
[http] Internal API access to be restricted in ESS/on-prem in v9 #186781

Closed
15 of 20 tasks
TinaHeiligers opened this issue Jun 23, 2024 · 14 comments
Labels: Meta, Team:Core (Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc)


TinaHeiligers commented Jun 23, 2024

Access to internal APIs is restricted in Serverless. With v9, we have an opportunity to make the breaking change in ESS and on-prem and restrict internal APIs by default.

What this means to users & stack components:
Access to internal APIs is blocked by default. Access to public APIs remains.

Call to Action:

What this means to Kibana and solution devs:

  • As of 8.9, all Kibana APIs default to internal. All teams must ensure that their public routes have the access route configuration option explicitly set to "public".
  • Integrations consuming internal Kibana APIs must migrate to public counterparts.

Confirm correct access:
Historically, Kibana only used a naming convention to distinguish between internal (/internal) and public (/api) routes. This distinction no longer applies.

Teams should confirm that their APIs have the intended access configuration, especially in cases where:

  • path: "/api/foo...", access: internal
  • path: "/internal/bar..." and access: public

Logging config:

```yaml
logging:
  appenders:
    file:
      type: file
      fileName: /<full_path_to_file>/route_access.log
      layout:
        type: json
  loggers:
    - name: http.server.Kibana.options
      level: debug
      appenders: [file]  # <--- recommended
```

Public routes prefixed with /internal/ by team:

@elastic/response-ops

  • "access [public] [GET] for path [/internal/task_manager/_background_task_utilization]",
  • "access [public] [GET] for path [/internal/alerting/rules/_find]",

@elastic/kibana-security

  • "access [public] [GET] for path [/internal/security/reset_session_page.js]",
  • "access [public] [GET] for path [/internal/security/capture-url]",

@elastic/fleet

  • "access [public] [GET] for path [/internal/fleet/orphaned_integration_policies]",
  • "access [public] [GET] for path [/internal/fleet/settings/enrollment]",

@elastic/obs-ux-management-team

All other API routes maintained by our team have been accounted for in this issue

Internal routes prefixed by /api/ by team:

@elastic/kibana-core
  • confirm all

  • "access [internal] [GET] for path [/api/deprecations/]",

  • "access [internal] [POST] for path [/api/core/capabilities]",

  • "access [public] [POST] for path [/api/kibana/dashboards/import]",

  • "access [public] [GET] for path [/api/kibana/dashboards/export]",

  • "access [internal] [GET] for path [/api/licensing/info]",

  • "access [internal] [GET] for path [/api/licensing/feature_usage]",

  • "access [internal] [POST] for path [/api/ui_counters/_report]",

  • "access [internal] [POST] for path [/api/home/hits_status]",

  • "access [internal] [GET] for path [/api/kibana/management/saved_objects/_find]",

  • "access [internal] [POST] for path [/api/kibana/management/saved_objects/_bulk_get]",

  • "access [internal] [POST] for path [/api/kibana/management/saved_objects/scroll/counts]",

  • "access [internal] [GET] for path [/api/kibana/management/saved_objects/relationships/{type}/{id}]",

  • "access [internal] [GET] for path [/api/kibana/management/saved_objects/_allowed_types]",

@elastic/appex-sharedux
  • confirm all - (@jloleysens - I did a sanity check and it appears current access is in line with documentation)

  • "access [internal] [GET] for path [/api/kibana/settings]",

  • "access [internal] [GET] for path [/api/kibana/global_settings]",

  • "access [internal] [DELETE] for path [/api/kibana/settings/{key}]",

  • "access [internal] [DELETE] for path [/api/kibana/global_settings/{key}]",

  • "access [internal] [POST] for path [/api/kibana/settings/{key}]",

  • "access [internal] [POST] for path [/api/kibana/global_settings/{key}]",

  • "access [internal] [POST] for path [/api/kibana/settings]",

  • "access [internal] [POST] for path [/api/kibana/global_settings]",

  • "access [internal] [GET] for path [/api/banners/info]",

  • "access [internal] [POST] for path [/api/content_management/rpc/{name}]",

  • "access [internal] [GET] for path [/api/kibana/home/tutorials]",

  • "access [internal] [GET] for path [/api/sample_data]",

  • "access [internal] [POST] for path [/api/sample_data/{id}]",

  • "access [internal] [DELETE] for path [/api/sample_data/{id}]",

  • "access [internal] [POST] for path [/api/files/find]",

  • "access [internal] [GET] for path [/api/files/metrics]",

  • "access [internal] [DELETE] for path [/api/files/blobs]",

  • "access [internal] [POST] for path [/api/files/files/defaultImage]",

  • "access [internal] [PUT] for path [/api/files/files/defaultImage/{id}/blob]",

  • "access [internal] [PATCH] for path [/api/files/files/defaultImage/{id}]",

  • "access [internal] [DELETE] for path [/api/files/files/defaultImage/{id}]",

  • "access [internal] [POST] for path [/api/files/files/defaultImage/list]",

  • "access [internal] [GET] for path [/api/files/files/defaultImage/{id}]",

  • "access [internal] [POST] for path [/api/files/shares/defaultImage/{fileId}]",

  • "access [internal] [DELETE] for path [/api/files/shares/defaultImage/{id}]",

  • "access [internal] [GET] for path [/api/files/shares/defaultImage/{id}]",

  • "access [internal] [GET] for path [/api/files/shares/defaultImage]",

  • "access [internal] [POST] for path [/api/files/files/casesFilesCases]",

  • "access [internal] [PUT] for path [/api/files/files/casesFilesCases/{id}/blob]",

  • "access [internal] [POST] for path [/api/files/files/casesFilesCases/list]",

  • "access [internal] [GET] for path [/api/files/files/casesFilesCases/{id}]",

  • "access [internal] [POST] for path [/api/files/files/observabilityFilesCases]",

  • "access [internal] [PUT] for path [/api/files/files/observabilityFilesCases/{id}/blob]",

  • "access [internal] [POST] for path [/api/files/files/observabilityFilesCases/list]",

  • "access [internal] [GET] for path [/api/files/files/observabilityFilesCases/{id}]",

  • "access [internal] [POST] for path [/api/files/files/securitySolutionFilesCases]",

  • "access [internal] [PUT] for path [/api/files/files/securitySolutionFilesCases/{id}/blob]",

  • "access [internal] [POST] for path [/api/files/files/securitySolutionFilesCases/list]",

  • "access [internal] [GET] for path [/api/files/files/securitySolutionFilesCases/{id}]",

  • "access [internal] [POST] for path [/api/saved_objects_tagging/tags/create]",

  • "access [internal] [POST] for path [/api/saved_objects_tagging/tags/{id}]",

  • "access [internal] [DELETE] for path [/api/saved_objects_tagging/tags/{id}]",

  • "access [internal] [GET] for path [/api/saved_objects_tagging/tags]",

  • "access [internal] [GET] for path [/api/saved_objects_tagging/tags/{id}]",

  • "access [internal] [POST] for path [/api/saved_objects_tagging/assignments/update_by_tags]",

@elastic/kibana-data-discovery
  • confirm all

  • "access [internal] [GET] for path [/api/data_views/has_user_data_view]",

  • "access [internal] [GET] for path [/api/index_patterns/has_user_index_pattern]",

@elastic/kibana-management
  • confirm all

  • "access [internal] [POST] for path [/api/searchprofiler/profile]",

  • "access [internal] [POST] for path [/api/painless_lab/execute]",

  • "access [internal] [POST] for path [/api/grokdebugger/simulate]",

  • "access [internal] [GET] for path [/api/snapshot_restore/privileges]",

  • "access [internal] [GET] for path [/api/snapshot_restore/repositories]",

  • "access [internal] [GET] for path [/api/snapshot_restore/repositories/{name}]",

  • "access [internal] [GET] for path [/api/snapshot_restore/repository_types]",

  • "access [internal] [GET] for path [/api/snapshot_restore/repositories/{name}/verify]",

  • "access [internal] [POST] for path [/api/snapshot_restore/repositories/{name}/cleanup]",

  • "access [internal] [PUT] for path [/api/snapshot_restore/repositories]",

  • "access [internal] [PUT] for path [/api/snapshot_restore/repositories/{name}]",

  • "access [internal] [DELETE] for path [/api/snapshot_restore/repositories/{name}]",

  • "access [internal] [GET] for path [/api/snapshot_restore/snapshots]",

  • "access [internal] [GET] for path [/api/snapshot_restore/snapshots/{repository}/{snapshot}]",

  • "access [internal] [POST] for path [/api/snapshot_restore/snapshots/bulk_delete]",

  • "access [internal] [GET] for path [/api/snapshot_restore/restores]",

  • "access [internal] [POST] for path [/api/snapshot_restore/restore/{repository}/{snapshot}]",

  • "access [internal] [GET] for path [/api/snapshot_restore/policies]",

  • "access [internal] [GET] for path [/api/snapshot_restore/policy/{name}]",

  • "access [internal] [POST] for path [/api/snapshot_restore/policies]",

  • "access [internal] [PUT] for path [/api/snapshot_restore/policies/{name}]",

  • "access [internal] [DELETE] for path [/api/snapshot_restore/policies/{name}]",

  • "access [internal] [POST] for path [/api/snapshot_restore/policy/{name}/run]",

  • "access [internal] [GET] for path [/api/snapshot_restore/policies/indices]",

  • "access [internal] [GET] for path [/api/snapshot_restore/policies/features]",

  • "access [internal] [GET] for path [/api/snapshot_restore/policies/retention_settings]",

  • "access [internal] [PUT] for path [/api/snapshot_restore/policies/retention_settings]",

  • "access [internal] [POST] for path [/api/snapshot_restore/policies/retention]",

  • "access [internal] [PUT] for path [/api/license]",

  • "access [internal] [GET] for path [/api/license/start_trial]",

  • "access [internal] [POST] for path [/api/license/start_trial]",

  • "access [internal] [POST] for path [/api/license/start_basic]",

  • "access [internal] [POST] for path [/api/license/permissions]",

  • "access [internal] [GET] for path [/api/console/es_config]",

  • "access [internal] [POST] for path [/api/console/proxy]",

  • "access [internal] [GET] for path [/api/console/api_server]",

  • "access [internal] [GET] for path [/api/console/autocomplete_entities]",

  • "access [internal] [GET] for path [/api/ingest_pipelines]",

  • "access [internal] [GET] for path [/api/ingest_pipelines/{name}]",

  • "access [internal] [POST] for path [/api/ingest_pipelines]",

  • "access [internal] [PUT] for path [/api/ingest_pipelines/{name}]",

  • "access [internal] [GET] for path [/api/ingest_pipelines/privileges]",

  • "access [internal] [DELETE] for path [/api/ingest_pipelines/{names}]",

  • "access [internal] [POST] for path [/api/ingest_pipelines/simulate]",

  • "access [internal] [GET] for path [/api/ingest_pipelines/documents/{index}/{id}]",

  • "access [internal] [POST] for path [/api/ingest_pipelines/parse_csv]",

  • "access [internal] [POST] for path [/api/watcher/fields]",

  • "access [internal] [GET] for path [/api/watcher/history/{id}]",

  • "access [internal] [POST] for path [/api/watcher/indices]",

  • "access [internal] [GET] for path [/api/watcher/indices/index_patterns]",

  • "access [internal] [GET] for path [/api/watcher/license/refresh]",

  • "access [internal] [GET] for path [/api/watcher/settings]",

  • "access [internal] [GET] for path [/api/watcher/watches]",

  • "access [internal] [POST] for path [/api/watcher/watches/delete]",

  • "access [internal] [DELETE] for path [/api/watcher/watch/{watchId}]",

  • "access [internal] [PUT] for path [/api/watcher/watch/execute]",

  • "access [internal] [GET] for path [/api/watcher/watch/{id}]",

  • "access [internal] [PUT] for path [/api/watcher/watch/{id}]",

  • "access [internal] [GET] for path [/api/watcher/watch/{watchId}/history]",

  • "access [internal] [PUT] for path [/api/watcher/watch/{watchId}/activate]",

  • "access [internal] [PUT] for path [/api/watcher/watch/{watchId}/deactivate]",

  • "access [internal] [PUT] for path [/api/watcher/watch/{watchId}/action/{actionId}/acknowledge]",

  • "access [internal] [POST] for path [/api/watcher/watch/visualize]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/privileges]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/cloud_backup_status]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/cluster_upgrade_status]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/system_indices_migration]",

  • "access [internal] [POST] for path [/api/upgrade_assistant/system_indices_migration]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/es_deprecations]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/deprecation_logging]",

  • "access [internal] [PUT] for path [/api/upgrade_assistant/deprecation_logging]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/deprecation_logging/count]",

  • "access [internal] [DELETE] for path [/api/upgrade_assistant/deprecation_logging/cache]",

  • "access [internal] [POST] for path [/api/upgrade_assistant/{indexName}/index_settings]",

  • "access [internal] [POST] for path [/api/upgrade_assistant/ml_snapshots]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/ml_snapshots/{jobId}/{snapshotId}]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/ml_upgrade_mode]",

  • "access [internal] [DELETE] for path [/api/upgrade_assistant/ml_snapshots/{jobId}/{snapshotId}]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/remote_clusters]",

  • "access [internal] [GET] for path [/api/upgrade_assistant/node_disk_space]",

  • "access [internal] [POST] for path [/api/upgrade_assistant/cluster_settings]",

  • "access [internal] [GET] for path [/api/index_management/data_streams/{name}]",

  • "access [internal] [POST] for path [/api/index_management/data_streams/{name}/mappings_from_template]",

  • "access [internal] [POST] for path [/api/index_management/data_streams/{name}/rollover]",

  • "access [internal] [GET] for path [/api/index_management/data_streams]",

  • "access [internal] [POST] for path [/api/index_management/delete_data_streams]",

  • "access [internal] [PUT] for path [/api/index_management/data_streams/{name}/data_retention]",

  • "access [internal] [POST] for path [/api/index_management/indices/clear_cache]",

  • "access [internal] [POST] for path [/api/index_management/indices/close]",

  • "access [internal] [POST] for path [/api/index_management/indices/flush]",

  • "access [internal] [POST] for path [/api/index_management/indices/forcemerge]",

  • "access [internal] [GET] for path [/api/index_management/indices]",

  • "access [internal] [POST] for path [/api/index_management/indices/open]",

  • "access [internal] [POST] for path [/api/index_management/indices/refresh]",

  • "access [internal] [POST] for path [/api/index_management/indices/reload]",

  • "access [internal] [POST] for path [/api/index_management/indices/delete]",

  • "access [internal] [POST] for path [/api/index_management/indices/unfreeze]",

  • "access [internal] [GET] for path [/api/index_management/index_templates]",

  • "access [internal] [GET] for path [/api/index_management/index_templates/{name}]",

  • "access [internal] [POST] for path [/api/index_management/delete_index_templates]",

  • "access [internal] [POST] for path [/api/index_management/index_templates]",

  • "access [internal] [PUT] for path [/api/index_management/index_templates/{name}]",

  • "access [internal] [POST] for path [/api/index_management/index_templates/simulate]",

  • "access [internal] [GET] for path [/api/index_management/settings/{indexName}]",

  • "access [internal] [PUT] for path [/api/index_management/settings/{indexName}]",

  • "access [internal] [GET] for path [/api/index_management/mapping/{indexName}]",

  • "access [internal] [PUT] for path [/api/index_management/mapping/{indexName}]",

  • "access [internal] [GET] for path [/api/index_management/component_templates]",

  • "access [internal] [GET] for path [/api/index_management/component_templates/{name}]",

  • "access [internal] [POST] for path [/api/index_management/component_templates]",

  • "access [internal] [PUT] for path [/api/index_management/component_templates/{name}]",

  • "access [internal] [GET] for path [/api/index_management/component_templates/{name}/datastreams]",

  • "access [internal] [DELETE] for path [/api/index_management/component_templates/{names}]",

  • "access [internal] [GET] for path [/api/index_management/component_templates/privileges]",

  • "access [internal] [GET] for path [/api/index_management/inference/all]",

  • "access [internal] [GET] for path [/api/index_management/nodes/plugins]",

  • "access [internal] [GET] for path [/api/index_management/stats/{indexName}]",

  • "access [internal] [GET] for path [/api/remote_clusters]",

  • "access [internal] [POST] for path [/api/remote_clusters]",

  • "access [internal] [PUT] for path [/api/remote_clusters/{name}]",

  • "access [internal] [DELETE] for path [/api/remote_clusters/{nameOrNames}]",

  • "access [internal] [POST] for path [/api/cross_cluster_replication/auto_follow_patterns]",

  • "access [internal] [DELETE] for path [/api/cross_cluster_replication/auto_follow_patterns/{id}]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/auto_follow_patterns]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/auto_follow_patterns/{id}]",

  • "access [internal] [POST] for path [/api/cross_cluster_replication/auto_follow_patterns/{id}/pause]",

  • "access [internal] [POST] for path [/api/cross_cluster_replication/auto_follow_patterns/{id}/resume]",

  • "access [internal] [PUT] for path [/api/cross_cluster_replication/auto_follow_patterns/{id}]",

  • "access [internal] [POST] for path [/api/cross_cluster_replication/follower_indices]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/follower_indices]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/follower_indices/{id}]",

  • "access [internal] [PUT] for path [/api/cross_cluster_replication/follower_indices/{id}/pause]",

  • "access [internal] [PUT] for path [/api/cross_cluster_replication/follower_indices/{id}/resume]",

  • "access [internal] [PUT] for path [/api/cross_cluster_replication/follower_indices/{id}/unfollow]",

  • "access [internal] [PUT] for path [/api/cross_cluster_replication/follower_indices/{id}]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/permissions]",

  • "access [internal] [GET] for path [/api/cross_cluster_replication/stats/auto_follow]",

  • "access [internal] [POST] for path [/api/index_lifecycle_management/index/retry]",

  • "access [internal] [POST] for path [/api/index_lifecycle_management/index/remove]",

  • "access [internal] [POST] for path [/api/index_lifecycle_management/index/add]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/nodes/list]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/nodes/{nodeAttrs}/details]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/policies]",

  • "access [internal] [POST] for path [/api/index_lifecycle_management/policies]",

  • "access [internal] [DELETE] for path [/api/index_lifecycle_management/policies/{policyNames}]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/templates]",

  • "access [internal] [POST] for path [/api/index_lifecycle_management/template]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/snapshot_policies]",

  • "access [internal] [GET] for path [/api/index_lifecycle_management/snapshot_repositories]",

  • "access [internal] [GET] for path [/api/rollup/indices]",

  • "access [internal] [GET] for path [/api/rollup/index_pattern_validity/{indexPattern}]",

  • "access [internal] [PUT] for path [/api/rollup/create]",

  • "access [internal] [POST] for path [/api/rollup/delete]",

  • "access [internal] [GET] for path [/api/rollup/jobs]",

  • "access [internal] [POST] for path [/api/rollup/start]",

  • "access [internal] [POST] for path [/api/rollup/stop]",

  • "access [internal] [POST] for path [/api/rollup/search]",

@elastic/kibana-security
  • confirm all ([HTTP] Set explicit access for public HTTP APIs #192554)

  • "access [internal] [GET] for path [/api/spaces/space/{id}]",

  • "access [internal] [GET] for path [/api/spaces/space]",

  • "access [internal] [PUT] for path [/api/spaces/space/{id}]",

  • "access [internal] [DELETE] for path [/api/spaces/space/{id}]",

  • "access [internal] [POST] for path [/api/spaces/space]",

  • "access [internal] [POST] for path [/api/spaces/_copy_saved_objects]",

  • "access [internal] [POST] for path [/api/spaces/_resolve_copy_saved_objects_errors]",

  • "access [internal] [POST] for path [/api/spaces/_update_objects_spaces]",

  • "access [internal] [POST] for path [/api/spaces/_get_shareable_references]",

  • "access [internal] [POST] for path [/api/spaces/_disable_legacy_url_aliases]",

  • "access [internal] [GET] for path [/api/security/v1/me]",

  • "access [internal] [GET] for path [/api/security/privileges]",

  • "access [internal] [GET] for path [/api/security/role/{name}]",

  • "access [internal] [GET] for path [/api/security/role]",

  • "access [internal] [DELETE] for path [/api/security/role/{name}]",

  • "access [internal] [PUT] for path [/api/security/role/{name}]",

  • "access [internal] [POST] for path [/api/security/session/_invalidate]",

  • "access [internal] [POST] for path [/api/encrypted_saved_objects/_rotate_key]",

@elastic/response-ops
  • confirm all - (@jloleysens - I did a sanity check and it appears current access is in line with documentation)
  • "access [internal] [POST] for path [/api/alerts/alert/{id?}]",
  • "access [internal] [DELETE] for path [/api/alerts/alert/{id}]",
  • "access [internal] [GET] for path [/api/alerts/_find]",
  • "access [internal] [GET] for path [/api/alerts/alert/{id}]",
  • "access [internal] [GET] for path [/api/alerts/alert/{id}/state]",
  • "access [internal] [GET] for path [/api/alerts/alert/{id}/_instance_summary]",
  • "access [internal] [GET] for path [/api/alerts/list_alert_types]",
  • "access [internal] [PUT] for path [/api/alerts/alert/{id}]",
  • "access [internal] [POST] for path [/api/alerts/alert/{id}/_enable]",
  • "access [internal] [POST] for path [/api/alerts/alert/{id}/_disable]",
  • "access [internal] [POST] for path [/api/alerts/alert/{id}/_update_api_key]",
  • "access [internal] [POST] for path [/api/alerts/alert/{id}/_mute_all]",
  • "access [internal] [POST] for path [/api/alerts/alert/{id}/_unmute_all]",
  • "access [internal] [POST] for path [/api/alerts/alert/{alert_id}/alert_instance/{alert_instance_id}/_mute]",
  • "access [internal] [POST] for path [/api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute]",
  • "access [internal] [GET] for path [/api/alerts/_health]",
  • "access [internal] [GET] for path [/api/cases/{case_id}/resolve]",
@elastic/obs-ux-infra_services-team
  • confirm all - (@jloleysens - I did a sanity check and it appears current access is in line with documentation)

  • "access [internal] [POST] for path [/api/infra/metrics_explorer]",

  • "access [internal] [POST] for path [/api/infra/ip_to_host]",

  • "access [internal] [POST] for path [/api/infra/infra_ml/results/metrics_k8s_anomalies]",

  • "access [internal] [POST] for path [/api/infra/infra_ml/results/metrics_hosts_anomalies]",

  • "access [internal] [POST] for path [/api/infra/metrics_explorer_views]",

  • "access [internal] [DELETE] for path [/api/infra/metrics_explorer_views/{metricsExplorerViewId}]",

  • "access [internal] [GET] for path [/api/infra/metrics_explorer_views]",

  • "access [internal] [GET] for path [/api/infra/metrics_explorer_views/{metricsExplorerViewId}]",

  • "access [internal] [PUT] for path [/api/infra/metrics_explorer_views/{metricsExplorerViewId}]",

  • "access [internal] [POST] for path [/api/infra/metrics_api]",

  • "access [internal] [POST] for path [/api/infra/metadata]",

  • "access [internal] [POST] for path [/api/infra/inventory/meta]",

  • "access [internal] [POST] for path [/api/infra/inventory_views]",

  • "access [internal] [DELETE] for path [/api/infra/inventory_views/{inventoryViewId}]",

  • "access [internal] [GET] for path [/api/infra/inventory_views]",

  • "access [internal] [GET] for path [/api/infra/inventory_views/{inventoryViewId}]",

  • "access [internal] [PUT] for path [/api/infra/inventory_views/{inventoryViewId}]",

  • "access [internal] [GET] for path [/api/infra/services]",

  • "access [internal] [GET] for path [/api/infra/{assetType}/custom-dashboards]",

  • "access [internal] [POST] for path [/api/infra/{assetType}/custom-dashboards]",

  • "access [internal] [DELETE] for path [/api/infra/{assetType}/custom-dashboards/{id}]",

  • "access [internal] [PUT] for path [/api/infra/{assetType}/custom-dashboards/{id}]",

  • "access [internal] [GET] for path [/api/metrics/indices]",

  • "access [internal] [POST] for path [/api/metrics/snapshot]",

  • "access [internal] [POST] for path [/api/metrics/node_details]",

  • "access [internal] [GET] for path [/api/metrics/source/{sourceId}]",

  • "access [internal] [PATCH] for path [/api/metrics/source/{sourceId}]",

  • "access [internal] [GET] for path [/api/metrics/source/{sourceId}/hasData]",

  • "access [internal] [POST] for path [/api/metrics/process_list]",

  • "access [internal] [POST] for path [/api/metrics/process_list/chart]",

  • "access [internal] [POST] for path [/api/metrics/overview/top]",

  • "access [internal] [POST] for path [/api/metrics/infra]",

@elastic/obs-ux-logs-team
  • confirm all
  • "access [internal] [POST] for path [/api/log_entries/highlights]",
  • "access [internal] [POST] for path [/api/log_entries/summary]",
  • "access [internal] [POST] for path [/api/log_entries/summary_highlights]",
  • "access [internal] [GET] for path [/api/infra/log_views/{logViewId}]",
  • "access [internal] [PUT] for path [/api/infra/log_views/{logViewId}]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_categories]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_category_datasets]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/latest_log_entry_category_datasets_stats]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_category_examples]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_anomalies]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_anomalies_datasets]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/id_formats]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/validation/log_entry_datasets]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/validation/log_entry_rate_indices]",
  • "access [internal] [POST] for path [/api/infra/log_analysis/results/log_entry_examples]",
  • "access [internal] [POST] for path [/api/infra/log_alerts/chart_preview_data]"
@elastic/obs-ux-management-team

All of the routes for this team have been checked and referenced above in this description, and are tracked in this meta issue.

@elastic/stack-monitoring
  • [Monitoring] Set explicit access option for internal API #186882

  • "access [internal] [POST] for path [/api/monitoring/v1/alert/{clusterUuid}/status]",

  • "access [internal] [POST] for path [/api/monitoring/v1/alerts/enable]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm/{apmUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm/instances]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats/beat/{beatUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats/beats]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats]",

  • "access [internal] [GET] for path [/api/monitoring/v1/check_access]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/indices/{id}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/indices]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/nodes/{nodeUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/nodes]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ml_jobs]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ccr]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ccr/{index}/shard/{shardId}]",

  • "access [internal] [GET] for path [/api/monitoring/v1/elasticsearch_settings/check/cluster]",

  • "access [internal] [POST] for path [/api/monitoring/v1/elasticsearch_settings/check/internal_monitoring]",

  • "access [internal] [GET] for path [/api/monitoring/v1/elasticsearch_settings/check/nodes]",

  • "access [internal] [PUT] for path [/api/monitoring/v1/elasticsearch_settings/set/collection_enabled]",

  • "access [internal] [PUT] for path [/api/monitoring/v1/elasticsearch_settings/set/collection_interval]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/enterprise_search]",

  • "access [internal] [GET] for path [/api/monitoring/v1/_health]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipeline_ids]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipelines]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/node/{logstashUuid}/pipelines]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/node/{logstashUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/nodes]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipeline/{pipelineId}/{pipelineHash?}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/setup/collection/cluster/{clusterUuid?}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/setup/collection/{clusterUuid}/disable_internal_collection]",

  • "access [internal] [POST] for path [/api/monitoring/v1/setup/collection/node/{nodeUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana/{kibanaUuid}]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana/instances]",

  • "access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana]",

  • "access [internal] [GET] for path [/api/monitoring_collection/{type}]",

@elastic/logstash
  • confirm all ([HTTP] Set explicit access for public HTTP APIs 2 #192579)
  • "access [internal] [GET] for path [/api/logstash/cluster]", to confirm
  • "access [internal] [GET] for path [/api/logstash/pipelines]", confirmed
  • "access [internal] [POST] for path [/api/logstash/pipelines/delete]", confirmed
@elastic/security-solution
  • confirm all #191799
  • "access [internal] [POST] for path [/api/risk_scores/calculation]",
  • "access [internal] [POST] for path [/api/risk_scores/calculation/entity]",
@elastic/security-threat-hunting-investigations
  • confirm all - (@jloleysens - I did sanity check and it appears current access is in line with documentation)
  • "access [internal] [POST] for path [/api/endpoint/resolver/tree]",
  • "access [internal] [POST] for path [/api/endpoint/resolver/events]",
  • "access [internal] [GET] for path [/api/endpoint/resolver/entity]",
  • "access [internal] [POST] for path [/api/timeline/_copy]",
@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 23, 2024
@TinaHeiligers TinaHeiligers added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Meta labels Jun 23, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jun 23, 2024
tonyghiani added a commit that referenced this issue Jun 26, 2024
## 📓 Summary

Part of #186781

Explicitly set the `access` option for the monitoring internal APIs:

- access [internal] [POST] for path [/api/monitoring/v1/alert/{clusterUuid}/status]
- access [internal] [POST] for path [/api/monitoring/v1/alerts/enable]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm/{apmUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm/instances]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/apm]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats/beat/{beatUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats/beats]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/beats]
- access [internal] [GET] for path [/api/monitoring/v1/check_access]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/indices/{id}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/indices]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/nodes/{nodeUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/nodes]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ml_jobs]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ccr]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/elasticsearch/ccr/{index}/shard/{shardId}]
- access [internal] [GET] for path [/api/monitoring/v1/elasticsearch_settings/check/cluster]
- access [internal] [POST] for path [/api/monitoring/v1/elasticsearch_settings/check/internal_monitoring]
- access [internal] [GET] for path [/api/monitoring/v1/elasticsearch_settings/check/nodes]
- access [internal] [PUT] for path [/api/monitoring/v1/elasticsearch_settings/set/collection_enabled]
- access [internal] [PUT] for path [/api/monitoring/v1/elasticsearch_settings/set/collection_interval]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/enterprise_search]
- access [internal] [GET] for path [/api/monitoring/v1/_health]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipeline_ids]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipelines]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/node/{logstashUuid}/pipelines]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/node/{logstashUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/nodes]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/logstash/pipeline/{pipelineId}/{pipelineHash?}]
- access [internal] [POST] for path [/api/monitoring/v1/setup/collection/cluster/{clusterUuid?}]
- access [internal] [POST] for path [/api/monitoring/v1/setup/collection/{clusterUuid}/disable_internal_collection]
- access [internal] [POST] for path [/api/monitoring/v1/setup/collection/node/{nodeUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana/{kibanaUuid}]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana/instances]
- access [internal] [POST] for path [/api/monitoring/v1/clusters/{clusterUuid}/kibana]
- access [internal] [GET] for path [/api/monitoring_collection/{type}]

Co-authored-by: Marco Antonio Ghiani <[email protected]>
@davismcphee davismcphee added the Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. label Jun 28, 2024
@TinaHeiligers
Contributor Author

Asked offline:

[edited] ...do you also expect to change the name prefix so the naming convention is also aligned ("to the access flag")?

Answer:

It depends(™) on whether you want the APIs to be public or internal. Ideally, both the access flag and the prefix should correspond but that would mean a new model version for the API and deprecating the “old” API path.

All public routes should have been documented as public with an OpenApi Spec.

The intention is to have parity between how we handle the APIs in Serverless and everywhere else

TL;DR: Core won’t automatically change the prefix, nor will the access flag be changed to match the route path prefix. They don’t have to correspond.

@TinaHeiligers
Contributor Author

TinaHeiligers commented Jul 10, 2024

@davismcphee This issue is Core's Meta issue to make sure teams are aware. It is not intended to be "shared" between all the teams.

As such, could you please track your teams' progress in your own issue? The meta task assignee on Core's side has @mattkime. It should be me.

CC @kertal

@TinaHeiligers TinaHeiligers removed the Team:DataDiscovery Discover, search (e.g. data plugin and KQL), data views, saved searches. For ES|QL, use Team:ES|QL. label Jul 10, 2024
@davismcphee
Contributor

@TinaHeiligers Sure, thanks for the heads up!

@michaelolo24
Contributor

Thanks for this heads up @TinaHeiligers! The Resolver APIs are owned by the threat hunting team, so I'm going to move them there to track this work. Thanks!

@TinaHeiligers
Contributor Author

Restricting internal APIs by default has been accepted and will be enforced as of v9.0.0

@elastic/response-ops @elastic/kibana-security @elastic/fleet @elastic/obs-ux-management-team please make sure to finish your audits for the public routes prefixed with /internal/ as soon as possible!

TTL: September 15th for the audit.

@paulb-elastic
Contributor

In the main description, I've updated the owner of the /api/synthetics APIs from @elastic/obs-ux-infra_services-team to @elastic/obs-ux-management-team as we recently moved responsibility between teams

@jasonrhodes
Member

I've updated all references in the issue description to any routes owned by our team (obs-ux-management) and replaced them with links to the corresponding issues. Please let me know if you have any questions.

@cnasikas
Member

cnasikas commented Sep 15, 2024

Inspired by @jasonrhodes (thank you!) I created a similar issue #192897 that audits all the routes owned by the @elastic/response-ops team. We will take action to explicitly set the access to all routes (#192956). About:

  • "access [public] [GET] for path [/internal/task_manager/_background_task_utilization]": This seems wrong. It should be internal but I would confirm with the @elastic/response-ops-execution team.
  • "access [public] [GET] for path [/internal/alerting/rules/_find]": This seems to be a bug in our code. We will fix it.
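The kind of prefix-versus-flag check the comment above describes, written as an added example (not code from the Kibana issue or repository). It assumes the `access [...] [...] for path [...]` log format quoted in this thread and treats the `/api` vs `/internal` prefix only as a review hint, since the thread notes the two need not correspond.

```typescript
// Added example, not code from the Kibana issue or repository: audits the
// "access [<flag>] [<method>] for path [<path>]" log lines quoted in this
// thread and flags routes whose access flag disagrees with the /api vs
// /internal naming convention, so the owning team can confirm intent.

type RouteAccess = 'public' | 'internal';

interface RouteEntry {
  access: RouteAccess;
  method: string;
  path: string;
}

// Two review buckets: a public route under /internal/ is a likely accidental
// exposure; an internal route under /api/ will fail for external callers
// once the v9 restriction is enforced.
type FindingKind = 'internal-prefix-public-access' | 'api-prefix-internal-access';
type AuditFinding = RouteEntry & { kind: FindingKind };
// Matches the log format quoted in this thread; tolerates the surrounding
// quotes and trailing commas copied from the issue text.
const ACCESS_LINE_RE = /access \[(public|internal)\] \[([A-Z]+)\] for path \[([^\]]+)\]/;

// Parse one log line; returns null for lines that are not route-access entries.
function parseAccessLine(line: string): RouteEntry | null {
  const m = ACCESS_LINE_RE.exec(line);
  if (m === null) return null;
  return { access: m[1] as RouteAccess, method: m[2], path: m[3] };
}

// Classify one parsed entry; null when prefix and flag agree or the path
// uses a prefix with no convention attached.
function classify(entry: RouteEntry): FindingKind | null {
  if (entry.path.startsWith('/internal/') && entry.access === 'public') {
    return 'internal-prefix-public-access';
  }
  if (entry.path.startsWith('/api/') && entry.access === 'internal') {
    return 'api-prefix-internal-access';
  }
  return null;
}

// Run the audit over raw log lines and return only the entries to review.
function auditRoutes(lines: string[]): AuditFinding[] {
  const findings: AuditFinding[] = [];
  for (const line of lines) {
    const entry = parseAccessLine(line);
    if (entry === null) continue;
    const kind = classify(entry);
    if (kind !== null) findings.push({ ...entry, kind });
  }
  return findings;
}

// Constructed sample input: lines quoted in this issue plus unrelated noise.
const SAMPLE_LINES: string[] = [
  '"access [internal] [GET] for path [/api/logstash/cluster]",',
  '"access [public] [GET] for path [/internal/alerting/rules/_find]",',
  '"access [public] [GET] for path [/internal/task_manager/_background_task_utilization]",',
  '"access [public] [POST] for path [/api/apm/agent_keys]",',
  'some unrelated log line',
];

for (const f of auditRoutes(SAMPLE_LINES)) {
  console.log(`${f.kind}: [${f.method}] ${f.path} (access: ${f.access})`);
}
```

Feed it the full route access log from a dev instance to get the same two-bucket list the teams in this thread compiled by hand.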

jloleysens added a commit that referenced this issue Sep 23, 2024
## Summary

We will be enforcing restricted access to internal HTTP APIs [from
9.0](#186781). This PR is part 1
of audit checking that our public APIs have their access tag set
explicitly to ensure they are still available to end users after we
start enforcing HTTP API restrictions. APIs reviewed in this PR
([docs](https://www.elastic.co/guide/en/kibana/current/dashboard-import-api.html)):

<img width="260" alt="Screenshot 2024-09-11 at 11 25 55"
src="https://github.com/user-attachments/assets/499b1f1f-8e01-4463-9410-4500e438cd23">

## Note to reviewers

This audit is focussed on setting `access: 'public'` where needed. Per the
screenshot our public-facing documentation is taken as the source of
truth for which APIs should be public. This may differ per offering so
please consider whether a given HTTP API should be public on both
serverless and stateful offerings.

## Risks

* If we miss an API that should be public, end users will encounter a
`400` response when they try to use the HTTP API on 9.0
* If we set an API's access to "public" it will not have the same
restrictions applied to it.
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Sep 23, 2024
(cherry picked from commit 3fa5bdf)
kibanamachine added a commit that referenced this issue Sep 23, 2024
…92554) (#193735)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[HTTP] Set explicit access for `public` HTTP APIs (#192554)](#192554)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jean-Louis Leysens <[email protected]>
@rudolf rudolf assigned jloleysens and unassigned TinaHeiligers Sep 24, 2024
@TinaHeiligers
Contributor Author

TinaHeiligers commented Oct 8, 2024

@elastic/logstash please confirm if /api/logstash/cluster is supposed to be internal. It wasn't covered in #192579

@elastic/kibana-security a gentle reminder that the restriction is now enforced as of v9. I'll check your teams' list as done since #192153 is closed. Please LMK if you need more time.

@TinaHeiligers
Contributor Author

@jloleysens We should be able to close this as done after hearing back from the logstash team about /api/logstash/cluster as internal.
It wasn't called out in #192579

@azasypkin
Member

@elastic/kibana-security
"access [public] [GET] for path [/internal/security/reset_session_page.js]",
"access [public] [GET] for path [/internal/security/capture-url]",

Thanks for the ping and sorry for the delayed reply, @TinaHeiligers. It somehow slipped under my radar. Both of these routes are registered with the httpResources service, and if I understand correctly, any "access" restrictions don’t apply to them since they are essentially resources like CSS and JS, with the only exception being that they are generated dynamically. Is my understanding correct?

@jloleysens
Contributor

@azasypkin

Is my understanding correct?

Yeah, this is correct. They are registered as unversioned, public routes and excluded from OAS docs (since this PR)

@jloleysens
Contributor

Closed by #192579

miloszmarcinkowski added a commit that referenced this issue Oct 24, 2024
## Summary

Closes #192473 
Part of #186781

Set explicit `access` option to `public` for APM public APIs.

List of affected APIs:
```
POST /api/apm/agent_keys 2023-10-31
GET /api/apm/services/{serviceName}/annotation/search 2023-10-31
POST /api/apm/services/{serviceName}/annotation 2023-10-31
GET /api/apm/settings/agent-configuration 2023-10-31
DELETE /api/apm/settings/agent-configuration 2023-10-31
PUT /api/apm/settings/agent-configuration 2023-10-31
POST /api/apm/settings/agent-configuration/search 2023-10-31
GET /api/apm/sourcemaps 2023-10-31
POST /api/apm/sourcemaps 2023-10-31
DELETE /api/apm/sourcemaps/{id} 2023-10-31
GET /api/apm/settings/agent-configuration/view 2023-10-31
GET /api/apm/settings/agent-configuration/environments 2023-10-31
GET /api/apm/settings/agent-configuration/agent_name 2023-10-31
POST /api/apm/fleet/apm_server_schema 2023-10-31
```