[Authz]: added reason for authorization opt out for snapshot_restore routes (#213888)

## Summary Added reason for authorization opt out for `snapshot_restore` routes. ### Checklist - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2025-03-17 13:15:45 +01:00 · 2025-03-17 13:15:45 +01:00 · 59e606cdc4
commit 59e606cdc4
parent 644cc2c974
4 changed files with 162 additions and 12 deletions
--- a/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/policy.ts
+++ b/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/policy.ts
@ -95,7 +95,16 @@ export function registerPolicyRoutes({

  // Create policy
  router.post(
-    { path: addBasePath('policies'), validate: { body: policySchema } },
+    {
+      path: addBasePath('policies'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: policySchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;

@ -134,6 +143,12 @@ export function registerPolicyRoutes({
  router.put(
    {
      path: addBasePath('policies/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { params: nameParameterSchema, body: policySchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -162,7 +177,16 @@ export function registerPolicyRoutes({

  // Delete policy
  router.delete(
-    { path: addBasePath('policies/{name}'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('policies/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const { name } = req.params as TypeOf<typeof nameParameterSchema>;
@ -193,7 +217,16 @@ export function registerPolicyRoutes({

  // Execute policy
  router.post(
-    { path: addBasePath('policy/{name}/run'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('policy/{name}/run'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const { name } = req.params as TypeOf<typeof nameParameterSchema>;
@ -212,7 +245,16 @@ export function registerPolicyRoutes({

  // Get policy indices
  router.get(
-    { path: addBasePath('policies/indices'), validate: false },
+    {
+      path: addBasePath('policies/indices'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;

@ -243,7 +285,16 @@ export function registerPolicyRoutes({

  // Get policy feature states
  router.get(
-    { path: addBasePath('policies/features'), validate: false },
+    {
+      path: addBasePath('policies/features'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;

@ -259,7 +310,16 @@ export function registerPolicyRoutes({

  // Get retention settings
  router.get(
-    { path: addBasePath('policies/retention_settings'), validate: false },
+    {
+      path: addBasePath('policies/retention_settings'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const { persistent, transient, defaults } =
@ -288,6 +348,12 @@ export function registerPolicyRoutes({
  router.put(
    {
      path: addBasePath('policies/retention_settings'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { body: retentionSettingsSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -312,7 +378,16 @@ export function registerPolicyRoutes({

  // Execute retention
  router.post(
-    { path: addBasePath('policies/retention'), validate: false },
+    {
+      path: addBasePath('policies/retention'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const response = await clusterClient.asCurrentUser.slm.executeRetention();
@ -322,7 +397,16 @@ export function registerPolicyRoutes({

  // Get snapshot lifecycle management status
  router.get(
-    { path: addBasePath('policies/slm_status'), validate: false },
+    {
+      path: addBasePath('policies/slm_status'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;

--- a/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/repositories.ts
+++ b/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/repositories.ts
@ -172,7 +172,16 @@ export function registerRepositoriesRoutes({

  // GET repository types
  router.get(
-    { path: addBasePath('repository_types'), validate: false },
+    {
+      path: addBasePath('repository_types'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      // module repo types are available everywhere out of the box
@ -212,6 +221,12 @@ export function registerRepositoriesRoutes({
  router.get(
    {
      path: addBasePath('repositories/{name}/verify'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { params: nameParameterSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -246,6 +261,12 @@ export function registerRepositoriesRoutes({
  router.post(
    {
      path: addBasePath('repositories/{name}/cleanup'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { params: nameParameterSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -289,7 +310,16 @@ export function registerRepositoriesRoutes({

  // Create repository
  router.put(
-    { path: addBasePath('repositories'), validate: { body: repositorySchema } },
+    {
+      path: addBasePath('repositories'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: repositorySchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const { name = '', type = '', settings = {} } = req.body as TypeOf<typeof repositorySchema>;
@ -328,6 +358,12 @@ export function registerRepositoriesRoutes({
  router.put(
    {
      path: addBasePath('repositories/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { body: repositorySchema, params: nameParameterSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -362,7 +398,16 @@ export function registerRepositoriesRoutes({

  // Delete repository
  router.delete(
-    { path: addBasePath('repositories/{name}'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('repositories/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;
      const { name } = req.params as TypeOf<typeof nameParameterSchema>;
--- a/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/restore.ts
+++ b/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/restore.ts
@ -104,6 +104,12 @@ export function registerRestoreRoutes({
  router.post(
    {
      path: addBasePath('restore/{repository}/{snapshot}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { body: restoreSettingsSchema, params: restoreParamsSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
--- a/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/snapshots.ts
+++ b/x-pack/platform/plugins/private/snapshot_restore/server/routes/api/snapshots.ts
@ -182,6 +182,12 @@ export function registerSnapshotsRoutes({
  router.get(
    {
      path: addBasePath('snapshots/{repository}/{snapshot}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
      validate: { params: getOneParamsSchema },
    },
    license.guardApiRoute(async (ctx, req, res) => {
@ -239,7 +245,16 @@ export function registerSnapshotsRoutes({

  // DELETE one or multiple snapshots
  router.post(
-    { path: addBasePath('snapshots/bulk_delete'), validate: { body: deleteSchema } },
+    {
+      path: addBasePath('snapshots/bulk_delete'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: deleteSchema },
+    },
    license.guardApiRoute(async (ctx, req, res) => {
      const { client: clusterClient } = (await ctx.core).elasticsearch;