[Authz] Mandatory Security Config (#215180)

## Summary

This PR makes `security` a required field for route registration. To
incorporate the new required filed, changes has been made:

1. **Test file updates**. A lot of the updates made in this PR were made
in tests.
2. **Versioned route security configuration**. For the versioned route
`security` config has been lifted up to the top-level definition:

    Before
    ```ts
    router.versioned
      .get({
        path: '/api/path',
        options: { ... },
        ...
      }, handler)
      .addVersion({
         version: 1,
         validate: false,
         security: {
          authz: {
            requiredPrivileges: ['privilege'],
          },
         },
      });
    ```
    
    After
    ```ts
    router.versioned
      .get({
        path: '/api/path',
        options: { ... },
         security: {
          authz: {
            requiredPrivileges: ['privilege'],
          },
         },
        ...
      }, handler)
      .addVersion({
         version: 1,
         validate: false,
      });
    ```

3. **Type adjustments for route wrappers**. Type changes has been made
in:
-
`x-pack/solutions/observability/plugins/infra/server/lib/adapters/framework/adapter_types.ts`
-
`x-pack/solutions/observability/plugins/metrics_data_access/server/lib/adapters/framework/adapter_types.ts`
-
`x-pack/solutions/observability/plugins/synthetics/server/routes/types.ts`
-
`x-pack/solutions/observability/plugins/uptime/server/legacy_uptime/routes/types.ts`

Security was made an optional field for the wrappers defined in those
files, since the default security is provided in the wrapper itself and
then passed down to the core router.

### Checklist

- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)


__Closes: https://github.com/elastic/kibana/issues/215331__

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>

examples/eso_model_version_example/server/plugin.ts

@@ -307,6 +307,12 @@ export class EsoModelVersionExample
       {
         path: '/internal/eso_mv_example/generate',
         validate: false,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This routes delegates authorization to SO client.',
+          },
+        },
       },
       async (context, request, response) => {
         const { elasticsearch } = await context.core;
@@ -358,6 +364,12 @@ export class EsoModelVersionExample
       {
         path: '/internal/eso_mv_example/read_raw',
         validate: false,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This routes delegates authorization to SO client.',
+          },
+        },
       },
       async (context, request, response) => {
         // Read the raw documents so we can display the model versions prior to migration transformations
@@ -394,6 +406,9 @@ export class EsoModelVersionExample
       {
         path: '/internal/eso_mv_example/get_objects',
         validate: false,
+        security: {
+          authz: { enabled: false, reason: 'This routes delegates authorization to SO client.' },
+        },
       },
       async (context, request, response) => {
         // Get the objects via the SO client so we can display how the objects are migrated via the MV definitions
@@ -431,6 +446,9 @@ export class EsoModelVersionExample
       {
         path: '/internal/eso_mv_example/get_decrypted',
         validate: false,
+        security: {
+          authz: { enabled: false, reason: 'This route delegates authorization to SO client.' },
+        },
       },
       async (context, request, response) => {
         // Decrypt the objects as the internal user so we can display the secrets

examples/feature_control_examples/server/plugin.ts

@@ -56,6 +56,7 @@ export class FeatureControlsPluginExample
       {
         path: '/internal/my_plugin/read',
         validate: false,
+        security: { authz: { requiredPrivileges: ['my_closed_example_api'] } },
       },
       async (context, request, response) => {
         return response.ok({

examples/feature_flags_example/server/routes/index.ts

@@ -16,6 +16,9 @@ export function defineRoutes(router: IRouter) {
     .get({
       path: '/api/feature_flags_example/example',
       access: 'public',
+      security: {
+        authz: { enabled: false, reason: 'Public route that does not require authorization' },
+      },
     })
     .addVersion(
       {

examples/preboot_example/server/plugin.ts

@@ -40,6 +40,12 @@ export class PrebootExamplePlugin implements PrebootPlugin {
       prebootRouter.get(
         {
           path: '/api/preboot/state',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'This route is opted out of authorization as it is a core preboot route',
+            },
+          },
           validate: false,
           options: { authRequired: false },
         },
@@ -55,6 +61,12 @@ export class PrebootExamplePlugin implements PrebootPlugin {
       prebootRouter.post(
         {
           path: '/api/preboot/complete_setup',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'This route is opted out of authorization as it is a core preboot route',
+            },
+          },
           validate: {
             body: schema.object({ shouldReloadConfig: schema.boolean() }),
           },
@@ -69,6 +81,12 @@ export class PrebootExamplePlugin implements PrebootPlugin {
       prebootRouter.post(
         {
           path: '/api/preboot/write_config',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'This route is opted out of authorization as it is a core preboot route',
+            },
+          },
           validate: {
             body: schema.object({ key: schema.string(), value: schema.string() }),
           },
@@ -91,6 +109,9 @@ export class PrebootExamplePlugin implements PrebootPlugin {
       prebootRouter.post(
         {
           path: '/api/preboot/connect_to_es',
+          security: {
+            authz: { enabled: false, reason: 'This route delegates authorization to es client' },
+          },
           validate: {
             body: schema.object({
               host: schema.string(),

examples/response_stream/server/routes/reducer_stream.ts

@@ -27,6 +27,12 @@ export const defineReducerStreamRoute = (router: IRouter, logger: Logger) => {
     .post({
       path: RESPONSE_STREAM_API_ENDPOINT.REDUCER_STREAM,
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out of authorization as it is a developer example endpoint.',
+        },
+      },
     })
     .addVersion(
       {

examples/response_stream/server/routes/redux_stream.ts

@@ -27,6 +27,12 @@ export const defineReduxStreamRoute = (router: IRouter, logger: Logger) => {
     .post({
       path: RESPONSE_STREAM_API_ENDPOINT.REDUX_STREAM,
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out of authorization as it is a developer example endpoint.',
+        },
+      },
     })
     .addVersion(
       {

examples/response_stream/server/routes/single_string_stream.ts

@@ -22,6 +22,12 @@ export const defineSimpleStringStreamRoute = (router: IRouter, logger: Logger) =
     .post({
       path: RESPONSE_STREAM_API_ENDPOINT.SIMPLE_STRING_STREAM,
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out of authorization as it is a developer example endpoint.',
+        },
+      },
     })
     .addVersion(
       {

examples/routing_example/server/routes/deprecated_routes/internal.ts

@@ -14,6 +14,13 @@ export const registerInternalDeprecatedRoute = (router: IRouter) => {
   router.get(
     {
       path: DEPRECATED_ROUTES.INTERNAL_DEPRECATED_ROUTE,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       validate: false,
       options: {
         // Explicitly set access is to internal
@@ -40,6 +47,13 @@ export const registerInternalDeprecatedRoute = (router: IRouter) => {
     {
       path: DEPRECATED_ROUTES.INTERNAL_ONLY_ROUTE,
       validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       // If no access is specified then it defaults to internal
     },
     async (ctx, req, res) => {

examples/routing_example/server/routes/deprecated_routes/unversioned.ts

@@ -16,6 +16,13 @@ export const registerDeprecatedRoute = (router: IRouter) => {
     {
       path: DEPRECATED_ROUTES.DEPRECATED_ROUTE,
       validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       options: {
         access: 'public',
         deprecated: {
@@ -38,6 +45,13 @@ export const registerDeprecatedRoute = (router: IRouter) => {
     {
       path: DEPRECATED_ROUTES.REMOVED_ROUTE,
       validate: false,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       options: {
         access: 'public',
         deprecated: {
@@ -57,6 +71,13 @@ export const registerDeprecatedRoute = (router: IRouter) => {
   router.post(
     {
       path: DEPRECATED_ROUTES.MIGRATED_ROUTE,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       validate: {
         body: schema.object({
           test: schema.maybe(schema.boolean()),

examples/routing_example/server/routes/deprecated_routes/versioned.ts

@@ -14,6 +14,13 @@ export const registerVersionedDeprecatedRoute = (router: IRouter) => {
   router.versioned
     .get({
       path: DEPRECATED_ROUTES.VERSIONED_ROUTE,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       description: 'Routing example plugin deprecated versioned route.',
       access: 'public',
       options: {
@@ -43,6 +50,13 @@ export const registerVersionedDeprecatedRoute = (router: IRouter) => {
   router.versioned
     .get({
       path: DEPRECATED_ROUTES.VERSIONED_INTERNAL_ROUTE,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       description: 'Routing example plugin deprecated versioned route.',
       access: 'internal',
       options: {

examples/routing_example/server/routes/message_routes.ts

@@ -30,6 +30,13 @@ export function registerPostMessageRoute(router: IRouter) {
   router.post(
     {
       path: `${POST_MESSAGE_ROUTE_PATH}/{id}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       validate: {
         params: schema.object({
           // This parameter name matches the one in POST_MESSAGE_ROUTE_PATH: `api/post_message/{id}`.
@@ -63,6 +70,13 @@ export function registerGetMessageByIdRoute(router: IRouter) {
   router.get(
     {
       path: `${INTERNAL_GET_MESSAGE_BY_ID_ROUTE}/{id}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       options: {
         access: 'internal',
       },

examples/routing_example/server/routes/random_number_between_generator.ts

@@ -19,6 +19,13 @@ export function registerGetRandomNumberBetweenRoute(router: IRouter) {
   router.get(
     {
       path: RANDOM_NUMBER_BETWEEN_ROUTE_PATH,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       validate: {
         query: schema.object({
           max: schema.number({ defaultValue: 10 }),

examples/routing_example/server/routes/random_number_generator.ts

@@ -19,6 +19,13 @@ export function registerGetRandomNumberRoute(router: IRouter) {
   router.get(
     {
       path: RANDOM_NUMBER_ROUTE_PATH,
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out of authorization because it is only intended for test use',
+        },
+      },
       validate: {},
     },
     async (context, request, response) => {

examples/screenshot_mode_example/server/routes.ts

@@ -12,7 +12,13 @@ import { BASE_API_ROUTE } from '../common';
 
 export const registerRoutes = ({ router, log, screenshotMode }: RouteDependencies) => {
   router.get(
-    { path: `${BASE_API_ROUTE}/check_is_screenshot`, validate: false },
+    {
+      path: `${BASE_API_ROUTE}/check_is_screenshot`,
+      validate: false,
+      security: {
+        authz: { enabled: false, reason: 'Screenshot api is public' },
+      },
+    },
     async (ctx, req, res) => {
       log.info(`Reading screenshot mode from a request: ${screenshotMode.isScreenshotMode(req)}`);
       log.info(`Reading is screenshot mode from ctx: ${(await ctx.screenshotMode).isScreenshot}`);

examples/search_examples/server/routes/server_search_route.ts

@@ -24,6 +24,12 @@ export function registerServerSearchRoute(router: IRouter<DataRequestHandlerCont
           field: schema.maybe(schema.string()),
         }),
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization check to es.',
+        },
+      },
     },
     async (context, request, response) => {
       const { index, field } = request.query;

examples/sse_example/server/routes/index.ts

@@ -17,6 +17,12 @@ export function defineRoutes(router: IRouter, logger: Logger) {
     .get({
       path: '/internal/sse_examples/clock',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out of authorization since it is an example sse route',
+        },
+      },
     })
     .addVersion(
       {

examples/v8_profiler_examples/server/routes/cpu_profile.ts

@@ -24,6 +24,7 @@ const routeValidation = {
 const routeConfig = {
   path: '/_dev/cpu_profile',
   validate: routeValidation,
+  security: { authz: { requiredPrivileges: ['foo'] } },
 };
 
 export function registerRoute(logger: Logger, router: IRouter): void {

examples/v8_profiler_examples/server/routes/heap_profile.ts

@@ -26,6 +26,7 @@ const routeValidation = {
 const routeConfig = {
   path: '/_dev/heap_profile',
   validate: routeValidation,
+  security: { authz: { requiredPrivileges: ['foo'] } },
 };
 
 export function registerRoute(logger: Logger, router: IRouter): void {

packages/kbn-mock-idp-plugin/server/plugin.ts

@@ -71,6 +71,7 @@ export const plugin: PluginInitializer<
         path: MOCK_IDP_LOGIN_PATH,
         validate: false,
         options: { authRequired: false },
+        security: { authz: { enabled: false, reason: '' } },
       },
       async (context, request, response) => {
         return response.renderAnonymousCoreApp();
@@ -85,6 +86,7 @@ export const plugin: PluginInitializer<
         path: '/mock_idp/supported_roles',
         validate: false,
         options: { authRequired: false },
+        security: { authz: { enabled: false, reason: '' } },
       },
       (context, request, response) => {
         try {
@@ -110,6 +112,7 @@ export const plugin: PluginInitializer<
           body: createSAMLResponseSchema,
         },
         options: { authRequired: false },
+        security: { authz: { enabled: false, reason: '' } },
       },
       async (context, request, response) => {
         const { protocol, hostname, port } = core.http.getServerInfo();
@@ -134,6 +137,7 @@ export const plugin: PluginInitializer<
         path: MOCK_IDP_LOGOUT_PATH,
         validate: false,
         options: { authRequired: false },
+        security: { authz: { enabled: false, reason: '' } },
       },
       async (context, request, response) => {
         return response.redirected({ headers: { location: '/' } });

src/core/packages/apps/server-internal/src/bundle_routes/bundle_route.test.ts

@@ -48,6 +48,12 @@ describe('registerRouteForBundle', () => {
           httpResource: true,
         },
         validate: expect.any(Object),
+        security: {
+          authz: {
+            enabled: false,
+            reason: expect.any(String),
+          },
+        },
       },
       handler
     );

src/core/packages/apps/server-internal/src/bundle_routes/bundles_route.ts

@@ -41,6 +41,12 @@ export function registerRouteForBundle(
           path: schema.string(),
         }),
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is used for serving assets and does not require authorization.',
+        },
+      },
     },
     createDynamicAssetHandler({
       publicPath,

src/core/packages/http/resources-server-internal/src/http_resources_service.test.ts

@@ -48,7 +48,15 @@ describe('HttpResources service', () => {
       getDeps: () => PrebootDeps | SetupDeps
     ) {
       describe(`${name} register`, () => {
-        const routeConfig: RouteConfig<any, any, any, 'get'> = { path: '/', validate: false };
+        const routeConfig: RouteConfig<any, any, any, 'get'> = {
+          path: '/',
+          validate: false,
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        };
         let register: HttpResources['register'];
 
         beforeEach(async () => {

src/core/packages/http/router-server-internal/src/router.test.ts

@@ -53,6 +53,11 @@ describe('Router', () => {
         {
           path: '/',
           validate: { body: validation, query: validation, params: validation },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
           options: {
             deprecated: {
               documentationUrl: 'https://fake-url.com',
@@ -103,12 +108,22 @@ describe('Router', () => {
         .post({
           path: '/versioned',
           access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         })
         .addVersion({ version: '999', validate: false }, async (ctx, req, res) => res.ok());
       router.get(
         {
           path: '/unversioned',
           validate: { body: validation, query: validation, params: validation },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => res.ok()
       );
@@ -131,6 +146,11 @@ describe('Router', () => {
         {
           path: '/',
           validate: staticOrLazy ? fooValidation : () => fooValidation,
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => res.ok()
       );
@@ -158,6 +178,11 @@ describe('Router', () => {
       router.post(
         {
           path: '/public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
           options: {
             access: 'public',
           },
@@ -168,6 +193,11 @@ describe('Router', () => {
       router.post(
         {
           path: '/internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
           options: {
             access: 'internal',
           },
@@ -194,6 +224,11 @@ describe('Router', () => {
       router.post(
         {
           path: '/public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
           options: {
             access: 'public',
           },
@@ -204,6 +239,11 @@ describe('Router', () => {
       router.post(
         {
           path: '/public-resource',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
           options: {
             access: 'public',
             httpResource: true,
@@ -240,6 +280,11 @@ describe('Router', () => {
     router.post(
       {
         path: '/',
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
         validate: lazyValidation,
       },
       (context, req, res) => res.ok()
@@ -299,6 +344,11 @@ describe('Router', () => {
           {
             path: '/',
             validate: { params: { validate: () => 'error' } } as any,
+            security: {
+              authz: {
+                requiredPrivileges: ['foo'],
+              },
+            },
           },
           (context, req, res) => res.ok({})
         )
@@ -316,6 +366,11 @@ describe('Router', () => {
             path: '/',
             validate: false,
             options: { security: { authz: { requiredPrivileges: [] } } } as any,
+            security: {
+              authz: {
+                requiredPrivileges: ['foo'],
+              },
+            },
           },
           (context, req, res) => res.ok({})
         )
@@ -333,6 +388,11 @@ describe('Router', () => {
             path: '/',
             options: { body: { output: 'file' } } as any, // We explicitly don't support 'file'
             validate: { body: schema.object({}, { unknowns: 'allow' }) },
+            security: {
+              authz: {
+                requiredPrivileges: ['foo'],
+              },
+            },
           },
           (context, req, res) => res.ok({})
         )
@@ -384,7 +444,18 @@ describe('Router', () => {
 
     it('should default `output: "stream" and parse: false` when no body validation is required but not a GET', () => {
       const router = new Router('', logger, enhanceWithContext, routerOptions);
-      router.post({ path: '/', validate: {} }, (context, req, res) => res.ok({}));
+      router.post(
+        {
+          path: '/',
+          validate: {},
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        },
+        (context, req, res) => res.ok({})
+      );
       const [route] = router.getRoutes();
       expect(route.options).toEqual({ body: { output: 'stream', parse: false } });
     });
@@ -392,7 +463,16 @@ describe('Router', () => {
     it('should NOT default `output: "stream" and parse: false` when the user has specified body options (he cares about it)', () => {
       const router = new Router('', logger, enhanceWithContext, routerOptions);
       router.post(
-        { path: '/', options: { body: { maxBytes: 1 } }, validate: {} },
+        {
+          path: '/',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+          options: { body: { maxBytes: 1 } },
+          validate: {},
+        },
         (context, req, res) => res.ok({})
       );
       const [route] = router.getRoutes();
@@ -401,7 +481,18 @@ describe('Router', () => {
 
     it('should NOT default `output: "stream" and parse: false` when no body validation is required and GET', () => {
       const router = new Router('', logger, enhanceWithContext, routerOptions);
-      router.get({ path: '/', validate: {} }, (context, req, res) => res.ok({}));
+      router.get(
+        {
+          path: '/',
+          validate: {},
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        },
+        (context, req, res) => res.ok({})
+      );
       const [route] = router.getRoutes();
       expect(route.options).toEqual({});
     });

src/core/packages/http/router-server-internal/src/versioned_router/core_versioned_route.test.ts

@@ -65,6 +65,11 @@ describe('Versioned route', () => {
           description: 'test',
           summary: 'test',
           enableQueryVersion: false,
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         })
         .addVersion({ version: '2023-10-31', validate: false }, handlerFn);
 
@@ -88,7 +93,15 @@ describe('Versioned route', () => {
 
   it('can register multiple handlers', () => {
     versionedRouter
-      .get({ path: '/test/{id}', access: 'internal' })
+      .get({
+        path: '/test/{id}',
+        access: 'internal',
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
       .addVersion({ version: '1', validate: false }, handlerFn)
       .addVersion({ version: '2', validate: false }, handlerFn)
       .addVersion({ version: '3', validate: false }, handlerFn);
@@ -111,7 +124,15 @@ describe('Versioned route', () => {
   it('does not allow specifying a handler for the same version more than once', () => {
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'internal' })
+        .get({
+          path: '/test/{id}',
+          access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '1', validate: false }, handlerFn)
         .addVersion({ version: '1', validate: false }, handlerFn)
         .addVersion({ version: '3', validate: false }, handlerFn)
@@ -123,22 +144,54 @@ describe('Versioned route', () => {
   it('only allows versions that are numbers greater than 0 for internal APIs', () => {
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'internal' })
+        .get({
+          path: '/test/{id}',
+          access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: 'foo' as ApiVersion, validate: false }, handlerFn)
     ).toThrowError(`Invalid version number`);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'internal' })
+        .get({
+          path: '/test/{id}',
+          access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '-1', validate: false }, handlerFn)
     ).toThrowError(`Invalid version number`);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'internal' })
+        .get({
+          path: '/test/{id}',
+          access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '1.1', validate: false }, handlerFn)
     ).toThrowError(`Invalid version number`);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'internal' })
+        .get({
+          path: '/test/{id}',
+          access: 'internal',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '1', validate: false }, handlerFn)
     ).not.toThrow();
   });
@@ -146,22 +199,54 @@ describe('Versioned route', () => {
   it('only allows correctly formatted version date strings for public APIs', () => {
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'public' })
+        .get({
+          path: '/test/{id}',
+          access: 'public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '1-1-2020' as ApiVersion, validate: false }, handlerFn)
     ).toThrowError(/Invalid version/);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'public' })
+        .get({
+          path: '/test/{id}',
+          access: 'public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '', validate: false }, handlerFn)
     ).toThrowError(/Invalid version/);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'public' })
+        .get({
+          path: '/test/{id}',
+          access: 'public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: 'abc', validate: false }, handlerFn)
     ).toThrowError(/Invalid version/);
     expect(() =>
       versionedRouter
-        .get({ path: '/test/{id}', access: 'public' })
+        .get({
+          path: '/test/{id}',
+          access: 'public',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '2023-10-31', validate: false }, handlerFn)
     ).not.toThrow();
   });
@@ -180,6 +265,11 @@ describe('Versioned route', () => {
         excludeFromOAS: true,
         httpResource: true,
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     };
 
     versionedRouter.post(opts);
@@ -206,7 +296,15 @@ describe('Versioned route', () => {
   it('allows public versions other than "2023-10-31"', () => {
     expect(() =>
       CoreVersionedRouter.from({ router, log: loggingSystemMock.createLogger(), env: notDevEnv })
-        .get({ access: 'public', path: '/foo' })
+        .get({
+          access: 'public',
+          path: '/foo',
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
         .addVersion({ version: '2023-01-31', validate: false }, (ctx, req, res) => res.ok())
     ).not.toThrow();
   });
@@ -219,13 +317,23 @@ describe('Versioned route', () => {
         testValidation;
 
       (router.registerRoute as jest.Mock).mockImplementation((opts) => (handler = opts.handler));
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: staticOrLazy === 'static' ? fooValidation : () => fooValidation,
+          access: 'internal',
-        },
+          security: {
-        handlerFn
+            authz: {
-      );
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
+        .addVersion(
+          {
+            version: '1',
+            validate: staticOrLazy === 'static' ? fooValidation : () => fooValidation,
+          },
+          handlerFn
+        );
 
       const kibanaResponse = await handler!(
         createRequest({
@@ -258,13 +366,23 @@ describe('Versioned route', () => {
 
     (router.registerRoute as jest.Mock).mockImplementation((opts) => (handler = opts.handler));
     const lazyValidation = jest.fn(() => fooValidation);
-    versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+    versionedRouter
-      {
+      .post({
-        version: '1',
+        path: '/test/{id}',
-        validate: lazyValidation,
+        access: 'internal',
-      },
+        security: {
-      handlerFn
+          authz: {
-    );
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
+      .addVersion(
+        {
+          version: '1',
+          validate: lazyValidation,
+        },
+        handlerFn
+      );
 
     for (let i = 0; i < 10; i++) {
       const { status } = await handler!(
@@ -312,7 +430,15 @@ describe('Versioned route', () => {
     it('only allows "2023-10-31" as public route versions', () => {
       expect(() =>
         versionedRouter
-          .get({ access: 'public', path: '/foo' })
+          .get({
+            access: 'public',
+            path: '/foo',
+            security: {
+              authz: {
+                requiredPrivileges: ['foo'],
+              },
+            },
+          })
           .addVersion({ version: '2023-01-31', validate: false }, (ctx, req, res) => res.ok())
       ).toThrow(/Invalid public version/);
     });
@@ -323,13 +449,23 @@ describe('Versioned route', () => {
         testValidation;
 
