[HTTP] Set explicit access for public HTTP APIs
#192554
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jloleysens
added
Feature:http
Team:Core
|
Pinging @elastic/kibana-core (Team:Core) |
jloleysens
commented
Sep 11, 2024
...e/saved-objects/core-saved-objects-server-internal/src/routes/legacy_import_export/export.ts
Outdated
Show resolved
Hide resolved
jloleysens
commented
Sep 11, 2024
There was a problem hiding this comment.
Technically this is public on stateful, because it is documented BUT since this is scheduled to be deleted for 9.0 we could also leave this unchanged for the remainder of 8. Open to just leave these legacy dashboard import/export routes unchanged.
There was a problem hiding this comment.
Don't really have a strong opinion as we'd be removing the whole route from main soon.
There was a problem hiding this comment.
We need to leave the legacy dashboard import/export routes as 'internal'.
jeramysoucy
approved these changes
Sep 11, 2024
There was a problem hiding this comment.
We actually have an open issue to make spaces CRUD endpoints public in serverless #192153. But as that will involve updating the serverless API integration tests, we can just open a separate PR for that.
jloleysens
changed the title
public HTTP APIs
This was referenced Sep 11, 2024
rudolf
approved these changes
Sep 23, 2024
There was a problem hiding this comment.
Don't really have a strong opinion as we'd be removing the whole route from main soon.
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Public APIs missing comments
Unknown metric groupsAPI count
History
To update your PR or re-run it, just comment with: cc @jloleysens |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 23, 2024
## Summary We will be enforcing restricted access to internal HTTP APIs [from 9.0](elastic#186781). This PR is part 1 of audit checking that our public APIs have their access tag set explicitly to ensure they are still available to end users after we start enforcing HTTP API restrictions. APIs reviewed in this PR ([docs](https://www.elastic.co/guide/en/kibana/current/dashboard-import-api.html)): <img width="260" alt="Screenshot 2024-09-11 at 11 25 55" src="https://github.com/user-attachments/assets/499b1f1f-8e01-4463-9410-4500e438cd23"> ## Note to reviewers This audit is focussed on set `access: 'public'` where needed. Per the screenshot our public-facing documentation is taken as the source of truth for which APIs should be public. This may differ per offering so please consider whether a given HTTP API should be public on both serverless and stateful offerings. ## Risks * If we miss an API that should be public, end users will encounter a `400` response when they try to use the HTTP API on 9.0 * If we set an API's access to "public" it will not have the same restrictions applied to it. (cherry picked from commit 3fa5bdf)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Sep 23, 2024
…92554) (#193735) # Backport This will backport the following commits from `main` to `8.x`: - [[HTTP] Set explicit access for `public` HTTP APIs (#192554)](#192554) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jean-Louis Leysens","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-23T14:53:31Z","message":"[HTTP] Set explicit access for `public` HTTP APIs (#192554)\n\n## Summary\r\n\r\nWe will be enforcing restricted access to internal HTTP APIs [from\r\n9.0](#186781). This PR is part 1\r\nof audit checking that our public APIs have their access tag set\r\nexplicitly to ensure they are still available to end users after we\r\nstart enforcing HTTP API restrictions. APIs reviewed in this PR\r\n([docs](https://www.elastic.co/guide/en/kibana/current/dashboard-import-api.html)):\r\n\r\n<img width=\"260\" alt=\"Screenshot 2024-09-11 at 11 25 55\"\r\nsrc=\"https://github.com/user-attachments/assets/499b1f1f-8e01-4463-9410-4500e438cd23\">\r\n\r\n## Note to reviewers\r\n\r\nThis audit is focussed on set `access: 'public'` where needed. Per the\r\nscreenshot our public-facing documentation is taken as the source of\r\ntruth for which APIs should be public. This may differ per offering so\r\nplease consider whether a given HTTP API should be public on both\r\nserverless and stateful offerings.\r\n\r\n## Risks\r\n\r\n* If we miss an API that should be public, end users will encounter a\r\n`400` response when they try to use the HTTP API on 9.0\r\n* If we set an API's access to \"public\" it will not have the same\r\nrestrictions applied to it.","sha":"3fa5bdf8732101812a656ec954e2a8d779838938","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:http","Team:Core","release_note:skip","v9.0.0","v8.16.0","backport:version"],"title":"[HTTP] Set explicit access for `public` HTTP APIs","number":192554,"url":"https://github.com/elastic/kibana/pull/192554","mergeCommit":{"message":"[HTTP] Set explicit access for `public` HTTP APIs (#192554)\n\n## Summary\r\n\r\nWe will be enforcing restricted access to internal HTTP APIs [from\r\n9.0](#186781). This PR is part 1\r\nof audit checking that our public APIs have their access tag set\r\nexplicitly to ensure they are still available to end users after we\r\nstart enforcing HTTP API restrictions. APIs reviewed in this PR\r\n([docs](https://www.elastic.co/guide/en/kibana/current/dashboard-import-api.html)):\r\n\r\n<img width=\"260\" alt=\"Screenshot 2024-09-11 at 11 25 55\"\r\nsrc=\"https://github.com/user-attachments/assets/499b1f1f-8e01-4463-9410-4500e438cd23\">\r\n\r\n## Note to reviewers\r\n\r\nThis audit is focussed on set `access: 'public'` where needed. Per the\r\nscreenshot our public-facing documentation is taken as the source of\r\ntruth for which APIs should be public. This may differ per offering so\r\nplease consider whether a given HTTP API should be public on both\r\nserverless and stateful offerings.