[Obs Alerting] Change API access to new authz authorization paradigm #203326

Closed
jasonrhodes opened this issue Dec 6, 2024 · 1 comment · Fixed by #204472

Comments

@jasonrhodes
Member

Authorization for API endpoints must be migrated away from the previous use of `options.tags: ["access:some_tag"]` and replaced with a new `security.authz` object. Information can be found here: https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization

Note: this should not be confused with the `options.access` value that is still used to indicate whether an API route is internal or public.

List of Observability Alerting routes

Full list of routes in need of manual migration can be found in these issues:

Note: there is only one route mentioned for observability alerting

  • /api/observability/rules/alerts/dynamic_index_pattern

For an example of this migration, see the PR that migrates all SLO routes

@jasonrhodes jasonrhodes added the Team:obs-ux-management Observability Management User Experience Team label Dec 6, 2024
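As an added example (not part of the original issue or of Kibana's code base), the following audit classifies route definitions by migration state: still on `access:` tags, migrated to `security.authz`, half-migrated, explicitly opted out, or declaring no authorization at all. The `RouteDef` type is a simplified, hypothetical shape; `requiredPrivileges` and the `enabled: false` plus `reason` opt-out are assumed to follow Kibana's route security config, and all paths and privilege names are constructed placeholders.

```typescript
// Simplified, hypothetical route shape covering only the fields the issue names.
interface RouteDef {
  path: string;
  options?: { tags?: string[]; access?: 'public' | 'internal' };
  security?: {
    authz?: { requiredPrivileges: string[] } | { enabled: false; reason: string };
  };
}

type Status = 'migrated' | 'opted-out' | 'legacy-tags' | 'mixed' | 'missing-authz';
interface Finding { path: string; status: Status; legacyPrivileges: string[] }

function auditRoute(route: RouteDef): Finding {
  // Only "access:<privilege>" tags carried authorization meaning.
  // options.access (public vs internal) is a separate setting and is ignored.
  const legacyPrivileges = (route.options?.tags ?? [])
    .filter((tag) => tag.startsWith('access:'))
    .map((tag) => tag.slice('access:'.length));
  const authz = route.security?.authz;

  let status: Status;
  if (authz && legacyPrivileges.length > 0) status = 'mixed'; // half-migrated
  else if (authz && 'enabled' in authz) status = 'opted-out'; // needs a reviewed reason
  else if (authz) status = 'migrated';
  else if (legacyPrivileges.length > 0) status = 'legacy-tags';
  else status = 'missing-authz'; // no authorization declared at all
  return { path: route.path, status, legacyPrivileges };
}

// Everything except cleanly migrated routes is returned for review.
function auditRoutes(routes: RouteDef[]): Finding[] {
  return routes.map(auditRoute).filter((f) => f.status !== 'migrated');
}

// Constructed sample routes; paths and privilege names are placeholders.
const sampleRoutes: RouteDef[] = [
  { path: '/api/example/legacy', options: { tags: ['access:some_tag'], access: 'public' } },
  { path: '/api/example/migrated', options: { access: 'public' },
    security: { authz: { requiredPrivileges: ['some_tag'] } } },
  { path: '/api/example/mixed', options: { tags: ['access:some_tag'] },
    security: { authz: { requiredPrivileges: ['some_tag'] } } },
  { path: '/internal/example/opted_out', options: { access: 'internal' },
    security: { authz: { enabled: false, reason: 'placeholder reason' } } },
  { path: '/internal/example/missing', options: { tags: ['example-tag'], access: 'internal' } },
];

for (const f of auditRoutes(sampleRoutes)) console.log(`${f.status}\t${f.path}`);
```
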
@elasticmachine
Contributor

Pinging @elastic/obs-ux-management-team (Team:obs-ux-management)

@jasonrhodes jasonrhodes self-assigned this Dec 16, 2024
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Dec 16, 2024
…#204472)

Closes elastic#203326

## Summary

Updating this obs alerting endpoint to use the new `security.authz`
paradigm. Note: this endpoint may not be in use at all but it's been
"available" now for three years so we likely can't just remove it
without somehow confirming it's not needed.

## Testing

* Start this PR using config that points at the shared "edge" cluster
via oblt-cli CCS
* Create a user with no roles at all
* Use that user/password in the following REST call: `curl -X GET -u
"$USERNAME:$PASSWORD"
"$KIBANA_BASE_URL/api/observability/rules/alerts/dynamic_index_pattern?registrationContexts=observability.metrics&registrationContexts=observability.logs&namespace=default"
-H "elastic-api-version: 2023-10-31"`
* You should get results like this:
`[".alerts-observability.metrics.alerts-default",
".alerts-observability.logs.alerts-default"]`

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 05f2cba)
kibanamachine added a commit that referenced this issue Dec 16, 2024
…204472) (#204489)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Updates auth access model for dynamic_index_pattern endpoint
(#204472)](#204472)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jason Rhodes <[email protected]>
JoseLuisGJ pushed a commit to JoseLuisGJ/kibana that referenced this issue Dec 19, 2024
…#204472)