       (router.registerRoute as jest.Mock).mockImplementation((opts) => (handler = opts.handler));
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: fooValidation,
+          access: 'internal',
-        },
+          security: {
-        handlerFn
+            authz: {
-      );
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
+        .addVersion(
+          {
+            version: '1',
+            validate: fooValidation,
+          },
+          handlerFn
+        );
 
       const kibanaResponse = await handler!(
         createRequest({
@@ -356,13 +492,23 @@ describe('Versioned route', () => {
         env: devEnv,
         log: loggingSystemMock.createLogger(),
       });
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: { response: { 500: { description: 'jest description', body: undefined } } },
+          access: 'internal',
-        },
+          security: {
-        async (ctx, req, res) => res.custom({ statusCode: 500 })
+            authz: {
-      );
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
+        .addVersion(
+          {
+            version: '1',
+            validate: { response: { 500: { description: 'jest description', body: undefined } } },
+          },
+          async (ctx, req, res) => res.custom({ statusCode: 500 })
+        );
 
       await expect(
         handler!(
@@ -389,13 +535,23 @@ describe('Versioned route', () => {
         env: devEnv,
         log: loggingSystemMock.createLogger(),
       });
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: fooValidation,
+          access: 'internal',
-        },
+          security: {
-        handlerFn
+            authz: {
-      );
+              requiredPrivileges: ['foo'],
+            },
+          },
+        })
+        .addVersion(
+          {
+            version: '1',
+            validate: fooValidation,
+          },
+          handlerFn
+        );
 
       const kibanaResponse = await handler!(
         createRequest({
@@ -427,37 +583,67 @@ describe('Versioned route', () => {
     (router.registerRoute as jest.Mock).mockImplementation(
       (opts) => (bypassVersionHandler = opts.handler)
     );
-    versionedRouter.post({ path: '/bypass_me/{id?}', access: 'internal' }).addVersion(
+    versionedRouter
-      {
+      .post({
-        version: '1',
+        path: '/bypass_me/{id?}',
-        validate: false,
+        access: 'internal',
-      },
+        security: {
-      handlerFn
+          authz: {
-    );
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
+      .addVersion(
+        {
+          version: '1',
+          validate: false,
+        },
+        handlerFn
+      );
 
     let doNotBypassHandler1: InternalRouteHandler;
     (router.registerRoute as jest.Mock).mockImplementation(
       (opts) => (doNotBypassHandler1 = opts.handler)
     );
-    versionedRouter.put({ path: '/do_not_bypass_me/{id}', access: 'internal' }).addVersion(
+    versionedRouter
-      {
+      .put({
-        version: '1',
+        path: '/do_not_bypass_me/{id}',
-        validate: false,
+        access: 'internal',
-      },
+        security: {
-      handlerFn
+          authz: {
-    );
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
+      .addVersion(
+        {
+          version: '1',
+          validate: false,
+        },
+        handlerFn
+      );
 
     let doNotBypassHandler2: InternalRouteHandler;
     (router.registerRoute as jest.Mock).mockImplementation(
       (opts) => (doNotBypassHandler2 = opts.handler)
     );
-    versionedRouter.get({ path: '/do_not_bypass_me_either', access: 'internal' }).addVersion(
+    versionedRouter
-      {
+      .get({
-        version: '1',
+        path: '/do_not_bypass_me_either',
-        validate: false,
+        access: 'internal',
-      },
+        security: {
-      handlerFn
+          authz: {
-    );
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
+      .addVersion(
+        {
+          version: '1',
+          validate: false,
+        },
+        handlerFn
+      );
 
     const byPassedVersionResponse = await bypassVersionHandler!(
       createRequest({ version: undefined })
@@ -497,7 +683,15 @@ describe('Versioned route', () => {
       },
     };
     versionedRouter
-      .get({ path: '/test/{id}', access: 'internal' })
+      .get({
+        path: '/test/{id}',
+        access: 'internal',
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      })
       .addVersion(
         {
           version: '1',
@@ -705,20 +899,30 @@ describe('Versioned route', () => {
     it('for routes with validation', async () => {
       const { fooValidation } = testValidation;
       (router.registerRoute as jest.Mock).mockImplementation((opts) => (handler = opts.handler));
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: fooValidation,
+          access: 'internal',
-          options: {
+          security: {
-            deprecated: {
+            authz: {
-              severity: 'warning',
+              requiredPrivileges: ['foo'],
-              reason: { type: 'bump', newApiVersion: '123' },
-              documentationUrl: 'http://test.foo',
             },
           },
-        },
+        })
-        handlerFn
+        .addVersion(
-      );
+          {
+            version: '1',
+            validate: fooValidation,
+            options: {
+              deprecated: {
+                severity: 'warning',
+                reason: { type: 'bump', newApiVersion: '123' },
+                documentationUrl: 'http://test.foo',
+              },
+            },
+          },
+          handlerFn
+        );
 
       await handler!(
         createRequest({
@@ -762,20 +966,30 @@ describe('Versioned route', () => {
 
     it('for routes without validation', async () => {
       (router.registerRoute as jest.Mock).mockImplementation((opts) => (handler = opts.handler));
-      versionedRouter.post({ path: '/test/{id}', access: 'internal' }).addVersion(
+      versionedRouter
-        {
+        .post({
-          version: '1',
+          path: '/test/{id}',
-          validate: false,
+          access: 'internal',
-          options: {
+          security: {
-            deprecated: {
+            authz: {
-              severity: 'warning',
+              requiredPrivileges: ['foo'],
-              reason: { type: 'bump', newApiVersion: '123' },
-              documentationUrl: 'http://test.foo',
             },
           },
-        },
+        })
-        handlerFn
+        .addVersion(
-      );
+          {
+            version: '1',
+            validate: false,
+            options: {
+              deprecated: {
+                severity: 'warning',
+                reason: { type: 'bump', newApiVersion: '123' },
+                documentationUrl: 'http://test.foo',
+              },
+            },
+          },
+          handlerFn
+        );
 
       await handler!(createRequest({ version: '1' }));
       expect(router.emitPostValidate).toHaveBeenCalledTimes(1);

src/core/packages/http/router-server-internal/src/versioned_router/core_versioned_router.test.ts

@@ -27,9 +27,33 @@ describe('Versioned router', () => {
   });
 
   it('can register multiple routes', () => {
-    versionedRouter.get({ path: '/test/{id}', access: 'internal' });
+    versionedRouter.get({
-    versionedRouter.post({ path: '/test', access: 'internal' });
+      path: '/test/{id}',
-    versionedRouter.delete({ path: '/test', access: 'internal' });
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+      access: 'internal',
+    });
+    versionedRouter.post({
+      path: '/test',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+      access: 'internal',
+    });
+    versionedRouter.delete({
+      path: '/test',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+      access: 'internal',
+    });
     expect(versionedRouter.getRoutes()).toHaveLength(3);
   });
 
@@ -42,14 +66,32 @@ describe('Versioned router', () => {
       path: '/test/{id}',
       access: 'internal',
       discontinued: 'x.y.z',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     });
     versionedRouter.post({
       path: '/test',
       access: 'internal',
       summary: 'Post test',
       description: 'Post test description',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    });
+    versionedRouter.delete({
+      path: '/test',
+      access: 'internal',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     });
-    versionedRouter.delete({ path: '/test', access: 'internal' });
     expect(versionedRouter.getRoutes()).toMatchInlineSnapshot(`
       Array [
         Object {
@@ -59,6 +101,13 @@ describe('Versioned router', () => {
           "options": Object {
             "access": "internal",
             "discontinued": "x.y.z",
+            "security": Object {
+              "authz": Object {
+                "requiredPrivileges": Array [
+                  "foo",
+                ],
+              },
+            },
           },
           "path": "/test/{id}",
         },
@@ -69,6 +118,13 @@ describe('Versioned router', () => {
           "options": Object {
             "access": "internal",
             "description": "Post test description",
+            "security": Object {
+              "authz": Object {
+                "requiredPrivileges": Array [
+                  "foo",
+                ],
+              },
+            },
             "summary": "Post test",
           },
           "path": "/test",
@@ -79,6 +135,13 @@ describe('Versioned router', () => {
           "method": "delete",
           "options": Object {
             "access": "internal",
+            "security": Object {
+              "authz": Object {
+                "requiredPrivileges": Array [
+                  "foo",
+                ],
+              },
+            },
           },
           "path": "/test",
         },

src/core/packages/http/router-server-mocks/src/versioned_router_mock_route.test.ts

@@ -13,13 +13,29 @@ describe('createVersionedRouterMock#getRoute', () => {
   it('throws if no routes are registered', () => {
     const versionedRouter = createVersionedRouterMock();
     expect(() => versionedRouter.getRoute('get', '/foo')).toThrow(/No routes registered/);
-    versionedRouter.get({ path: '/foo', access: 'internal' });
+    versionedRouter.get({
+      path: '/foo',
+      access: 'internal',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    });
     expect(() => versionedRouter.getRoute('get', '/foo')).not.toThrow();
     expect(() => versionedRouter.getRoute('get', '/bar')).toThrow(/No routes registered/);
   });
   it('allows versioned routes to be introspected', () => {
     const versionedRouter = createVersionedRouterMock();
-    const route = versionedRouter.get({ path: '/foo', access: 'internal' });
+    const route = versionedRouter.get({
+      path: '/foo',
+      access: 'internal',
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    });
 
     // Empty case
     expect(versionedRouter.getRoute('get', '/foo')).toMatchInlineSnapshot(`
@@ -27,6 +43,13 @@ describe('createVersionedRouterMock#getRoute', () => {
         "config": Object {
           "access": "internal",
           "path": "/foo",
+          "security": Object {
+            "authz": Object {
+              "requiredPrivileges": Array [
+                "foo",
+              ],
+            },
+          },
         },
         "versions": Object {},
       }
@@ -44,6 +67,13 @@ describe('createVersionedRouterMock#getRoute', () => {
         "config": Object {
           "access": "internal",
           "path": "/foo",
+          "security": Object {
+            "authz": Object {
+              "requiredPrivileges": Array [
+                "foo",
+              ],
+            },
+          },
         },
         "versions": Object {
           "1": Object {

src/core/packages/http/server-internal/src/http_server.test.ts

@@ -211,6 +211,11 @@ test('valid params', async () => {
           test: schema.string(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.params.test });
@@ -241,6 +246,11 @@ test('invalid params', async () => {
           test: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: String(req.params.test) });
@@ -276,6 +286,11 @@ test('valid query', async () => {
           quux: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.query });
@@ -306,6 +321,11 @@ test('invalid query', async () => {
           bar: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.query });
@@ -341,6 +361,11 @@ test('valid body', async () => {
           baz: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -379,6 +404,11 @@ test('valid body with validate function', async () => {
           }
         },
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -422,6 +452,11 @@ test('not inline validation - specifying params', async () => {
       validate: {
         body: bodyValidation,
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -465,6 +500,11 @@ test('not inline validation - specifying validation handler', async () => {
       validate: {
         body: bodyValidation,
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -517,6 +557,11 @@ test('not inline handler - KibanaRequest', async () => {
           }
         },
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     handler
   );
@@ -566,6 +611,11 @@ test('not inline handler - RequestHandler', async () => {
           }
         },
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     handler
   );
@@ -598,6 +648,11 @@ test('invalid body', async () => {
           bar: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -633,6 +688,11 @@ test('handles putting', async () => {
           key: schema.string(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: req.body });
@@ -664,6 +724,11 @@ test('handles deleting', async () => {
           id: schema.number(),
         }),
       },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       return res.ok({ body: { key: req.params.id } });
@@ -695,9 +760,29 @@ describe('with `basepath: /bar` and `rewriteBasePath: false`', () => {
     } as HttpConfig;
 
     const router = new Router('/', logger, enhanceWithContext, routerOptions);
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'value:/' }));
+    router.get(
-    router.get({ path: '/foo', validate: false }, (context, req, res) =>
+      {
-      res.ok({ body: 'value:/foo' })
+        path: '/',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: 'value:/' })
+    );
+    router.get(
+      {
+        path: '/foo',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: 'value:/foo' })
     );
 
     const { registerRouter, server: innerServer } = await server.setup({
@@ -752,9 +837,29 @@ describe('with `basepath: /bar` and `rewriteBasePath: true`', () => {
     } as HttpConfig;
 
     const router = new Router('/', logger, enhanceWithContext, routerOptions);
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'value:/' }));
+    router.get(
-    router.get({ path: '/foo', validate: false }, (context, req, res) =>
+      {
-      res.ok({ body: 'value:/foo' })
+        path: '/',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: 'value:/' })
+    );
+    router.get(
+      {
+        path: '/foo',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: 'value:/foo' })
     );
 
     const { registerRouter, server: innerServer } = await server.setup({
@@ -804,7 +909,18 @@ describe('with `basepath: /bar` and `rewriteBasePath: true`', () => {
 
 test('with defined `redirectHttpFromPort`', async () => {
   const router = new Router('/', logger, enhanceWithContext, routerOptions);
-  router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'value:/' }));
+  router.get(
+    {
+      path: '/',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: 'value:/' })
+  );
 
   const { registerRouter } = await server.setup({ config$: configWithSSL$ });
   registerRouter(router);
@@ -834,11 +950,30 @@ test('allows attaching metadata to attach meta-data tag strings to a route', asy
   const { registerRouter, server: innerServer } = await server.setup({ config$ });
 
   const router = new Router('', logger, enhanceWithContext, routerOptions);
-  router.get({ path: '/with-tags', validate: false, options: { tags } }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { tags: req.route.options.tags } })
+    {
+      path: '/with-tags',
+      validate: false,
+      options: { tags },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { tags: req.route.options.tags } })
   );
-  router.get({ path: '/without-tags', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { tags: req.route.options.tags } })
+    {
+      path: '/without-tags',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { tags: req.route.options.tags } })
   );
   registerRouter(router);
 
@@ -853,11 +988,30 @@ test('allows declaring route access to flag a route as public or internal', asyn
   const { registerRouter, server: innerServer } = await server.setup({ config$ });
 
   const router = new Router('', logger, enhanceWithContext, routerOptions);
-  router.get({ path: '/with-access', validate: false, options: { access } }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/with-access',
+      validate: false,
+      options: { access },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
-  router.get({ path: '/without-access', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/without-access',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
   registerRouter(router);
 
@@ -871,18 +1025,54 @@ test(`sets access flag to 'internal' if not defined`, async () => {
   const { registerRouter, server: innerServer } = await server.setup({ config$ });
 
   const router = new Router('', logger, enhanceWithContext, routerOptions);
-  router.get({ path: '/internal/foo', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/internal/foo',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
-  router.get({ path: '/random/foo', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/random/foo',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
-  router.get({ path: '/random/internal/foo', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/random/internal/foo',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
 
-  router.get({ path: '/api/foo/internal/my-foo', validate: false }, (context, req, res) =>
+  router.get(
-    res.ok({ body: { access: req.route.options.access } })
+    {
+      path: '/api/foo/internal/my-foo',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: { access: req.route.options.access } })
   );
   registerRouter(router);
 
@@ -902,7 +1092,18 @@ test('exposes route details of incoming request to a route handler', async () =>
   const { registerRouter, server: innerServer } = await server.setup({ config$ });
 
   const router = new Router('', logger, enhanceWithContext, routerOptions);
-  router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: req.route }));
+  router.get(
+    {
+      path: '/',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({ body: req.route })
+  );
   registerRouter(router);
 
   await server.start();
@@ -918,6 +1119,11 @@ test('exposes route details of incoming request to a route handler', async () =>
         access: 'internal',
         tags: [],
         timeout: {},
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
       },
     });
 });
@@ -933,7 +1139,18 @@ describe('conditional compression', () => {
       body: 'hello'.repeat(500),
       headers: { 'Content-Type': 'text/html; charset=UTF-8' },
     };
-    router.get({ path: '/', validate: false }, (_context, _req, res) => res.ok(largeRequest));
+    router.get(
+      {
+        path: '/',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (_context, _req, res) => res.ok(largeRequest)
+    );
     registerRouter(router);
     await server.start();
     return innerServer.listener;
@@ -1038,7 +1255,18 @@ describe('response headers', () => {
     });
 
     const router = new Router('', logger, enhanceWithContext, routerOptions);
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: req.route }));
+    router.get(
+      {
+        path: '/',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: req.route })
+    );
     registerRouter(router);
 
     await server.start();
@@ -1055,7 +1283,18 @@ describe('response headers', () => {
     const { registerRouter, server: innerServer } = await server.setup({ config$ });
 
     const router = new Router('', logger, enhanceWithContext, routerOptions);
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: req.route }));
+    router.get(
+      {
+        path: '/',
+        validate: false,
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
+      },
+      (context, req, res) => res.ok({ body: req.route })
+    );
     registerRouter(router);
 
     await server.start();
@@ -1082,6 +1321,11 @@ test('exposes route details of incoming request to a route handler (POST + paylo
       path: '/',
       validate: { body: schema.object({ test: schema.number() }) },
       options: { body: { accepts: 'application/json' } },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => res.ok({ body: req.route })
   );
@@ -1103,6 +1347,11 @@ test('exposes route details of incoming request to a route handler (POST + paylo
         timeout: {
           payload: 10000,
         },
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
         body: {
           parse: true, // hapi populates the default
           maxBytes: 1024, // hapi populates the default
@@ -1123,6 +1372,11 @@ describe('body options', () => {
         path: '/',
         validate: { body: schema.object({ test: schema.number() }) },
         options: { body: { accepts: 'multipart/form-data' } }, // supertest sends 'application/json'
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
       },
       (context, req, res) => res.ok({ body: req.route })
     );
@@ -1145,6 +1399,11 @@ describe('body options', () => {
         path: '/',
         validate: { body: schema.object({ test: schema.number() }) },
         options: { body: { maxBytes: 1 } },
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
       },
       (context, req, res) => res.ok({ body: req.route })
     );
@@ -1167,6 +1426,11 @@ describe('body options', () => {
         path: '/',
         validate: { body: schema.buffer() },
         options: { body: { parse: false } },
+        security: {
+          authz: {
+            requiredPrivileges: ['foo'],
+          },
+        },
       },
       (context, req, res) => {
         expect(req.body).toBeInstanceOf(Buffer);
@@ -1200,6 +1464,11 @@ describe('timeout options', () => {
               payload: 300000,
             },
           },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1234,6 +1503,11 @@ describe('timeout options', () => {
               payload: 300000,
             },
           },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1267,6 +1541,11 @@ describe('timeout options', () => {
               payload: 300000,
             },
           },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1300,6 +1579,11 @@ describe('timeout options', () => {
               payload: 300000,
             },
           },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1335,6 +1619,11 @@ describe('timeout options', () => {
         {
           path: '/',
           validate: { body: schema.maybe(schema.any()) },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1371,6 +1660,11 @@ describe('timeout options', () => {
           path: '/',
           validate: { body: schema.maybe(schema.any()) },
           options: { timeout: { idleSocket: 12000 } },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({
@@ -1407,6 +1701,11 @@ describe('timeout options', () => {
               idleSocket: 10,
             },
           },
+          security: {
+            authz: {
+              requiredPrivileges: ['foo'],
+            },
+          },
         },
         (context, req, res) => {
           return res.ok({ body: { timeout: req.route.options.timeout } });
@@ -1429,6 +1728,11 @@ test('should return a stream in the body', async () => {
       path: '/',
       validate: { body: schema.stream() },
       options: { body: { output: 'stream' } },
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
     },
     (context, req, res) => {
       expect(req.body).toBeInstanceOf(Readable);
@@ -1454,11 +1758,33 @@ test('closes sockets on timeout', async () => {
   });
   const router = new Router('', logger, enhanceWithContext, routerOptions);
 
-  router.get({ path: '/a', validate: false }, async (context, req, res) => {
+  router.get(
-    await new Promise((resolve) => setTimeout(resolve, 2000));
+    {
-    return res.ok({});
+      path: '/a',
-  });
+      validate: false,
-  router.get({ path: '/b', validate: false }, (context, req, res) => res.ok({}));
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    async (context, req, res) => {
+      await new Promise((resolve) => setTimeout(resolve, 2000));
+      return res.ok({});
+    }
+  );
+  router.get(
+    {
+      path: '/b',
+      validate: false,
+      security: {
+        authz: {
+          requiredPrivileges: ['foo'],
+        },
+      },
+    },
+    (context, req, res) => res.ok({})
+  );
 
   registerRouter(router);
 

src/core/packages/http/server/src/router/route.ts

@@ -557,7 +557,7 @@ export interface RouteConfig<P, Q, B, Method extends RouteMethod> {
   /**
    * Defines the security requirements for a route, including authorization and authentication.
    */
-  security?: RouteSecurity;
+  security: RouteSecurity;
 
   /**
    * Additional route options {@link RouteConfigOptions}.

src/core/packages/metrics/server-internal/src/routes/elu_history.ts

@@ -36,9 +36,18 @@ export function registerEluHistoryRoute(router: IRouter, elu: () => EluMetrics)
       enableQueryVersion: true,
       path: '/api/_elu_history',
       options: {
-        authRequired: false,
         excludeFromRateLimiter: true,
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is used for internal monitoring and does not require authorization.',
+        },
+        authc: {
+          enabled: false,
+          reason: 'This route is used for internal monitoring and does not require authentication.',
+        },
+      },
     })
     .addVersion(
       {

src/core/server/integration_tests/execution_context/tracing.test.ts

@@ -74,11 +74,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -97,11 +104,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -120,11 +134,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -139,11 +160,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -158,17 +186,24 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asInternalUser.ping(
+          path: '/execution-context',
-          {},
+          validate: false,
-          {
+          security: { authz: { enabled: false, reason: '' } },
-            opaqueId: 'new-opaque-id',
+        },
-            meta: true,
+        async (context, req, res) => {
-          }
+          const esClient = (await context.core).elasticsearch.client;
-        );
+          const { headers } = await esClient.asInternalUser.ping(
-        return res.ok({ body: headers || {} });
+            {},
-      });
+            {
+              opaqueId: 'new-opaque-id',
+              meta: true,
+            }
+          );
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -206,11 +241,18 @@ describe('trace', () => {
         const { createRouter } = http;
 
         const router = createRouter<RequestHandlerContext>('');
-        router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+        router.get(
-          const esClient = (await context.core).elasticsearch.client;
+          {
-          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+            path: '/execution-context',
-          return res.ok({ body: headers || {} });
+            validate: false,
-        });
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          async (context, req, res) => {
+            const esClient = (await context.core).elasticsearch.client;
+            const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+            return res.ok({ body: headers || {} });
+          }
+        );
 
         await rootExecutionContextDisabled.start();
 
@@ -229,17 +271,24 @@ describe('trace', () => {
         const { createRouter } = http;
 
         const router = createRouter<RequestHandlerContext>('');
-        router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+        router.get(
-          executionContext.set(parentContext);
+          {
-          const esClient = (await context.core).elasticsearch.client;
+            path: '/execution-context',
-          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+            validate: false,
-          return res.ok({
+            security: { authz: { enabled: false, reason: '' } },
-            body: {
+          },
-              context: executionContext.get()?.toJSON(),
+          async (context, req, res) => {
-              header: headers?.['x-opaque-id'],
+            executionContext.set(parentContext);
-            },
+            const esClient = (await context.core).elasticsearch.client;
-          });
+            const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
-        });
+            return res.ok({
+              body: {
+                context: executionContext.get()?.toJSON(),
+                header: headers?.['x-opaque-id'],
+              },
+            });
+          }
+        );
 
         await rootExecutionContextDisabled.start();
 
@@ -262,10 +311,17 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set(parentContext);
+        {
-        return res.ok({ body: executionContext.get() });
+          path: '/execution-context',
-      });
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          executionContext.set(parentContext);
+          return res.ok({ body: executionContext.get() });
+        }
+      );
 
       await root.start();
       const response = await kbnServerRequest.get(root, '/execution-context').expect(200);
@@ -277,11 +333,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set(parentContext);
+        {
-        await delay(100);
+          path: '/execution-context',
-        return res.ok({ body: executionContext.get() });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          executionContext.set(parentContext);
+          await delay(100);
+          return res.ok({ body: executionContext.get() });
+        }
+      );
 
       await root.start();
       const response = await kbnServerRequest.get(root, '/execution-context').expect(200);
@@ -294,11 +357,18 @@ describe('trace', () => {
 
       const router = createRouter<RequestHandlerContext>('');
       let id = 42;
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set({ ...parentContext, id: String(id++) });
+        {
-        await delay(100);
+          path: '/execution-context',
-        return res.ok({ body: executionContext.get() });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          executionContext.set({ ...parentContext, id: String(id++) });
+          await delay(100);
+          return res.ok({ body: executionContext.get() });
+        }
+      );
 
       await root.start();
       const responseA = await kbnServerRequest.get(root, '/execution-context').expect(200);
@@ -314,11 +384,18 @@ describe('trace', () => {
 
       const router = createRouter<RequestHandlerContext>('');
       let id = 2;
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set({ ...parentContext, id: String(id) });
+        {
-        await delay(id-- * 100);
+          path: '/execution-context',
-        return res.ok({ body: executionContext.get() });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          executionContext.set({ ...parentContext, id: String(id) });
+          await delay(id-- * 100);
+          return res.ok({ body: executionContext.get() });
+        }
+      );
 
       await root.start();
       const responseA = kbnServerRequest.get(root, '/execution-context');
@@ -342,13 +419,20 @@ describe('trace', () => {
 
       const router = createRouter<RequestHandlerContext>('');
       let id = 2;
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set(parentContext);
+        {
-        await delay(id-- * 100);
+          path: '/execution-context',
-        const esClient = (await context.core).elasticsearch.client;
+          validate: false,
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          security: { authz: { enabled: false, reason: '' } },
-        return res.ok({ body: headers || {} });
+        },
-      });
+        async (context, req, res) => {
+          executionContext.set(parentContext);
+          await delay(id-- * 100);
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
       const responseA = kbnServerRequest
@@ -376,8 +460,13 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, (context, req, res) =>
+      router.get(
-        res.ok({ body: executionContext.get() })
+        {
+          path: '/execution-context',
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        (context, req, res) => res.ok({ body: executionContext.get() })
       );
 
       await root.start();
@@ -394,11 +483,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
       const response = await kbnServerRequest
@@ -428,9 +524,16 @@ describe('trace', () => {
       } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        return res.ok({ body: executionContext.get()?.toJSON() });
+        {
-      });
+          path: '/execution-context',
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          return res.ok({ body: executionContext.get()?.toJSON() });
+        }
+      );
 
       let onPreRoutingContext;
       registerOnPreRouting((request, response, t) => {
@@ -482,11 +585,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -504,11 +614,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asInternalUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -526,11 +643,18 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        const esClient = (await context.core).elasticsearch.client;
+        {
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          path: '/execution-context',
-        return res.ok({ body: headers || {} });
+          validate: false,
-      });
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        async (context, req, res) => {
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -549,12 +673,19 @@ describe('trace', () => {
       const { createRouter } = http;
 
       const router = createRouter<RequestHandlerContext>('');
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set(parentContext);
+        {
-        const esClient = (await context.core).elasticsearch.client;
+          path: '/execution-context',
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          validate: false,
-        return res.ok({ body: headers || {} });
+          security: { authz: { enabled: false, reason: '' } },
-      });
+        },
+        async (context, req, res) => {
+          executionContext.set(parentContext);
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -579,12 +710,19 @@ describe('trace', () => {
         id: '42',
         description: 'какое-то описание',
       };
-      router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+      router.get(
-        executionContext.set(ctx);
+        {
-        const esClient = (await context.core).elasticsearch.client;
+          path: '/execution-context',
-        const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          validate: false,
-        return res.ok({ body: headers || {} });
+          security: { authz: { enabled: false, reason: '' } },
-      });
+        },
+        async (context, req, res) => {
+          executionContext.set(ctx);
+          const esClient = (await context.core).elasticsearch.client;
+          const { headers } = await esClient.asCurrentUser.ping({}, { meta: true });
+          return res.ok({ body: headers || {} });
+        }
+      );
 
       await root.start();
 
