From 1df66ad4c709709f7b27dccb05375e84e9bb13a4 Mon Sep 17 00:00:00 2001 From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Date: Tue, 24 Dec 2024 01:05:43 +1100 Subject: [PATCH] Unauthorized route migration for routes owned by response-ops (#198336) ### Authz API migration for unauthorized routes This PR migrates unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. Elaborate on the reasoning to opt-out of authorization. 3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible. 2. You might need to update your tests to reflect the new security configuration: - If you have snapshot tests that include the route definition. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: adcoelho --- .../server/routes/background_task_utilization.ts | 7 +++++++ x-pack/plugins/task_manager/server/routes/health.ts | 8 ++++++++ x-pack/plugins/task_manager/server/routes/metrics.ts | 7 +++++++ .../triggers_actions_ui/server/data/routes/fields.ts | 7 +++++++ .../triggers_actions_ui/server/data/routes/indices.ts | 7 +++++++ .../server/data/routes/time_series_query.ts | 7 +++++++ 6 files changed, 43 insertions(+) 
diff --git a/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts b/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts
index 43cc2a69fe11c..58c89a5bc8740 100644
--- a/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts
+++ b/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts
@@ -111,6 +111,13 @@ export function backgroundTaskUtilizationRoute(
 router.get(
 {
 path: `/${routeOption.basePath}/task_manager/_background_task_utilization`,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization. It can be accessed with JWT credentials.',
+ },
+ },
 // Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
 // options: { tags: ['access:taskManager'] },
 validate: false,
diff --git a/x-pack/plugins/task_manager/server/routes/health.ts b/x-pack/plugins/task_manager/server/routes/health.ts
index 7bcebfabdca60..694bcef1dc053 100644
--- a/x-pack/plugins/task_manager/server/routes/health.ts
+++ b/x-pack/plugins/task_manager/server/routes/health.ts
@@ -139,6 +139,14 @@ export function healthRoute(params: HealthRouteParams): {
 router.get(
 {
 path: '/api/task_manager/_health',
+ security: {
+ authz: {
+ enabled: false,
+ // https://github.com/elastic/kibana/issues/136157
+ reason:
+ 'This route is opted out from authorization. Authorization is planned but not implemented yet(breaking change).',
+ },
+ },
 // Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
 // options: { tags: ['access:taskManager'] },
 validate: false,
diff --git a/x-pack/plugins/task_manager/server/routes/metrics.ts b/x-pack/plugins/task_manager/server/routes/metrics.ts
index 808675f25818b..bd2b912fe9469 100644
--- a/x-pack/plugins/task_manager/server/routes/metrics.ts
+++ b/x-pack/plugins/task_manager/server/routes/metrics.ts
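Review bot: The added `reason` says the route "can be accessed with JWT credentials", but nothing in this hunk establishes that — the only `options` line visible is the commented-out `tags: ['access:taskManager']`, and the rest of `backgroundTaskUtilizationRoute` lies outside the hunk. The identical sentence is used in the metrics.ts hunk, where the surrounding `options` block does carry the `security:acceptJWT` comment, so this copy looks pasted rather than checked against this route. A capability statement is also not a justification: the `reason` is meant to say why running without authorization is acceptable here. If the route really is JWT-tagged, say so and name the mechanism, e.g. `reason: 'This route is opted out from authorization because it is reachable by JWT-authenticated callers (security:acceptJWT tag) and must stay accessible to them.'`; if it is not, the opt-out needs a different justification or a plan to add authorization.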
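Review bot: The tracking reference for the missing authorization on `/api/task_manager/_health` is kept in a code comment above `reason`, so anything that consumes the `security.authz` configuration (generated docs, audits of opted-out routes) sees only "planned but not implemented yet(breaking change)" with no pointer to the issue. Folding the link into the string keeps the justification self-contained and also fixes the missing space before the parenthesis: `reason: 'This route is opted out from authorization. Authorization is planned but not implemented yet (breaking change); see https://github.com/elastic/kibana/issues/136157.'`. As I read the config, `authz.enabled: false` disables only the authorization step and does not by itself change authentication on this route — worth confirming, since the health endpoint reports internal task-manager state. `healthRoute`'s body continues outside the hunk.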
@@ -48,6 +48,13 @@ export function metricsRoute(params: MetricsRouteParams) {
 router.get(
 {
 path: `/api/task_manager/metrics`,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out from authorization. It can be accessed with JWT credentials.',
+ },
+ },
 options: {
 access: 'public',
 // The `security:acceptJWT` tag allows route to be accessed with JWT credentials. It points to
diff --git a/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts b/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts
index 677d90066f182..a5bd9931aae12 100644
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts
@@ -29,6 +29,13 @@ export function createFieldsRoute(logger: Logger, router: IRouter, baseRoute: st
 router.post(
 {
 path,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out of authorization as it relies on ES authorization instead.',
+ },
+ },
 validate: {
 body: bodySchema,
 },
diff --git a/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts b/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts
index ddca5d8f1dd6b..2e42016659d88 100644
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts
@@ -33,6 +33,13 @@ export function createIndicesRoute(logger: Logger, router: IRouter, baseRoute: s
 router.post(
 {
 path,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out of authorization as it relies on ES authorization instead.',
+ },
+ },
 validate: {
 body: bodySchema,
 },
diff --git a/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts b/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts
index f549e46576939..956631a1d2726 100644
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts
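Review bot: The opt-out reason "relies on ES authorization instead" only holds if the handler runs the body-supplied request with the caller's own credentials; the handler is outside this hunk, and the same wording is used in the indices.ts and time_series_query.ts hunks, so this applies to all three. If those handlers use `asCurrentUser`, Elasticsearch index privileges bound what the caller can read and the reason is accurate; if any uses `asInternalUser` or another privileged client, nothing authorizes the request and the opt-out should be reconsidered for that route. Whichever is the case, the `reason` should name the mechanism so a later reader can verify it without tracing the handler: `reason: 'This route is opted out of authorization because it forwards the request to Elasticsearch as the calling user, whose index privileges are enforced by ES.'`. `createFieldsRoute` continues outside the hunk.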
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts
@@ -28,6 +28,13 @@ export function createTimeSeriesQueryRoute(
 router.post(
 {
 path,
+ security: {
+ authz: {
+ enabled: false,
+ reason:
+ 'This route is opted out of authorization as it relies on ES authorization instead.',
+ },
+ },
 validate: {
 body: TimeSeriesQuerySchema,
 },