Unauthorized route migration for routes owned by kibana-visualization…

…s,kibana-data-discovery (#198331) ### Authz API migration for unauthorized routes This PR migrates unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) --- EDIT --- This PR also adds two privileges related to saved query APIs: `savedQuery:read` and `savedQuery:manage`. These are given by default to the same roles that already have access to the `query`-type saved objects. ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. Elaborate on the reasoning to opt-out of authorization. 3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible. 2. You might need to update your tests to reflect the new security configuration: - If you have snapshot tests that include the route definition. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: Lukas Olson <lukas@elastic.co> Co-authored-by: Matthias Wilhelm <matthias.wilhelm@elastic.co> Co-authored-by: Marta Bondyra <4283304+mbondyra@users.noreply.github.com> Co-authored-by: Davis McPhee <davis.mcphee@elastic.co>
elastic · Dec 4, 2024 · 56c38bc · 56c38bc
1 parent 52e021f
commit 56c38bc
Show file tree

Hide file tree

Showing 10 changed files with 183 additions and 24 deletions.
diff --git a/src/plugins/data/server/kql_telemetry/route.ts b/src/plugins/data/server/kql_telemetry/route.ts
@@ -24,6 +24,12 @@ export function registerKqlTelemetryRoute(
     .addVersion(
       {
         version: KQL_TELEMETRY_ROUTE_LATEST_VERSION,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           request: {
             body: schema.object({

diff --git a/src/plugins/data/server/query/routes.ts b/src/plugins/data/server/query/routes.ts
@@ -43,6 +43,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -75,6 +80,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_create`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           body: SAVED_QUERY_ATTRS_CONFIG,
@@ -101,6 +111,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.put({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,
@@ -129,6 +144,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,
@@ -156,6 +176,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/_count`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {},
         response: {
@@ -180,6 +205,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_find`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:read'],
+        },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -214,6 +244,11 @@ export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   router.versioned.delete({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: {
+          requiredPrivileges: ['savedQuery:manage'],
+        },
+      },
       validate: {
         request: {
           params: SAVED_QUERY_ID_CONFIG,

diff --git a/src/plugins/data/server/scripts/route.ts b/src/plugins/data/server/scripts/route.ts
@@ -20,6 +20,12 @@ export function registerScriptsRoute(router: IRouter) {
     .addVersion(
       {
         version: SCRIPT_LANGUAGES_ROUTE_LATEST_VERSION,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           response: {
             '200': {

diff --git a/src/plugins/data/server/search/routes/session.ts b/src/plugins/data/server/search/routes/session.ts
@@ -24,11 +24,8 @@ import {
   searchSessionsUpdateSchema,
 } from './response_schema';
 
-const STORE_SEARCH_SESSIONS_ROLE_TAG = `access:store_search_session`;
 const access = 'internal';
-const options = {
-  tags: [STORE_SEARCH_SESSIONS_ROLE_TAG],
-};
+const requiredPrivileges = ['store_search_session'];
 const pathPrefix = '/internal/session';
 export const INITIAL_SEARCH_SESSION_REST_VERSION = '1';
 const version = INITIAL_SEARCH_SESSION_REST_VERSION;
@@ -37,9 +34,12 @@ const idAndAttrsOnly = (so?: SearchSessionRestResponse) =>
   so && { id: so.id, attributes: so.attributes };
 
 export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): void {
-  router.versioned.post({ path: pathPrefix, access, options }).addVersion(
+  router.versioned.post({ path: pathPrefix, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -85,9 +85,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.get({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -117,9 +120,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}/status`, access, options }).addVersion(
+  router.versioned.get({ path: `${pathPrefix}/{id}/status`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -150,9 +156,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/_find`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/_find`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           body: schema.object({
@@ -200,9 +209,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.delete({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.delete({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -226,9 +238,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -252,9 +267,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.put({ path: `${pathPrefix}/{id}`, access, options }).addVersion(
+  router.versioned.put({ path: `${pathPrefix}/{id}`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({
@@ -291,9 +309,12 @@ export function registerSessionRoutes(router: DataPluginRouter, logger: Logger):
     }
   );
 
-  router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access, options }).addVersion(
+  router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access }).addVersion(
     {
       version,
+      security: {
+        authz: { requiredPrivileges },
+      },
       validate: {
         request: {
           params: schema.object({