@@ -600,11 +738,18 @@ describe('trace', () => {
         const { createRouter } = http;
 
         const router = createRouter<RequestHandlerContext>('');
-        router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+        router.get(
-          return executionContext.withContext(parentContext, () =>
+          {
-            res.ok({ body: executionContext.get() })
+            path: '/execution-context',
-          );
+            validate: false,
-        });
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          async (context, req, res) => {
+            return executionContext.withContext(parentContext, () =>
+              res.ok({ body: executionContext.get() })
+            );
+          }
+        );
 
         await root.start();
         const response = await kbnServerRequest.get(root, '/execution-context').expect(200);
@@ -622,15 +767,22 @@ describe('trace', () => {
           id: '43',
           description: 'nested-description',
         };
-        router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+        router.get(
-          return executionContext.withContext(parentContext, async () => {
+          {
-            await delay(100);
+            path: '/execution-context',
-            return executionContext.withContext(nestedContext, async () => {
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          async (context, req, res) => {
+            return executionContext.withContext(parentContext, async () => {
               await delay(100);
-              return res.ok({ body: executionContext.get() });
+              return executionContext.withContext(nestedContext, async () => {
+                await delay(100);
+                return res.ok({ body: executionContext.get() });
+              });
             });
-          });
+          }
-        });
+        );
 
         await root.start();
         const response = await kbnServerRequest.get(root, '/execution-context').expect(200);
@@ -648,13 +800,20 @@ describe('trace', () => {
           id: '41',
           description: 'new-description',
         };
-        router.get({ path: '/execution-context', validate: false }, async (context, req, res) => {
+        router.get(
-          const esClient = (await context.core).elasticsearch.client;
+          {
-          const { headers } = await executionContext.withContext(newContext, () => {
+            path: '/execution-context',
-            return esClient.asCurrentUser.ping({}, { meta: true });
+            validate: false,
-          });
+            security: { authz: { enabled: false, reason: '' } },
-          return res.ok({ body: headers || {} });
+          },
-        });
+          async (context, req, res) => {
+            const esClient = (await context.core).elasticsearch.client;
+            const { headers } = await executionContext.withContext(newContext, () => {
+              return esClient.asCurrentUser.ping({}, { meta: true });
+            });
+            return res.ok({ body: headers || {} });
+          }
+        );
 
         await root.start();
 

src/core/server/integration_tests/http/cookie_session_storage.test.ts

@@ -121,11 +121,14 @@ describe('Cookie based SessionStorage', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('');
 
-      router.get({ path, validate: false }, (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path, validate: false, security: { authz: { enabled: false, reason: '' } } },
-        sessionStorage.set(sessVal());
+        (context, req, res) => {
-        return res.ok({});
+          const sessionStorage = factory.asScoped(req);
-      });
+          sessionStorage.set(sessVal());
+          return res.ok({});
+        }
+      );
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -156,15 +159,18 @@ describe('Cookie based SessionStorage', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('');
 
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        const sessionValue = await sessionStorage.get();
+        async (context, req, res) => {
-        if (!sessionValue) {
+          const sessionStorage = factory.asScoped(req);
-          sessionStorage.set(sessVal());
+          const sessionValue = await sessionStorage.get();
-          return res.ok();
+          if (!sessionValue) {
+            sessionStorage.set(sessVal());
+            return res.ok();
+          }
+          return res.ok({ body: { value: sessionValue.value } });
         }
-        return res.ok({ body: { value: sessionValue.value } });
+      );
-      });
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -193,11 +199,14 @@ describe('Cookie based SessionStorage', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
 
       const router = createRouter('');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        const sessionValue = await sessionStorage.get();
+        async (context, req, res) => {
-        return res.ok({ body: { value: sessionValue } });
+          const sessionStorage = factory.asScoped(req);
-      });
+          const sessionValue = await sessionStorage.get();
+          return res.ok({ body: { value: sessionValue } });
+        }
+      );
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -220,16 +229,19 @@ describe('Cookie based SessionStorage', () => {
       const router = createRouter('');
 
       let setOnce = false;
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        if (!setOnce) {
+        async (context, req, res) => {
-          setOnce = true;
+          const sessionStorage = factory.asScoped(req);
-          sessionStorage.set(sessVal());
+          if (!setOnce) {
-          return res.ok({ body: { value: userData } });
+            setOnce = true;
+            sessionStorage.set(sessVal());
+            return res.ok({ body: { value: userData } });
+          }
+          const sessionValue = await sessionStorage.get();
+          return res.ok({ body: { value: sessionValue } });
         }
-        const sessionValue = await sessionStorage.get();
+      );
-        return res.ok({ body: { value: sessionValue } });
-      });
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -267,16 +279,19 @@ describe('Cookie based SessionStorage', () => {
       const router = createRouter('');
 
       let setOnce = false;
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        if (!setOnce) {
+        async (context, req, res) => {
-          setOnce = true;
+          const sessionStorage = factory.asScoped(req);
-          sessionStorage.set({ ...sessVal(), path: '/foo' });
+          if (!setOnce) {
-          return res.ok({ body: { value: userData } });
+            setOnce = true;
+            sessionStorage.set({ ...sessVal(), path: '/foo' });
+            return res.ok({ body: { value: userData } });
+          }
+          const sessionValue = await sessionStorage.get();
+          return res.ok({ body: { value: sessionValue } });
         }
-        const sessionValue = await sessionStorage.get();
+      );
-        return res.ok({ body: { value: sessionValue } });
-      });
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -409,15 +424,18 @@ describe('Cookie based SessionStorage', () => {
 
       const router = createRouter('');
 
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        const sessionStorage = factory.asScoped(req);
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        if (await sessionStorage.get()) {
+        async (context, req, res) => {
-          sessionStorage.clear();
+          const sessionStorage = factory.asScoped(req);
+          if (await sessionStorage.get()) {
+            sessionStorage.clear();
+            return res.ok({});
+          }
+          sessionStorage.set(sessVal());
           return res.ok({});
         }
-        sessionStorage.set(sessVal());
+      );
-        return res.ok({});
-      });
 
       const factory = await createCookieSessionStorageFactory(
         logger.get(),
@@ -471,15 +489,18 @@ describe('Cookie based SessionStorage', () => {
           const { server: innerServer, createRouter } = await server.setup(setupDeps);
           const router = createRouter('');
 
-          router.get({ path: '/', validate: false }, async (context, req, res) => {
+          router.get(
-            const sessionStorage = factory.asScoped(req);
+            { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-            const sessionValue = await sessionStorage.get();
+            async (context, req, res) => {
-            if (!sessionValue) {
+              const sessionStorage = factory.asScoped(req);
-              sessionStorage.set(sessVal());
+              const sessionValue = await sessionStorage.get();
-              return res.ok();
+              if (!sessionValue) {
+                sessionStorage.set(sessVal());
+                return res.ok();
+              }
+              return res.ok({ body: { value: sessionValue.value } });
             }
-            return res.ok({ body: { value: sessionValue.value } });
+          );
-          });
 
           const factory = await createCookieSessionStorageFactory(
             logger.get(),

src/core/server/integration_tests/http/core_services.test.ts

@@ -54,8 +54,13 @@ describe('http service', () => {
         registerAuth((req, res, toolkit) => toolkit.authenticated());
 
         const router = createRouter('');
-        router.get({ path: '/is-auth', validate: false }, (context, req, res) =>
+        router.get(
-          res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
+          {
+            path: '/is-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          (context, req, res) => res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
         );
 
         await root.start();
@@ -70,7 +75,12 @@ describe('http service', () => {
 
         const router = createRouter('');
         router.get(
-          { path: '/is-auth', validate: false, options: { authRequired: false } },
+          {
+            path: '/is-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { authRequired: false },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
         );
 
@@ -84,7 +94,12 @@ describe('http service', () => {
 
         const router = createRouter('');
         router.get(
-          { path: '/is-auth', validate: false, options: { authRequired: false } },
+          {
+            path: '/is-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { authRequired: false },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
         );
 
@@ -99,7 +114,12 @@ describe('http service', () => {
         registerAuth((req, res, toolkit) => toolkit.authenticated());
         const router = createRouter('');
         router.get(
-          { path: '/is-auth', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/is-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
         );
 
@@ -115,7 +135,12 @@ describe('http service', () => {
 
         const router = createRouter('');
         router.get(
-          { path: '/is-auth', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/is-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: auth.isAuthenticated(req) } })
         );
 
@@ -136,8 +161,13 @@ describe('http service', () => {
         });
 
         const router = createRouter('');
-        router.get({ path: '/get-auth', validate: false }, (context, req, res) =>
+        router.get(
-          res.ok({ body: auth.get<{ id: string }>(req) })
+          {
+            path: '/get-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          (context, req, res) => res.ok({ body: auth.get<{ id: string }>(req) })
         );
 
         await root.start();
@@ -150,8 +180,13 @@ describe('http service', () => {
         const { createRouter, auth } = http;
 
         const router = createRouter('');
-        router.get({ path: '/get-auth', validate: false }, (context, req, res) =>
+        router.get(
-          res.ok({ body: auth.get(req) })
+          {
+            path: '/get-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+          },
+          (context, req, res) => res.ok({ body: auth.get(req) })
         );
 
         await root.start();
@@ -166,7 +201,12 @@ describe('http service', () => {
         registerAuth(authenticate);
         const router = createRouter('');
         router.get(
-          { path: '/get-auth', validate: false, options: { authRequired: false } },
+          {
+            path: '/get-auth',
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { authRequired: false },
+          },
           (context, req, res) => res.ok({ body: auth.get(req) })
         );
 
@@ -221,10 +261,13 @@ describe('http service', () => {
       );
 
       const router = createRouter('/new-platform');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        await elasticsearch.client.asScoped(req).asInternalUser.ping();
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        return res.ok();
+        async (context, req, res) => {
-      });
+          await elasticsearch.client.asScoped(req).asInternalUser.ping();
+          return res.ok();
+        }
+      );
 
       const coreStart = await root.start();
       elasticsearch = coreStart.elasticsearch;
@@ -257,10 +300,13 @@ describe('http service', () => {
       );
 
       const router = createRouter('/new-platform');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        await elasticsearch.client.asScoped(req).asInternalUser.ping();
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        return res.ok();
+        async (context, req, res) => {
-      });
+          await elasticsearch.client.asScoped(req).asInternalUser.ping();
+          return res.ok();
+        }
+      );
 
       const coreStart = await root.start();
       elasticsearch = coreStart.elasticsearch;
@@ -294,20 +340,23 @@ describe('http service', () => {
       );
 
       const router = createRouter('/new-platform');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        try {
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-          const result = await elasticsearch.client
+        async (context, req, res) => {
-            .asScoped(req)
+          try {
-            .asInternalUser.ping({}, { meta: true });
+            const result = await elasticsearch.client
-          return res.ok({
+              .asScoped(req)
-            body: result,
+              .asInternalUser.ping({}, { meta: true });
-          });
+            return res.ok({
-        } catch (e) {
+              body: result,
-          return res.badRequest({
+            });
-            body: e,
+          } catch (e) {
-          });
+            return res.badRequest({
+              body: e,
+            });
+          }
         }
-      });
+      );
 
       const coreStart = await root.start();
       elasticsearch = coreStart.elasticsearch;

src/core/server/integration_tests/http/http2_protocol.test.ts

@@ -85,26 +85,38 @@ describe('Http2 - Smoke tests', () => {
         },
       });
 
-      router.post({ path: '/', validate: false }, async (context, req, res) => {
+      router.post(
-        return res.ok({
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-          body: { protocol: req.protocol, httpVersion: req.httpVersion },
+        async (context, req, res) => {
-        });
+          return res.ok({
-      });
+            body: { protocol: req.protocol, httpVersion: req.httpVersion },
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+          });
-        return res.ok({
+        }
-          body: { protocol: req.protocol, httpVersion: req.httpVersion },
+      );
-        });
+      router.get(
-      });
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      router.put({ path: '/', validate: false }, async (context, req, res) => {
+        async (context, req, res) => {
-        return res.ok({
+          return res.ok({
-          body: { protocol: req.protocol, httpVersion: req.httpVersion },
+            body: { protocol: req.protocol, httpVersion: req.httpVersion },
-        });
+          });
-      });
+        }
-      router.delete({ path: '/', validate: false }, async (context, req, res) => {
+      );
-        return res.ok({
+      router.put(
-          body: { protocol: req.protocol, httpVersion: req.httpVersion },
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        });
+        async (context, req, res) => {
-      });
+          return res.ok({
+            body: { protocol: req.protocol, httpVersion: req.httpVersion },
+          });
+        }
+      );
+      router.delete(
+        { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+        async (context, req, res) => {
+          return res.ok({
+            body: { protocol: req.protocol, httpVersion: req.httpVersion },
+          });
+        }
+      );
 
       registerRouter(router);
 
@@ -188,14 +200,21 @@ describe('Http2 - Smoke tests', () => {
         },
       });
 
-      router.get({ path: '/illegal_headers', validate: false }, async (context, req, res) => {
+      router.get(
-        return res.ok({
+        {
-          headers: {
+          path: '/illegal_headers',
-            connection: 'close',
+          validate: false,
-          },
+          security: { authz: { enabled: false, reason: '' } },
-          body: { protocol: req.protocol },
+        },
-        });
+        async (context, req, res) => {
-      });
+          return res.ok({
+            headers: {
+              connection: 'close',
+            },
+            body: { protocol: req.protocol },
+          });
+        }
+      );
 
       registerRouter(router);
 

src/core/server/integration_tests/http/http_auth.test.ts

@@ -34,6 +34,7 @@ describe('http auth', () => {
     router.get(
       {
         path: '/route',
+        security: { authz: { enabled: false, reason: '' } },
         validate: false,
         options: {
           authRequired,

src/core/server/integration_tests/http/http_server.test.ts

@@ -73,6 +73,7 @@ describe('Http server', () => {
       router.post(
         {
           path: '/',
+          security: { authz: { enabled: false, reason: '' } },
           validate: false,
           options: { body: { accepts: 'application/json' } },
         },

src/core/server/integration_tests/http/lifecycle.test.ts

@@ -62,7 +62,10 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     const callingOrder: string[] = [];
     registerOnPreRouting((req, res, t) => {
@@ -89,11 +92,17 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/initial', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({ body: 'initial' })
+      { path: '/initial', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'initial' })
     );
-    router.get({ path: '/redirectUrl', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({ body: 'redirected' })
+      {
+        path: '/redirectUrl',
+        validate: false,
+        security: { authz: { enabled: false, reason: '' } },
+      },
+      (context, req, res) => res.ok({ body: 'redirected' })
     );
 
     let urlBeforeForwarding;
@@ -125,15 +134,18 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/login', validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({
+      { path: '/login', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        body: {
+      (context, req, res) => {
-          rewrittenUrl: req.rewrittenUrl
+        return res.ok({
-            ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
+          body: {
-            : undefined,
+            rewrittenUrl: req.rewrittenUrl
-        },
+              ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
-      });
+              : undefined,
-    });
+          },
+        });
+      }
+    );
 
     registerOnPreRouting((req, res, t) => t.rewriteUrl('/login'));
 
@@ -152,15 +164,18 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/reroute-2', validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({
+      { path: '/reroute-2', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        body: {
+      (context, req, res) => {
-          rewrittenUrl: req.rewrittenUrl
+        return res.ok({
-            ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
+          body: {
-            : undefined,
+            rewrittenUrl: req.rewrittenUrl
-        },
+              ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
-      });
+              : undefined,
-    });
+          },
+        });
+      }
+    );
 
     registerOnPreRouting((req, res, t) => t.rewriteUrl('/reroute-1'));
     registerOnPreRouting((req, res, t) => t.rewriteUrl('/reroute-2'));
@@ -180,15 +195,18 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/login', validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({
+      { path: '/login', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        body: {
+      (context, req, res) => {
-          rewrittenUrl: req.rewrittenUrl
+        return res.ok({
-            ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
+          body: {
-            : undefined,
+            rewrittenUrl: req.rewrittenUrl
-        },
+              ? `${req.rewrittenUrl.pathname}${req.rewrittenUrl.search}`
-      });
+              : undefined,
-    });
+          },
+        });
+      }
+    );
 
     registerOnPreRouting((req, res, t) => t.next());
 
@@ -206,7 +224,10 @@ describe('OnPreRouting', () => {
     const router = createRouter('/');
 
     const redirectUrl = '/redirectUrl';
-    router.get({ path: '/initial', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/initial', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreRouting((req, res, t) =>
       res.redirected({
@@ -230,7 +251,10 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreRouting((req, res, t) =>
       res.unauthorized({
@@ -254,7 +278,10 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreRouting((req, res, t) => {
       throw new Error('reason');
@@ -283,7 +310,10 @@ describe('OnPreRouting', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreRouting((req, res, t) => ({} as any));
     await server.start();
@@ -322,9 +352,11 @@ describe('OnPreRouting', () => {
       }
       return t.next();
     });
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      // don't complain customField is not defined on Request type
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      res.ok({ body: { customField: String((req as any).customField) } })
+      (context, req, res) =>
+        // don't complain customField is not defined on Request type
+        res.ok({ body: { customField: String((req as any).customField) } })
     );
 
     await server.start();
@@ -338,7 +370,10 @@ describe('OnPreAuth', () => {
     const { registerOnPreAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     const callingOrder: string[] = [];
     registerOnPreAuth((req, res, t) => {
@@ -362,7 +397,10 @@ describe('OnPreAuth', () => {
     const router = createRouter('/');
 
     const redirectUrl = '/redirectUrl';
-    router.get({ path: '/initial', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/initial', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreAuth((req, res, t) =>
       res.redirected({
@@ -382,7 +420,10 @@ describe('OnPreAuth', () => {
     const { registerOnPreAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreAuth((req, res, t) =>
       res.unauthorized({
@@ -402,7 +443,10 @@ describe('OnPreAuth', () => {
     const { registerOnPreAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreAuth((req, res, t) => {
       throw new Error('reason');
@@ -427,7 +471,10 @@ describe('OnPreAuth', () => {
     const { registerOnPreAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPreAuth((req, res, t) => ({} as any));
     await server.start();
@@ -462,9 +509,11 @@ describe('OnPreAuth', () => {
       }
       return t.next();
     });
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      // @ts-expect-error customField property is not defined on request object
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      res.ok({ body: { customField: String(req.customField) } })
+      (context, req, res) =>
+        // @ts-expect-error customField property is not defined on request object
+        res.ok({ body: { customField: String(req.customField) } })
     );
 
     await server.start();
@@ -484,6 +533,7 @@ describe('OnPreAuth', () => {
     router.post(
       {
         path: '/',
+        security: { authz: { enabled: false, reason: '' } },
         validate: {
           body: schema.object({
             term: schema.string(),
@@ -511,7 +561,10 @@ describe('OnPostAuth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     const callingOrder: string[] = [];
     registerOnPostAuth((req, res, t) => {
@@ -535,7 +588,10 @@ describe('OnPostAuth', () => {
     const router = createRouter('/');
 
     const redirectUrl = '/redirectUrl';
-    router.get({ path: '/initial', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/initial', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     registerOnPostAuth((req, res, t) =>
       res.redirected({
@@ -555,7 +611,10 @@ describe('OnPostAuth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok(undefined));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok(undefined)
+    );
     registerOnPostAuth((req, res, t) =>
       res.unauthorized({
         headers: {
@@ -574,7 +633,10 @@ describe('OnPostAuth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok(undefined));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok(undefined)
+    );
     registerOnPostAuth((req, res, t) => {
       throw new Error('reason');
     });
@@ -598,7 +660,10 @@ describe('OnPostAuth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerOnPostAuth((req, res, t) => ({} as any));
     await server.start();
 
@@ -633,9 +698,11 @@ describe('OnPostAuth', () => {
       return t.next();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      // don't complain customField is not defined on Request type
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      res.ok({ body: { customField: String((req as any).customField) } })
+      (context, req, res) =>
+        // don't complain customField is not defined on Request type
+        res.ok({ body: { customField: String((req as any).customField) } })
     );
 
     await server.start();
@@ -655,6 +722,7 @@ describe('OnPostAuth', () => {
     router.post(
       {
         path: '/',
+        security: { authz: { enabled: false, reason: '' } },
         validate: {
           body: schema.object({
             term: schema.string(),
@@ -697,8 +765,9 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({ body: { content: 'ok' } })
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: { content: 'ok' } })
     );
     registerAuth((req, res, t) => t.authenticated());
     await server.start();
@@ -710,8 +779,9 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({ body: { content: 'ok' } })
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: { content: 'ok' } })
     );
     registerAuth((req, res, t) => t.notHandled());
     await server.start();
@@ -725,8 +795,9 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({ body: { authRequired: req.route.options.authRequired } })
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
     );
     const authenticate = jest.fn().mockImplementation((req, res, t) => t.authenticated());
     registerAuth(authenticate);
@@ -742,7 +813,12 @@ describe('Auth', () => {
     const router = createRouter('/');
 
     router.get(
-      { path: '/', validate: false, options: { authRequired: false } },
+      {
+        path: '/',
+        validate: false,
+        security: { authz: { enabled: false, reason: '' } },
+        options: { authRequired: false },
+      },
       (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
     );
 
@@ -760,7 +836,12 @@ describe('Auth', () => {
     const router = createRouter('/');
 
     router.get(
-      { path: '/', validate: false, options: { authRequired: true } },
+      {
+        path: '/',
+        validate: false,
+        security: { authz: { enabled: false, reason: '' } },
+        options: { authRequired: true },
+      },
       (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
     );
 
@@ -777,7 +858,10 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerAuth((req, res) => res.unauthorized());
     await server.start();
 
@@ -788,7 +872,10 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     const redirectTo = '/redirect-url';
     registerAuth((req, res, t) =>
       t.redirected({
@@ -805,7 +892,10 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerAuth((req, res, t) => t.redirected({} as any));
     await server.start();
 
@@ -816,7 +906,10 @@ describe('Auth', () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerAuth((req, t) => {
       throw new Error('reason');
     });
@@ -845,7 +938,10 @@ describe('Auth', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
 
     const sessionStorageFactory = await createCookieSessionStorageFactory<StorageData>(
       cookieOptions
@@ -895,12 +991,22 @@ describe('Auth', () => {
       return toolkit.authenticated();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
-    router.get({ path: '/with-cookie', validate: false }, (context, req, res) => {
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      const sessionStorage = sessionStorageFactory.asScoped(req);
+      (context, req, res) => res.ok()
-      sessionStorage.clear();
+    );
-      return res.ok();
+    router.get(
-    });
+      {
+        path: '/with-cookie',
+        validate: false,
+        security: { authz: { enabled: false, reason: '' } },
+      },
+      (context, req, res) => {
+        const sessionStorage = sessionStorageFactory.asScoped(req);
+        sessionStorage.clear();
+        return res.ok();
+      }
+    );
     await server.start();
 
     const responseToSetCookie = await supertest(innerServer.listener).get('/').expect(200);
@@ -946,10 +1052,13 @@ describe('Auth', () => {
 
     let fromRouteHandler;
 
-    router.get({ path: '/', validate: false }, (context, req, res) => {
+    router.get(
-      fromRouteHandler = req.headers.authorization;
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      return res.ok();
+      (context, req, res) => {
-    });
+        fromRouteHandler = req.headers.authorization;
+        return res.ok();
+      }
+    );
     await server.start();
 
     const token = 'Basic: user:password';
@@ -972,7 +1081,10 @@ describe('Auth', () => {
       return toolkit.authenticated({ responseHeaders: authResponseHeader });
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     await server.start();
 
     const response = await supertest(innerServer.listener).get('/').expect(200);
@@ -991,7 +1103,10 @@ describe('Auth', () => {
       return toolkit.authenticated({ responseHeaders: authResponseHeader });
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.badRequest());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.badRequest()
+    );
     await server.start();
 
     const response = await supertest(innerServer.listener).get('/').expect(400);
@@ -1011,13 +1126,15 @@ describe('Auth', () => {
       return toolkit.authenticated({ responseHeaders: authResponseHeader });
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) =>
-          'www-authenticate': 'from handler',
+        res.ok({
-          'another-header': 'yet another header',
+          headers: {
-        },
+            'www-authenticate': 'from handler',
-      })
+            'another-header': 'yet another header',
+          },
+        })
     );
     await server.start();
 
@@ -1043,12 +1160,14 @@ describe('Auth', () => {
       return toolkit.authenticated({ responseHeaders: authResponseHeader });
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.badRequest({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) =>
-          'www-authenticate': 'from handler',
+        res.badRequest({
-        },
+          headers: {
-      })
+            'www-authenticate': 'from handler',
+          },
+        })
     );
     await server.start();
 
@@ -1072,7 +1191,10 @@ describe('Auth', () => {
     const router = createRouter('/');
 
     const redirectUrl = '/redirectUrl';
-    router.get({ path: '/initial', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/initial', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerOnPostAuth((req, res, t) =>
       res.redirected({
         headers: {
@@ -1091,7 +1213,10 @@ describe('Auth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok(undefined));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok(undefined)
+    );
 
     registerOnPostAuth((req, res, t) =>
       res.unauthorized({
@@ -1111,7 +1236,10 @@ describe('Auth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok(undefined));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok(undefined)
+    );
     registerOnPostAuth((req, res, t) => {
       throw new Error('reason');
     });
@@ -1135,7 +1263,10 @@ describe('Auth', () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerOnPostAuth((req, res, t) => ({} as any));
     await server.start();
 
