Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unauthorized route migration for routes owned by obs-ux-management-team #198374

Conversation

kibanamachine
Copy link
Contributor

@kibanamachine kibanamachine commented Oct 30, 2024

Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

router.get({
  path: '/api/path',
  ...
}, handler);

After migration:

router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. Elaborate on the reasoning to opt-out of authorization.
  3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible.
  4. You might need to update your tests to reflect the new security configuration:
  • If you have snapshot tests that include the route definition.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 14:52
@kibanamachine kibanamachine added enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Team:obs-ux-management Observability Management User Experience Team Authz: API migration labels Oct 30, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@botelastic botelastic bot added the ci:project-deploy-observability Create an Observability project label Oct 30, 2024
Copy link
Contributor

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@dominiqueclarke dominiqueclarke self-requested a review November 1, 2024 16:56
Copy link
Contributor

@shahzad31 shahzad31 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, i added some API tests !!

@elasticmachine
Copy link
Contributor

elasticmachine commented Nov 21, 2024

💚 Build Succeeded

  • Buildkite Build
  • Commit: 7b40882
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-198374-7b408829a593

Metrics [docs]

✅ unchanged

History

@dominiqueclarke dominiqueclarke merged commit 0b193ec into main Nov 21, 2024
26 checks passed
@dominiqueclarke dominiqueclarke deleted the authz-migration/unauthorized-routes-by-obs-ux-management-team branch November 21, 2024 22:03
@kibanamachine
Copy link
Contributor Author

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11962424413

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 21, 2024
…am (elastic#198374)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Dominique Belcher <[email protected]>
Co-authored-by: Shahzad <[email protected]>
(cherry picked from commit 0b193ec)
@kibanamachine
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Nov 21, 2024
…ent-team (#198374) (#201298)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Unauthorized route migration for routes owned by
obs-ux-management-team
(#198374)](#198374)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-21T22:03:55Z","message":"Unauthorized
route migration for routes owned by obs-ux-management-team
(#198374)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Dominique Belcher
<[email protected]>\r\nCo-authored-by: Shahzad
<[email protected]>","sha":"0b193ec81ed70e1e36cfb824e89d9bf12b7c5b0b","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","ci:project-deploy-observability","Team:obs-ux-management","Authz:
API migration"],"title":"Unauthorized route migration for routes owned
by
obs-ux-management-team","number":198374,"url":"https://github.com/elastic/kibana/pull/198374","mergeCommit":{"message":"Unauthorized
route migration for routes owned by obs-ux-management-team
(#198374)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Dominique Belcher
<[email protected]>\r\nCo-authored-by: Shahzad
<[email protected]>","sha":"0b193ec81ed70e1e36cfb824e89d9bf12b7c5b0b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198374","number":198374,"mergeCommit":{"message":"Unauthorized
route migration for routes owned by obs-ux-management-team
(#198374)\n\n### Authz API migration for unauthorized routes\r\n\r\nThis
PR migrates unauthorized routes owned by your team to a new\r\nsecurity
configuration.\r\nPlease refer to the documentation for more
information:
[Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n###
**Before migration:**\r\n```ts\r\nrouter.get({\r\n path:
'/api/path',\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After
migration:**\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n
security: {\r\n authz: {\r\n enabled: false,\r\n reason: 'This route is
opted out from authorization because ...',\r\n },\r\n },\r\n ...\r\n},
handler);\r\n```\r\n\r\n### What to do next?\r\n1. Review the changes in
this PR.\r\n2. Elaborate on the reasoning to opt-out of
authorization.\r\n3. Routes without a compelling reason to opt-out of
authorization should\r\nplan to introduce them as soon as
possible.\r\n2. You might need to update your tests to reflect the new
security\r\nconfiguration:\r\n - If you have snapshot tests that include
the route definition.\r\n\r\n## Any questions?\r\nIf you have any
questions or need help with API authorization, please\r\nreach out to
the `@elastic/kibana-security`
team.\r\n\r\n---------\r\n\r\nCo-authored-by: Dominique Belcher
<[email protected]>\r\nCo-authored-by: Shahzad
<[email protected]>","sha":"0b193ec81ed70e1e36cfb824e89d9bf12b7c5b0b"}}]}]
BACKPORT-->
paulinashakirova pushed a commit to paulinashakirova/kibana that referenced this pull request Nov 26, 2024
…am (elastic#198374)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Dominique Belcher <[email protected]>
Co-authored-by: Shahzad <[email protected]>
fkanout added a commit that referenced this pull request Dec 10, 2024
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…am (elastic#198374)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt-out of authorization should
plan to introduce them as soon as possible.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Dominique Belcher <[email protected]>
Co-authored-by: Shahzad <[email protected]>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) ci:project-deploy-observability Create an Observability project enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:obs-ux-management Observability Management User Experience Team v8.18.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants