[upgrade assistant] Add authz info to REST api endpoints (elastic#205071

) ## Summary Simply adding `authz` info to REST endpoints as part of elastic#204531
kibanamachine · Jan 6, 2025 · 4eb9006 · 4eb9006
1 parent 69cb966
commit 4eb9006
Show file tree

Hide file tree

Showing 14 changed files with 126 additions and 3 deletions.
diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/app.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/app.ts
@@ -43,6 +43,12 @@ export function registerAppRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/privileges`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cloud_backup_status.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cloud_backup_status.ts
@@ -15,7 +15,16 @@ export function registerCloudBackupStatusRoutes({
 }: RouteDependencies) {
   // GET most recent Cloud snapshot
   router.get(
-    { path: `${API_BASE_PATH}/cloud_backup_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cloud_backup_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     versionCheckHandlerWrapper(async (context, request, response) => {
       const { client: clusterClient } = (await context.core).elasticsearch;
 

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_settings.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_settings.ts
@@ -17,6 +17,12 @@ export function registerClusterSettingsRoute({
   router.post(
     {
       path: `${API_BASE_PATH}/cluster_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           settings: schema.arrayOf(schema.string()),

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_upgrade_status.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_upgrade_status.ts
@@ -11,7 +11,16 @@ import { RouteDependencies } from '../types';
 
 export function registerClusterUpgradeStatusRoutes({ router }: RouteDependencies) {
   router.get(
-    { path: `${API_BASE_PATH}/cluster_upgrade_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cluster_upgrade_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Lightweight endpoint',
+        },
+      },
+      validate: false,
+    },
     // We're just depending on the version check to return a 426.
     // Otherwise we just return a 200.
     versionCheckHandlerWrapper(async (context, request, response) => {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/deprecation_logging.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/deprecation_logging.ts
@@ -28,6 +28,12 @@ export function registerDeprecationLoggingRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
@@ -46,6 +52,12 @@ export function registerDeprecationLoggingRoutes({
   router.put(
     {
       path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           isEnabled: schema.boolean(),
@@ -70,6 +82,12 @@ export function registerDeprecationLoggingRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/deprecation_logging/count`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         query: schema.object({
           from: schema.string(),
@@ -124,6 +142,12 @@ export function registerDeprecationLoggingRoutes({
   router.delete(
     {
       path: `${API_BASE_PATH}/deprecation_logging/cache`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/es_deprecations.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/es_deprecations.ts
@@ -22,6 +22,12 @@ export function registerESDeprecationRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/es_deprecations`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts
@@ -145,6 +145,12 @@ export function registerMlSnapshotRoutes({
   router.post(
     {
       path: `${API_BASE_PATH}/ml_snapshots`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           snapshotId: schema.string(),
@@ -195,6 +201,12 @@ export function registerMlSnapshotRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/ml_snapshots/{jobId}/{snapshotId}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           snapshotId: schema.string(),

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/node_disk_space.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/node_disk_space.ts
@@ -47,6 +47,12 @@ export function registerNodeDiskSpaceRoute({ router, lib: { handleEsError } }: R
   router.get(
     {
       path: `${API_BASE_PATH}/node_disk_space`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

diff --git a/.../plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts b/.../plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
@@ -36,6 +36,12 @@ export function registerBatchReindexIndicesRoutes(
   router.get(
     {
       path: `${BASE_PATH}/batch/queue`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Get the batch reindex queue`,
@@ -75,6 +81,12 @@ export function registerBatchReindexIndicesRoutes(
   router.post(
     {
       path: `${BASE_PATH}/batch`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Batch start or resume reindex`,

diff --git a/...atform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts b/...atform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
@@ -34,6 +34,12 @@ export function registerReindexIndicesRoutes(
   router.post(
     {
       path: `${BASE_PATH}/{indexName}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Start or resume reindex`,

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/remote_clusters.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/remote_clusters.ts
@@ -13,6 +13,12 @@ export function registerRemoteClustersRoute({ router, lib: { handleEsError } }:
   router.get(
     {
       path: `${API_BASE_PATH}/remote_clusters`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/status.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/status.ts
@@ -24,6 +24,12 @@ export function registerUpgradeStatusRoute({
   router.get(
     {
       path: `${API_BASE_PATH}/status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Get upgrade readiness status`,

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts
@@ -19,7 +19,16 @@ export function registerSystemIndicesMigrationRoutes({
 }: RouteDependencies) {
   // GET status of the system indices migration
   router.get(
-    { path: `${API_BASE_PATH}/system_indices_migration`, validate: false },
+    {
+      path: `${API_BASE_PATH}/system_indices_migration`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
       try {
         const {

diff --git a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/update_index_settings.ts b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/update_index_settings.ts
@@ -14,6 +14,12 @@ export function registerUpdateSettingsRoute({ router }: RouteDependencies) {
   router.post(
     {
       path: `${API_BASE_PATH}/{indexName}/index_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           indexName: schema.string(),