Unauthorized route migration for routes owned by response-ops (#198336)

### Authz API migration for unauthorized routes This PR migrates unauthorized routes owned by your team to a new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** ```ts router.get({ path: '/api/path', ... }, handler); ``` ### **After migration:** ```ts router.get({ path: '/api/path', security: { authz: { enabled: false, reason: 'This route is opted out from authorization because ...', }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. Elaborate on the reasoning to opt-out of authorization. 3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible. 2. You might need to update your tests to reflect the new security configuration: - If you have snapshot tests that include the route definition. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: adcoelho <antonio.coelho@elastic.co>
2025-04-24 17:59:23 -04:00 · 2024-12-24 01:05:43 +11:00 · 2024-12-24 01:05:43 +11:00 · 1df66ad4c7
commit 1df66ad4c7
parent 3083706bc9
6 changed files with 43 additions and 0 deletions
--- a/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts
+++ b/x-pack/plugins/task_manager/server/routes/background_task_utilization.ts
@ -111,6 +111,13 @@ export function backgroundTaskUtilizationRoute(
    router.get(
      {
        path: `/${routeOption.basePath}/task_manager/_background_task_utilization`,
+        security: {
+          authz: {
+            enabled: false,
+            reason:
+              'This route is opted out from authorization. It can be accessed with JWT credentials.',
+          },
+        },
        // Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
        // options: { tags: ['access:taskManager'] },
        validate: false,
--- a/x-pack/plugins/task_manager/server/routes/health.ts
+++ b/x-pack/plugins/task_manager/server/routes/health.ts
@ -139,6 +139,14 @@ export function healthRoute(params: HealthRouteParams): {
  router.get(
    {
      path: '/api/task_manager/_health',
+      security: {
+        authz: {
+          enabled: false,
+          // https://github.com/elastic/kibana/issues/136157
+          reason:
+            'This route is opted out from authorization. Authorization is planned but not implemented yet(breaking change).',
+        },
+      },
      // Uncomment when we determine that we can restrict API usage to Global admins based on telemetry
      // options: { tags: ['access:taskManager'] },
      validate: false,
--- a/x-pack/plugins/task_manager/server/routes/metrics.ts
+++ b/x-pack/plugins/task_manager/server/routes/metrics.ts
@ -48,6 +48,13 @@ export function metricsRoute(params: MetricsRouteParams) {
  router.get(
    {
      path: `/api/task_manager/metrics`,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization. It can be accessed with JWT credentials.',
+        },
+      },
      options: {
        access: 'public',
        // The `security:acceptJWT` tag allows route to be accessed with JWT credentials. It points to
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/fields.ts
@ -29,6 +29,13 @@ export function createFieldsRoute(logger: Logger, router: IRouter, baseRoute: st
  router.post(
    {
      path,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization as it relies on ES authorization instead.',
+        },
+      },
      validate: {
        body: bodySchema,
      },
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/indices.ts
@ -33,6 +33,13 @@ export function createIndicesRoute(logger: Logger, router: IRouter, baseRoute: s
  router.post(
    {
      path,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization as it relies on ES authorization instead.',
+        },
+      },
      validate: {
        body: bodySchema,
      },
--- a/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts
+++ b/x-pack/plugins/triggers_actions_ui/server/data/routes/time_series_query.ts
@ -28,6 +28,13 @@ export function createTimeSeriesQueryRoute(
  router.post(
    {
      path,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization as it relies on ES authorization instead.',
+        },
+      },
      validate: {
        body: TimeSeriesQuerySchema,
      },