Authorized route migration for routes owned by @elastic/security-threat-hunting-explore (elastic#198191)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
the new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
  - If you have FTR tests that rely on checking the unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.
kibanamachine authored and nreese committed Nov 1, 2024
1 parent bf8b06d commit dc5bf84
Showing 6 changed files with 30 additions and 6 deletions.
Expand Up @@ -19,7 +19,11 @@ export const getILMExplainRoute = (router: IRouter, logger: Logger) => {
.get({
path: GET_ILM_EXPLAIN,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
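Review bot: No test accompanies the new `security.authz.requiredPrivileges` entry on the `GET_ILM_EXPLAIN` route, and the commit summary (6 changed files, 30 additions, 6 deletions) is fully accounted for by the six route edits, so no test file changed. The commit message itself says that tag-based tests, snapshots of the route definition and FTR assertions on the unauthorized error message may need updating; please confirm none exist for this route, or add one that asserts a user without `securitySolution` is rejected.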
Expand Up @@ -19,7 +19,11 @@ export const getIndexMappingsRoute = (router: IRouter, logger: Logger) => {
.get({
path: GET_INDEX_MAPPINGS,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
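Review bot: The privilege name in `requiredPrivileges: ['securitySolution']` is a bare string literal on the `GET_INDEX_MAPPINGS` route, and the same literal is repeated in every route this commit touches. A shared constant imported by each route file would keep the six definitions from drifting apart if the privilege is ever renamed or split.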
Expand Up @@ -26,7 +26,11 @@ export const getIndexStatsRoute = (router: IRouter, logger: Logger) => {
.get({
path: GET_INDEX_STATS,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
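Review bot: The `security` block is set on the `.get({ ... })` config for `GET_INDEX_STATS`, but the options object passed to `.addVersion(` is cut off at the hunk boundary, so it is not visible whether anything authorization-related is also set per version. Worth checking that nothing there still carries the old `access:` tag or a conflicting setting, so the route has a single source of truth for its required privileges.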
Expand Up @@ -87,7 +87,11 @@ export const getIndexResultsRoute = (
.get({
path: GET_INDEX_RESULTS,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
Expand Up @@ -41,7 +41,11 @@ export const getIndexResultsLatestRoute = (
.get({
path: GET_INDEX_RESULTS_LATEST,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
Expand Up @@ -24,7 +24,11 @@ export const postIndexResultsRoute = (
.post({
path: POST_INDEX_RESULTS,
access: 'internal',
options: { tags: ['access:securitySolution'] },
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
{
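Review bot: This is the only `.post` route in the commit, and `requiredPrivileges: ['securitySolution']` gives it the same single privilege as the five `.get` routes. Carrying the old `access:securitySolution` tag over one-to-one is right for a mechanical migration, but please confirm with the owning team that writing index results is meant to be gated by the same privilege as reading them, and track a follow-up if it is not.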