[http] Default route access to internal
#161672
Merged
TinaHeiligers
merged 3 commits into
elastic:main
from
TinaHeiligers:kbn-161371-relax-API-access-restrictions
Jul 12, 2023
Conversation
TinaHeiligers added the Feature:http, Team:Core, Epic:VersionedAPIs and Project:Serverless labels on Jul 11, 2023
cc @jloleysens Here's the draft for relaxing API restrictions

Pinging @elastic/kibana-core (Team:Core)
pgayvallet
approved these changes
Jul 12, 2023
LGTM
jloleysens
approved these changes
Jul 12, 2023
This was referenced Jul 24, 2023
jeramysoucy
added a commit
that referenced
this pull request
Jul 26, 2023
Subset of #161337
Unblocks #162149

## Summary

This PR uses the access 'public' option when registering the `GET /api/security/logout` and `POST /api/security/saml/callback` APIs. This will ensure they have public access in serverless, while all other APIs will default to internal. PR #161672 changes default access of registered endpoints to 'internal', meaning that API owners have to explicitly set access: public to pass the API protection restriction. This PR also adds internal headers to the existing serverless Spaces API tests. This unblocks the PR to enable API protection in serverless (#162149).

---------

Co-authored-by: kibanamachine <[email protected]>
ThomThomson
pushed a commit
to ThomThomson/kibana
that referenced
this pull request
Aug 1, 2023
…62523)

Subset of elastic#161337
Unblocks elastic#162149

## Summary

This PR uses the access 'public' option when registering the `GET /api/security/logout` and `POST /api/security/saml/callback` APIs. This will ensure they have public access in serverless, while all other APIs will default to internal. PR elastic#161672 changes default access of registered endpoints to 'internal', meaning that API owners have to explicitly set access: public to pass the API protection restriction. This PR also adds internal headers to the existing serverless Spaces API tests. This unblocks the PR to enable API protection in serverless (elastic#162149).

---------

Co-authored-by: kibanamachine <[email protected]>
Labels
backport:skip
This commit does not require backporting
Epic:VersionedAPIs
Kibana Versioned APIs
Feature:http
Project:Serverless
Work as part of the Serverless project for its initial release
release_note:fix
Team:Core
Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
v8.10.0
fix #161371

Kibana enforces restricting access to public APIs if a request can't be verified using a header.
By default, Kibana interprets if an API is internal or public based on the route path string if not explicitly set otherwise.
That means that all routes that don't have an `internal` prefix in the path string become `public`, and need the header to pass validation in core's server route handler. We need to change that to rather set the default as `internal` and allow teams who specifically want their APIs to be `public`, to declare their route `access` property as `public` themselves.

Checklist

Risk Matrix

`public` APIs that don't override the default: `public` APIs without the required header will fail.
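The following is an added example, not Kibana's own code, that models the change the PR describes: route access used to be inferred from the path prefix, and is now `internal` unless the owner explicitly declares `access: 'public'`. Enforcement follows the referenced commit message (routes must be explicitly public to pass the API protection restriction, so an internal route needs the verification header). All names are hypothetical, the header name is a placeholder because the page does not state it, and the sample routes are constructed.

```typescript
// Added example (not Kibana's code): models the route-access default change.
export type RouteAccess = 'public' | 'internal';

export interface RouteDefinition {
  path: string;
  access?: RouteAccess; // set explicitly by the route owner, if at all
}

// Placeholder for the verification header name (not stated on the page).
export const INTERNAL_ORIGIN_HEADER = 'x-internal-origin-placeholder';

// Before the PR: access is inferred from the path unless explicitly declared.
export function resolveAccessBefore(route: RouteDefinition): RouteAccess {
  if (route.access !== undefined) return route.access;
  return route.path.startsWith('/internal/') ? 'internal' : 'public';
}

// After the PR: every route is internal unless its owner opts in to public.
export function resolveAccessAfter(route: RouteDefinition): RouteAccess {
  return route.access ?? 'internal';
}

export interface Decision {
  access: RouteAccess;
  allowed: boolean;
  reason: string;
}

// Enforcement as the referenced commit message describes it: public routes
// pass; internal routes require the verification header (case-insensitive).
export function checkRequest(
  route: RouteDefinition,
  headers: Record<string, string | undefined>,
  resolve: (r: RouteDefinition) => RouteAccess = resolveAccessAfter,
): Decision {
  const access = resolve(route);
  if (access === 'public') {
    return { access, allowed: true, reason: 'public route' };
  }
  const origin = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === INTERNAL_ORIGIN_HEADER,
  )?.[1];
  if (origin !== undefined && origin !== '') {
    return { access, allowed: true, reason: 'internal route with verification header' };
  }
  return { access, allowed: false, reason: 'internal route without verification header' };
}

// Constructed sample routes: one relying on the default, one internal by
// path prefix, one that explicitly opts in (as the commit message describes).
export const sampleRoutes: RouteDefinition[] = [
  { path: '/api/widgets' },
  { path: '/internal/widgets/_debug' },
  { path: '/api/security/logout', access: 'public' },
];

// Lists the routes whose effective access changes when the default flips;
// these are exactly the routes the risk matrix warns about.
export function routesThatFlip(routes: RouteDefinition[]): string[] {
  return routes
    .filter((r) => resolveAccessBefore(r) !== resolveAccessAfter(r))
    .map((r) => r.path);
}
```

Running `routesThatFlip(sampleRoutes)` reports `/api/widgets`, the route that never declared `access` and therefore silently becomes internal; `checkRequest` then rejects a request to it that lacks the header, while the explicitly public logout route still passes.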