@@ -1169,9 +1300,11 @@ describe('Auth', () => {
       }
       return t.next();
     });
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      // don't complain customField is not defined on Request type
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-      res.ok({ body: { customField: String((req as any).customField) } })
+      (context, req, res) =>
+        // don't complain customField is not defined on Request type
+        res.ok({ body: { customField: String((req as any).customField) } })
     );
 
     await server.start();
@@ -1191,6 +1324,7 @@ describe('Auth', () => {
     router.post(
       {
         path: '/',
+        security: { authz: { enabled: false, reason: '' } },
         validate: {
           body: schema.object({
             term: schema.string(),
@@ -1222,7 +1356,10 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     const callingOrder: string[] = [];
     registerOnPreResponse((req, res, t) => {
@@ -1249,12 +1386,14 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) =>
-          'x-my-header': 'foo',
+        res.ok({
-        },
+          headers: {
-      })
+            'x-my-header': 'foo',
+          },
+        })
     );
 
     registerOnPreResponse((req, res, t) =>
@@ -1280,10 +1419,12 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: { 'x-kibana-header': 'value' },
+      (context, req, res) =>
-      })
+        res.ok({
+          headers: { 'x-kibana-header': 'value' },
+        })
     );
     registerOnPreResponse((req, res, t) =>
       t.next({
@@ -1309,7 +1450,10 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok(undefined));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok(undefined)
+    );
     registerOnPreResponse((req, res, t) => {
       throw new Error('reason');
     });
@@ -1337,7 +1481,10 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok()
+    );
     registerOnPreResponse((req, res, t) => ({} as any));
     await server.start();
 
@@ -1368,7 +1515,10 @@ describe('OnPreResponse', () => {
       return t.next();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     await server.start();
 
@@ -1391,6 +1541,7 @@ describe('OnPreResponse', () => {
     router.post(
       {
         path: '/',
+        security: { authz: { enabled: false, reason: '' } },
         validate: {
           body: schema.object({
             term: schema.string(),
@@ -1420,14 +1571,17 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) => {
-          'Original-Header-A': 'A',
+        return res.ok({
-        },
+          headers: {
-        body: 'original',
+            'Original-Header-A': 'A',
-      });
+          },
-    });
+          body: 'original',
+        });
+      }
+    );
 
     registerOnPreResponse((req, res, t) => {
       return t.render({ body: 'overridden' });
@@ -1448,15 +1602,18 @@ describe('OnPreResponse', () => {
     } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) => {
-          'Original-Header-A': 'A',
+        return res.ok({
-          'Original-Header-B': 'B',
+          headers: {
-        },
+            'Original-Header-A': 'A',
-        body: 'original',
+            'Original-Header-B': 'B',
-      });
+          },
-    });
+          body: 'original',
+        });
+      }
+    );
 
     registerOnPreResponse((req, res, t) => {
       return t.render({
@@ -1483,15 +1640,17 @@ describe('runs with default preResponse handlers', () => {
     const { server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
 
-    router.get({ path: '/', validate: false }, (context, req, res) =>
+    router.get(
-      res.ok({
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
-        headers: {
+      (context, req, res) =>
-          foo: 'bar',
+        res.ok({
-          'kbn-name': 'hijacked!',
+          headers: {
-          'Content-Security-Policy': 'hijacked!',
+            foo: 'bar',
-          'Content-Security-Policy-Report-Only': 'hijacked!',
+            'kbn-name': 'hijacked!',
-        },
+            'Content-Security-Policy': 'hijacked!',
-      })
+            'Content-Security-Policy-Report-Only': 'hijacked!',
+          },
+        })
     );
     await server.start();
 
@@ -1520,6 +1679,7 @@ describe('runs with default preResponse deprecation handlers', () => {
       {
         path: '/deprecated',
         validate: false,
+        security: { authz: { enabled: false, reason: '' } },
         options: {
           deprecated: {
             documentationUrl: 'https://fake-url.com',
@@ -1547,6 +1707,7 @@ describe('runs with default preResponse deprecation handlers', () => {
       {
         path: '/test',
         validate: false,
+        security: { authz: { enabled: false, reason: '' } },
       },
       (context, req, res) => res.ok({})
     );
@@ -1567,6 +1728,7 @@ describe('runs with default preResponse deprecation handlers', () => {
       {
         path: '/deprecated',
         validate: false,
+        security: { authz: { enabled: false, reason: '' } },
         options: {
           deprecated: {
             documentationUrl: 'https://fake-url.com',
@@ -1593,11 +1755,13 @@ describe('runs with default preResponse deprecation handlers', () => {
       .get({
         access: 'internal',
         path: '/test',
+        security: { authz: { enabled: false, reason: '' } },
       })
       .addVersion(
         {
           version: '1',
           validate: false,
+          security: { authz: { enabled: false, reason: '' } },
           options: {
             deprecated: {
               documentationUrl: 'https://fake-url.com',
@@ -1615,6 +1779,7 @@ describe('runs with default preResponse deprecation handlers', () => {
         {
           version: '2',
           validate: false,
+          security: { authz: { enabled: false, reason: '' } },
         },
         async (ctx, req, res) => {
           return res.ok({ body: { v: '2' } });
@@ -1649,11 +1814,13 @@ describe('runs with default preResponse deprecation handlers', () => {
       .get({
         access: 'internal',
         path: '/test',
+        security: { authz: { enabled: false, reason: '' } },
       })
       .addVersion(
         {
           version: '1',
           validate: false,
+          security: { authz: { enabled: false, reason: '' } },
           options: {
             deprecated: {
               documentationUrl: 'https://fake-url.com',
@@ -1671,6 +1838,7 @@ describe('runs with default preResponse deprecation handlers', () => {
         {
           version: '2',
           validate: false,
+          security: { authz: { enabled: false, reason: '' } },
         },
         async (ctx, req, res) => {
           return res.ok({ body: { v: '2' } });
@@ -1733,7 +1901,10 @@ describe('run interceptors in the right order', () => {
       return t.next();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     await server.start();
 
@@ -1777,7 +1948,10 @@ describe('run interceptors in the right order', () => {
       return t.next();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     await server.start();
 
@@ -1820,7 +1994,10 @@ describe('run interceptors in the right order', () => {
       return t.next();
     });
 
-    router.get({ path: '/', validate: false }, (context, req, res) => res.ok({ body: 'ok' }));
+    router.get(
+      { path: '/', validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => res.ok({ body: 'ok' })
+    );
 
     await server.start();
 

src/core/server/integration_tests/http/lifecycle_handlers.test.ts

@@ -78,9 +78,12 @@ describe('core lifecycle handlers', () => {
     const testRoute = '/version_check/test/route';
 
     beforeEach(async () => {
-      router.get({ path: testRoute, validate: false }, (context, req, res) => {
+      router.get(
-        return res.ok({ body: 'ok' });
+        { path: testRoute, validate: false, security: { authz: { enabled: false, reason: '' } } },
-      });
+        (context, req, res) => {
+          return res.ok({ body: 'ok' });
+        }
+      );
       await server.start();
     });
 
@@ -123,12 +126,22 @@ describe('core lifecycle handlers', () => {
     };
 
     beforeEach(async () => {
-      router.get({ path: testRoute, validate: false }, (context, req, res) => {
+      router.get(
-        return res.ok({ body: 'ok' });
+        { path: testRoute, validate: false, security: { authz: { enabled: false, reason: '' } } },
-      });
+        (context, req, res) => {
-      router.get({ path: testErrorRoute, validate: false }, (context, req, res) => {
+          return res.ok({ body: 'ok' });
-        return res.badRequest({ body: 'bad request' });
+        }
-      });
+      );
+      router.get(
+        {
+          path: testErrorRoute,
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+        },
+        (context, req, res) => {
+          return res.badRequest({ body: 'bad request' });
+        }
+      );
       await server.start();
     });
 
@@ -155,25 +168,37 @@ describe('core lifecycle handlers', () => {
     };
 
     beforeEach(async () => {
-      router.get({ path: testPath, validate: false }, (context, req, res) => {
+      router.get(
-        return res.ok({ body: 'ok' });
+        { path: testPath, validate: false, security: { authz: { enabled: false, reason: '' } } },
-      });
+        (context, req, res) => {
+          return res.ok({ body: 'ok' });
+        }
+      );
 
       destructiveMethods.forEach((method) => {
         ((router as any)[method.toLowerCase()] as RouteRegistrar<any, any>)<any, any, any>(
-          { path: testPath, validate: false },
+          { path: testPath, validate: false, security: { authz: { enabled: false, reason: '' } } },
           (context, req, res) => {
             return res.ok({ body: 'ok' });
           }
         );
         ((router as any)[method.toLowerCase()] as RouteRegistrar<any, any>)<any, any, any>(
-          { path: allowlistedTestPath, validate: false },
+          {
+            path: allowlistedTestPath,
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+          },
           (context, req, res) => {
             return res.ok({ body: 'ok' });
           }
         );
         ((router as any)[method.toLowerCase()] as RouteRegistrar<any, any>)<any, any, any>(
-          { path: xsrfDisabledTestPath, validate: false, options: { xsrfRequired: false } },
+          {
+            path: xsrfDisabledTestPath,
+            validate: false,
+            security: { authz: { enabled: false, reason: '' } },
+            options: { xsrfRequired: false },
+          },
           (context, req, res) => {
             return res.ok({ body: 'ok' });
           }
@@ -253,6 +278,7 @@ describe('core lifecycle handlers', () => {
       router.get(
         {
           path: testInternalRoute,
+          security: { authz: { enabled: false, reason: '' } },
           validate: { query: schema.object({ myValue: schema.string() }) },
           options: { access: 'internal' },
         },
@@ -263,6 +289,7 @@ describe('core lifecycle handlers', () => {
       router.get(
         {
           path: testPublicRoute,
+          security: { authz: { enabled: false, reason: '' } },
           validate: { query: schema.object({ myValue: schema.string() }) },
           options: { access: 'public' },
         },
@@ -338,13 +365,23 @@ describe('core lifecycle handlers with restrict internal routes enforced', () =>
     const testPublicRoute = '/restrict_internal_routes/test/route_public';
     beforeEach(async () => {
       router.get(
-        { path: testInternalRoute, validate: false, options: { access: 'internal' } },
+        {
+          path: testInternalRoute,
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+          options: { access: 'internal' },
+        },
         (context, req, res) => {
           return res.ok({ body: 'ok()' });
         }
       );
       router.get(
-        { path: testPublicRoute, validate: false, options: { access: 'public' } },
+        {
+          path: testPublicRoute,
+          validate: false,
+          security: { authz: { enabled: false, reason: '' } },
+          options: { access: 'public' },
+        },
         (context, req, res) => {
           return res.ok({ body: 'ok()' });
         }
@@ -394,12 +431,18 @@ describe('core lifecycle handlers with no strict client version check', () => {
     await server.preboot({ context: contextServiceMock.createPrebootContract() });
     const serverSetup = await server.setup(setupDeps);
     router = serverSetup.createRouter('/');
-    router.get({ path: testRouteGood, validate: false }, (context, req, res) => {
+    router.get(
-      return res.ok({ body: 'ok' });
+      { path: testRouteGood, validate: false, security: { authz: { enabled: false, reason: '' } } },
-    });
+      (context, req, res) => {
-    router.get({ path: testRouteBad, validate: false }, (context, req, res) => {
+        return res.ok({ body: 'ok' });
-      return res.custom({ body: 'nok', statusCode: 500 });
+      }
-    });
+    );
+    router.get(
+      { path: testRouteBad, validate: false, security: { authz: { enabled: false, reason: '' } } },
+      (context, req, res) => {
+        return res.custom({ body: 'nok', statusCode: 500 });
+      }
+    );
     innerServer = serverSetup.server;
     await server.start();
   });

src/core/server/integration_tests/http/logging.test.ts

@@ -54,12 +54,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/ping').expect(200, 'pong');
@@ -95,12 +98,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/ping').expect(200, 'pong');
@@ -151,12 +157,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/ping').expect(200, 'pong');
@@ -177,6 +186,7 @@ describe('request logging', () => {
         http.createRouter('/').post(
           {
             path: '/ping',
+            security: { authz: { enabled: false, reason: '' } },
             validate: {
               body: schema.object({ message: schema.string() }),
             },
@@ -206,12 +216,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/a',
-            { path: '/a', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/b').expect(404);
@@ -227,12 +240,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/ping').query({ hey: 'ya' }).expect(200, 'pong');
@@ -246,12 +262,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         const response = await request.get(root, '/ping').expect(200, 'pong');
@@ -265,12 +284,15 @@ describe('request logging', () => {
           await root.preboot();
           const { http } = await root.setup();
 
-          http
+          http.createRouter('/').get(
-            .createRouter('/')
+            {
-            .get(
+              path: '/ping',
-              { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+              security: { authz: { enabled: false, reason: '' } },
-              (context, req, res) => res.ok({ headers: { bar: 'world' }, body: 'pong' })
+              validate: false,
-            );
+              options: { authRequired: 'optional' },
+            },
+            (context, req, res) => res.ok({ headers: { bar: 'world' }, body: 'pong' })
+          );
           await root.start();
 
           await request.get(root, '/ping').set('foo', 'hello').expect(200);
@@ -287,6 +309,7 @@ describe('request logging', () => {
           http.createRouter('/').post(
             {
               path: '/ping',
+              security: { authz: { enabled: false, reason: '' } },
               validate: {
                 body: schema.object({ message: schema.string() }),
               },
@@ -356,6 +379,7 @@ describe('request logging', () => {
           http.createRouter('/').post(
             {
               path: '/ping',
+              security: { authz: { enabled: false, reason: '' } },
               validate: {
                 body: schema.object({ message: schema.string() }),
               },
@@ -389,6 +413,7 @@ describe('request logging', () => {
           http.createRouter('/').post(
             {
               path: '/ping',
+              security: { authz: { enabled: false, reason: '' } },
               validate: {
                 body: schema.object({ message: schema.string() }),
               },
@@ -456,6 +481,7 @@ describe('request logging', () => {
           http.createRouter('/').post(
             {
               path: '/ping',
+              security: { authz: { enabled: false, reason: '' } },
               validate: {
                 body: schema.object({ message: schema.string() }),
               },
@@ -487,12 +513,15 @@ describe('request logging', () => {
         await root.preboot();
         const { http } = await root.setup();
 
-        http
+        http.createRouter('/').get(
-          .createRouter('/')
+          {
-          .get(
+            path: '/ping',
-            { path: '/ping', validate: false, options: { authRequired: 'optional' } },
+            security: { authz: { enabled: false, reason: '' } },
-            (context, req, res) => res.ok({ body: 'pong' })
+            validate: false,
-          );
+            options: { authRequired: 'optional' },
+          },
+          (context, req, res) => res.ok({ body: 'pong' })
+        );
         await root.start();
 
         await request.get(root, '/ping').set('user-agent', 'world').expect(200);

src/core/server/integration_tests/http/oas.test.ts

@@ -195,20 +195,36 @@ it.each([
       createRoutes: (getRouter) => {
         const router1 = getRouter(Symbol('myPlugin'));
         router1.get(
-          { path: '/api/public-test', validate: false, options: { access: 'public' } },
+          {
+            path: '/api/public-test',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { access: 'public' },
+          },
           (_, __, res) => res.ok()
         );
         router1.post(
-          { path: '/api/public-test', validate: false, options: { access: 'public' } },
+          {
+            path: '/api/public-test',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { access: 'public' },
+          },
           (_, __, res) => res.ok()
         );
         router1.get(
-          { path: '/api/public-test/{id}', validate: false, options: { access: 'public' } },
+          {
+            path: '/api/public-test/{id}',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { access: 'public' },
+          },
           (_, __, res) => res.ok()
         );
         router1.get(
           {
             path: '/api/internal-test',
+            security: { authz: { enabled: false, reason: '' } },
             validate: false,
             options: {
               /* empty */
@@ -218,11 +234,19 @@ it.each([
         );
 
         router1.versioned
-          .get({ path: '/api/versioned', access: 'public' })
+          .get({
+            path: '/api/versioned',
+            security: { authz: { enabled: false, reason: '' } },
+            access: 'public',
+          })
           .addVersion({ version: '2023-10-31', validate: false }, (_, __, res) => res.ok());
 
         router1.versioned
-          .get({ path: '/api/versioned-internal', access: 'internal' })
+          .get({
+            path: '/api/versioned-internal',
+            security: { authz: { enabled: false, reason: '' } },
+            access: 'internal',
+          })
           .addVersion(
             {
               version: '1',
@@ -239,9 +263,30 @@ it.each([
           );
 
         const router2 = getRouter(Symbol('myOtherPlugin'));
-        router2.get({ path: '/api/my-other-plugin', validate: false }, (_, __, res) => res.ok());
+        router2.get(
-        router2.post({ path: '/api/my-other-plugin', validate: false }, (_, __, res) => res.ok());
+          {
-        router2.put({ path: '/api/my-other-plugin', validate: false }, (_, __, res) => res.ok());
+            path: '/api/my-other-plugin',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+          },
+          (_, __, res) => res.ok()
+        );
+        router2.post(
+          {
+            path: '/api/my-other-plugin',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+          },
+          (_, __, res) => res.ok()
+        );
+        router2.put(
+          {
+            path: '/api/my-other-plugin',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+          },
+          (_, __, res) => res.ok()
+        );
       },
     });
     const result = await supertest(server.listener).get('/api/oas').query(queryParam);

src/core/server/integration_tests/http/preboot.test.ts

@@ -36,11 +36,21 @@ describe('Preboot HTTP server', () => {
   it('accepts requests before `setup`', async () => {
     const { server: innerPrebootServer, registerRoutes } = await server.preboot(prebootDeps);
     registerRoutes('', (router) => {
-      router.get({ path: '/preboot-get', validate: false }, (context, req, res) =>
+      router.get(
-        res.ok({ body: 'hello-get' })
+        {
+          path: '/preboot-get',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-get' })
       );
-      router.post({ path: '/preboot-post', validate: false }, (context, req, res) =>
+      router.post(
-        res.ok({ body: 'hello-post' })
+        {
+          path: '/preboot-post',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-post' })
       );
     });
 
@@ -60,21 +70,41 @@ describe('Preboot HTTP server', () => {
   it('accepts requests after `setup`, but before `start`', async () => {
     const { server: innerPrebootServer, registerRoutes } = await server.preboot(prebootDeps);
     registerRoutes('', (router) => {
-      router.get({ path: '/preboot-get', validate: false }, (context, req, res) =>
+      router.get(
-        res.ok({ body: 'hello-get' })
+        {
+          path: '/preboot-get',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-get' })
       );
-      router.post({ path: '/preboot-post', validate: false }, (context, req, res) =>
+      router.post(
-        res.ok({ body: 'hello-post' })
+        {
+          path: '/preboot-post',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-post' })
       );
     });
 
     const { createRouter, server: innerStandardServer } = await server.setup(setupDeps);
     const standardRouter = createRouter('');
-    standardRouter.get({ path: '/standard-get', validate: false }, (context, req, res) =>
+    standardRouter.get(
-      res.ok({ body: 'hello-get' })
+      {
+        path: '/standard-get',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: false,
+      },
+      (context, req, res) => res.ok({ body: 'hello-get' })
     );
-    standardRouter.post({ path: '/standard-post', validate: false }, (context, req, res) =>
+    standardRouter.post(
-      res.ok({ body: 'hello-post' })
+      {
+        path: '/standard-post',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: false,
+      },
+      (context, req, res) => res.ok({ body: 'hello-post' })
     );
 
     // Preboot routes should still work.
@@ -101,21 +131,41 @@ describe('Preboot HTTP server', () => {
   it('is not available after `start`', async () => {
     const { server: innerPrebootServer, registerRoutes } = await server.preboot(prebootDeps);
     registerRoutes('', (router) => {
-      router.get({ path: '/preboot-get', validate: false }, (context, req, res) =>
+      router.get(
-        res.ok({ body: 'hello-get' })
+        {
+          path: '/preboot-get',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-get' })
       );
-      router.post({ path: '/preboot-post', validate: false }, (context, req, res) =>
+      router.post(
-        res.ok({ body: 'hello-post' })
+        {
+          path: '/preboot-post',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+        },
+        (context, req, res) => res.ok({ body: 'hello-post' })
       );
     });
 
     const { createRouter, server: innerStandardServer } = await server.setup(setupDeps);
     const standardRouter = createRouter('');
-    standardRouter.get({ path: '/standard-get', validate: false }, (context, req, res) =>
+    standardRouter.get(
-      res.ok({ body: 'hello-get' })
+      {
+        path: '/standard-get',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: false,
+      },
+      (context, req, res) => res.ok({ body: 'hello-get' })
     );
-    standardRouter.post({ path: '/standard-post', validate: false }, (context, req, res) =>
+    standardRouter.post(
-      res.ok({ body: 'hello-post' })
+      {
+        path: '/standard-post',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: false,
+      },
+      (context, req, res) => res.ok({ body: 'hello-post' })
     );
 
     await server.start();

src/core/server/integration_tests/http/request.test.ts

@@ -48,7 +48,12 @@ describe('KibanaRequest', () => {
         const { server: innerServer, createRouter } = await server.setup(setupDeps);
         const router = createRouter('/');
         router.get(
-          { path: '/', validate: false, options: { authRequired: true } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: true },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: req.auth.isAuthenticated } })
         );
         await server.start();
@@ -62,7 +67,12 @@ describe('KibanaRequest', () => {
         const router = createRouter('/');
         registerAuth((req, res, toolkit) => toolkit.notHandled());
         router.get(
-          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: req.auth.isAuthenticated } })
         );
         await server.start();
@@ -76,7 +86,12 @@ describe('KibanaRequest', () => {
         const router = createRouter('/');
         registerAuth((req, res, toolkit) => toolkit.redirected({ location: '/any' }));
         router.get(
-          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: req.auth.isAuthenticated } })
         );
         await server.start();
@@ -90,7 +105,12 @@ describe('KibanaRequest', () => {
         const router = createRouter('/');
         registerAuth((req, res, toolkit) => toolkit.authenticated());
         router.get(
-          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: req.auth.isAuthenticated } })
         );
         await server.start();
@@ -104,7 +124,12 @@ describe('KibanaRequest', () => {
         const router = createRouter('/');
         registerAuth((req, res, toolkit) => toolkit.authenticated());
         router.get(
-          { path: '/', validate: false, options: { authRequired: true } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: true },
+          },
           (context, req, res) => res.ok({ body: { isAuthenticated: req.auth.isAuthenticated } })
         );
         await server.start();
@@ -123,7 +148,12 @@ describe('KibanaRequest', () => {
         registerAuth((req, res, t) => t.authenticated());
         const router = createRouter('/');
         router.get(
-          { path: '/', validate: false, options: { authRequired: false } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: false },
+          },
           (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
         );
         await server.start();
@@ -137,7 +167,12 @@ describe('KibanaRequest', () => {
         registerAuth((req, res, t) => t.authenticated());
         const router = createRouter('/');
         router.get(
-          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: 'optional' },
+          },
           (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
         );
         await server.start();
@@ -151,7 +186,12 @@ describe('KibanaRequest', () => {
         registerAuth((req, res, t) => t.authenticated());
         const router = createRouter('/');
         router.get(
-          { path: '/', validate: false, options: { authRequired: true } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: false,
+            options: { authRequired: true },
+          },
           (context, req, res) => res.ok({ body: { authRequired: req.route.options.authRequired } })
         );
         await server.start();
@@ -173,16 +213,19 @@ describe('KibanaRequest', () => {
         const nextSpy = jest.fn();
 
         const done = new Promise<void>((resolve) => {
-          router.get({ path: '/', validate: false }, async (context, request, res) => {
+          router.get(
-            request.events.aborted$.subscribe({
+            { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-              next: nextSpy,
+            async (context, request, res) => {
-              complete: resolve,
+              request.events.aborted$.subscribe({
-            });
+                next: nextSpy,
+                complete: resolve,
+              });
 
-            // prevents the server to respond
+              // prevents the server to respond
-            await delay(30000);
+              await delay(30000);
-            return res.ok({ body: 'ok' });
+              return res.ok({ body: 'ok' });
-          });
+            }
+          );
         });
 
         await server.start();
@@ -206,7 +249,11 @@ describe('KibanaRequest', () => {
 
         const done = new Promise<void>((resolve) => {
           router.post(
-            { path: '/', validate: { body: schema.any() } },
+            {
+              path: '/',
+              security: { authz: { enabled: false, reason: '' } },
+              validate: { body: schema.any() },
+            },
             async (context, request, res) => {
               request.events.aborted$.subscribe({
                 next: nextSpy,
@@ -239,14 +286,17 @@ describe('KibanaRequest', () => {
 
         const nextSpy = jest.fn();
         const completeSpy = jest.fn();
-        router.get({ path: '/', validate: false }, async (context, request, res) => {
+        router.get(
-          request.events.aborted$.subscribe({
+          { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-            next: nextSpy,
+          async (context, request, res) => {
-            complete: completeSpy,
+            request.events.aborted$.subscribe({
-          });
+              next: nextSpy,
+              complete: completeSpy,
+            });
 
-          return res.ok({ body: 'ok' });
+            return res.ok({ body: 'ok' });
-        });
+          }
+        );
 
         await server.start();
 
@@ -262,14 +312,17 @@ describe('KibanaRequest', () => {
 
         const nextSpy = jest.fn();
         const completeSpy = jest.fn();
-        router.get({ path: '/', validate: false }, async (context, request, res) => {
+        router.get(
-          request.events.aborted$.subscribe({
+          { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-            next: nextSpy,
+          async (context, request, res) => {
-            complete: completeSpy,
+            request.events.aborted$.subscribe({
-          });
+              next: nextSpy,
+              complete: completeSpy,
+            });
 
-          return res.badRequest();
+            return res.badRequest();
-        });
+          }
+        );
 
         await server.start();
 
