Authorized route migration for routes owned by @elastic/kibana-security #198198

Conversation

kibanamachine
Contributor

Authz API migration for authorized routes

This PR migrates access:<privilege> tags used in route definitions to new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

Access control tags were defined in the options object of the route:

router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);

After migration:

Tags have been replaced with the more robust security.authz.requiredPrivileges field under security:

router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. You might need to update your tests to reflect the new security configuration:
  • If you have tests that rely on checking access tags.
  • If you have snapshot tests that include the route definition.
  • If you have FTR tests that rely on checking the unauthorized error message. The error message changed to also include missing privileges.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.
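The before/after shapes in the PR description can be turned into a small migration and audit helper. The following TypeScript is an added example, not Kibana's own code: `RouteDef` is a simplified stand-in for Kibana's route config that models only the fields relevant here, `requiredPrivilegesOf` reads privileges from either form (handy when updating tests that used to inspect `options.tags`), `migrateRouteAuthz` rewrites the legacy tags into `security.authz.requiredPrivileges`, and `unmigratedRoutePaths` lists routes still carrying `access:` tags so a check can fail while any remain. The sample routes are constructed for illustration.

```typescript
// Added example, not Kibana's own code. `RouteDef` is a simplified assumption
// standing in for Kibana's route config; only authz-relevant fields are modelled.
type RouteDef = {
  path: string;
  options?: { tags?: string[] };
  security?: { authz?: { requiredPrivileges?: string[] } };
};

const ACCESS_PREFIX = 'access:';

// Privilege names a route requires, whichever form it is written in.
// Tests that used to read `options.tags` can switch to this accessor.
function requiredPrivilegesOf(route: RouteDef): string[] {
  const fromSecurity = route.security?.authz?.requiredPrivileges ?? [];
  const fromTags = (route.options?.tags ?? [])
    .filter((t) => t.startsWith(ACCESS_PREFIX))
    .map((t) => t.slice(ACCESS_PREFIX.length));
  // De-duplicate while preserving order (explicit config first, then tags).
  return Array.from(new Set([...fromSecurity, ...fromTags]));
}

// Rewrite legacy `access:<privilege>` tags into `security.authz.requiredPrivileges`.
// Non-access tags are kept under `options.tags`; if no tags remain, `options`
// is dropped, matching the "after" shape above. Returns a new object.
function migrateRouteAuthz(route: RouteDef): RouteDef {
  const tags = route.options?.tags ?? [];
  const hasAccessTags = tags.some((t) => t.startsWith(ACCESS_PREFIX));
  if (!hasAccessTags) return route; // already migrated or no authz tags

  const privileges = requiredPrivilegesOf(route);
  const otherTags = tags.filter((t) => !t.startsWith(ACCESS_PREFIX));

  const migrated: RouteDef = {
    ...route,
    security: {
      ...route.security,
      authz: { ...route.security?.authz, requiredPrivileges: privileges },
    },
  };
  if (otherTags.length > 0) {
    migrated.options = { ...route.options, tags: otherTags };
  } else {
    delete migrated.options;
  }
  return migrated;
}

// Paths of routes that still use the legacy tag form. A CI step can fail on a
// non-empty result so that no route silently keeps the old, untyped configuration.
function unmigratedRoutePaths(routes: RouteDef[]): string[] {
  return routes
    .filter((r) => (r.options?.tags ?? []).some((t) => t.startsWith(ACCESS_PREFIX)))
    .map((r) => r.path);
}

// Constructed sample routes (privilege names are illustrative, not Kibana's).
const sampleRoutes: RouteDef[] = [
  { path: '/api/legacy', options: { tags: ['access:manageSpaces', 'api'] } },
  { path: '/api/migrated', security: { authz: { requiredPrivileges: ['readSessions'] } } },
  {
    path: '/api/mixed',
    options: { tags: ['access:x'] },
    security: { authz: { requiredPrivileges: ['y'] } },
  },
];

console.log('still unmigrated:', unmigratedRoutePaths(sampleRoutes));
console.log('after migration:', unmigratedRoutePaths(sampleRoutes.map(migrateRouteAuthz)));
```

The helper merges privileges already present under `security.authz` with those recovered from tags, so a route that was half-migrated does not lose either set; running `unmigratedRoutePaths` over the migrated list should return an empty array.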

@kibanamachine kibanamachine added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 29, 2024
@kibanamachine kibanamachine requested review from a team as code owners October 29, 2024 19:11
@elasticmachine
Contributor

elasticmachine commented Oct 29, 2024

💔 Build Failed

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #12 / Bulk get profile routes get user profiles by their ids correctly defines route.
  • [job] [logs] FTR Configs #42 / copy to space with security copy to spaces user with no access from the default space single-namespace types should return 403 when copying to space without conflicts or references
  • [job] [logs] FTR Configs #51 / copy to space with security copy to spaces user with no access from the default space single-namespace types should return 403 when copying to space without conflicts or references
  • [job] [logs] FTR Configs #76 / Entity Analytics - Risk Engine @serverless essentials tier api access should not find init api
  • [job] [logs] Jest Tests #10 / GET /internal/spaces/{spaceId}/content_summary correctly defines route.
  • [job] [logs] Jest Tests #12 / GET all roles by space id correctly defines route.
  • [job] [logs] Jest Tests #12 / Invalidate sessions routes invalidate sessions correctly defines route.
  • [job] [logs] FTR Configs #98 / spaces api with security resolve copy to spaces conflicts user with no access from the default space single-namespace types should return 403 when not overwriting, with references
  • [job] [logs] FTR Configs #103 / spaces api with security resolve copy to spaces conflicts user with no access from the default space single-namespace types should return 403 when not overwriting, with references
  • [job] [logs] Jest Tests #17 / test endpoint routes GET list endpoints route should return expected metadata
  • [job] [logs] Jest Tests #17 / test endpoint routes GET metadata transform stats route should correctly return metadata transform stats

Metrics [docs]

✅ unchanged

History

@elena-shostak elena-shostak marked this pull request as draft October 30, 2024 10:55
@elena-shostak
Contributor

Closing this one in favor of dedicated PRs for each team

#198380
#198381
#198382
#198383
#198384
#198385
#198386

@elena-shostak elena-shostak deleted the authz-migration/authorized-routes-by-kibana-security branch October 30, 2024 15:09