Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorized route migration for routes owned by @elastic/fleet #198194

Closed

Conversation

kibanamachine
Copy link
Contributor

Authz API migration for authorized routes

This PR migrates access:<privilege> tags used in route definitions to new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

Access control tags were defined in the options object of the route:

router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);

After migration:

Tags have been replaced with the more robust security.authz.requiredPrivileges field under security:

router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. You might need to update your tests to reflect the new security configuration:
  • If you have tests that rely on checking access tags.
  • If you have snapshot tests that include the route definition.
  • If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine requested a review from a team as a code owner October 29, 2024 19:11
@kibanamachine kibanamachine added enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization Team:Fleet Team label for Observability Data Collection Fleet team backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 29, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/fleet (Team:Fleet)

@elena-shostak elena-shostak marked this pull request as draft October 29, 2024 19:19
@elasticmachine
Copy link
Contributor

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

  • Click to trigger kibana-pull-request for this PR!
  • Click to trigger kibana-deploy-project-from-pr for this PR!

@elena-shostak
Copy link
Contributor

No changes committed for access:tag migration, will take a look tomorrow.
Please, disregard PR for now

@elena-shostak elena-shostak deleted the authz-migration/authorized-routes-by-fleet branch December 17, 2024 10:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:Fleet Team label for Observability Data Collection Fleet team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants