
[edited] Calls to Kibana internal APIs require an internal product header #152287

Closed
TinaHeiligers opened this issue Feb 27, 2023 · 12 comments
Assignees
Labels
Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@TinaHeiligers
Contributor

TinaHeiligers commented Feb 27, 2023

Kibana's HTTP service is restricting access to all internal APIs for serverless in #151940.
We'll enforce this through config with a server.restrictInternalApis: <boolean> that defaults to false in any other mode.

Calling all plugin authors!

Requests to internal APIs will throw if a request doesn't include the x-elastic-internal-product: Kibana header and we need your help!

If you're using core's browser-side HTTP service (e.g. core.http.fetch('....')), you don't need to do anything, you may stop reading and move on with your day 😄

If your plugin and services use any custom way of making browser-side calls (e.g. axios), you'll need to add the header to requests made to Kibana APIs.

We've already handled bfetch:

See implementation
//src/plugins/bfetch/public/plugin.ts
private fetchStreaming =
  (
    version: string,
    basePath: string,
    getIsCompressionDisabled: () => boolean
  ): BfetchPublicSetup['fetchStreaming'] =>
  (params) =>
    fetchStreamingStatic({
      ...params,
      url: `${basePath}/${removeLeadingSlash(params.url)}`,
      headers: {
        'Content-Type': 'application/json',
        'kbn-version': version,
        [INTERNAL_ACCESS_REQUEST]: 'Kibana', // <--- HERE: the internal product header, added to every bfetch request
        ...(params.headers || {}),
      },
      getIsCompressionDisabled,
    });

The restriction is only applied to internal APIs. However, we recommend implementing the header now to all APIs, especially if you plan to change them to internal.

Calling all stack consumers of Kibana APIs!

Stack components consuming internal Kibana APIs need to ensure requests to those contain the x-elastic-product-origin header. The header is required for calls to internal Kibana APIs. We recommend sending the header with any call to Kibana APIs.

Target dates (everyone):

May 23, 2023
Acknowledge awareness of the change.

June 1, 2023
Audit: Identify usage of internal Kibana APIs that are missing the product origin header.

July 3, 2023 (provisional)
Enable protection by default in Serverless

Stack components

Team Acknowledged (target: May 23, 2023) Audit (target: June 1, 2023) Work to be done (N/A if not applicable) Issue link (if applicable)
#platform-deployment-management ✅ (deadline extended to June 4, as agreed) N/A N/A
#synthetics-user_experience-uptime N/A N/A
#security-integration-asset-management N/A N/A
#apm-ui N/A N/A
#ent-search-application N/A N/A N/A
#stack-monitoring N/A N/A
#fleet N/A N/A
@TinaHeiligers TinaHeiligers added Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc labels Feb 27, 2023
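An added example (not Kibana's own code) modelling the rule described above, so a plugin author using a custom client can see what the server checks and run the audit step over recorded requests. The header names are the ones quoted in the issue text; `/internal/` as the internal-route prefix, the base path `/kbn` and the sample routes are assumptions made here.

```typescript
// Added example, not Kibana's own code: a small model of the rule in this issue, so a
// plugin author can exercise a custom client (axios etc.) and audit recorded requests.
// Header names are the ones quoted in the issue; real code should import core's constant.
const INTERNAL_ACCESS_REQUEST = 'x-elastic-internal-product';
const PRODUCT_ORIGIN = 'x-elastic-product-origin';
type HeaderMap = Record<string, string>;
interface ServerConfig { restrictInternalApis: boolean } // false outside serverless

// Internal routes live under /internal/, possibly behind a server base path (assumption).
function isInternalPath(url: string, basePath = ''): boolean {
  const q = url.indexOf('?');
  let path = q === -1 ? url : url.slice(0, q);
  if (basePath && path.startsWith(basePath)) path = path.slice(basePath.length);
  return path === '/internal' || path.startsWith('/internal/');
}

// HTTP header names are case-insensitive, so compare them lower-cased.
function hasProductHeader(headers: HeaderMap): boolean {
  for (const name of Object.keys(headers)) {
    const key = name.toLowerCase();
    if (key === INTERNAL_ACCESS_REQUEST && headers[name] === 'Kibana') return true;
    if (key === PRODUCT_ORIGIN && headers[name] !== '') return true;
  }
  return false;
}

// Server side: once restrictInternalApis is on, internal routes need the header.
function checkRequest(cfg: ServerConfig, url: string, headers: HeaderMap, basePath = ''): { ok: boolean; reason?: string } {
  if (!cfg.restrictInternalApis || !isInternalPath(url, basePath)) return { ok: true };
  if (hasProductHeader(headers)) return { ok: true };
  return { ok: false, reason: `missing ${INTERNAL_ACCESS_REQUEST} header on internal route ${url}` };
}

// Client side: what a non-core client should add to every Kibana request, not only /internal/ ones.
function withProductHeader(headers: HeaderMap = {}): HeaderMap {
  return { [INTERNAL_ACCESS_REQUEST]: 'Kibana', ...headers };
}

// Audit step: list recorded internal calls that would fail under the restriction.
interface RecordedRequest { url: string; headers: HeaderMap }
function auditRequests(requests: RecordedRequest[], basePath = ''): string[] {
  const strict: ServerConfig = { restrictInternalApis: true };
  return requests.filter((r) => !checkRequest(strict, r.url, r.headers, basePath).ok).map((r) => r.url);
}

// Constructed sample traffic behind base path /kbn (routes are illustrative, not real ones).
const SAMPLE_REQUESTS: RecordedRequest[] = [
  { url: '/kbn/api/example/public', headers: {} },
  { url: '/kbn/internal/example/search?q=1', headers: {} },
  { url: '/kbn/internal/example/status', headers: withProductHeader({ 'kbn-version': '8.8.0' }) },
];
```

`auditRequests(SAMPLE_REQUESTS, '/kbn')` flags only the second request, which is the kind of call the June 1 audit is meant to surface.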
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@TinaHeiligers TinaHeiligers self-assigned this May 18, 2023
@TinaHeiligers TinaHeiligers changed the title Browser-side code not using Core's http service need to send the correct header. [edited] Calls to Kibana internal APIs require an internal product header May 24, 2023
@TinaHeiligers
Contributor Author

@elastic/enterprise-search @apm we're past the acknowledgment due date. Are you aware of the restrictions?

@jimczi

jimczi commented May 24, 2023

Thanks for the ping @TinaHeiligers , we're aware of the restriction and we'll apply the new header where appropriate.

@apm

apm commented May 24, 2023

@TinaHeiligers @apm is my username. I don't have anything to do with the package.

@afharo
Member

afharo commented May 25, 2023

cc @elastic/apm

@miltonhultgren
Contributor

miltonhultgren commented May 25, 2023

@TinaHeiligers Sorry, this fell through the cracks!

The Stack Monitoring plugin code uses core.http.fetch and does not call any /internal APIs.

@TinaHeiligers
Contributor Author

@miltonhultgren, you're all set then. Nothing for your team to do.

@gbamparop
Contributor

@apm we're past the acknowledgment due date. Are you aware of the restrictions?

We're using core's APIs and it seems that the headers are being correctly set. I have updated the description accordingly. cc @sqren

For future reference the team's tag is elastic/apm-ui

@TinaHeiligers
Contributor Author

Thanks @gbamparop!

@juliaElastic
Contributor

Hi, I had a check in the Fleet plugin, and we are only using core.http to query Kibana; we are not calling /internal APIs with fetch/axios.

@yuliacech
Contributor

Hi @TinaHeiligers, I did an audit for the Deployment Management team plugins and haven't found any custom API calls. I don't think any work is needed on our side.

@TinaHeiligers
Contributor Author

All teams have reported back with their Audit results and are compliant. Nothing more to track here.
