🌊 Streams: Define explicit authorization (#209787)
Related to https://github.com/elastic/kibana-team/issues/1236 Adds a couple of missing explicit authorization opt-outs (since we rely on Elasticsearch permissions everywhere). For some endpoints in the dashboards routes we didn't check Elasticsearch first; I added those checks.
This commit is contained in:
parent
734fc175a3
commit
4f38cf96d2
2 changed files with 60 additions and 9 deletions
|
@ -57,8 +57,16 @@ const listDashboardsRoute = createServerRoute({
|
|||
id: z.string(),
|
||||
}),
|
||||
}),
|
||||
async handler({ params, request, assets }): Promise<ListDashboardsResponse> {
|
||||
const assetsClient = await assets.getClientWithRequest({ request });
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
async handler({ params, request, getScopedClients }): Promise<ListDashboardsResponse> {
|
||||
const { assetClient, streamsClient } = await getScopedClients({ request });
|
||||
await streamsClient.ensureStream(params.path.id);
|
||||
|
||||
const {
|
||||
path: { id: streamId },
|
||||
|
@ -70,7 +78,7 @@ const listDashboardsRoute = createServerRoute({
|
|||
|
||||
return {
|
||||
dashboards: (
|
||||
await assetsClient.getAssets({
|
||||
await assetClient.getAssets({
|
||||
entityId: streamId,
|
||||
entityType: 'stream',
|
||||
})
|
||||
|
@ -86,6 +94,13 @@ const linkDashboardRoute = createServerRoute({
|
|||
options: {
|
||||
access: 'internal',
|
||||
},
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
params: z.object({
|
||||
path: z.object({
|
||||
id: z.string(),
|
||||
|
@ -95,6 +110,7 @@ const linkDashboardRoute = createServerRoute({
|
|||
handler: async ({ params, request, getScopedClients }): Promise<LinkDashboardResponse> => {
|
||||
const { assetClient, streamsClient } = await getScopedClients({ request });
|
||||
|
||||
await streamsClient.ensureStream(params.path.id);
|
||||
const {
|
||||
path: { dashboardId, id: streamId },
|
||||
} = params;
|
||||
|
@ -119,20 +135,29 @@ const unlinkDashboardRoute = createServerRoute({
|
|||
options: {
|
||||
access: 'internal',
|
||||
},
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
params: z.object({
|
||||
path: z.object({
|
||||
id: z.string(),
|
||||
dashboardId: z.string(),
|
||||
}),
|
||||
}),
|
||||
handler: async ({ params, request, assets }): Promise<UnlinkDashboardResponse> => {
|
||||
const assetsClient = await assets.getClientWithRequest({ request });
|
||||
handler: async ({ params, request, getScopedClients }): Promise<UnlinkDashboardResponse> => {
|
||||
const { assetClient, streamsClient } = await getScopedClients({ request });
|
||||
|
||||
await streamsClient.ensureStream(params.path.id);
|
||||
|
||||
const {
|
||||
path: { dashboardId, id: streamId },
|
||||
} = params;
|
||||
|
||||
await assetsClient.unlinkAsset({
|
||||
await assetClient.unlinkAsset({
|
||||
entityId: streamId,
|
||||
entityType: 'stream',
|
||||
assetId: dashboardId,
|
||||
|
@ -150,6 +175,13 @@ const suggestDashboardsRoute = createServerRoute({
|
|||
options: {
|
||||
access: 'internal',
|
||||
},
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
params: z.object({
|
||||
path: z.object({
|
||||
id: z.string(),
|
||||
|
@ -161,8 +193,10 @@ const suggestDashboardsRoute = createServerRoute({
|
|||
tags: z.optional(z.array(z.string())),
|
||||
}),
|
||||
}),
|
||||
handler: async ({ params, request, assets }): Promise<SuggestDashboardResponse> => {
|
||||
const assetsClient = await assets.getClientWithRequest({ request });
|
||||
handler: async ({ params, request, getScopedClients }): Promise<SuggestDashboardResponse> => {
|
||||
const { assetClient, streamsClient } = await getScopedClients({ request });
|
||||
|
||||
await streamsClient.ensureStream(params.path.id);
|
||||
|
||||
const {
|
||||
query: { query },
|
||||
|
@ -170,7 +204,7 @@ const suggestDashboardsRoute = createServerRoute({
|
|||
} = params;
|
||||
|
||||
const suggestions = (
|
||||
await assetsClient.getSuggestions({
|
||||
await assetClient.getSuggestions({
|
||||
assetTypes: ['dashboard'],
|
||||
query,
|
||||
tags,
|
||||
|
@ -194,6 +228,13 @@ const bulkDashboardsRoute = createServerRoute({
|
|||
options: {
|
||||
access: 'internal',
|
||||
},
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
params: z.object({
|
||||
path: z.object({
|
||||
id: z.string(),
|
||||
|
|
|
@ -18,6 +18,16 @@ import { createServerRoute } from '../create_server_route';
|
|||
|
||||
export const executeEsqlRoute = createServerRoute({
|
||||
endpoint: 'POST /internal/streams/esql',
|
||||
options: {
|
||||
access: 'internal',
|
||||
},
|
||||
security: {
|
||||
authz: {
|
||||
enabled: false,
|
||||
reason:
|
||||
'This API delegates security to the currently logged in user and their Elasticsearch permissions.',
|
||||
},
|
||||
},
|
||||
params: z.object({
|
||||
body: z.object({
|
||||
query: z.string(),
|
||||
|
|