From 4ddeeca1ca7757b6426939e0c3154cd4c4fc30ec Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 30 Oct 2024 13:48:08 +0000 Subject: [PATCH 1/4] [Authz] Migrated unauthorized routes owned by kibana-cloud-security-posture --- .../plugins/kubernetes_security/server/routes/aggregate.ts | 6 ++++++ x-pack/plugins/kubernetes_security/server/routes/count.ts | 6 ++++++ .../server/routes/multi_terms_aggregate.ts | 6 ++++++ .../session_view/server/routes/alert_status_route.ts | 6 ++++++ x-pack/plugins/session_view/server/routes/alerts_route.ts | 6 ++++++ .../session_view/server/routes/get_total_io_bytes_route.ts | 6 ++++++ .../plugins/session_view/server/routes/io_events_route.ts | 6 ++++++ .../session_view/server/routes/process_events_route.ts | 6 ++++++ 8 files changed, 48 insertions(+) diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts index f83ddc818cbb4..e8a5b616cd6a8 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts @@ -38,6 +38,12 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts index 0922adeb0cf45..788c3ce4adb98 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/count.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts @@ -28,6 +28,12 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts index 83f5b70efe051..6eda8b3c9af2f 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts @@ -35,6 +35,12 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/session_view/server/routes/alert_status_route.ts b/x-pack/plugins/session_view/server/routes/alert_status_route.ts index e0b95f9705e9d..6f2605ab48c1f 100644 --- a/x-pack/plugins/session_view/server/routes/alert_status_route.ts +++ b/x-pack/plugins/session_view/server/routes/alert_status_route.ts @@ -31,6 +31,12 @@ export const registerAlertStatusRoute = ( .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts index c6b7fd8db7896..8e6817c80d787 100644 --- a/x-pack/plugins/session_view/server/routes/alerts_route.ts +++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts @@ -36,6 +36,12 @@ export const registerAlertsRoute = ( .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts index 50f36ac47f5a4..bb9972804ed18 100644 --- a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts +++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts @@ -22,6 +22,12 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) => .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts index 9810f9da5aa77..0f982cd1903ad 100644 --- a/x-pack/plugins/session_view/server/routes/io_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts @@ -29,6 +29,12 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => { .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index bc6b24fc36bc5..a9a491cd4c0da 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts @@ -43,6 +43,12 @@ export const registerProcessEventsRoute = ( .addVersion( { version: '1', + security: { + authz: { + enabled: false, + reason: 'This route is opted out from authorization', + }, + }, validate: { request: { query: schema.object({ From ded55a75813e5612a1e844cc65a64c77b55d800d Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 13 Nov 2024 11:35:51 -0800 Subject: [PATCH 2/4] privilege requirement for session_view and kubernetes dashboard routes --- x-pack/plugins/kubernetes_security/server/routes/aggregate.ts | 3 +-- x-pack/plugins/kubernetes_security/server/routes/count.ts | 3 +-- .../kubernetes_security/server/routes/multi_terms_aggregate.ts | 3 +-- x-pack/plugins/session_view/server/routes/alerts_route.ts | 3 +-- .../session_view/server/routes/get_total_io_bytes_route.ts | 3 +-- x-pack/plugins/session_view/server/routes/io_events_route.ts | 3 +-- .../plugins/session_view/server/routes/process_events_route.ts | 3 +-- 7 files changed, 7 insertions(+), 14 deletions(-) diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts index e8a5b616cd6a8..4ddb828b68976 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts @@ -40,8 +40,7 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts index 788c3ce4adb98..b73452e8e45fc 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/count.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts @@ -30,8 +30,7 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts index 6eda8b3c9af2f..b4a0271b63edc 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts @@ -37,8 +37,7 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts index 8e6817c80d787..c875236989efe 100644 --- a/x-pack/plugins/session_view/server/routes/alerts_route.ts +++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts @@ -38,8 +38,7 @@ export const registerAlertsRoute = ( version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts index bb9972804ed18..e2dcf34813cc5 100644 --- a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts +++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts @@ -24,8 +24,7 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) => version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts index 0f982cd1903ad..3956e5c3575b8 100644 --- a/x-pack/plugins/session_view/server/routes/io_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts @@ -31,8 +31,7 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index a9a491cd4c0da..df707b5a96a93 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts @@ -45,8 +45,7 @@ export const registerProcessEventsRoute = ( version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { From 03b837ca0a203b8f76445992de4a3b63218e680e Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 13 Nov 2024 11:58:12 -0800 Subject: [PATCH 3/4] Revert "privilege requirement for session_view and kubernetes dashboard routes" This reverts commit ded55a75813e5612a1e844cc65a64c77b55d800d. --- x-pack/plugins/kubernetes_security/server/routes/aggregate.ts | 3 ++- x-pack/plugins/kubernetes_security/server/routes/count.ts | 3 ++- .../kubernetes_security/server/routes/multi_terms_aggregate.ts | 3 ++- x-pack/plugins/session_view/server/routes/alerts_route.ts | 3 ++- .../session_view/server/routes/get_total_io_bytes_route.ts | 3 ++- x-pack/plugins/session_view/server/routes/io_events_route.ts | 3 ++- .../plugins/session_view/server/routes/process_events_route.ts | 3 ++- 7 files changed, 14 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts index 4ddb828b68976..e8a5b616cd6a8 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts @@ -40,7 +40,8 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts index b73452e8e45fc..788c3ce4adb98 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/count.