[Files] Add files management privilege to find and metrics endpoints (#143274)

* added files management privileges definition and locked down metrics and find endpoint to management role * [CI] Auto-commit changed files from 'node scripts/precommit_hook.js --ref HEAD~1..HEAD --fix' Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2022-10-26 08:48:05 +02:00 · 2022-10-26 08:48:05 +02:00 · 602de275fc
commit 602de275fc
parent 0afa9a507a
5 changed files with 57 additions and 6 deletions
--- a/x-pack/plugins/files/common/constants.ts
+++ b/x-pack/plugins/files/common/constants.ts
@ -27,3 +27,5 @@ export const FILE_SHARE_SO_TYPE = 'fileShare';
 * The name of the fixed size ES-backed blob store
 */
 export const ES_FIXED_SIZE_INDEX_BLOB_STORE = 'esFixedSizeIndex' as const;
+
+export const FILES_MANAGE_PRIVILEGE = 'files:manageFiles' as const;
--- a/x-pack/plugins/files/kibana.json
+++ b/x-pack/plugins/files/kibana.json
@ -9,7 +9,6 @@
  "description": "File upload, download, sharing, and serving over HTTP implementation in Kibana.",
  "server": true,
  "ui": true,
-  "requiredPlugins": [],
  "requiredBundles": ["kibanaUtils"],
  "optionalPlugins": ["security", "usageCollection"]
 }
--- a/x-pack/plugins/files/server/feature.ts
+++ b/x-pack/plugins/files/server/feature.ts
@ -0,0 +1,47 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
+import { KibanaFeatureConfig } from '@kbn/features-plugin/common';
+import { i18n } from '@kbn/i18n';
+import { PLUGIN_ID } from '../common';
+import { FILES_MANAGE_PRIVILEGE } from '../common/constants';
+import { hiddenTypes } from './saved_objects';
+
+// TODO: This should be registered once we have a management section for files content
+export const filesFeature: KibanaFeatureConfig = {
+  id: PLUGIN_ID,
+  name: i18n.translate('xpack.files.featureRegistry.filesFeatureName', {
+    defaultMessage: 'Files',
+  }),
+  minimumLicense: 'basic',
+  order: 10000,
+  category: DEFAULT_APP_CATEGORIES.management,
+  app: [PLUGIN_ID],
+  privilegesTooltip: i18n.translate('xpack.files.featureRegistry.filesPrivilegesTooltip', {
+    defaultMessage: 'Provide access to files across all apps',
+  }),
+  privileges: {
+    all: {
+      app: [PLUGIN_ID],
+      savedObject: {
+        all: hiddenTypes,
+        read: hiddenTypes,
+      },
+      ui: [],
+      api: [FILES_MANAGE_PRIVILEGE],
+    },
+    read: {
+      app: [PLUGIN_ID],
+      savedObject: {
+        all: hiddenTypes,
+        read: hiddenTypes,
+      },
+      ui: [],
+    },
+  },
+};
--- a/x-pack/plugins/files/server/routes/find.ts
+++ b/x-pack/plugins/files/server/routes/find.ts
@ -7,6 +7,7 @@
 import { schema } from '@kbn/config-schema';
 import type { CreateHandler, FilesRouter } from './types';
 import { FileJSON } from '../../common';
+import { FILES_MANAGE_PRIVILEGE } from '../../common/constants';
 import { FILES_API_ROUTES, CreateRouteDefinition } from './api_routes';

 const method = 'post' as const;
@ -63,16 +64,14 @@ const handler: CreateHandler<Endpoint> = async ({ files }, req, res) => {
  });
 };

-// TODO: Find out whether we want to add stricter access controls to this route.
-// Currently this is giving read-access to all files which bypasses the
-// security we set up on a per route level for the "getById" and "list" endpoints.
-// Alternatively, we can remove the access controls on the "file kind" endpoints
-// or remove them entirely.
 export function register(router: FilesRouter) {
  router[method](
    {
      path: FILES_API_ROUTES.find,
      validate: { ...rt },
+      options: {
+        tags: [`access:${FILES_MANAGE_PRIVILEGE}`],
+      },
    },
    handler
  );
--- a/x-pack/plugins/files/server/routes/metrics.ts
+++ b/x-pack/plugins/files/server/routes/metrics.ts
@ -4,6 +4,7 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
+import { FILES_MANAGE_PRIVILEGE } from '../../common/constants';
 import type { FilesRouter } from './types';

 import { FilesMetrics } from '../../common';
@ -27,6 +28,9 @@ export function register(router: FilesRouter) {
    {
      path: FILES_API_ROUTES.metrics,
      validate: {},
+      options: {
+        tags: [`access:${FILES_MANAGE_PRIVILEGE}`],
+      },
    },
    handler
  );