Unauthorized route migration for routes owned by fleet (#198330)

src/plugins/custom_integrations/server/routes/define_routes.ts

@@ -22,6 +22,11 @@ export function defineRoutes(
     {
       path: ROUTES_APPEND_CUSTOM_INTEGRATIONS,
       validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['integrations-read'],
+        },
+      },
     },
     async (context, request, response) => {
       const integrations = customIntegrationsRegistry.getAppendCustomIntegrations();
@@ -35,6 +40,11 @@ export function defineRoutes(
     {
       path: ROUTES_REPLACEMENT_CUSTOM_INTEGRATIONS,
       validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['integrations-read'],
+        },
+      },
     },
     async (context, request, response) => {
       const integrations = customIntegrationsRegistry.getReplacementCustomIntegrations();

x-pack/plugins/fleet/server/services/security/fleet_router.ts

@@ -14,7 +14,7 @@ import {
   type RequestHandler,
   type RouteMethod,
 } from '@kbn/core/server';
-import type { VersionedRouteConfig } from '@kbn/core-http-server';
+import type { RouteSecurity, VersionedRouteConfig } from '@kbn/core-http-server';
 
 import { PUBLIC_API_ACCESS } from '../../../common/constants';
 import type { FleetRequestHandlerContext } from '../..';
@@ -35,6 +35,14 @@ import {
   doesNotHaveRequiredFleetAuthz,
 } from './security';
 
+export const DEFAULT_FLEET_ROUTE_SECURITY: RouteSecurity = {
+  authz: {
+    enabled: false,
+    reason:
+      'This route is opted out from authorization because Fleet use his own authorization model.',
+  },
+};
+
 function withDefaultPublicAccess<Method extends RouteMethod>(
   options: FleetVersionedRouteConfig<Method>
 ): VersionedRouteConfig<Method> {
@@ -44,6 +52,7 @@ function withDefaultPublicAccess<Method extends RouteMethod>(
     return {
       ...options,
       access: PUBLIC_API_ACCESS,
+      security: DEFAULT_FLEET_ROUTE_SECURITY,
     };
   }
 }