Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authorized route migration for routes owned by @elastic/security-defend-workflows #198197

Conversation

kibanamachine
Copy link
Contributor

@kibanamachine kibanamachine commented Oct 29, 2024

Authz API migration for authorized routes

This PR migrates access:<privilege> tags used in route definitions to new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

Access control tags were defined in the options object of the route:

router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);

After migration:

Tags have been replaced with the more robust security.authz.requiredPrivileges field under security:

router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. You might need to update your tests to reflect the new security configuration:
  • If you have tests that rely on checking access tags.
  • If you have snapshot tests that include the route definition.
  • If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine added enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization labels Oct 29, 2024
@kibanamachine kibanamachine requested a review from a team as a code owner October 29, 2024 19:11
@kibanamachine kibanamachine added Team:Defend Workflows “EDR Workflows” sub-team of Security Solution backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 29, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@joeypoon joeypoon added the ci:cloud-deploy Create or update a Cloud deployment label Nov 5, 2024
@joeypoon joeypoon requested a review from tomsonpl November 5, 2024 14:43
@joeypoon
Copy link
Member

joeypoon commented Nov 5, 2024

+@tomsonpl because osquery

@elena-shostak
Copy link
Contributor

@elasticmachine merge upstream

@elena-shostak elena-shostak enabled auto-merge (squash) November 20, 2024 12:05
@elasticmachine
Copy link
Contributor

elasticmachine commented Nov 20, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #2 / FilterPopover renders button label correctly
  • [job] [logs] Jest Tests #2 / UserCommentPropertyActions renders the correct number of actions

Metrics [docs]

✅ unchanged

History

@elena-shostak elena-shostak merged commit 0043379 into main Nov 20, 2024
24 of 25 checks passed
@elena-shostak elena-shostak deleted the authz-migration/authorized-routes-by-security-defend-workflows branch November 20, 2024 16:31
@kibanamachine
Copy link
Contributor Author

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11937661779

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 20, 2024
…nd-workflows (elastic#198197)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Joey F. Poon <[email protected]>
Co-authored-by: Gergő Ábrahám <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>
(cherry picked from commit 0043379)
@kibanamachine
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Nov 20, 2024
…y-defend-workflows (#198197) (#200995)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by
@elastic/security-defend-workflows
(#198197)](#198197)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-20T16:31:19Z","message":"Authorized
route migration for routes owned by @elastic/security-defend-workflows
(#198197)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Joey F. Poon
<[email protected]>\r\nCo-authored-by: Gergő Ábrahám
<[email protected]>\r\nCo-authored-by: Tomasz Ciecierski
<[email protected]>","sha":"0043379b9881eb6107df485aad2396ddfe952f34","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Defend
Workflows","backport:prev-minor","ci:cloud-deploy","Authz: API
migration"],"title":"Authorized route migration for routes owned by
@elastic/security-defend-workflows","number":198197,"url":"https://github.com/elastic/kibana/pull/198197","mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/security-defend-workflows
(#198197)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Joey F. Poon
<[email protected]>\r\nCo-authored-by: Gergő Ábrahám
<[email protected]>\r\nCo-authored-by: Tomasz Ciecierski
<[email protected]>","sha":"0043379b9881eb6107df485aad2396ddfe952f34"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198197","number":198197,"mergeCommit":{"message":"Authorized
route migration for routes owned by @elastic/security-defend-workflows
(#198197)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security configuration.\r\nPlease refer to the documentation
for more information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\nAccess control tags were defined in the
`options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>',
'access:<privilege_2>'],\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### **After migration:**\r\nTags have been
replaced with the more robust\r\n`security.authz.requiredPrivileges`
field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges:
['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have tests that rely on checking
`access` tags.\r\n - If you have snapshot tests that include the route
definition.\r\n- If you have FTR tests that rely on checking
unauthorized error\r\nmessage. The error message changed to also include
missing privileges.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security` team.\r\n\r\nCo-authored-by: Joey F. Poon
<[email protected]>\r\nCo-authored-by: Gergő Ábrahám
<[email protected]>\r\nCo-authored-by: Tomasz Ciecierski
<[email protected]>","sha":"0043379b9881eb6107df485aad2396ddfe952f34"}}]}]
BACKPORT-->
TattdCodeMonkey pushed a commit to TattdCodeMonkey/kibana that referenced this pull request Nov 21, 2024
…nd-workflows (elastic#198197)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Joey F. Poon <[email protected]>
Co-authored-by: Gergő Ábrahám <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>
paulinashakirova pushed a commit to paulinashakirova/kibana that referenced this pull request Nov 26, 2024
…nd-workflows (elastic#198197)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Joey F. Poon <[email protected]>
Co-authored-by: Gergő Ábrahám <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…nd-workflows (elastic#198197)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Joey F. Poon <[email protected]>
Co-authored-by: Gergő Ábrahám <[email protected]>
Co-authored-by: Tomasz Ciecierski <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) ci:cloud-deploy Create or update a Cloud deployment enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.17.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants