[upgrade assistant] Add authz info to REST api endpoints (#205071)

## Summary Simply adding `authz` info to REST endpoints as part of https://github.com/elastic/kibana/pull/204531
2025-04-23 17:28:26 -04:00 · 2025-01-06 05:43:30 -06:00 · 2025-01-06 05:43:30 -06:00 · 4eb900651a
commit 4eb900651a
parent 69cb96654b
14 changed files with 126 additions and 3 deletions
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/app.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/app.ts
@ -43,6 +43,12 @@ export function registerAppRoutes({
  router.get(
    {
      path: `${API_BASE_PATH}/privileges`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cloud_backup_status.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cloud_backup_status.ts
@ -15,7 +15,16 @@ export function registerCloudBackupStatusRoutes({
 }: RouteDependencies) {
  // GET most recent Cloud snapshot
  router.get(
-    { path: `${API_BASE_PATH}/cloud_backup_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cloud_backup_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    versionCheckHandlerWrapper(async (context, request, response) => {
      const { client: clusterClient } = (await context.core).elasticsearch;

--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_settings.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_settings.ts
@ -17,6 +17,12 @@ export function registerClusterSettingsRoute({
  router.post(
    {
      path: `${API_BASE_PATH}/cluster_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: {
        body: schema.object({
          settings: schema.arrayOf(schema.string()),
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_upgrade_status.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_upgrade_status.ts
@ -11,7 +11,16 @@ import { RouteDependencies } from '../types';

 export function registerClusterUpgradeStatusRoutes({ router }: RouteDependencies) {
  router.get(
-    { path: `${API_BASE_PATH}/cluster_upgrade_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cluster_upgrade_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Lightweight endpoint',
+        },
+      },
+      validate: false,
+    },
    // We're just depending on the version check to return a 426.
    // Otherwise we just return a 200.
    versionCheckHandlerWrapper(async (context, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/deprecation_logging.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/deprecation_logging.ts
@ -28,6 +28,12 @@ export function registerDeprecationLoggingRoutes({
  router.get(
    {
      path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
@ -46,6 +52,12 @@ export function registerDeprecationLoggingRoutes({
  router.put(
    {
      path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: {
        body: schema.object({
          isEnabled: schema.boolean(),
@ -70,6 +82,12 @@ export function registerDeprecationLoggingRoutes({
  router.get(
    {
      path: `${API_BASE_PATH}/deprecation_logging/count`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: {
        query: schema.object({
          from: schema.string(),
@ -124,6 +142,12 @@ export function registerDeprecationLoggingRoutes({
  router.delete(
    {
      path: `${API_BASE_PATH}/deprecation_logging/cache`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/es_deprecations.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/es_deprecations.ts
@ -22,6 +22,12 @@ export function registerESDeprecationRoutes({
  router.get(
    {
      path: `${API_BASE_PATH}/es_deprecations`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts
@ -145,6 +145,12 @@ export function registerMlSnapshotRoutes({
  router.post(
    {
      path: `${API_BASE_PATH}/ml_snapshots`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: {
        body: schema.object({
          snapshotId: schema.string(),
@ -195,6 +201,12 @@ export function registerMlSnapshotRoutes({
  router.get(
    {
      path: `${API_BASE_PATH}/ml_snapshots/{jobId}/{snapshotId}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
      validate: {
        params: schema.object({
          snapshotId: schema.string(),
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/node_disk_space.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/node_disk_space.ts
@ -47,6 +47,12 @@ export function registerNodeDiskSpaceRoute({ router, lib: { handleEsError } }: R
  router.get(
    {
      path: `${API_BASE_PATH}/node_disk_space`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
@ -36,6 +36,12 @@ export function registerBatchReindexIndicesRoutes(
  router.get(
    {
      path: `${BASE_PATH}/batch/queue`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      options: {
        access: 'public',
        summary: `Get the batch reindex queue`,
@ -75,6 +81,12 @@ export function registerBatchReindexIndicesRoutes(
  router.post(
    {
      path: `${BASE_PATH}/batch`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      options: {
        access: 'public',
        summary: `Batch start or resume reindex`,
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
@ -34,6 +34,12 @@ export function registerReindexIndicesRoutes(
  router.post(
    {
      path: `${BASE_PATH}/{indexName}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
      options: {
        access: 'public',
        summary: `Start or resume reindex`,
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/remote_clusters.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/remote_clusters.ts
@ -13,6 +13,12 @@ export function registerRemoteClustersRoute({ router, lib: { handleEsError } }:
  router.get(
    {
      path: `${API_BASE_PATH}/remote_clusters`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: false,
    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/status.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/status.ts
@ -24,6 +24,12 @@ export function registerUpgradeStatusRoute({
  router.get(
    {
      path: `${API_BASE_PATH}/status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      options: {
        access: 'public',
        summary: `Get upgrade readiness status`,
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts
@ -19,7 +19,16 @@ export function registerSystemIndicesMigrationRoutes({
 }: RouteDependencies) {
  // GET status of the system indices migration
  router.get(
-    { path: `${API_BASE_PATH}/system_indices_migration`, validate: false },
+    {
+      path: `${API_BASE_PATH}/system_indices_migration`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    versionCheckHandlerWrapper(async ({ core }, request, response) => {
      try {
        const {
--- a/x-pack/platform/plugins/private/upgrade_assistant/server/routes/update_index_settings.ts
+++ b/x-pack/platform/plugins/private/upgrade_assistant/server/routes/update_index_settings.ts
@ -14,6 +14,12 @@ export function registerUpdateSettingsRoute({ router }: RouteDependencies) {
  router.post(
    {
      path: `${API_BASE_PATH}/{indexName}/index_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: {
        params: schema.object({
          indexName: schema.string(),