external notes when opting out of route authorization #198590

legrego opened this issue Oct 31, 2024 · 3 comments
Labels
enhancement New value added to drive a business result Feature:Hardening Harding of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Copy link
Member

legrego commented Oct 31, 2024

Routes that out-out of authorization are required to provide a justification for doing so:

kibana/packages/core/http/core-http-server/src/router/route.ts

Lines 178 to 187 in 71c0d75

/**
* Describes the state when authorization is disabled.
*
* - `enabled`: A boolean indicating that authorization is not enabled (`false`).
* - `reason`: A string explaining why authorization is disabled.
*/
export interface AuthzDisabled {
enabled: false;
reason: string;
}

kibana/packages/core/http/core-http-router-server-internal/src/security_route_config_validator.ts

Lines 98 to 106 in 71c0d75

const authcSchema = schema.object({
enabled: schema.oneOf([schema.literal(true), schema.literal('optional'), schema.literal(false)]),
reason: schema.conditional(
schema.siblingRef('enabled'),
schema.literal(false),
schema.string(),
schema.never()
),
});

These justifications are designed for internal consumption, and do not provide value to external API consumers.

We should update this schema to support two types of notes:

  1. The internal justification for disabling route authorization (e.g. "Route delegates authorization to the scoped ES Client")
  2. An external description that allows the route author to tell consumers the required privileges (e.g. "Route requires read access to the logs-* data stream).

The internal justification should remain a required field.
The new external description should be an optional field.

The new external description should be surfaced in the OAS documentation, similar to what we do for routes that have opted-in to authorization (#197001)
@legrego legrego added enhancement New value added to drive a business result Feature:Hardening Harding of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Oct 31, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jeramysoucy
Copy link
Contributor

jeramysoucy commented Nov 4, 2024
edited
Loading

@legrego Will this be complete once we update and merge #198334? Or is this intended more as a cross-team meta issue?

@legrego
Copy link
Member Author

legrego commented Nov 4, 2024

Will this be complete once we update and merge #198334? Or is this intended more as a cross-team meta issue?

@jeramysoucy neither. This is tracking an enhancement to the new security.authz interface that we expose on Core's router. It will allow teams to specify both internal and external notes when opting out of route authorization. We currently only support the former.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New value added to drive a business result Feature:Hardening Harding of Kibana from a security perspective Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@legrego @elasticmachine @jeramysoucy