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts @@ -30,7 +30,8 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts index b4a0271b63edc..6eda8b3c9af2f 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts @@ -37,7 +37,8 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts index c875236989efe..8e6817c80d787 100644 --- a/x-pack/plugins/session_view/server/routes/alerts_route.ts +++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts @@ -38,7 +38,8 @@ export const registerAlertsRoute = ( version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts index e2dcf34813cc5..bb9972804ed18 100644 --- a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts +++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts @@ -24,7 +24,8 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) => version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts index 3956e5c3575b8..0f982cd1903ad 100644 --- a/x-pack/plugins/session_view/server/routes/io_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts @@ -31,7 +31,8 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index df707b5a96a93..a9a491cd4c0da 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts @@ -45,7 +45,8 @@ export const registerProcessEventsRoute = ( version: '1', security: { authz: { - requiredPrivileges: ['securitySolution'], + enabled: false, + reason: 'This route is opted out from authorization', }, }, validate: { From 4ab648c4cc2a1b8804e4b2a54723bf6cc38c215a Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Thu, 14 Nov 2024 14:03:55 -0800 Subject: [PATCH 4/4] updating security.authz for SessionView and Kubernetes Dashboard --- x-pack/plugins/kubernetes_security/server/routes/aggregate.ts | 3 +-- x-pack/plugins/kubernetes_security/server/routes/count.ts | 3 +-- .../kubernetes_security/server/routes/multi_terms_aggregate.ts | 3 +-- .../plugins/session_view/server/routes/alert_status_route.ts | 3 +-- x-pack/plugins/session_view/server/routes/alerts_route.ts | 3 +-- .../session_view/server/routes/get_total_io_bytes_route.ts | 2 +- x-pack/plugins/session_view/server/routes/io_events_route.ts | 2 +- .../plugins/session_view/server/routes/process_events_route.ts | 2 +- 8 files changed, 8 insertions(+), 13 deletions(-) diff --git a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts index e8a5b616cd6a8..4ddb828b68976 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/aggregate.ts @@ -40,8 +40,7 @@ export const registerAggregateRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/count.ts b/x-pack/plugins/kubernetes_security/server/routes/count.ts index 788c3ce4adb98..b73452e8e45fc 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/count.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/count.ts @@ -30,8 +30,7 @@ export const registerCountRoute = (router: IRouter, logger: Logger) => { version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts index 6eda8b3c9af2f..b4a0271b63edc 100644 --- a/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts +++ b/x-pack/plugins/kubernetes_security/server/routes/multi_terms_aggregate.ts @@ -37,8 +37,7 @@ export const registerMultiTermsAggregateRoute = (router: IRouter, logger: Logger version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/alert_status_route.ts b/x-pack/plugins/session_view/server/routes/alert_status_route.ts index 6f2605ab48c1f..64192198b5e46 100644 --- a/x-pack/plugins/session_view/server/routes/alert_status_route.ts +++ b/x-pack/plugins/session_view/server/routes/alert_status_route.ts @@ -33,8 +33,7 @@ export const registerAlertStatusRoute = ( version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/alerts_route.ts b/x-pack/plugins/session_view/server/routes/alerts_route.ts index 8e6817c80d787..c875236989efe 100644 --- a/x-pack/plugins/session_view/server/routes/alerts_route.ts +++ b/x-pack/plugins/session_view/server/routes/alerts_route.ts @@ -38,8 +38,7 @@ export const registerAlertsRoute = ( version: '1', security: { authz: { - enabled: false, - reason: 'This route is opted out from authorization', + requiredPrivileges: ['securitySolution'], }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts index bb9972804ed18..7d54654c89cdc 100644 --- a/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts +++ b/x-pack/plugins/session_view/server/routes/get_total_io_bytes_route.ts @@ -25,7 +25,7 @@ export const registerGetTotalIOBytesRoute = (router: IRouter, logger: Logger) => security: { authz: { enabled: false, - reason: 'This route is opted out from authorization', + reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`, }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/io_events_route.ts b/x-pack/plugins/session_view/server/routes/io_events_route.ts index 0f982cd1903ad..3e73517a978c3 100644 --- a/x-pack/plugins/session_view/server/routes/io_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/io_events_route.ts @@ -32,7 +32,7 @@ export const registerIOEventsRoute = (router: IRouter, logger: Logger) => { security: { authz: { enabled: false, - reason: 'This route is opted out from authorization', + reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`, }, }, validate: { diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index a9a491cd4c0da..b30b3b6ddcc51 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts @@ -46,7 +46,7 @@ export const registerProcessEventsRoute = ( security: { authz: { enabled: false, - reason: 'This route is opted out from authorization', + reason: `This route delegates authorization to Elasticsearch and it's not tied to a Kibana privilege.`, }, }, validate: {