\r\n\r\n## Risks\r\n\r\n* If we miss an API that should be public, end users will encounter a\r\n`400` response when they try to use the HTTP API on 9.0\r\n* If we set an API's access to \"public\" it will not have the same\r\nrestrictions applied to it.","sha":"3fa5bdf8732101812a656ec954e2a8d779838938"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192554","number":192554,"mergeCommit":{"message":"[HTTP] Set explicit access for `public` HTTP APIs (#192554)\n\n## Summary\r\n\r\nWe will be enforcing restricted access to internal HTTP APIs [from\r\n9.0](#186781). This PR is part 1\r\nof audit checking that our public APIs have their access tag set\r\nexplicitly to ensure they are still available to end users after we\r\nstart enforcing HTTP API restrictions. APIs reviewed in this PR\r\n([docs](https://www.elastic.co/guide/en/kibana/current/dashboard-import-api.html)):\r\n\r\n<img width=\"260\" alt=\"Screenshot 2024-09-11 at 11 25 55\"\r\nsrc=\"https://github.com/user-attachments/assets/499b1f1f-8e01-4463-9410-4500e438cd23\">\r\n\r\n## Note to reviewers\r\n\r\nThis audit is focussed on set `access: 'public'` where needed. Per the\r\nscreenshot our public-facing documentation is taken as the source of\r\ntruth for which APIs should be public. This may differ per offering so\r\nplease consider whether a given HTTP API should be public on both\r\nserverless and stateful offerings.\r\n\r\n## Risks\r\n\r\n* If we miss an API that should be public, end users will encounter a\r\n`400` response when they try to use the HTTP API on 9.0\r\n* If we set an API's access to \"public\" it will not have the same\r\nrestrictions applied to it.","sha":"3fa5bdf8732101812a656ec954e2a8d779838938"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Jean-Louis Leysens <[email protected]>
jloleysens
added a commit
that referenced
this pull request
Sep 25, 2024
## Summary Part 2 of this [PR](#192554). See more info there. <img width="229" alt="Screenshot 2024-09-11 at 14 50 11" src="https://github.com/user-attachments/assets/585f1ce8-2987-4355-a4b1-e13705646b48"> --------- Co-authored-by: shahzad31 <[email protected]>
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Sep 25, 2024
## Summary Part 2 of this [PR](elastic#192554). See more info there. <img width="229" alt="Screenshot 2024-09-11 at 14 50 11" src="https://github.com/user-attachments/assets/585f1ce8-2987-4355-a4b1-e13705646b48"> --------- Co-authored-by: shahzad31 <[email protected]> (cherry picked from commit 244ff7b)
kibanamachine
added a commit
that referenced
this pull request
Sep 25, 2024
…192579) (#193938) # Backport This will backport the following commits from `main` to `8.x`: - [[HTTP] Set explicit access for `public` HTTP APIs 2 (#192579)](#192579) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jean-Louis Leysens","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-09-25T07:25:12Z","message":"[HTTP] Set explicit access for `public` HTTP APIs 2 (#192579)\n\n## Summary\r\n\r\nPart 2 of this [PR](#192554). See\r\nmore info there.\r\n\r\n<img width=\"229\" alt=\"Screenshot 2024-09-11 at 14 50 11\"\r\nsrc=\"https://github.com/user-attachments/assets/585f1ce8-2987-4355-a4b1-e13705646b48\">\r\n\r\n---------\r\n\r\nCo-authored-by: shahzad31 <[email protected]>","sha":"244ff7b2c37f66518dbb0d7121a8d02b1405fe93","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:http","Team:Core","release_note:skip","v9.0.0","ci:project-deploy-observability","Team:obs-ux-management","v8.16.0","backport:version"],"title":"[HTTP] Set explicit access for `public` HTTP APIs 2","number":192579,"url":"https://github.com/elastic/kibana/pull/192579","mergeCommit":{"message":"[HTTP] Set explicit access for `public` HTTP APIs 2 (#192579)\n\n## Summary\r\n\r\nPart 2 of this [PR](#192554). See\r\nmore info there.\r\n\r\n<img width=\"229\" alt=\"Screenshot 2024-09-11 at 14 50 11\"\r\nsrc=\"https://github.com/user-attachments/assets/585f1ce8-2987-4355-a4b1-e13705646b48\">\r\n\r\n---------\r\n\r\nCo-authored-by: shahzad31 <[email protected]>","sha":"244ff7b2c37f66518dbb0d7121a8d02b1405fe93"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/192579","number":192579,"mergeCommit":{"message":"[HTTP] Set explicit access for `public` HTTP APIs 2 (#192579)\n\n## Summary\r\n\r\nPart 2 of this [PR](#192554). See\r\nmore info there.\r\n\r\n<img width=\"229\" alt=\"Screenshot 2024-09-11 at 14 50 11\"\r\nsrc=\"https://github.com/user-attachments/assets/585f1ce8-2987-4355-a4b1-e13705646b48\">\r\n\r\n---------\r\n\r\nCo-authored-by: shahzad31 <[email protected]>","sha":"244ff7b2c37f66518dbb0d7121a8d02b1405fe93"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Jean-Louis Leysens <[email protected]>
45 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
We will be enforcing restricted access to internal HTTP APIs from 9.0. This PR is part 1 of audit checking that our public APIs have their access tag set explicitly to ensure they are still available to end users after we start enforcing HTTP API restrictions. APIs reviewed in this PR (docs):
Note to reviewers
This audit is focussed on set
access: 'public'where needed. Per the screenshot our public-facing documentation is taken as the source of truth for which APIs should be public. This may differ per offering so please consider whether a given HTTP API should be public on both serverless and stateful offerings.Risks
400response when they try to use the HTTP API on 9.0