Authorized route migration for routes owned by @elastic/kibana-cloud-security-posture (#198189)

### Authz API migration for authorized routes This PR migrates `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### What to do next? 1. Review the changes in this PR. 2. You might need to update your tests to reflect the new security configuration: - If you have tests that rely on checking `access` tags. - If you have snapshot tests that include the route definition. - If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges. ## Any questions? If you have any questions or need help with API authorization, please reach out to the `@elastic/kibana-security` team. --------- Co-authored-by: Paulo Silva <paulo.henrique@elastic.co>
2025-04-24 09:48:58 -04:00 · 2024-11-19 23:18:49 +11:00 · 2024-11-19 23:18:49 +11:00 · 2dc1ce3151
commit 2dc1ce3151
parent 75be9c30bf
2 changed files with 8 additions and 4 deletions
--- a/x-pack/plugins/cloud_defend/server/routes/policies/policies.ts
+++ b/x-pack/plugins/cloud_defend/server/routes/policies/policies.ts
@ -60,8 +60,10 @@ export const defineGetPoliciesRoute = (router: CloudDefendRouter) =>
    .get({
      access: 'internal',
      path: POLICIES_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-defend-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-defend-read'],
+        },
      },
    })
    .addVersion(
--- a/x-pack/plugins/cloud_defend/server/routes/status/status.ts
+++ b/x-pack/plugins/cloud_defend/server/routes/status/status.ts
@ -218,8 +218,10 @@ export const defineGetCloudDefendStatusRoute = (router: CloudDefendRouter) =>
    .get({
      access: 'internal',
      path: STATUS_ROUTE_PATH,
-      options: {
-        tags: ['access:cloud-defend-read'],
+      security: {
+        authz: {
+          requiredPrivileges: ['cloud-defend-read'],
+        },
      },
    })
    .addVersion({ version: '1', validate: {} }, async (context, request, response) => {