@@ -299,7 +352,11 @@ describe('KibanaRequest', () => {
         });
 
         router.post(
-          { path: '/', validate: { body: schema.any() } },
+          {
+            path: '/',
+            security: { authz: { enabled: false, reason: '' } },
+            validate: { body: schema.any() },
+          },
           async (context, request, res) => {
             expect(completeSpy).not.toHaveBeenCalled();
             return res.ok({ body: 'ok' });
@@ -323,16 +380,19 @@ describe('KibanaRequest', () => {
         const nextSpy = jest.fn();
         const completeSpy = jest.fn();
 
-        router.get({ path: '/', validate: false }, async (context, req, res) => {
+        router.get(
-          req.events.completed$.subscribe({
+          { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-            next: nextSpy,
+          async (context, req, res) => {
-            complete: completeSpy,
+            req.events.completed$.subscribe({
-          });
+              next: nextSpy,
+              complete: completeSpy,
+            });
 
-          expect(nextSpy).not.toHaveBeenCalled();
+            expect(nextSpy).not.toHaveBeenCalled();
-          expect(completeSpy).not.toHaveBeenCalled();
+            expect(completeSpy).not.toHaveBeenCalled();
-          return res.ok({ body: 'ok' });
+            return res.ok({ body: 'ok' });
-        });
+          }
+        );
 
         await server.start();
 
@@ -349,16 +409,19 @@ describe('KibanaRequest', () => {
         const nextSpy = jest.fn();
 
         const done = new Promise<void>((resolve) => {
-          router.get({ path: '/', validate: false }, async (context, req, res) => {
+          router.get(
-            req.events.completed$.subscribe({
+            { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-              next: nextSpy,
+            async (context, req, res) => {
-              complete: resolve,
+              req.events.completed$.subscribe({
-            });
+                next: nextSpy,
+                complete: resolve,
+              });
 
-            expect(nextSpy).not.toHaveBeenCalled();
+              expect(nextSpy).not.toHaveBeenCalled();
-            await delay(30000);
+              await delay(30000);
-            return res.ok({ body: 'ok' });
+              return res.ok({ body: 'ok' });
-          });
+            }
+          );
         });
 
         await server.start();
@@ -381,7 +444,11 @@ describe('KibanaRequest', () => {
 
         const done = new Promise<void>((resolve) => {
           router.post(
-            { path: '/', validate: { body: schema.any() } },
+            {
+              path: '/',
+              security: { authz: { enabled: false, reason: '' } },
+              validate: { body: schema.any() },
+            },
             async (context, req, res) => {
               req.events.completed$.subscribe({
                 next: nextSpy,
@@ -413,9 +480,12 @@ describe('KibanaRequest', () => {
     it('accepts x-opaque-id header case-insensitively', async () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        return res.ok({ body: { requestId: req.id } });
+        { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-      });
+        async (context, req, res) => {
+          return res.ok({ body: { requestId: req.id } });
+        }
+      );
       await server.start();
 
       const st = supertest(innerServer.listener);
@@ -433,9 +503,12 @@ describe('KibanaRequest', () => {
     it('generates a UUID', async () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        return res.ok({ body: { requestUuid: req.uuid } });
+        { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-      });
+        async (context, req, res) => {
+          return res.ok({ body: { requestUuid: req.uuid } });
+        }
+      );
       await server.start();
 
       const st = supertest(innerServer.listener);
@@ -449,9 +522,12 @@ describe('KibanaRequest', () => {
     it('returns the correct values', async () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
-      router.get({ path: '/', validate: false }, async (context, req, res) => {
+      router.get(
-        return res.ok({ body: { httpVersion: req.httpVersion, protocol: req.protocol } });
+        { path: '/', security: { authz: { enabled: false, reason: '' } }, validate: false },
-      });
+        async (context, req, res) => {
+          return res.ok({ body: { httpVersion: req.httpVersion, protocol: req.protocol } });
+        }
+      );
       await server.start();
 
       const st = supertest(innerServer.listener);

src/core/server/integration_tests/http/request_representation.test.ts

@@ -49,7 +49,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           return res.ok({ body: { req: String(req) } });
         }
@@ -66,7 +71,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           return res.ok({ body: { req: JSON.stringify(req) } });
         }
@@ -98,7 +108,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           return res.ok({ body: { req: inspect(req) } });
         }
@@ -125,7 +140,7 @@ describe('request logging', () => {
               deprecated: undefined,
               access: 'internal',
               tags: [],
-              security: undefined,
+              security: [Object],
               timeout: [Object],
               body: undefined
             }
@@ -142,7 +157,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRequest = ensureRawRequest(req);
           return res.ok({ body: { req: String(rawRequest) } });
@@ -160,7 +180,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRequest = ensureRawRequest(req);
           return res.ok({ body: { req: JSON.stringify(rawRequest) } });
@@ -179,7 +204,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRequest = ensureRawRequest(req);
           return res.ok({ body: { req: inspect(rawRequest) } });
@@ -199,7 +229,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRawRequest = ensureRawRequest(req).raw.req;
           return res.ok({ body: { req: String(rawRawRequest) } });
@@ -217,7 +252,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRawRequest = ensureRawRequest(req).raw.req;
           return res.ok({ body: { req: JSON.stringify(rawRawRequest) } });
@@ -238,7 +278,12 @@ describe('request logging', () => {
       const { server: innerServer, createRouter } = await server.setup(setupDeps);
       const router = createRouter('/');
       router.get(
-        { path: '/', validate: false, options: { authRequired: true } },
+        {
+          path: '/',
+          security: { authz: { enabled: false, reason: '' } },
+          validate: false,
+          options: { authRequired: true },
+        },
         (context, req, res) => {
           const rawRawRequest = ensureRawRequest(req).raw.req;
           return res.ok({ body: { req: inspect(rawRawRequest) } });

src/core/server/integration_tests/http/tls_config_reload.test.ts

@@ -84,6 +84,7 @@ describe('HttpServer - TLS config', () => {
       {
         path: '/',
         validate: false,
+        security: { authz: { enabled: false, reason: '' } },
       },
       async (ctx, req, res) => {
         return res.ok({

src/core/server/integration_tests/http/versioned_router.test.ts

@@ -72,7 +72,11 @@ describe('Routing versioned requests', () => {
 
   it('routes requests to the expected handlers', async () => {
     router.versioned
-      .get({ path: '/my-path', access: 'internal' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion({ validate: false, version: '1' }, async (ctx, req, res) => {
         return res.ok({ body: { v: '1' } });
       })
@@ -102,7 +106,11 @@ describe('Routing versioned requests', () => {
   it('handles missing version header (defaults to oldest)', async () => {
     await setupServer({ dev: false });
     router.versioned
-      .get({ path: '/my-path', access: 'public' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'public',
+      })
       .addVersion({ validate: false, version: '2020-02-02' }, async (ctx, req, res) => {
         return res.ok({ body: { v: '1' } });
       })
@@ -122,7 +130,11 @@ describe('Routing versioned requests', () => {
 
   it('returns the expected output for badly formatted versions', async () => {
     router.versioned
-      .get({ path: '/my-path', access: 'internal' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion({ validate: false, version: '1' }, async (ctx, req, res) => {
         return res.ok({ body: { v: '1' } });
       });
@@ -142,7 +154,11 @@ describe('Routing versioned requests', () => {
 
   it('returns the expected responses for failed validation', async () => {
     router.versioned
-      .post({ path: '/my-path', access: 'internal' })
+      .post({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       // Bad request validation
       .addVersion(
         {
@@ -172,7 +188,11 @@ describe('Routing versioned requests', () => {
 
   it('returns the version in response headers', async () => {
     router.versioned
-      .get({ path: '/my-path', access: 'public' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'public',
+      })
       .addVersion({ validate: false, version: '2023-10-31' }, async (ctx, req, res) => {
         return res.ok({ body: { foo: 'bar' } });
       });
@@ -190,7 +210,12 @@ describe('Routing versioned requests', () => {
 
   it('returns the version in response headers, even for HTTP resources', async () => {
     router.versioned
-      .get({ path: '/my-path', access: 'public', options: { httpResource: true } })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'public',
+        options: { httpResource: true },
+      })
       .addVersion({ validate: false, version: '2023-10-31' }, async (ctx, req, res) => {
         return res.ok({ body: { foo: 'bar' } });
       });
@@ -208,7 +233,11 @@ describe('Routing versioned requests', () => {
 
   it('runs response validation when in dev', async () => {
     router.versioned
-      .get({ path: '/my-path', access: 'internal' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion(
         { validate: { response: { 200: { body: () => schema.number() } } }, version: '1' },
         async (ctx, req, res) => {
@@ -278,7 +307,11 @@ describe('Routing versioned requests', () => {
     await setupServer({ dev: false });
 
     router.versioned
-      .get({ path: '/my-path', access: 'internal' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion(
         { validate: { response: { 200: { body: () => schema.number() } } }, version: '1' },
         async (ctx, req, res) => {
@@ -301,7 +334,11 @@ describe('Routing versioned requests', () => {
     await setupServer({ dev: false });
 
     router.versioned
-      .get({ path: '/my-internal-path', access: 'internal' })
+      .get({
+        path: '/my-internal-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion(
         { version: '1', validate: { response: { 200: { body: () => schema.number() } } } },
         async (ctx, req, res) => res.ok({ body: 'v1' })
@@ -326,6 +363,7 @@ describe('Routing versioned requests', () => {
     router.versioned
       .get({
         path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
         access: 'public',
       })
       .addVersion({ version: '2023-10-31', validate: false }, async (ctx, req, res) => res.ok());
@@ -333,6 +371,7 @@ describe('Routing versioned requests', () => {
     router.versioned
       .get({
         path: '/my-internal-path',
+        security: { authz: { enabled: false, reason: '' } },
         access: 'internal',
       })
       .addVersion({ version: '1', validate: false }, async (ctx, req, res) => res.ok());
@@ -361,7 +400,11 @@ describe('Routing versioned requests', () => {
   });
 
   it('errors when no handler could be found', async () => {
-    router.versioned.get({ path: '/my-path', access: 'public' });
+    router.versioned.get({
+      path: '/my-path',
+      security: { authz: { enabled: false, reason: '' } },
+      access: 'public',
+    });
 
     await server.start();
 
@@ -379,7 +422,11 @@ describe('Routing versioned requests', () => {
     await setupServer({ serverless: true, dev: false });
 
     router.versioned
-      .get({ path: '/my-path', access: 'public' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'public',
+      })
       .addVersion({ validate: false, version: '2023-04-04' }, async (ctx, req, res) => {
         return res.ok({ body: { v: 'oldest' } });
       })
@@ -401,7 +448,11 @@ describe('Routing versioned requests', () => {
     await setupServer({ serverless: false, dev: false });
 
     router.versioned
-      .get({ path: '/my-path', access: 'public' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'public',
+      })
       .addVersion({ validate: false, version: '2023-04-04' }, async (ctx, req, res) => {
         return res.ok({ body: { v: 'oldest' } });
       })
@@ -423,7 +474,11 @@ describe('Routing versioned requests', () => {
     const error = new Error(`some error`);
 
     router.versioned
-      .get({ path: '/my-path', access: 'internal' })
+      .get({
+        path: '/my-path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion({ validate: false, version: '1' }, async (ctx, req, res) => {
         throw error;
       });
@@ -438,19 +493,25 @@ describe('Routing versioned requests', () => {
 
   it('reserves the query parameter "apiVersion" for version negotiation', async () => {
     await setupServer({ serverless: false, dev: false });
-    router.versioned.get({ path: '/my-path', access: 'public' }).addVersion(
+    router.versioned
-      {
+      .get({
-        validate: {
+        path: '/my-path',
-          request: {
+        security: { authz: { enabled: false, reason: '' } },
-            query: schema.object({ [ELASTIC_HTTP_VERSION_QUERY_PARAM]: schema.string() }),
+        access: 'public',
+      })
+      .addVersion(
+        {
+          validate: {
+            request: {
+              query: schema.object({ [ELASTIC_HTTP_VERSION_QUERY_PARAM]: schema.string() }),
+            },
           },
+          version: '2023-04-04',
         },
-        version: '2023-04-04',
+        async (ctx, req, res) => {
-      },
+          return res.ok({ body: 'ok' });
-      async (ctx, req, res) => {
+        }
-        return res.ok({ body: 'ok' });
+      );
-      }
-    );
 
     await server.start();
 
@@ -476,7 +537,12 @@ describe('Routing versioned requests', () => {
         return res.ok({ body: 'ok' });
       });
       router.versioned
-        .get({ path: '/my-public', access: 'public', enableQueryVersion: true })
+        .get({
+          path: '/my-public',
+          security: { authz: { enabled: false, reason: '' } },
+          access: 'public',
+          enableQueryVersion: true,
+        })
         .addVersion(
           {
             validate: { request: { query: schema.object({ a: schema.number() }) } },
@@ -486,7 +552,12 @@ describe('Routing versioned requests', () => {
         );
 
       router.versioned
-        .get({ path: '/my-internal', access: 'internal', enableQueryVersion: true })
+        .get({
+          path: '/my-internal',
+          security: { authz: { enabled: false, reason: '' } },
+          access: 'internal',
+          enableQueryVersion: true,
+        })
         .addVersion(
           {
             validate: { request: { query: schema.object({ a: schema.number() }) } },
@@ -540,12 +611,20 @@ describe('Routing versioned requests', () => {
     );
 
     router.versioned
-      .get({ path: '/my_path_to_bypass/{id?}', access: 'internal' })
+      .get({
+        path: '/my_path_to_bypass/{id?}',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion({ validate: false, version: '1' }, async (ctx, req, res) => {
         return res.ok({ body: { ok: true } });
       });
     router.versioned
-      .get({ path: '/my_other_path', access: 'internal' })
+      .get({
+        path: '/my_other_path',
+        security: { authz: { enabled: false, reason: '' } },
+        access: 'internal',
+      })
       .addVersion({ validate: false, version: '1' }, async (ctx, req, res) => {
         return res.ok({ body: { ok: true } });
       });

src/core/server/integration_tests/http_resources/http_resources_service.test.ts

@@ -43,8 +43,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
 
         const router = http.createRouter('');
         const resources = httpResources.createRegistrar(router);
-        resources.register({ path: '/render-core', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderAnonymousCoreApp()
+          {
+            path: '/render-core',
+            validate: false,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderAnonymousCoreApp()
         );
 
         await root.start();
@@ -58,8 +63,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
 
         const router = http.createRouter('');
         const resources = httpResources.createRegistrar(router);
-        resources.register({ path: '/render-core', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderAnonymousCoreApp()
+          {
+            path: '/render-core',
+            validate: false,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderAnonymousCoreApp()
         );
 
         await root.start();
@@ -73,13 +83,19 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
 
         const router = http.createRouter('');
         const resources = httpResources.createRegistrar(router);
-        resources.register({ path: '/render-core', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderAnonymousCoreApp({
+          {
-            headers: {
+            path: '/render-core',
-              'content-security-policy': "script-src 'unsafe-eval'",
+            validate: false,
-              'x-kibana': '42',
+            security: { authz: { requiredPrivileges: ['foo'] } },
-            },
+          },
-          })
+          (context, req, res) =>
+            res.renderAnonymousCoreApp({
+              headers: {
+                'content-security-policy': "script-src 'unsafe-eval'",
+                'x-kibana': '42',
+              },
+            })
         );
 
         await root.start();
@@ -104,8 +120,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
             </body>
           </html>
         `;
-        resources.register({ path: '/render-html', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderHtml({ body: htmlBody })
+          {
+            path: '/render-html',
+            validate: false,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderHtml({ body: htmlBody })
         );
 
         await root.start();
@@ -121,8 +142,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
         const router = http.createRouter('');
         const resources = httpResources.createRegistrar(router);
         const jsBody = 'window.alert("from js body");';
-        resources.register({ path: '/render-js', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderJs({ body: jsBody })
+          {
+            path: '/render-js',
+            validate: false,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderJs({ body: jsBody })
         );
 
         await root.start();
@@ -145,8 +171,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
             </body>
           </html>
         `;
-        resources.register({ path: '/render-html', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderHtml({ body: htmlBody })
+          {
+            path: '/render-html',
+            validate: false,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderHtml({ body: htmlBody })
         );
 
         await root.start();
@@ -160,15 +191,21 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
 
         const router = http.createRouter('');
         const resources = httpResources.createRegistrar(router);
-        resources.register({ path: '/render-core', validate: false }, (context, req, res) =>
+        resources.register(
-          res.renderHtml({
+          {
-            body: '<html><p>Hi</p></html>',
+            path: '/render-core',
-            headers: {
+            validate: false,
-              'content-security-policy': "script-src 'unsafe-eval'",
+            security: { authz: { requiredPrivileges: ['foo'] } },
-              'content-type': 'text/html',
+          },
-              'x-kibana': '42',
+          (context, req, res) =>
-            },
+            res.renderHtml({
-          })
+              body: '<html><p>Hi</p></html>',
+              headers: {
+                'content-security-policy': "script-src 'unsafe-eval'",
+                'content-type': 'text/html',
+                'x-kibana': '42',
+              },
+            })
         );
 
         await root.start();
@@ -189,8 +226,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
           }),
         };
 
-        resources.register({ path: '/render-js-with-param/{id}', validate }, (context, req, res) =>
+        resources.register(
-          res.renderJs({ body: `window.alert(${req.params.id});` })
+          {
+            path: '/render-js-with-param/{id}',
+            validate,
+            security: { authz: { requiredPrivileges: ['foo'] } },
+          },
+          (context, req, res) => res.renderJs({ body: `window.alert(${req.params.id});` })
         );
 
         await root.start();
@@ -206,8 +248,13 @@ function applyTestsWithDisableUnsafeEvalSetTo(disableUnsafeEval: boolean) {
       const router = http.createRouter('');
       const resources = httpResources.createRegistrar(router);
       const htmlBody = `<p>HtMlr00lz</p>`;
-      resources.register({ path: '/render-html', validate: false }, (context, req, res) =>
+      resources.register(
-        res.renderHtml({ body: htmlBody })
+        {
+          path: '/render-html',
+          validate: false,
+          security: { authz: { requiredPrivileges: ['foo'] } },
+        },
+        (context, req, res) => res.renderHtml({ body: htmlBody })
       );
 
       await root.start();

src/core/server/integration_tests/metrics/server_collector.test.ts

@@ -46,9 +46,12 @@ describe('ServerMetricsCollector', () => {
   });
 
   it('collect requests infos', async () => {
-    router.get({ path: '/', validate: false }, async (ctx, req, res) => {
+    router.get(
-      return res.ok({ body: '' });
+      { path: '/', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-    });
+      async (ctx, req, res) => {
+        return res.ok({ body: '' });
+      }
+    );
 
     await server.start();
 
@@ -81,17 +84,27 @@ describe('ServerMetricsCollector', () => {
     const disconnectRequested$ = new Subject<void>(); // Controls the number of requests in the /disconnect endpoint
     const disconnectAborted$ = new Subject<void>(); // Controls the abort event in the /disconnect endpoint
 
-    router.get({ path: '/', validate: false }, async (ctx, req, res) => {
+    router.get(
-      return res.ok({ body: '' });
+      { path: '/', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-    });
+      async (ctx, req, res) => {
-    router.get({ path: '/disconnect', validate: false }, async (ctx, req, res) => {
+        return res.ok({ body: '' });
-      disconnectRequested$.next();
+      }
-      req.events.aborted$.subscribe(() => {
+    );
-        disconnectAborted$.next();
+    router.get(
-      });
+      {
-      await never; // Never resolve the request
+        path: '/disconnect',
-      return res.ok({ body: '' });
+        validate: false,
-    });
+        security: { authz: { requiredPrivileges: ['foo'] } },
+      },
+      async (ctx, req, res) => {
+        disconnectRequested$.next();
+        req.events.aborted$.subscribe(() => {
+          disconnectAborted$.next();
+        });
+        await never; // Never resolve the request
+        return res.ok({ body: '' });
+      }
+    );
     await server.start();
 
     await sendGet('/');
@@ -148,17 +161,26 @@ describe('ServerMetricsCollector', () => {
   });
 
   it('collect response times', async () => {
-    router.get({ path: '/no-delay', validate: false }, async (ctx, req, res) => {
+    router.get(
-      return res.ok({ body: '' });
+      { path: '/no-delay', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-    });
+      async (ctx, req, res) => {
-    router.get({ path: '/500-ms', validate: false }, async (ctx, req, res) => {
+        return res.ok({ body: '' });
-      await delay(500);
+      }
-      return res.ok({ body: '' });
+    );
-    });
+    router.get(
-    router.get({ path: '/250-ms', validate: false }, async (ctx, req, res) => {
+      { path: '/500-ms', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-      await delay(250);
+      async (ctx, req, res) => {
-      return res.ok({ body: '' });
+        await delay(500);
-    });
+        return res.ok({ body: '' });
+      }
+    );
+    router.get(
+      { path: '/250-ms', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
+      async (ctx, req, res) => {
+        await delay(250);
+        return res.ok({ body: '' });
+      }
+    );
     await server.start();
 
     await Promise.all([sendGet('/no-delay'), sendGet('/250-ms')]);
@@ -178,11 +200,14 @@ describe('ServerMetricsCollector', () => {
     const waitSubject = new Subject();
     const hitSubject = new BehaviorSubject(0);
 
-    router.get({ path: '/', validate: false }, async (ctx, req, res) => {
+    router.get(
-      hitSubject.next(hitSubject.value + 1);
+      { path: '/', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-      await waitSubject.pipe(take(1)).toPromise();
+      async (ctx, req, res) => {
-      return res.ok({ body: '' });
+        hitSubject.next(hitSubject.value + 1);
-    });
+        await waitSubject.pipe(take(1)).toPromise();
+        return res.ok({ body: '' });
+      }
+    );
     await server.start();
 
     const waitForHits = (hits: number) =>
@@ -221,9 +246,12 @@ describe('ServerMetricsCollector', () => {
 
   describe('#reset', () => {
     it('reset the requests state', async () => {
-      router.get({ path: '/', validate: false }, async (ctx, req, res) => {
+      router.get(
-        return res.ok({ body: '' });
+        { path: '/', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
-      });
+        async (ctx, req, res) => {
+          return res.ok({ body: '' });
+        }
+      );
       await server.start();
 
       await sendGet('/');
@@ -266,13 +294,23 @@ describe('ServerMetricsCollector', () => {
     });
 
     it('resets the response times', async () => {
-      router.get({ path: '/no-delay', validate: false }, async (ctx, req, res) => {
+      router.get(
-        return res.ok({ body: '' });
+        {
-      });
+          path: '/no-delay',
-      router.get({ path: '/500-ms', validate: false }, async (ctx, req, res) => {
+          validate: false,
-        await delay(500);
+          security: { authz: { requiredPrivileges: ['foo'] } },
-        return res.ok({ body: '' });
+        },
-      });
+        async (ctx, req, res) => {
+          return res.ok({ body: '' });
+        }
+      );
+      router.get(
+        { path: '/500-ms', validate: false, security: { authz: { requiredPrivileges: ['foo'] } } },
+        async (ctx, req, res) => {
+          await delay(500);
+          return res.ok({ body: '' });
+        }
+      );
 
       await server.start();
 

src/platform/packages/shared/content-management/content_insights/content_insights_server/src/register.ts

