Added DisabledAuthz utility (#216633)

## Summary

Added the `DisabledAuthz` utility class; this will address the current
repetition of the reason string `'This route delegates authorization to
the ES/SO client'` and other common scenarios.

__Closes: https://github.com/elastic/kibana/issues/216632__

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
Elena Shostak 2025-04-08 12:59:28 +02:00 committed by GitHub
parent 05712f2bf8
commit 18ca869d92
8 changed files with 37 additions and 25 deletions


@ -50,5 +50,5 @@ export type {
export type { KibanaPrivilegesType, ElasticsearchPrivilegesType } from './src/roles';
export { isCreateRestAPIKeyParams } from './src/authentication/api_keys';
export type { CoreFipsService } from './src/fips';
export { AuthzDisabled, AuthzOptOutReason, unwindNestedSecurityPrivileges } from './src/authz';
export { ApiPrivileges, ApiOperation } from './src/api_privileges';
export { unwindNestedSecurityPrivileges } from './src/authz';


@ -7,6 +7,29 @@
* License v3.0 only", or the "Server Side Public License, v 1".
*/
export enum AuthzOptOutReason {
DelegateToESClient = 'Route delegates authorization to the scoped ES client',
DelegateToSOClient = 'Route delegates authorization to the scoped SO client',
ServeStaticFiles = 'Route serves static files that do not require authorization',
}
export class AuthzDisabled {
public static fromReason(reason: AuthzOptOutReason | string): { enabled: false; reason: string } {
return {
enabled: false,
reason,
};
}
static readonly delegateToESClient = AuthzDisabled.fromReason(
AuthzOptOutReason.DelegateToESClient
);
static readonly delegateToSOClient = AuthzDisabled.fromReason(
AuthzOptOutReason.DelegateToSOClient
);
static readonly serveStaticFiles = AuthzDisabled.fromReason(AuthzOptOutReason.ServeStaticFiles);
}
export const unwindNestedSecurityPrivileges = <
T extends Array<string | { allOf?: string[]; anyOf?: string[] }>
>(
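Review bot: The parameter type `AuthzOptOutReason | string` on `fromReason` collapses to plain `string`, because members of a string enum are subtypes of `string`, so the enum contributes no checking or editor hint at call sites; either declare the parameter as `string` and document the enum as the preferred source, or add a dedicated overload `fromReason(reason: AuthzOptOutReason)` ahead of the general one. The three static members are single shared, mutable objects that every route passes as its `security.authz`, so an accidental write to `reason` or `enabled` on one of them would silently change the authz declaration of all routes using it; returning `Readonly<{ enabled: false; reason: string }>` and freezing the object with `return Object.freeze({ enabled: false, reason });` removes that shared-state risk at no cost. Both `AuthzOptOutReason` and `AuthzDisabled` are exported without TSDoc; a header such as `/** Standard security.authz opt-out values for routes that delegate authorization to the scoped ES/SO client or only serve static assets. */` on the class would tell route authors when each member applies. The file continues past the hunk: `unwindNestedSecurityPrivileges` begins on its last lines.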


@ -6,6 +6,7 @@
*/
import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
@ -22,10 +23,7 @@ export function defineDeleteRolesRoutes({ router }: RouteDefinitionParams) {
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(


@ -6,6 +6,7 @@
*/
import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
@ -29,10 +30,7 @@ export function defineGetRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(


@ -6,6 +6,7 @@
*/
import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
@ -30,10 +31,7 @@ export function defineGetAllRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(


@ -5,6 +5,8 @@
* 2.0.
*/
import { AuthzDisabled } from '@kbn/core-security-server';
import { roleGrantsSubFeaturePrivileges } from './lib';
import {
getBulkCreateOrUpdatePayloadSchema,
@ -49,10 +51,7 @@ export function defineBulkCreateOrUpdateRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(


@ -6,6 +6,7 @@
*/
import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import { roleGrantsSubFeaturePrivileges } from './lib';
import { getPutPayloadSchema, transformPutPayloadToElasticsearchRole } from './model';
@ -32,10 +33,7 @@ export function definePutRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(


@ -6,6 +6,7 @@
*/
import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import type { QueryRolesResult } from '@kbn/security-plugin-types-common';
import type { RouteDefinitionParams } from '../..';
@ -34,10 +35,7 @@ export function defineQueryRolesRoutes({
tags: ['oas-tags:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(