
Authorized route migration for routes owned by @elastic/kibana-core #198187

Merged on Nov 8, 2024 (4 commits)

@kibanamachine kibanamachine commented Oct 29, 2024

Authz API migration for authorized routes

This PR migrates access:<privilege> tags used in route definitions to the new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

Access control tags were defined in the options object of the route:

router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);

After migration:

Tags have been replaced with the more robust security.authz.requiredPrivileges field under security:

router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. You might need to update your tests to reflect the new security configuration:
     • If you have tests that rely on checking access tags.
     • If you have snapshot tests that include the route definition.
     • If you have FTR tests that rely on checking the unauthorized error message. The error message changed to also include missing privileges.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 29, 2024
@kibanamachine kibanamachine requested review from a team as code owners October 29, 2024 19:10
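
The tag-to-`requiredPrivileges` mapping from the PR description above, as an added TypeScript example that is not part of this PR or of Kibana's code base. `RouteConfig` is a simplified, hypothetical shape, and the helper names, sample paths and privilege names are constructed for illustration; the second helper is the kind of check a test can use to confirm that no route still depends on `access:` tags.

```typescript
// Simplified, hypothetical route shape (assumption: not Kibana's real types).
interface RouteConfig {
  path: string;
  options?: { tags?: string[] };
  security?: { authz: { requiredPrivileges: string[] } };
}

const ACCESS_PREFIX = 'access:';
const isAccessTag = (tag: string): boolean => tag.indexOf(ACCESS_PREFIX) === 0;

// Move every 'access:<privilege>' tag into security.authz.requiredPrivileges.
// Other tags stay in options.tags; the input object is not mutated.
function migrateRouteConfig(route: RouteConfig): RouteConfig {
  const tags = route.options?.tags ?? [];
  const fromTags = tags.filter(isAccessTag).map((t) => t.slice(ACCESS_PREFIX.length));
  if (fromTags.length === 0) return route; // nothing to migrate

  const existing = route.security?.authz.requiredPrivileges ?? [];
  // Union of both sources: no privilege is dropped, none is listed twice.
  const requiredPrivileges = existing
    .concat(fromTags)
    .filter((p, i, all) => all.indexOf(p) === i);

  const migrated: RouteConfig = { ...route, security: { authz: { requiredPrivileges } } };
  const otherTags = tags.filter((t) => !isAccessTag(t));
  if (otherTags.length > 0) {
    migrated.options = { tags: otherTags };
  } else {
    delete migrated.options; // no tags left, so drop the empty options object
  }
  return migrated;
}

// Paths of routes that still carry legacy access tags; usable as a test or CI gate.
function findLegacyAccessRoutes(routes: RouteConfig[]): string[] {
  return routes
    .filter((r) => (r.options?.tags ?? []).some(isAccessTag))
    .map((r) => r.path);
}

// Constructed sample routes (paths and privilege names are made up).
const sampleRoutes: RouteConfig[] = [
  { path: '/api/example/a', options: { tags: ['access:example_read', 'access:example_write'] } },
  { path: '/api/example/b', options: { tags: ['access:example_read', 'internal'] } },
  { path: '/api/example/c', options: { tags: ['internal'] } },
];
const migratedRoutes = sampleRoutes.map(migrateRouteConfig);
```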
@elasticmachine

Pinging @elastic/kibana-core (Team:Core)

@afharo afharo self-assigned this Oct 30, 2024

@afharo afharo left a comment

🚀

@afharo afharo enabled auto-merge (squash) October 30, 2024 14:14
@afharo afharo added the Team:Cloud Security Cloud Security team related label Nov 5, 2024
@elasticmachine

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@opauloh opauloh self-requested a review November 7, 2024 22:54
@elasticmachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @afharo


@opauloh opauloh left a comment

Cloud Security Posture changes LGTM

Tested locally with a user with minimum permission to access cloud security posture pages and it's working as intended.

Tested locally on Serverless as well.

@afharo afharo merged commit 543cc2f into main Nov 8, 2024
23 checks passed
@afharo afharo deleted the authz-migration/authorized-routes-by-kibana-core branch November 8, 2024 00:48
@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11733945263

@kibanamachine

💔 All backports failed

Status Branch Result
8.x Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 198187

Questions ?

Please refer to the Backport tool documentation

@afharo afharo removed the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Nov 8, 2024
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Nov 8, 2024
@afharo afharo added backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) and removed backport:skip This commit does not require backporting labels Nov 8, 2024
@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11740548890

@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11740548893

mbondyra pushed a commit to mbondyra/kibana that referenced this pull request Nov 8, 2024
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Nov 8, 2024
@afharo

afharo commented Nov 8, 2024

I will retry the backport when #199470 is merged

@afharo afharo removed the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Nov 8, 2024
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Nov 8, 2024
@afharo afharo added backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) and removed backport:skip This commit does not require backporting labels Nov 8, 2024
@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11744133143

@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11744133248

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 8, 2024
…lastic#198187)

Co-authored-by: Alejandro Fernández Haro <[email protected]>
(cherry picked from commit 543cc2f)
@kibanamachine

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Nov 8, 2024
…core (#198187) (#199489)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by @elastic/kibana-core
(#198187)](#198187)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:Cloud Security Cloud Security team related Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc v8.17.0 v9.0.0