@@ -97,7 +97,11 @@ export const registerContentInsights = (
               },
             },
           }
-        : {}),
+        : {
+            security: {
+              authz: { enabled: false, reason: 'Route delegates authorization to the SO Client' },
+            },
+          }),
     },
     async (context, req, res) => {
       const { id, eventType } = req.params;
@@ -122,7 +126,11 @@ export const registerContentInsights = (
               },
             },
           }
-        : {}),
+        : {
+            security: {
+              authz: { enabled: false, reason: 'Route delegates authorization to the SO Client' },
+            },
+          }),
     },
     async (context, req, res) => {
       const { id, eventType } = req.params;

src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap

@@ -126,6 +126,7 @@ Object {
     "/bar": Object {
       "get": Object {
         "deprecated": true,
+        "description": "[Required authorization] Route required privileges: ALL of [foo].",
         "operationId": "get-bar",
         "parameters": Array [],
         "requestBody": Object {
@@ -490,6 +491,7 @@ Object {
     "/no-xsrf/{id}/{path}": Object {
       "post": Object {
         "deprecated": true,
+        "description": "[Required authorization] Route required privileges: ALL of [foo].",
         "operationId": "post-no-xsrf-id-path",
         "parameters": Array [],
         "requestBody": Object {
@@ -702,6 +704,7 @@ Object {
     },
     "/test": Object {
       "get": Object {
+        "description": "[Required authorization] Route required privileges: ALL of [foo].",
         "operationId": "get-test",
         "parameters": Array [],
         "requestBody": Object {

src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts

@@ -36,6 +36,7 @@ export const sharedOas = {
         deprecated: true,
         'x-discontinued': 'route discontinued version or date',
         operationId: 'get-bar',
+        description: '[Required authorization] Route required privileges: ALL of [foo].',
         parameters: [],
         requestBody: {
           content: {

src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.ts

@@ -74,7 +74,15 @@ describe('generateOpenApiDocument', () => {
               {
                 method: 'post',
                 path: '/no-xsrf/{id}/{path*}',
-                options: { access: 'public', options: { xsrfRequired: false } },
+                options: {
+                  access: 'public',
+                  options: { xsrfRequired: false },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
+                },
               },
             ],
           },
@@ -247,7 +255,14 @@ describe('generateOpenApiDocument', () => {
                     method: 'get',
                     path: '/test',
                     isVersioned: true,
-                    options: { access: 'public' },
+                    options: {
+                      access: 'public',
+                      security: {
+                        authz: {
+                          requiredPrivileges: ['foo'],
+                        },
+                      },
+                    },
                     handlers: [
                       {
                         fn: jest.fn(),
@@ -298,19 +313,46 @@ describe('generateOpenApiDocument', () => {
         versionedRouters: {
           testVersionedRouter1: {
             routes: [
-              { path: '/v1-1', options: { access: 'public', options: { tags: ['oas-tag:v1'] } } },
+              {
+                path: '/v1-1',
+                options: {
+                  access: 'public',
+                  options: { tags: ['oas-tag:v1'] },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
+                },
+              },
               {
                 path: '/v1-2',
                 options: {
                   access: 'public',
                   options: { tags: ['foo', 'bar', 'oas-tag:v2', 'oas-tag:v3'] },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
                 },
               },
             ],
           },
           testVersionedRouter2: {
             routes: [
-              { path: '/v2-1', options: { access: 'public', options: { tags: undefined } } },
+              {
+                path: '/v2-1',
+                options: {
+                  access: 'public',
+                  options: { tags: undefined },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
+                },
+              },
             ],
           },
         },
@@ -369,6 +411,11 @@ describe('generateOpenApiDocument', () => {
                 options: {
                   access: 'public',
                   options: { availability: { stability: 'experimental' } },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
                 },
               },
               {
@@ -376,6 +423,11 @@ describe('generateOpenApiDocument', () => {
                 options: {
                   access: 'public',
                   options: { availability: { stability: 'beta' } },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
                 },
               },
               {
@@ -383,12 +435,29 @@ describe('generateOpenApiDocument', () => {
                 options: {
                   access: 'public',
                   options: { availability: { stability: 'stable' } },
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
                 },
               },
             ],
           },
           testVersionedRouter2: {
-            routes: [{ path: '/v2-1', options: { access: 'public' } }],
+            routes: [
+              {
+                path: '/v2-1',
+                options: {
+                  access: 'public',
+                  security: {
+                    authz: {
+                      requiredPrivileges: ['foo'],
+                    },
+                  },
+                },
+              },
+            ],
           },
         },
       });
@@ -471,6 +540,11 @@ describe('generateOpenApiDocument', () => {
             {
               options: {
                 access: 'public',
+                security: {
+                  authz: {
+                    requiredPrivileges: ['foo'],
+                  },
+                },
               },
             },
           ],

src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.util.ts

@@ -69,6 +69,11 @@ export const getVersionedRouterDefaults = (bodySchema?: RuntimeSchema): Versione
     options: {
       tags: ['ignore-me', 'oas-tag:versioned'],
     },
+    security: {
+      authz: {
+        requiredPrivileges: ['foo'],
+      },
+    },
   },
   isVersioned: true,
   handlers: [

src/platform/packages/shared/kbn-server-route-repository/src/register_routes.ts

@@ -192,7 +192,12 @@ export function registerRoutes<TDependencies extends Record<string, any>>({
             ...options,
             access,
           },
-          security,
+          security: security ?? {
+            authz: {
+              enabled: false,
+              reason: 'Delegates authorization to the es client',
+            },
+          },
           validate: validationObject,
         },
         wrappedHandler
@@ -204,7 +209,12 @@ export function registerRoutes<TDependencies extends Record<string, any>>({
         summary: options.summary,
         description: options.description,
         options: omit(options, 'access', 'description', 'summary', 'deprecated', 'discontinued'),
-        security,
+        security: security ?? {
+          authz: {
+            enabled: false,
+            reason: 'Delegates authorization to the es client',
+          },
+        },
       }).addVersion(
         {
           version,

src/platform/plugins/shared/controls/server/options_list/options_list_cluster_settings_route.ts

@@ -16,17 +16,17 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
     .get({
       access: 'internal',
       path: '/internal/controls/getExpensiveQueriesSetting',
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason:
-              'This route is opted out from authorization because it does not take a query, params, or a body, so there is no chance of leaking info.',
-          },
-        },
         validate: false,
       },
       async (context, _, response) => {

src/platform/plugins/shared/controls/server/options_list/options_list_suggestions_route.ts

@@ -29,17 +29,17 @@ export const setupOptionsListSuggestionsRoute = (
     .post({
       access: 'internal',
       path: '/internal/controls/optionsList/{index}',
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because permissions will be checked by elasticsearch.',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason:
-              'This route is opted out from authorization because permissions will be checked by elasticsearch.',
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data/server/kql_telemetry/route.ts

@@ -20,16 +20,16 @@ export function registerKqlTelemetryRoute(
     .post({
       path: '/internal/kql_opt_in_stats',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     .addVersion(
       {
         version: KQL_TELEMETRY_ROUTE_LATEST_VERSION,
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           request: {
             body: schema.object({

src/platform/plugins/shared/data/server/query/routes.ts

@@ -40,236 +40,271 @@ const version = '1';
 export function registerSavedQueryRoutes({ http }: CoreSetup): void {
   const router = http.createRouter<SavedQueryRouteHandlerContext>();
 
-  router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`, access }).addVersion(
+  router.versioned
-    {
+    .post({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/_is_duplicate_title`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:read'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: schema.object({
+      {
-            title: schema.string(),
+        version,
-            id: schema.maybe(schema.string()),
+        validate: {
-          }),
+          request: {
-        },
+            body: schema.object({
-        response: {
+              title: schema.string(),
-          200: {
+              id: schema.maybe(schema.string()),
-            body: () =>
+            }),
-              schema.object({
+          },
-                isDuplicate: schema.boolean(),
+          response: {
-              }),
+            200: {
+              body: () =>
+                schema.object({
+                  isDuplicate: schema.boolean(),
+                }),
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const isDuplicate = await savedQuery.isDuplicateTitle(request.body);
-        const isDuplicate = await savedQuery.isDuplicateTitle(request.body);
+          return response.ok({ body: { isDuplicate } });
-        return response.ok({ body: { isDuplicate } });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_create`, access }).addVersion(
+  router.versioned
-    {
+    .post({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/_create`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:manage'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: SAVED_QUERY_ATTRS_CONFIG,
+      {
-        },
+        version,
-        response: {
+        validate: {
-          200: {
+          request: {
-            body: savedQueryResponseSchema,
+            body: SAVED_QUERY_ATTRS_CONFIG,
+          },
+          response: {
+            200: {
+              body: savedQueryResponseSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const body = await savedQuery.create(request.body);
-        const body = await savedQuery.create(request.body);
+          return response.ok({ body });
-        return response.ok({ body });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.put({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
+  router.versioned
-    {
+    .put({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/{id}`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:manage'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: SAVED_QUERY_ID_CONFIG,
+      {
-          body: SAVED_QUERY_ATTRS_CONFIG,
+        version,
-        },
+        validate: {
-        response: {
+          request: {
-          200: {
+            params: SAVED_QUERY_ID_CONFIG,
-            body: savedQueryResponseSchema,
+            body: SAVED_QUERY_ATTRS_CONFIG,
+          },
+          response: {
+            200: {
+              body: savedQueryResponseSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const body = await savedQuery.update(id, request.body);
-        const body = await savedQuery.update(id, request.body);
+          return response.ok({ body });
-        return response.ok({ body });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
+  router.versioned
-    {
+    .get({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/{id}`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:read'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: SAVED_QUERY_ID_CONFIG,
+      {
-        },
+        version,
-        response: {
+        validate: {
-          200: {
+          request: {
-            body: savedQueryResponseSchema,
+            params: SAVED_QUERY_ID_CONFIG,
+          },
+          response: {
+            200: {
+              body: savedQueryResponseSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const body = await savedQuery.get(id);
-        const body = await savedQuery.get(id);
+          return response.ok({ body });
-        return response.ok({ body });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.get({ path: `${SAVED_QUERY_BASE_URL}/_count`, access }).addVersion(
+  router.versioned
-    {
+    .get({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/_count`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:read'],
         },
       },
-      validate: {
+    })
-        request: {},
+    .addVersion(
-        response: {
+      {
-          200: {
+        version,
-            body: () => schema.number(),
+        validate: {
+          request: {},
+          response: {
+            200: {
+              body: () => schema.number(),
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const count: number = await savedQuery.count();
-        const count: number = await savedQuery.count();
+          return response.ok({ body: `${count}` });
-        return response.ok({ body: `${count}` });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.post({ path: `${SAVED_QUERY_BASE_URL}/_find`, access }).addVersion(
+  router.versioned
-    {
+    .post({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/_find`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:read'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: schema.object({
+      {
-            search: schema.string({ defaultValue: '' }),
+        version,
-            perPage: schema.number({ defaultValue: 50 }),
+        validate: {
-            page: schema.number({ defaultValue: 1 }),
+          request: {
-          }),
+            body: schema.object({
-        },
+              search: schema.string({ defaultValue: '' }),
-        response: {
+              perPage: schema.number({ defaultValue: 50 }),
-          200: {
+              page: schema.number({ defaultValue: 1 }),
-            body: () =>
+            }),
-              schema.object({
+          },
-                total: schema.number(),
+          response: {
-                savedQueries: schema.arrayOf(savedQueryResponseSchema()),
+            200: {
-              }),
+              body: () =>
+                schema.object({
+                  total: schema.number(),
+                  savedQueries: schema.arrayOf(savedQueryResponseSchema()),
+                }),
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          const body = await savedQuery.find(request.body);
-        const body = await savedQuery.find(request.body);
+          return response.ok({ body });
-        return response.ok({ body });
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.delete({ path: `${SAVED_QUERY_BASE_URL}/{id}`, access }).addVersion(
+  router.versioned
-    {
+    .delete({
-      version,
+      path: `${SAVED_QUERY_BASE_URL}/{id}`,
+      access,
       security: {
         authz: {
           requiredPrivileges: ['savedQuery:manage'],
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: SAVED_QUERY_ID_CONFIG,
+      {
-        },
+        version,
-        response: {
+        validate: {
-          200: {
+          request: {
-            body: () => schema.never(),
+            params: SAVED_QUERY_ID_CONFIG,
+          },
+          response: {
+            200: {
+              body: () => schema.never(),
+            },
           },
         },
       },
-    },
+      async (context, request, response) => {
-    async (context, request, response) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      try {
+          const savedQuery = await context.savedQuery;
-        const savedQuery = await context.savedQuery;
+          await savedQuery.delete(id);
-        await savedQuery.delete(id);
+          return response.ok();
-        return response.ok();
+        } catch (e) {
-      } catch (e) {
+          const err = e.output?.payload ?? e;
-        const err = e.output?.payload ?? e;
+          return reportServerError(response, err);
-        return reportServerError(response, err);
+        }
       }
-    }
+    );
-  );
 }

src/platform/plugins/shared/data/server/scripts/route.ts

@@ -16,16 +16,16 @@ export function registerScriptsRoute(router: IRouter) {
     .get({
       path: '/internal/scripts/languages',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     .addVersion(
       {
         version: SCRIPT_LANGUAGES_ROUTE_LATEST_VERSION,
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           response: {
             '200': {

src/platform/plugins/shared/data/server/search/routes/search.ts

@@ -30,16 +30,16 @@ export function registerSearchRoute(
     .post({
       path: `${SEARCH_API_BASE_URL}/{strategy}/{id?}`,
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           request: {
             params: schema.object({
@@ -128,16 +128,16 @@ export function registerSearchRoute(
     .delete({
       path: '/internal/search/{strategy}/{id}',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           request: {
             params: schema.object({

src/platform/plugins/shared/data/server/search/routes/session.ts

@@ -34,321 +34,365 @@ const idAndAttrsOnly = (so?: SearchSessionRestResponse) =>
   so && { id: so.id, attributes: so.attributes };
 
 export function registerSessionRoutes(router: DataPluginRouter, logger: Logger): void {
-  router.versioned.post({ path: pathPrefix, access }).addVersion(
+  router.versioned
-    {
+    .post({
-      version,
+      path: pathPrefix,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: schema.object({
+      {
-            sessionId: schema.string(),
+        version,
-            name: schema.string(),
+        validate: {
-            appId: schema.string(),
+          request: {
-            expires: schema.maybe(schema.string()),
+            body: schema.object({
-            locatorId: schema.string(),
+              sessionId: schema.string(),
-            initialState: schema.maybe(schema.object({}, { unknowns: 'allow' })),
+              name: schema.string(),
-            restoreState: schema.maybe(schema.object({}, { unknowns: 'allow' })),
+              appId: schema.string(),
-          }),
+              expires: schema.maybe(schema.string()),
-        },
+              locatorId: schema.string(),
-        response: {
+              initialState: schema.maybe(schema.object({}, { unknowns: 'allow' })),
-          200: {
+              restoreState: schema.maybe(schema.object({}, { unknowns: 'allow' })),
-            body: () => schema.maybe(searchSessionSchema()),
+            }),
+          },
+          response: {
+            200: {
+              body: () => schema.maybe(searchSessionSchema()),
+            },
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { sessionId, name, expires, initialState, restoreState, appId, locatorId } =
-      const { sessionId, name, expires, initialState, restoreState, appId, locatorId } =
+          request.body;
-        request.body;
 
-      try {
+        try {
-        const searchContext = await context.search;
+          const searchContext = await context.search;
 
-        const response = await searchContext.saveSession(sessionId, {
+          const response = await searchContext.saveSession(sessionId, {
-          name,
+            name,
-          appId,
+            appId,
-          expires,
+            expires,
-          locatorId,
+            locatorId,
-          initialState,
+            initialState,
-          restoreState,
+            restoreState,
-        });
+          });
 
-        const body: SearchSessionRestResponse | undefined = idAndAttrsOnly(response);
+          const body: SearchSessionRestResponse | undefined = idAndAttrsOnly(response);
 
-        return res.ok({ body });
+          return res.ok({ body });
-      } catch (err) {
+        } catch (err) {
-        logger.error(err);
+          logger.error(err);
-        return reportServerError(res, err);
+          return reportServerError(res, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}`, access }).addVersion(
+  router.versioned
-    {
+    .get({
-      version,
+      path: `${pathPrefix}/{id}`,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: schema.object({
+      {
-            id: schema.string(),
+        version,
-          }),
+        validate: {
-        },
+          request: {
-        response: {
+            params: schema.object({
-          200: {
+              id: schema.string(),
-            body: searchSessionSchema,
+            }),
+          },
+          response: {
+            200: {
+              body: searchSessionSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      try {
+          const searchContext = await context.search;
-        const searchContext = await context.search;
+          const response: SearchSessionRestResponse = await searchContext!.getSession(id);
-        const response: SearchSessionRestResponse = await searchContext!.getSession(id);
+          const body = idAndAttrsOnly(response);
-        const body = idAndAttrsOnly(response);
 
-        return res.ok({ body });
+          return res.ok({ body });
-      } catch (e) {
+        } catch (e) {
-        const err = e.output?.payload || e;
+          const err = e.output?.payload || e;
-        logger.error(err);
+          logger.error(err);
-        return reportServerError(res, err);
+          return reportServerError(res, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.get({ path: `${pathPrefix}/{id}/status`, access }).addVersion(
+  router.versioned
-    {
+    .get({
-      version,
+      path: `${pathPrefix}/{id}/status`,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: schema.object({
+      {
-            id: schema.string(),
+        version,
-          }),
+        validate: {
-        },
+          request: {
-        response: {
+            params: schema.object({
-          200: {
+              id: schema.string(),
-            body: searchSessionStatusSchema,
+            }),
+          },
+          response: {
+            200: {
+              body: searchSessionStatusSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      try {
+          const searchContext = await context.search;
-        const searchContext = await context.search;
+          const response: SearchSessionStatusRestResponse = await searchContext!.getSessionStatus(
-        const response: SearchSessionStatusRestResponse = await searchContext!.getSessionStatus(id);
+            id
+          );
 
-        return res.ok({
+          return res.ok({
-          body: response,
+            body: response,
-        });
+          });
-      } catch (e) {
+        } catch (e) {
-        const err = e.output?.payload || e;
+          const err = e.output?.payload || e;
-        logger.error(err);
+          logger.error(err);
-        return reportServerError(res, err);
+          return reportServerError(res, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.post({ path: `${pathPrefix}/_find`, access }).addVersion(
+  router.versioned
-    {
+    .post({
-      version,
+      path: `${pathPrefix}/_find`,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: schema.object({
+      {
-            page: schema.maybe(schema.number()),
+        version,
-            perPage: schema.maybe(schema.number()),
+        validate: {
-            sortField: schema.maybe(schema.string()),
+          request: {
-            sortOrder: schema.maybe(schema.oneOf([schema.literal('desc'), schema.literal('asc')])),
+            body: schema.object({
-            filter: schema.maybe(schema.string()),
+              page: schema.maybe(schema.number()),
-            searchFields: schema.maybe(schema.arrayOf(schema.string())),
+              perPage: schema.maybe(schema.number()),
-            search: schema.maybe(schema.string()),
+              sortField: schema.maybe(schema.string()),
-          }),
+              sortOrder: schema.maybe(
-        },
+                schema.oneOf([schema.literal('desc'), schema.literal('asc')])
-        response: {
+              ),
-          200: {
+              filter: schema.maybe(schema.string()),
-            body: searchSessionsFindSchema,
+              searchFields: schema.maybe(schema.arrayOf(schema.string())),
+              search: schema.maybe(schema.string()),
+            }),
+          },
+          response: {
+            200: {
+              body: searchSessionsFindSchema,
+            },
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { page, perPage, sortField, sortOrder, filter, searchFields, search } = request.body;
-      const { page, perPage, sortField, sortOrder, filter, searchFields, search } = request.body;
+        try {
-      try {
+          const searchContext = await context.search;
-        const searchContext = await context.search;
+          const response: SearchSessionsFindRestResponse = await searchContext!.findSessions({
-        const response: SearchSessionsFindRestResponse = await searchContext!.findSessions({
+            page,
-          page,
+            perPage,
-          perPage,
+            sortField,
-          sortField,
+            sortOrder,
-          sortOrder,
+            filter,
-          filter,
+            searchFields,
-          searchFields,
+            search,
-          search,
+          });
-        });
 
-        const body = {
+          const body = {
-          total: response.total,
+            total: response.total,
-          saved_objects: response.saved_objects.map(idAndAttrsOnly),
+            saved_objects: response.saved_objects.map(idAndAttrsOnly),
-          statuses: response.statuses,
+            statuses: response.statuses,
-        };
+          };
 
-        return res.ok({ body });
+          return res.ok({ body });
-      } catch (err) {
+        } catch (err) {
-        logger.error(err);
+          logger.error(err);
-        return reportServerError(res, err);
+          return reportServerError(res, err);
+        }
       }
-    }
+    );
-  );
 
-  router.versioned.delete({ path: `${pathPrefix}/{id}`, access }).addVersion(
+  router.versioned
-    {
+    .delete({
-      version,
+      path: `${pathPrefix}/{id}`,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: schema.object({
+      {
-            id: schema.string(),
+        version,
-          }),
+        validate: {
-        },
+          request: {
-      },
+            params: schema.object({
-    },
+              id: schema.string(),
-    async (context, request, res) => {
+            }),
-      const { id } = request.params;
-      try {
-        const searchContext = await context.search;
-        await searchContext.deleteSession(id);
-
-        return res.ok();
-      } catch (e) {
-        const err = e.output?.payload || e;
-        logger.error(err);
-        return reportServerError(res, err);
-      }
-    }
-  );
-
-  router.versioned.post({ path: `${pathPrefix}/{id}/cancel`, access }).addVersion(
-    {
-      version,
-      security: {
-        authz: { requiredPrivileges },
-      },
-      validate: {
-        request: {
-          params: schema.object({
-            id: schema.string(),
-          }),
-        },
-      },
-    },
-    async (context, request, res) => {
-      const { id } = request.params;
-      try {
-        const searchContext = await context.search;
-        await searchContext.cancelSession(id);
-
-        return res.ok();
-      } catch (e) {
-        const err = e.output?.payload || e;
-        logger.error(err);
-        return reportServerError(res, err);
-      }
-    }
-  );
-
-  router.versioned.put({ path: `${pathPrefix}/{id}`, access }).addVersion(
-    {
-      version,
-      security: {
-        authz: { requiredPrivileges },
-      },
-      validate: {
-        request: {
-          params: schema.object({
-            id: schema.string(),
-          }),
-          body: schema.object({
-            name: schema.maybe(schema.string()),
-            expires: schema.maybe(schema.string()),
-          }),
-        },
-        response: {
-          200: {
-            body: searchSessionsUpdateSchema,
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      const { name, expires } = request.body;
+          const searchContext = await context.search;
-      try {
+          await searchContext.deleteSession(id);
-        const searchContext = await context.search;
-        const response: SearchSessionsUpdateRestResponse = await searchContext.updateSession(id, {
-          name,
-          expires,
-        });
-        return res.ok({
-          body: response,
-        });
-      } catch (err) {
-        logger.error(err);
-        return reportServerError(res, err);
-      }
-    }
-  );
 
-  router.versioned.post({ path: `${pathPrefix}/{id}/_extend`, access }).addVersion(
+          return res.ok();
-    {
+        } catch (e) {
-      version,
+          const err = e.output?.payload || e;
+          logger.error(err);
+          return reportServerError(res, err);
+        }
+      }
+    );
+
+  router.versioned
+    .post({
+      path: `${pathPrefix}/{id}/cancel`,
+      access,
       security: {
         authz: { requiredPrivileges },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          params: schema.object({
+      {
-            id: schema.string(),
+        version,
-          }),
+        validate: {
-          body: schema.object({
+          request: {
-            expires: schema.string(),
+            params: schema.object({
-          }),
+              id: schema.string(),
-        },
+            }),
-        response: {
-          200: {
-            body: searchSessionsUpdateSchema,
           },
         },
       },
-    },
+      async (context, request, res) => {
-    async (context, request, res) => {
+        const { id } = request.params;
-      const { id } = request.params;
+        try {
-      const { expires } = request.body;
+          const searchContext = await context.search;
-      try {
+          await searchContext.cancelSession(id);
-        const searchContext = await context.search;
-        const response: SearchSessionsUpdateRestResponse = await searchContext.extendSession(
-          id,
-          new Date(expires)
-        );
 
-        return res.ok({
+          return res.ok();
-          body: response,
+        } catch (e) {
-        });
+          const err = e.output?.payload || e;
-      } catch (e) {
+          logger.error(err);
-        const err = e.output?.payload || e;
+          return reportServerError(res, err);
-        logger.error(err);
+        }
-        return reportServerError(res, err);
       }
-    }
+    );
-  );
+
+  router.versioned
+    .put({
+      path: `${pathPrefix}/{id}`,
+      access,
+      security: {
+        authz: { requiredPrivileges },
+      },
+    })
+    .addVersion(
+      {
+        version,
+        validate: {
+          request: {
+            params: schema.object({
+              id: schema.string(),
+            }),
+            body: schema.object({
+              name: schema.maybe(schema.string()),
+              expires: schema.maybe(schema.string()),
+            }),
+          },
+          response: {
+            200: {
+              body: searchSessionsUpdateSchema,
+            },
+          },
+        },
+      },
+      async (context, request, res) => {
+        const { id } = request.params;
+        const { name, expires } = request.body;
+        try {
+          const searchContext = await context.search;
+          const response: SearchSessionsUpdateRestResponse = await searchContext.updateSession(id, {
+            name,
+            expires,
+          });
+          return res.ok({
+            body: response,
+          });
+        } catch (err) {
+          logger.error(err);
+          return reportServerError(res, err);
+        }
+      }
+    );
+
+  router.versioned
+    .post({
+      path: `${pathPrefix}/{id}/_extend`,
+      access,
+      security: {
+        authz: { requiredPrivileges },
+      },
+    })
+    .addVersion(
+      {
+        version,
+        validate: {
+          request: {
+            params: schema.object({
+              id: schema.string(),
+            }),
+            body: schema.object({
+              expires: schema.string(),
+            }),
+          },
+          response: {
+            200: {
+              body: searchSessionsUpdateSchema,
+            },
+          },
+        },
+      },
+      async (context, request, res) => {
+        const { id } = request.params;
+        const { expires } = request.body;
+        try {
+          const searchContext = await context.search;
+          const response: SearchSessionsUpdateRestResponse = await searchContext.extendSession(
+            id,
+            new Date(expires)
+          );
+
+          return res.ok({
+            body: response,
+          });
+        } catch (e) {
+          const err = e.output?.payload || e;
+          logger.error(err);
+          return reportServerError(res, err);
+        }
+      }
+    );
 }

src/platform/plugins/shared/data_view_field_editor/server/routes/field_preview.ts

@@ -48,55 +48,60 @@ const responseSchema = () => {
 };
 
 export const registerFieldPreviewRoute = ({ router }: RouteDependencies): void => {
-  router.versioned.post({ path, access: 'internal' }).addVersion(
+  router.versioned
-    {
+    .post({
-      version: '1',
+      path,
+      access: 'internal',
       security: {
         authz: {
           enabled: false,
           reason: 'Authorization provided by Elasticsearch',
         },
       },
-      validate: {
+    })
-        request: {
+    .addVersion(
-          body: bodySchema,
+      {
-        },
+        version: '1',
-        response: {
+        validate: {
-          200: {
+          request: {
-            body: responseSchema,
+            body: bodySchema,
+          },
+          response: {
+            200: {
+              body: responseSchema,
+            },
           },
         },
       },
-    },
+      async (ctx, req, res) => {
-    async (ctx, req, res) => {
+        const { client } = (await ctx.core).elasticsearch;
-      const { client } = (await ctx.core).elasticsearch;
 
-      const body = {
+        const body = {
-        script: req.body.script,
+          script: req.body.script,
-        context: req.body.context,
+          context: req.body.context,
-        context_setup: {
+          context_setup: {
-          document: req.body.document,
+            document: req.body.document,
-          index: req.body.index,
+            index: req.body.index,
-        },
+          },
-      };
-
-      try {
-        // client types need to be updated to support this request format
-        // when it does, supply response types
-        const { result } = await client.asCurrentUser.scriptsPainlessExecute(body);
-
-        return res.ok({ body: { values: result } });
-      } catch (error) {
-        // Assume invalid painless script was submitted
-        // Return 200 with error object
-        const handleCustomError = () => {
-          return res.ok({
-            body: { values: [], error: error.body?.error, status: error.statusCode },
-          });
         };
 
-        return handleEsError({ error, response: res, handleCustomError });
+        try {
+          // client types need to be updated to support this request format
+          // when it does, supply response types
+          const { result } = await client.asCurrentUser.scriptsPainlessExecute(body);
+
+          return res.ok({ body: { values: result } });
+        } catch (error) {
+          // Assume invalid painless script was submitted
+          // Return 200 with error object
+          const handleCustomError = () => {
+            return res.ok({
+              body: { values: [], error: error.body?.error, status: error.statusCode },
+            });
+          };
+
+          return handleEsError({ error, response: res, handleCustomError });
+        }
       }
-    }
+    );
-  );
 };

src/platform/plugins/shared/data_views/server/rest_api_routes/internal/existing_indices.ts

@@ -56,16 +56,16 @@ export const registerExistingIndicesPath = (router: IRouter): void => {
     .get({
       path: EXISTING_INDICES_PATH,
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the scoped ES client',
+        },
+      },
     })
     .addVersion(
       {
         version,
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           request: {
             query: schema.object({

src/platform/plugins/shared/data_views/server/rest_api_routes/internal/fields.ts

@@ -146,17 +146,23 @@ export const registerFields = (
   >,
   isRollupsEnabled: () => boolean
 ) => {
-  router.versioned.get({ path, access: 'internal', enableQueryVersion: true }).addVersion(
+  router.versioned
-    {
+    .get({
-      version: '1',
+      path,
+      access: 'internal',
+      enableQueryVersion: true,
       security: {
         authz: {
           enabled: false,
           reason: 'Authorization provided by Elasticsearch',
         },
       },
-      validate: { request: { query: querySchema }, response: validate.response },
+    })
-    },
+    .addVersion(
-    handler(isRollupsEnabled)
+      {
-  );
+        version: '1',
+        validate: { request: { query: querySchema }, response: validate.response },
+      },
+      handler(isRollupsEnabled)
+    );
 };

src/platform/plugins/shared/data_views/server/rest_api_routes/internal/fields_for.ts

@@ -250,26 +250,23 @@ export const registerFieldForWildcard = (
   const authz: RouteAuthz = { enabled: false, reason: 'Authorization provided by Elasticsearch' };
 
   // handler
-  router.versioned.put({ path, access }).addVersion(
+  router.versioned.put({ path, access, security: { authz } }).addVersion(
     {
       version,
-      security: { authz },
       validate,
     },
     configuredHandler
   );
-  router.versioned.post({ path, access }).addVersion(
+  router.versioned.post({ path, access, security: { authz } }).addVersion(
     {
       version,
-      security: { authz },
       validate,
     },
     configuredHandler
   );
-  router.versioned.get({ path, access }).addVersion(
+  router.versioned.get({ path, access, security: { authz } }).addVersion(
     {
       version,
-      security: { authz },
       validate: { request: { query: querySchema }, response: validate.response },
     },
     configuredHandler

src/platform/plugins/shared/data_views/server/rest_api_routes/internal/has_data_views.ts

@@ -41,16 +41,16 @@ export const registerHasDataViewsRoute = (router: IRouter): void => {
     .get({
       path: '/internal/data_views/has_data_views',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Authorization provided by saved objects client',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'Authorization provided by saved objects client',
-          },
-        },
         validate: {
           response: {
             200: {

src/platform/plugins/shared/data_views/server/rest_api_routes/internal/has_es_data.ts

@@ -129,16 +129,16 @@ export const registerHasEsDataRoute = (
     .get({
       path: '/internal/data_views/has_es_data',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Authorization provided by Elasticsearch',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'Authorization provided by Elasticsearch',
-          },
-        },
         validate: {
           response: {
             200: {

src/platform/plugins/shared/data_views/server/rest_api_routes/public/create_data_view.ts

@@ -58,78 +58,84 @@ const registerCreateDataViewRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            body: schema.object({
+        {
-              override: schema.maybe(schema.boolean({ defaultValue: false })),
+          version: INITIAL_REST_VERSION,
-              refresh_fields: schema.maybe(schema.boolean({ defaultValue: false })),
+          validate: {
-              data_view: serviceKey === SERVICE_KEY ? dataViewSpecSchema : schema.never(),
+            request: {
-              index_pattern:
+              body: schema.object({
-                serviceKey === SERVICE_KEY_LEGACY ? dataViewSpecSchema : schema.never(),
+                override: schema.maybe(schema.boolean({ defaultValue: false })),
-            }),
+                refresh_fields: schema.maybe(schema.boolean({ defaultValue: false })),
-          },
+                data_view: serviceKey === SERVICE_KEY ? dataViewSpecSchema : schema.never(),
-          response: {
+                index_pattern:
-            200: {
+                  serviceKey === SERVICE_KEY_LEGACY ? dataViewSpecSchema : schema.never(),
-              body: () =>
+              }),
-                schema.object({
+            },
-                  [serviceKey]: dataViewSpecSchema,
+            response: {
-                }),
+              200: {
+                body: () =>
+                  schema.object({
+                    [serviceKey]: dataViewSpecSchema,
+                  }),
+              },
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
 
-          const dataViewsService = await dataViewsServiceFactory(
+            const dataViewsService = await dataViewsServiceFactory(
-            savedObjectsClient,
+              savedObjectsClient,
-            elasticsearchClient,
+              elasticsearchClient,
-            req
+              req
-          );
+            );
-          const body = req.body;
+            const body = req.body;
 
-          const spec = serviceKey === SERVICE_KEY ? body.data_view : body.index_pattern;
+            const spec = serviceKey === SERVICE_KEY ? body.data_view : body.index_pattern;
 
-          const dataView = await createDataView({
+            const dataView = await createDataView({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            spec: { ...spec, name: spec.name || spec.title } as DataViewSpec,
+              spec: { ...spec, name: spec.name || spec.title } as DataViewSpec,
-            override: body.override,
+              override: body.override,
-            refreshFields: body.refresh_fields,
+              refreshFields: body.refresh_fields,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-          });
+            });
 
-          const toSpecParams =
+            const toSpecParams =
-            body.refresh_fields === false ? {} : { fieldParams: { fieldName: ['*'] } };
+              body.refresh_fields === false ? {} : { fieldParams: { fieldName: ['*'] } };
 
-          const responseBody: Record<string, DataViewSpecRestResponse> = {
+            const responseBody: Record<string, DataViewSpecRestResponse> = {
-            [serviceKey]: {
+              [serviceKey]: {
-              ...(await dataView.toSpec(toSpecParams)),
+                ...(await dataView.toSpec(toSpecParams)),
-              namespaces: dataView.namespaces,
+                namespaces: dataView.namespaces,
-            },
+              },
-          };
+            };
 
-          return res.ok({
+            return res.ok({
-            headers: {
+              headers: {
-              'content-type': 'application/json',
+                'content-type': 'application/json',
-            },
+              },
-            body: responseBody,
+              body: responseBody,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerCreateDataViewRoute = registerCreateDataViewRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/default_data_view.ts

@@ -70,105 +70,117 @@ const manageDefaultIndexPatternRoutesFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.get({ path, access: 'public', description: getDescription }).addVersion(
+    router.versioned
-      {
+      .get({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description: getDescription,
         security: {
           authz: {
             enabled: false,
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {},
+      .addVersion(
-          response: {
+        {
-            200: {
+          version: INITIAL_REST_VERSION,
-              body: () => schema.object({ [`${serviceKey}_id`]: schema.string() }),
+          validate: {
+            request: {},
+            response: {
+              200: {
+                body: () => schema.object({ [`${serviceKey}_id`]: schema.string() }),
+              },
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
 
-        const id = await getDefault({
+          const id = await getDefault({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-        });
+          });
 
-        return res.ok({
+          return res.ok({
-          body: {
+            body: {
-            [`${serviceKey}_id`]: id,
+              [`${serviceKey}_id`]: id,
-          },
+            },
-        });
+          });
-      })
+        })
-    );
+      );
 
-    router.versioned.post({ path, access: 'public', description: postDescription }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description: postDescription,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            body: schema.object({
+        {
-              [`${serviceKey}_id`]: schema.nullable(
+          version: INITIAL_REST_VERSION,
-                schema.string({
+          validate: {
-                  minLength: 1,
+            request: {
-                  maxLength: 1_000,
+              body: schema.object({
-                })
+                [`${serviceKey}_id`]: schema.nullable(
-              ),
+                  schema.string({
-              force: schema.boolean({ defaultValue: false }),
+                    minLength: 1,
-            }),
+                    maxLength: 1_000,
-          },
+                  })
-          response: {
+                ),
-            200: {
+                force: schema.boolean({ defaultValue: false }),
-              body: () => schema.object({ acknowledged: schema.boolean() }),
+              }),
+            },
+            response: {
+              200: {
+                body: () => schema.object({ acknowledged: schema.boolean() }),
+              },
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
 
-        const newDefaultId = req.body[`${serviceKey}_id`] as string;
+          const newDefaultId = req.body[`${serviceKey}_id`] as string;
-        const force = req.body.force as boolean;
+          const force = req.body.force as boolean;
 
-        await setDefault({
+          await setDefault({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-          newDefaultId,
+            newDefaultId,
-          force,
+            force,
-        });
+          });
 
-        return res.ok({
+          return res.ok({
-          body: {
+            body: {
-            acknowledged: true,
+              acknowledged: true,
-          },
+            },
-        });
+          });
-      })
+        })
-    );
+      );
   };
 
 export const registerManageDefaultDataViewRoute = manageDefaultIndexPatternRoutesFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/delete_data_view.ts

@@ -50,52 +50,58 @@ const deleteIndexPatternRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.delete({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .delete({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object(
+        {
-              {
+          version: INITIAL_REST_VERSION,
-                id: schema.string({
+          validate: {
-                  minLength: 1,
+            request: {
-                  maxLength: 1_000,
+              params: schema.object(
-                }),
+                {
-              },
+                  id: schema.string({
-              { unknowns: 'allow' }
+                    minLength: 1,
-            ),
+                    maxLength: 1_000,
+                  }),
+                },
+                { unknowns: 'allow' }
+              ),
+            },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
+            const dataViewsService = await dataViewsServiceFactory(
-          const dataViewsService = await dataViewsServiceFactory(
+              savedObjectsClient,
-            savedObjectsClient,
+              elasticsearchClient,
-            elasticsearchClient,
+              req
-            req
+            );
-          );
+            const id = req.params.id;
-          const id = req.params.id;
 
-          await deleteDataView({
+            await deleteDataView({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-            id,
+              id,
-          });
+            });
 
-          return res.ok();
+            return res.ok();
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerDeleteDataViewRoute = deleteIndexPatternRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/fields/update_fields.ts

@@ -128,80 +128,86 @@ const updateFieldsActionRouteFactory = (path: string, serviceKey: string, descri
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object(
+        {
-              {
+          version: INITIAL_REST_VERSION,
-                id: schema.string({
+          validate: {
-                  minLength: 1,
+            request: {
-                  maxLength: 1_000,
+              params: schema.object(
-                }),
+                {
-              },
+                  id: schema.string({
-              { unknowns: 'allow' }
+                    minLength: 1,
-            ),
+                    maxLength: 1_000,
-            body: schema.object({
+                  }),
-              fields: schema.recordOf(
+                },
-                schema.string({
+                { unknowns: 'allow' }
-                  minLength: 1,
-                  maxLength: 1_000,
-                }),
-                fieldUpdateSchema
               ),
-            }),
+              body: schema.object({
-          },
+                fields: schema.recordOf(
-          response: {
+                  schema.string({
-            200: {
+                    minLength: 1,
-              body: () =>
+                    maxLength: 1_000,
-                schema.object({
+                  }),
-                  [serviceKey]: dataViewSpecSchema,
+                  fieldUpdateSchema
-                }),
+                ),
+              }),
+            },
+            response: {
+              200: {
+                body: () =>
+                  schema.object({
+                    [serviceKey]: dataViewSpecSchema,
+                  }),
+              },
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
+            const dataViewsService = await dataViewsServiceFactory(
-          const dataViewsService = await dataViewsServiceFactory(
+              savedObjectsClient,
-            savedObjectsClient,
+              elasticsearchClient,
-            elasticsearchClient,
+              req
-            req
+            );
-          );
+            const id = req.params.id;
-          const id = req.params.id;
+            const { fields } = req.body;
-          const { fields } = req.body;
 
-          const dataView = await updateFields({
+            const dataView = await updateFields({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            id,
+              id,
-            fields,
+              fields,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-          });
+            });
 
-          const body: Record<string, DataViewSpecRestResponse> = {
+            const body: Record<string, DataViewSpecRestResponse> = {
-            [serviceKey]: await dataView.toSpec({ fieldParams: { fieldName: ['*'] } }),
+              [serviceKey]: await dataView.toSpec({ fieldParams: { fieldName: ['*'] } }),
-          };
+            };
 
-          return res.ok({
+            return res.ok({
-            headers: {
+              headers: {
-              'content-type': 'application/json',
+                'content-type': 'application/json',
-            },
+              },
-            body,
+              body,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 };
 

src/platform/plugins/shared/data_views/server/rest_api_routes/public/get_data_view.ts

@@ -54,73 +54,79 @@ const getDataViewRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.get({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .get({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             enabled: false,
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object(
+        {
-              {
+          version: INITIAL_REST_VERSION,
-                id: schema.string({
+          validate: {
-                  minLength: 1,
+            request: {
-                  maxLength: 1_000,
+              params: schema.object(
-                }),
+                {
+                  id: schema.string({
+                    minLength: 1,
+                    maxLength: 1_000,
+                  }),
+                },
+                { unknowns: 'allow' }
+              ),
+            },
+            response: {
+              200: {
+                body: () =>
+                  schema.object({
+                    [serviceKey]: dataViewSpecSchema,
+                  }),
               },
-              { unknowns: 'allow' }
-            ),
-          },
-          response: {
-            200: {
-              body: () =>
-                schema.object({
-                  [serviceKey]: dataViewSpecSchema,
-                }),
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
+            const dataViewsService = await dataViewsServiceFactory(
-          const dataViewsService = await dataViewsServiceFactory(
+              savedObjectsClient,
-            savedObjectsClient,
+              elasticsearchClient,
-            elasticsearchClient,
+              req
-            req
+            );
-          );
+            const id = req.params.id;
-          const id = req.params.id;
 
-          const dataView = await getDataView({
+            const dataView = await getDataView({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-            id,
+              id,
-          });
+            });
 
-          const responseBody: Record<string, DataViewSpecRestResponse> = {
+            const responseBody: Record<string, DataViewSpecRestResponse> = {
-            [serviceKey]: {
+              [serviceKey]: {
-              ...(await dataView.toSpec({ fieldParams: { fieldName: ['*'] } })),
+                ...(await dataView.toSpec({ fieldParams: { fieldName: ['*'] } })),
-              namespaces: dataView.namespaces,
+                namespaces: dataView.namespaces,
-            },
+              },
-          };
+            };
 
-          return res.ok({
+            return res.ok({
-            headers: {
+              headers: {
-              'content-type': 'application/json',
+                'content-type': 'application/json',
-            },
+              },
-            body: responseBody,
+              body: responseBody,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerGetDataViewRoute = getDataViewRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/get_data_views.ts

@@ -63,51 +63,57 @@ const getDataViewsRouteFactory =
       return schema.object({ [serviceKey]: dataViewListSchema });
     };
 
-    router.versioned.get({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .get({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             enabled: false,
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {},
+      .addVersion(
-          response: { 200: { body: responseValidation } },
+        {
+          version: INITIAL_REST_VERSION,
+          validate: {
+            request: {},
+            response: { 200: { body: responseValidation } },
+          },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
+            const dataViewsService = await dataViewsServiceFactory(
-          const dataViewsService = await dataViewsServiceFactory(
+              savedObjectsClient,
-            savedObjectsClient,
+              elasticsearchClient,
-            elasticsearchClient,
+              req
-            req
+            );
-          );
 
-          const dataViews = await getDataViews({
+            const dataViews = await getDataViews({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-          });
+            });
 
-          const body: Record<string, DataViewListItemRestResponse[]> = {
+            const body: Record<string, DataViewListItemRestResponse[]> = {
-            [serviceKey]: dataViews,
+              [serviceKey]: dataViews,
-          };
+            };
 
-          return res.ok({
+            return res.ok({
-            headers: {
+              headers: {
-              'content-type': 'application/json',
+                'content-type': 'application/json',
-            },
+              },
-            body,
+              body,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerGetDataViewsRoute = getDataViewsRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/has_user_data_view.ts

@@ -43,54 +43,59 @@ const hasUserDataViewRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.get({ path, access: 'internal' }).addVersion(
+    router.versioned
-      {
+      .get({
-        version: '1',
+        path,
+        access: 'internal',
         security: {
           authz: {
             enabled: false,
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {},
+      .addVersion(
-          response: {
+        {
-            200: {
+          version: '1',
-              body: () =>
+          validate: {
-                schema.object({
+            request: {},
-                  result: schema.boolean(),
+            response: {
-                }),
+              200: {
+                body: () =>
+                  schema.object({
+                    result: schema.boolean(),
+                  }),
+              },
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
 
-          const dataViewsService = await dataViewsServiceFactory(
+            const dataViewsService = await dataViewsServiceFactory(
-            savedObjectsClient,
+              savedObjectsClient,
-            elasticsearchClient,
+              elasticsearchClient,
-            req
+              req
-          );
+            );
 
-          const result = await hasUserDataView({
+            const result = await hasUserDataView({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-          });
+            });
 
-          const body: { result: boolean } = { result };
+            const body: { result: boolean } = { result };
 
-          return res.ok({
+            return res.ok({
-            body,
+              body,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerHasUserDataViewRoute = hasUserDataViewRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/runtime_fields/create_runtime_field.ts

@@ -79,68 +79,74 @@ const runtimeCreateFieldRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object({
+        {
-              id: schema.string({
+          version: INITIAL_REST_VERSION,
-                minLength: 1,
+          validate: {
-                maxLength: 1_000,
+            request: {
+              params: schema.object({
+                id: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
               }),
-            }),
+              body: schema.object({
-            body: schema.object({
+                name: schema.string({
-              name: schema.string({
+                  minLength: 1,
-                minLength: 1,
+                  maxLength: 1_000,
-                maxLength: 1_000,
+                }),
+                runtimeField: runtimeFieldSchema,
               }),
-              runtimeField: runtimeFieldSchema,
+            },
-            }),
+            response: {
-          },
+              200: {
-          response: {
+                body: runtimeResponseSchema,
-            200: {
+              },
-              body: runtimeResponseSchema,
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
+          const id = req.params.id;
-        const id = req.params.id;
+          const { name, runtimeField } = req.body;
-        const { name, runtimeField } = req.body;
 
-        const { dataView, fields } = await createRuntimeField({
+          const { dataView, fields } = await createRuntimeField({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-          id,
+            id,
-          name,
+            name,
-          runtimeField: runtimeField as RuntimeField,
+            runtimeField: runtimeField as RuntimeField,
-        });
+          });
 
-        const response: RuntimeResponseType = await responseFormatter({
+          const response: RuntimeResponseType = await responseFormatter({
-          serviceKey,
+            serviceKey,
-          dataView,
+            dataView,
-          fields,
+            fields,
-        });
+          });
 
-        return res.ok(response);
+          return res.ok(response);
-      })
+        })
-    );
+      );
   };
 
 export const registerCreateRuntimeFieldRoute = runtimeCreateFieldRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/runtime_fields/delete_runtime_field.ts

@@ -62,58 +62,64 @@ const deleteRuntimeFieldRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.delete({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .delete({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object({
+        {
-              id: schema.string({
+          version: INITIAL_REST_VERSION,
-                minLength: 1,
+          validate: {
-                maxLength: 1_000,
+            request: {
+              params: schema.object({
+                id: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
+                name: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
               }),
-              name: schema.string({
+            },
-                minLength: 1,
+            response: {
-                maxLength: 1_000,
+              200: {
-              }),
+                body: () => schema.never(),
-            }),
+              },
-          },
-          response: {
-            200: {
-              body: () => schema.never(),
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
+          const id = req.params.id;
-        const id = req.params.id;
+          const name = req.params.name;
-        const name = req.params.name;
 
-        await deleteRuntimeField({
+          await deleteRuntimeField({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          id,
+            id,
-          name,
+            name,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-        });
+          });
 
-        return res.ok();
+          return res.ok();
-      })
+        })
-    );
+      );
   };
 
 export const registerDeleteRuntimeFieldRoute = deleteRuntimeFieldRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/runtime_fields/get_runtime_field.ts

@@ -70,65 +70,71 @@ const getRuntimeFieldRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.get({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .get({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             enabled: false,
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object({
+        {
-              id: schema.string({
+          version: INITIAL_REST_VERSION,
-                minLength: 1,
+          validate: {
-                maxLength: 1_000,
+            request: {
+              params: schema.object({
+                id: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
+                name: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
               }),
-              name: schema.string({
+            },
-                minLength: 1,
+            response: {
-                maxLength: 1_000,
+              200: {
-              }),
+                body: runtimeResponseSchema,
-            }),
+              },
-          },
-          response: {
-            200: {
-              body: runtimeResponseSchema,
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
+          const id = req.params.id;
-        const id = req.params.id;
+          const name = req.params.name;
-        const name = req.params.name;
 
-        const { dataView, fields } = await getRuntimeField({
+          const { dataView, fields } = await getRuntimeField({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-          id,
+            id,
-          name,
+            name,
-        });
+          });
 
-        const response: RuntimeResponseType = await responseFormatter({
+          const response: RuntimeResponseType = await responseFormatter({
-          serviceKey,
+            serviceKey,
-          dataView,
+            dataView,
-          fields: fields || [],
+            fields: fields || [],
-        });
+          });
 
-        return res.ok(response);
+          return res.ok(response);
-      })
+        })
-    );
+      );
   };
 
 export const registerGetRuntimeFieldRoute = getRuntimeFieldRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/runtime_fields/put_runtime_field.ts

@@ -78,71 +78,77 @@ const putRuntimeFieldRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.put({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .put({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object({
+        {
-              id: schema.string({
+          version: INITIAL_REST_VERSION,
-                minLength: 1,
+          validate: {
-                maxLength: 1_000,
+            request: {
+              params: schema.object({
+                id: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
               }),
-            }),
+              body: schema.object({
-            body: schema.object({
+                name: schema.string({
-              name: schema.string({
+                  minLength: 1,
-                minLength: 1,
+                  maxLength: 1_000,
-                maxLength: 1_000,
+                }),
+                runtimeField: runtimeFieldSchema,
               }),
-              runtimeField: runtimeFieldSchema,
+            },
-            }),
+            response: {
-          },
+              200: {
-          response: {
+                body: runtimeResponseSchema,
-            200: {
+              },
-              body: runtimeResponseSchema,
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
+          const id = req.params.id;
-        const id = req.params.id;
+          const { name, runtimeField } = req.body as {
-        const { name, runtimeField } = req.body as {
+            name: string;
-          name: string;
+            runtimeField: RuntimeField;
-          runtimeField: RuntimeField;
+          };
-        };
 
-        const { dataView, fields } = await putRuntimeField({
+          const { dataView, fields } = await putRuntimeField({
-          dataViewsService,
+            dataViewsService,
-          id,
+            id,
-          name,
+            name,
-          runtimeField,
+            runtimeField,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-        });
+          });
 
-        const response: RuntimeResponseType = await responseFormatter({
+          const response: RuntimeResponseType = await responseFormatter({
-          serviceKey,
+            serviceKey,
-          dataView,
+            dataView,
-          fields,
+            fields,
-        });
+          });
 
-        return res.ok(response);
+          return res.ok(response);
-      })
+        })
-    );
+      );
   };
 
 export const registerPutRuntimeFieldRoute = putRuntimeFieldRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/runtime_fields/update_runtime_field.ts

@@ -78,70 +78,76 @@ const updateRuntimeFieldRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object({
+        {
-              id: schema.string({
+          version: INITIAL_REST_VERSION,
-                minLength: 1,
+          validate: {
-                maxLength: 1_000,
+            request: {
+              params: schema.object({
+                id: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
+                name: schema.string({
+                  minLength: 1,
+                  maxLength: 1_000,
+                }),
               }),
-              name: schema.string({
+              body: schema.object({
-                minLength: 1,
+                name: schema.never(),
-                maxLength: 1_000,
+                runtimeField: runtimeFieldSchemaUpdate,
               }),
-            }),
+            },
-            body: schema.object({
+            response: {
-              name: schema.never(),
+              200: {
-              runtimeField: runtimeFieldSchemaUpdate,
+                body: runtimeResponseSchema,
-            }),
+              },
-          },
-          response: {
-            200: {
-              body: runtimeResponseSchema,
             },
           },
         },
-      },
+        handleErrors(async (ctx, req, res) => {
-      handleErrors(async (ctx, req, res) => {
+          const core = await ctx.core;
-        const core = await ctx.core;
+          const savedObjectsClient = core.savedObjects.client;
-        const savedObjectsClient = core.savedObjects.client;
+          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-        const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+          const [, , { dataViewsServiceFactory }] = await getStartServices();
-        const [, , { dataViewsServiceFactory }] = await getStartServices();
+          const dataViewsService = await dataViewsServiceFactory(
-        const dataViewsService = await dataViewsServiceFactory(
+            savedObjectsClient,
-          savedObjectsClient,
+            elasticsearchClient,
-          elasticsearchClient,
+            req
-          req
+          );
-        );
+          const id = req.params.id;
-        const id = req.params.id;
+          const name = req.params.name;
-        const name = req.params.name;
+          const runtimeField = req.body.runtimeField as Partial<RuntimeField>;
-        const runtimeField = req.body.runtimeField as Partial<RuntimeField>;
 
