Skip to content

Commit

Permalink
Authorized route migration for routes owned by security-detection-eng…
Browse files Browse the repository at this point in the history
…ine (elastic#198384)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
  • Loading branch information
3 people authored Nov 6, 2024
1 parent bde5e11 commit bf51662
Show file tree
Hide file tree
Showing 16 changed files with 66 additions and 31 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -40,8 +40,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
.post({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,10 @@ export const deleteIndexRoute = (router: SecuritySolutionPluginRouter) => {
.delete({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,10 @@ export const readAlertsIndexExistsRoute = (router: SecuritySolutionPluginRouter)
.get({
path: DETECTION_ENGINE_ALERTS_INDEX_URL,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,10 @@ export const readIndexRoute = (
.get({
path: DETECTION_ENGINE_INDEX_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,10 @@ export const createSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
.post({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,10 @@ export const deleteSignalsMigrationRoute = (router: SecuritySolutionPluginRouter
.delete({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,10 @@ export const finalizeSignalsMigrationRoute = (
.post({
path: DETECTION_ENGINE_SIGNALS_FINALIZE_MIGRATION_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@ export const getSignalsMigrationStatusRoute = (router: SecuritySolutionPluginRou
.get({
path: DETECTION_ENGINE_SIGNALS_MIGRATION_STATUS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,10 @@ export const setSignalsStatusRoute = (
.post({
path: DETECTION_ENGINE_SIGNALS_STATUS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@ export const querySignalsRoute = (
.post({
path: DETECTION_ENGINE_QUERY_SIGNALS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@ export const setAlertAssigneesRoute = (router: SecuritySolutionPluginRouter) =>
.post({
path: DETECTION_ENGINE_ALERT_ASSIGNEES_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,10 @@ export const setAlertTagsRoute = (router: SecuritySolutionPluginRouter) => {
.post({
path: DETECTION_ENGINE_ALERT_TAGS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -34,8 +34,10 @@ export const legacyCreateLegacyNotificationRoute = (
.post({
path: UPDATE_OR_CREATE_LEGACY_ACTIONS,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -36,8 +36,10 @@ export const createRuleExceptionsRoute = (router: SecuritySolutionPluginRouter)
.post({
path: CREATE_RULE_EXCEPTIONS_URL,
access: 'public',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -29,8 +29,10 @@ export const findRuleExceptionReferencesRoute = (router: SecuritySolutionPluginR
.get({
path: DETECTION_ENGINE_RULES_EXCEPTIONS_REFERENCE_URL,
access: 'internal',
options: {
tags: ['access:securitySolution'],
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
})
.addVersion(
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -89,8 +89,13 @@ export const previewRulesRoute = (
.post({
path: DETECTION_ENGINE_RULES_PREVIEW,
access: 'public',
security: {
authz: {
requiredPrivileges: ['securitySolution'],
},
},
options: {
tags: ['access:securitySolution', routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
tags: [routeLimitedConcurrencyTag(MAX_ROUTE_CONCURRENCY)],
},
})
.addVersion(
Expand Down

0 comments on commit bf51662

Please sign in to comment.