-        const { dataView, fields } = await updateRuntimeField({
+          const { dataView, fields } = await updateRuntimeField({
-          dataViewsService,
+            dataViewsService,
-          usageCollection,
+            usageCollection,
-          counterName: `${req.route.method} ${path}`,
+            counterName: `${req.route.method} ${path}`,
-          id,
+            id,
-          name,
+            name,
-          runtimeField,
+            runtimeField,
-        });
+          });
 
-        const response: RuntimeResponseType = await responseFormatter({
+          const response: RuntimeResponseType = await responseFormatter({
-          serviceKey,
+            serviceKey,
-          dataView,
+            dataView,
-          fields,
+            fields,
-        });
+          });
 
-        return res.ok(response);
+          return res.ok(response);
-      })
+        })
-    );
+      );
   };
 
 export const registerUpdateRuntimeFieldRoute = updateRuntimeFieldRouteFactory(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/scripted_fields/create_scripted_field.ts

@@ -27,15 +27,18 @@ export const registerCreateScriptedFieldRoute = (
   >
 ) => {
   router.versioned
-    .post({ path: '/api/index_patterns/index_pattern/{id}/scripted_field', access: 'public' })
+    .post({
+      path: '/api/index_patterns/index_pattern/{id}/scripted_field',
+      access: 'public',
+      security: {
+        authz: {
+          requiredPrivileges: ['indexPatterns:manage'],
+        },
+      },
+    })
     .addVersion(
       {
         version: INITIAL_REST_VERSION,
-        security: {
-          authz: {
-            requiredPrivileges: ['indexPatterns:manage'],
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/scripted_fields/delete_scripted_field.ts

@@ -28,15 +28,15 @@ export const registerDeleteScriptedFieldRoute = (
     .delete({
       path: '/api/index_patterns/index_pattern/{id}/scripted_field/{name}',
       access: 'public',
+      security: {
+        authz: {
+          requiredPrivileges: ['indexPatterns:manage'],
+        },
+      },
     })
     .addVersion(
       {
         version: INITIAL_REST_VERSION,
-        security: {
-          authz: {
-            requiredPrivileges: ['indexPatterns:manage'],
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/scripted_fields/get_scripted_field.ts

@@ -27,16 +27,19 @@ export const registerGetScriptedFieldRoute = (
   >
 ) => {
   router.versioned
-    .get({ path: '/api/index_patterns/index_pattern/{id}/scripted_field/{name}', access: 'public' })
+    .get({
+      path: '/api/index_patterns/index_pattern/{id}/scripted_field/{name}',
+      access: 'public',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Authorization provided by saved objects client',
+        },
+      },
+    })
     .addVersion(
       {
         version: INITIAL_REST_VERSION,
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'Authorization provided by saved objects client',
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/scripted_fields/put_scripted_field.ts

@@ -27,15 +27,18 @@ export const registerPutScriptedFieldRoute = (
   >
 ) => {
   router.versioned
-    .put({ path: '/api/index_patterns/index_pattern/{id}/scripted_field', access: 'public' })
+    .put({
+      path: '/api/index_patterns/index_pattern/{id}/scripted_field',
+      access: 'public',
+      security: {
+        authz: {
+          requiredPrivileges: ['indexPatterns:manage'],
+        },
+      },
+    })
     .addVersion(
       {
         version: INITIAL_REST_VERSION,
-        security: {
-          authz: {
-            requiredPrivileges: ['indexPatterns:manage'],
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/scripted_fields/update_scripted_field.ts

@@ -32,15 +32,15 @@ export const registerUpdateScriptedFieldRoute = (
     .post({
       path: '/api/index_patterns/index_pattern/{id}/scripted_field/{name}',
       access: 'public',
+      security: {
+        authz: {
+          requiredPrivileges: ['indexPatterns:manage'],
+        },
+      },
     })
     .addVersion(
       {
         version: INITIAL_REST_VERSION,
-        security: {
-          authz: {
-            requiredPrivileges: ['indexPatterns:manage'],
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/plugins/shared/data_views/server/rest_api_routes/public/swap_references.ts

@@ -67,9 +67,11 @@ export const swapReferencesRoute =
     const description = previewRoute
       ? PREVIEW_SWAP_REFERENCES_DESCRIPTION
       : SWAP_REFERENCES_DESCRIPTION;
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             enabled: false,
@@ -78,132 +80,136 @@ export const swapReferencesRoute =
             reason: 'Authorization provided by saved objects client',
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            body: schema.object({
+        {
-              fromId: idSchema,
+          version: INITIAL_REST_VERSION,
-              fromType: schema.maybe(schema.string()),
+          validate: {
-              toId: idSchema,
+            request: {
-              forId: schema.maybe(schema.oneOf([idSchema, schema.arrayOf(idSchema)])),
+              body: schema.object({
-              forType: schema.maybe(schema.string()),
+                fromId: idSchema,
-              delete: schema.maybe(schema.boolean()),
+                fromType: schema.maybe(schema.string()),
-            }),
+                toId: idSchema,
-          },
+                forId: schema.maybe(schema.oneOf([idSchema, schema.arrayOf(idSchema)])),
-          response: {
+                forType: schema.maybe(schema.string()),
-            200: {
+                delete: schema.maybe(schema.boolean()),
-              body: () =>
+              }),
-                schema.object({
+            },
-                  result: schema.arrayOf(schema.object({ id: idSchema, type: schema.string() })),
+            response: {
-                  deleteStatus: schema.maybe(
+              200: {
-                    schema.object({
+                body: () =>
-                      remainingRefs: schema.number(),
+                  schema.object({
-                      deletePerformed: schema.boolean(),
+                    result: schema.arrayOf(schema.object({ id: idSchema, type: schema.string() })),
-                    })
+                    deleteStatus: schema.maybe(
-                  ),
+                      schema.object({
-                }),
+                        remainingRefs: schema.number(),
+                        deletePerformed: schema.boolean(),
+                      })
+                    ),
+                  }),
+              },
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const savedObjectsClient = (await ctx.core).savedObjects.client;
-          const savedObjectsClient = (await ctx.core).savedObjects.client;
+            const [core] = await getStartServices();
-          const [core] = await getStartServices();
+            const types = core.savedObjects.getTypeRegistry().getAllTypes();
-          const types = core.savedObjects.getTypeRegistry().getAllTypes();
+            const type = req.body.fromType || DATA_VIEW_SAVED_OBJECT_TYPE;
-          const type = req.body.fromType || DATA_VIEW_SAVED_OBJECT_TYPE;
+            const searchId =
-          const searchId =
+              !Array.isArray(req.body.forId) && req.body.forId !== undefined
-            !Array.isArray(req.body.forId) && req.body.forId !== undefined
+                ? [req.body.forId]
-              ? [req.body.forId]
+                : req.body.forId;
-              : req.body.forId;
 
-          usageCollection?.incrementCounter({ counterName: 'swap_references' });
+            usageCollection?.incrementCounter({ counterName: 'swap_references' });
 
-          // verify 'to' object actually exists
+            // verify 'to' object actually exists
-          try {
+            try {
-            await savedObjectsClient.get(type, req.body.toId);
+              await savedObjectsClient.get(type, req.body.toId);
-          } catch (e) {
+            } catch (e) {
-            throw new Error(`Could not find object with type ${type} and id ${req.body.toId}`);
+              throw new Error(`Could not find object with type ${type} and id ${req.body.toId}`);
-          }
+            }
 
-          // assemble search params
+            // assemble search params
-          const findParams: SavedObjectsFindOptions = {
+            const findParams: SavedObjectsFindOptions = {
-            type: types.map((t) => t.name),
+              type: types.map((t) => t.name),
-            hasReference: { type, id: req.body.fromId },
+              hasReference: { type, id: req.body.fromId },
-          };
+            };
 
-          if (req.body.forType) {
+            if (req.body.forType) {
-            findParams.type = [req.body.forType];
+              findParams.type = [req.body.forType];
-          }
+            }
 
-          const { saved_objects: savedObjects } = await savedObjectsClient.find(findParams);
+            const { saved_objects: savedObjects } = await savedObjectsClient.find(findParams);
 
-          const filteredSavedObjects = searchId
+            const filteredSavedObjects = searchId
-            ? savedObjects.filter((so) => searchId?.includes(so.id))
+              ? savedObjects.filter((so) => searchId?.includes(so.id))
-            : savedObjects;
+              : savedObjects;
 
-          // create summary of affected objects
+            // create summary of affected objects
-          const resultSummary = filteredSavedObjects.map((savedObject) => ({
+            const resultSummary = filteredSavedObjects.map((savedObject) => ({
-            id: savedObject.id,
+              id: savedObject.id,
-            type: savedObject.type,
+              type: savedObject.type,
-          }));
+            }));
 
-          const body: SwapRefResponse = {
+            const body: SwapRefResponse = {
-            result: resultSummary,
+              result: resultSummary,
-          };
+            };
+
+            // bail if preview
+            if (previewRoute) {
+              return res.ok({
+                headers: {
+                  'content-type': 'application/json',
+                },
+                body,
+              });
+            }
+
+            // iterate over list and update references
+            for (const savedObject of filteredSavedObjects) {
+              const updatedRefs = savedObject.references.map((ref) => {
+                if (ref.type === type && ref.id === req.body.fromId) {
+                  return { ...ref, id: req.body.toId };
+                } else {
+                  return ref;
+                }
+              });
+
+              await savedObjectsClient.update(
+                savedObject.type,
+                savedObject.id,
+                {},
+                {
+                  references: updatedRefs,
+                }
+              );
+            }
+
+            if (req.body.delete) {
+              const verifyNoMoreRefs = await savedObjectsClient.find(findParams);
+              if (verifyNoMoreRefs.total > 0) {
+                body.deleteStatus = {
+                  remainingRefs: verifyNoMoreRefs.total,
+                  deletePerformed: false,
+                };
+              } else {
+                await savedObjectsClient.delete(type, req.body.fromId, { refresh: 'wait_for' });
+                body.deleteStatus = {
+                  remainingRefs: verifyNoMoreRefs.total,
+                  deletePerformed: true,
+                };
+              }
+            }
 
-          // bail if preview
-          if (previewRoute) {
             return res.ok({
               headers: {
                 'content-type': 'application/json',
               },
               body,
             });
-          }
+          })
-
+        )
-          // iterate over list and update references
+      );
-          for (const savedObject of filteredSavedObjects) {
-            const updatedRefs = savedObject.references.map((ref) => {
-              if (ref.type === type && ref.id === req.body.fromId) {
-                return { ...ref, id: req.body.toId };
-              } else {
-                return ref;
-              }
-            });
-
-            await savedObjectsClient.update(
-              savedObject.type,
-              savedObject.id,
-              {},
-              {
-                references: updatedRefs,
-              }
-            );
-          }
-
-          if (req.body.delete) {
-            const verifyNoMoreRefs = await savedObjectsClient.find(findParams);
-            if (verifyNoMoreRefs.total > 0) {
-              body.deleteStatus = {
-                remainingRefs: verifyNoMoreRefs.total,
-                deletePerformed: false,
-              };
-            } else {
-              await savedObjectsClient.delete(type, req.body.fromId, { refresh: 'wait_for' });
-              body.deleteStatus = {
-                remainingRefs: verifyNoMoreRefs.total,
-                deletePerformed: true,
-              };
-            }
-          }
-
-          return res.ok({
-            headers: {
-              'content-type': 'application/json',
-            },
-            body,
-          });
-        })
-      )
-    );
   };

src/platform/plugins/shared/data_views/server/rest_api_routes/public/update_data_view.ts

@@ -144,83 +144,89 @@ const updateDataViewRouteFactory =
     >,
     usageCollection?: UsageCounter
   ) => {
-    router.versioned.post({ path, access: 'public', description }).addVersion(
+    router.versioned
-      {
+      .post({
-        version: INITIAL_REST_VERSION,
+        path,
+        access: 'public',
+        description,
         security: {
           authz: {
             requiredPrivileges: ['indexPatterns:manage'],
           },
         },
-        validate: {
+      })
-          request: {
+      .addVersion(
-            params: schema.object(
+        {
-              {
+          version: INITIAL_REST_VERSION,
-                id: schema.string({
+          validate: {
-                  minLength: 1,
+            request: {
-                  maxLength: 1_000,
+              params: schema.object(
-                }),
+                {
+                  id: schema.string({
+                    minLength: 1,
+                    maxLength: 1_000,
+                  }),
+                },
+                { unknowns: 'allow' }
+              ),
+              body: schema.object({
+                refresh_fields: schema.maybe(schema.boolean({ defaultValue: false })),
+                [serviceKey]: indexPatternUpdateSchema,
+              }),
+            },
+            response: {
+              200: {
+                body: () =>
+                  schema.object({
+                    [serviceKey]: dataViewSpecSchema,
+                  }),
               },
-              { unknowns: 'allow' }
-            ),
-            body: schema.object({
-              refresh_fields: schema.maybe(schema.boolean({ defaultValue: false })),
-              [serviceKey]: indexPatternUpdateSchema,
-            }),
-          },
-          response: {
-            200: {
-              body: () =>
-                schema.object({
-                  [serviceKey]: dataViewSpecSchema,
-                }),
             },
           },
         },
-      },
+        router.handleLegacyErrors(
-      router.handleLegacyErrors(
+          handleErrors(async (ctx, req, res) => {
-        handleErrors(async (ctx, req, res) => {
+            const core = await ctx.core;
-          const core = await ctx.core;
+            const savedObjectsClient = core.savedObjects.client;
-          const savedObjectsClient = core.savedObjects.client;
+            const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
-          const elasticsearchClient = core.elasticsearch.client.asCurrentUser;
+            const [, , { dataViewsServiceFactory }] = await getStartServices();
-          const [, , { dataViewsServiceFactory }] = await getStartServices();
 
-          const dataViewsService = await dataViewsServiceFactory(
+            const dataViewsService = await dataViewsServiceFactory(
-            savedObjectsClient,
+              savedObjectsClient,
-            elasticsearchClient,
+              elasticsearchClient,
-            req
+              req
-          );
+            );
-          const id = req.params.id;
+            const id = req.params.id;
 
-          const {
+            const {
-            // eslint-disable-next-line @typescript-eslint/naming-convention
+              // eslint-disable-next-line @typescript-eslint/naming-convention
-            refresh_fields = true,
+              refresh_fields = true,
-          } = req.body;
+            } = req.body;
 
-          const spec = req.body[serviceKey] as DataViewSpec;
+            const spec = req.body[serviceKey] as DataViewSpec;
 
-          const dataView = await updateDataView({
+            const dataView = await updateDataView({
-            dataViewsService,
+              dataViewsService,
-            usageCollection,
+              usageCollection,
-            id,
+              id,
-            refreshFields: refresh_fields as boolean,
+              refreshFields: refresh_fields as boolean,
-            spec,
+              spec,
-            counterName: `${req.route.method} ${path}`,
+              counterName: `${req.route.method} ${path}`,
-          });
+            });
 
-          const body: Record<string, DataViewSpecRestResponse> = {
+            const body: Record<string, DataViewSpecRestResponse> = {
-            [serviceKey]: await dataView.toSpec({ fieldParams: { fieldName: ['*'] } }),
+              [serviceKey]: await dataView.toSpec({ fieldParams: { fieldName: ['*'] } }),
-          };
+            };
 
-          return res.ok({
+            return res.ok({
-            headers: {
+              headers: {
-              'content-type': 'application/json',
+                'content-type': 'application/json',
-            },
+              },
-            body,
+              body,
-          });
+            });
-        })
+          })
-      )
+        )
-    );
+      );
   };
 
 export const registerUpdateDataViewRoute = updateDataViewRouteFactory(

src/platform/plugins/shared/telemetry/server/local_shipper/initialize_local_shipper.ts

@@ -44,6 +44,12 @@ function registerRoute(
     .versioned.post({
       path: '/internal/telemetry/ebt_local_shipper',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route delegates authorization to the Elasticsearch client',
+        },
+      },
     })
     .addVersion(
       {

src/platform/plugins/shared/telemetry/server/routes/telemetry_config.ts

@@ -100,17 +100,17 @@ export function registerTelemetryConfigRoutes({
       access: 'internal',
       path: FetchTelemetryConfigRoute,
       options: { authRequired: 'optional' },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     // Just because it used to be /v2/, we are creating identical v1 and v2.
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: v2Validations,
       },
       v2Handler
@@ -131,17 +131,22 @@ export function registerTelemetryConfigRoutes({
 
   // Register the deprecated public and path-based for BWC
   // as we know this one is used by other Elastic products to fetch the opt-in status.
-  router.versioned.get({ access: 'public', path: FetchTelemetryConfigRoutePathBasedV2 }).addVersion(
+  router.versioned
-    {
+    .get({
-      version: '2023-10-31',
+      access: 'public',
+      path: FetchTelemetryConfigRoutePathBasedV2,
       security: {
         authz: {
           enabled: false,
           reason: 'This route is opted out from authorization',
         },
       },
-      validate: v2Validations,
+    })
-    },
+    .addVersion(
-    v2Handler
+      {
-  );
+        version: '2023-10-31',
+        validate: v2Validations,
+      },
+      v2Handler
+    );
 }

src/platform/plugins/shared/telemetry/server/routes/telemetry_last_reported.ts

@@ -38,17 +38,20 @@ export function registerTelemetryLastReported(
   };
 
   router.versioned
-    .get({ access: 'internal', path: LastReportedRoute })
+    .get({
+      access: 'internal',
+      path: LastReportedRoute,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+    })
     // Just because it used to be /v2/, we are creating identical v1 and v2.
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: v2GetValidations,
       },
       v2GetHandler
@@ -56,12 +59,6 @@ export function registerTelemetryLastReported(
     .addVersion(
       {
         version: '2',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: v2GetValidations,
       },
       v2GetHandler
@@ -77,17 +74,20 @@ export function registerTelemetryLastReported(
   };
 
   router.versioned
-    .put({ access: 'internal', path: LastReportedRoute })
+    .put({
+      access: 'internal',
+      path: LastReportedRoute,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+    })
     // Just because it used to be /v2/, we are creating identical v1 and v2.
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: false,
       },
       v2PutHandler
@@ -95,12 +95,6 @@ export function registerTelemetryLastReported(
     .addVersion(
       {
         version: '2',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: false,
       },
       v2PutHandler

src/platform/plugins/shared/telemetry/server/routes/telemetry_opt_in.ts

@@ -126,17 +126,20 @@ export function registerTelemetryOptInRoutes({
   };
 
   router.versioned
-    .post({ access: 'internal', path: OptInRoute })
+    .post({
+      access: 'internal',
+      path: OptInRoute,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+    })
     // Just because it used to be /v2/, we are creating identical v1 and v2.
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: v2Validations,
       },
       v2Handler

src/platform/plugins/shared/telemetry/server/routes/telemetry_opt_in_stats.ts

@@ -68,16 +68,16 @@ export function registerTelemetryOptInStatsRoutes(
     .post({
       access: 'public', // It's not used across Kibana, and I didn't want to remove it in this PR just in case.
       path: GetOptInStatsRoutePathBasedV2,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
     })
     .addVersion(
       {
         version: '2023-10-31',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: {
           request: {
             body: schema.object({

src/platform/plugins/shared/telemetry/server/routes/telemetry_usage_stats.ts

@@ -93,6 +93,12 @@ export function registerTelemetryUsageStatsRoutes(
   router.versioned
     .post({
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       path: FetchSnapshotTelemetry,
       enableQueryVersion: true, // Allow specifying the version through querystring so that we can use it in Dev Console
     })
@@ -100,12 +106,6 @@ export function registerTelemetryUsageStatsRoutes(
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: v2Validations,
       },
       v2Handler

src/platform/plugins/shared/telemetry/server/routes/telemetry_user_has_seen_notice.ts

@@ -54,17 +54,20 @@ export function registerTelemetryUserHasSeenNotice(router: IRouter, currentKiban
   };
 
   router.versioned
-    .put({ access: 'internal', path: UserHasSeenNoticeRoute })
+    .put({
+      access: 'internal',
+      path: UserHasSeenNoticeRoute,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
+    })
     // Just because it used to be /v2/, we are creating identical v1 and v2.
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason: 'This route is opted out from authorization',
-          },
-        },
         validate: false,
       },
       v2Handler

src/platform/plugins/shared/unified_search/server/autocomplete/value_suggestions_route.ts

@@ -21,17 +21,17 @@ export function registerValueSuggestionsRoute(router: IRouter, config$: Observab
     .post({
       path: '/internal/kibana/suggestions/values/{index}',
       access: 'internal',
+      security: {
+        authz: {
+          enabled: false,
+          reason:
+            'This route is opted out from authorization because uses the current user authorizations.',
+        },
+      },
     })
     .addVersion(
       {
         version: '1',
-        security: {
-          authz: {
-            enabled: false,
-            reason:
-              'This route is opted out from authorization because uses the current user authorizations.',
-          },
-        },
         validate: {
           request: {
             params: schema.object(

src/platform/test/analytics/plugins/analytics_ftr_helpers/server/plugin.ts

@@ -25,6 +25,12 @@ export class AnalyticsFTRHelpers implements Plugin {
     router.post(
       {
         path: '/internal/analytics_ftr_helpers/opt_in',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           query: schema.object({
             consent: schema.boolean(),
@@ -43,6 +49,12 @@ export class AnalyticsFTRHelpers implements Plugin {
     router.get(
       {
         path: '/internal/analytics_ftr_helpers/events',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           query: schema.object({
             takeNumberOfEvents: schema.number({ min: 1 }),
@@ -77,6 +89,12 @@ export class AnalyticsFTRHelpers implements Plugin {
     router.get(
       {
         path: '/internal/analytics_ftr_helpers/count_events',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           query: schema.object({
             eventTypes: schema.arrayOf(schema.string()),

src/platform/test/analytics/plugins/analytics_plugin_a/server/plugin.ts

@@ -59,6 +59,12 @@ export class AnalyticsPluginAPlugin implements Plugin {
     router.get(
       {
         path: '/internal/analytics_plugin_a/stats',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           query: schema.object({
             takeNumberOfCounters: schema.number({ min: 1 }),
@@ -84,6 +90,12 @@ export class AnalyticsPluginAPlugin implements Plugin {
     router.get(
       {
         path: '/internal/analytics_plugin_a/actions',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: false,
       },
       async (context, req, res) => {

src/platform/test/common/plugins/newsfeed/server/plugin.ts

@@ -19,6 +19,12 @@ export class NewsFeedSimulatorPlugin implements Plugin {
     router.get(
       {
         path: `/api/_newsfeed-FTS-external-service-simulators/kibana/v${version}.json`,
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: false,
         options: { authRequired: false },
       },
@@ -30,6 +36,12 @@ export class NewsFeedSimulatorPlugin implements Plugin {
     router.get(
       {
         path: '/api/_newsfeed-FTS-external-service-simulators/kibana/crash.json',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: false,
         options: { authRequired: false },
       },

src/platform/test/common/plugins/otel_metrics/server/routes/generate_otel_metrics.ts

@@ -14,6 +14,12 @@ export const generateOtelMetrics = (router: IRouter, metrics: Metrics) => {
   router.post(
     {
       path: '/api/generate_otel_metrics',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'This route is opted out from authorization',
+        },
+      },
       validate: {},
     },
     async function (_context, _req, res): Promise<IKibanaResponse<{}>> {

src/platform/test/health_gateway/plugins/status/server/plugin.ts

@@ -14,36 +14,64 @@ export class HealthGatewayStatusPlugin implements Plugin<void, void> {
   public setup(core: CoreSetup) {
     const router = core.http.createRouter();
 
-    router.get({ path: '/health/ok/api/status', validate: {} }, async (context, req, res) =>
+    router.get(
-      res.ok()
+      {
-    );
+        path: '/health/ok/api/status',
-
+        security: { authz: { enabled: false, reason: '' } },
-    router.get({ path: '/health/redirect/api/status', validate: {} }, async (context, req, res) =>
+        validate: {},
-      res.redirected({ headers: { location: '/health/ok/api/status' } })
+      },
+      async (context, req, res) => res.ok()
     );
 
     router.get(
-      { path: '/health/unauthorized/api/status', validate: {} },
+      {
+        path: '/health/redirect/api/status',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: {},
+      },
+      async (context, req, res) =>
+        res.redirected({ headers: { location: '/health/ok/api/status' } })
+    );
+
+    router.get(
+      {
+        path: '/health/unauthorized/api/status',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: {},
+      },
       async (context, req, res) =>
         res.unauthorized({
           headers: { 'www-authenticate': 'Basic' },
         })
     );
 
-    router.get({ path: '/health/not-found/api/status', validate: {} }, async (context, req, res) =>
+    router.get(
-      res.notFound()
+      {
+        path: '/health/not-found/api/status',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: {},
+      },
+      async (context, req, res) => res.notFound()
     );
 
-    router.get({ path: '/health/slow/api/status', validate: {} }, async (context, req, res) => {
+    router.get(
-      await new Promise((resolve) => setTimeout(resolve, 5000));
+      {
+        path: '/health/slow/api/status',
+        security: { authz: { enabled: false, reason: '' } },
+        validate: {},
+      },
+      async (context, req, res) => {
+        await new Promise((resolve) => setTimeout(resolve, 5000));
 
-      return res.ok();
+        return res.ok();
-    });
+      }
+    );
 
     const sessions = new Set<string>();
     router.get(
       {
         path: '/health/flaky/api/status',
+        security: { authz: { enabled: false, reason: '' } },
         validate: {
           query: schema.object({ session: schema.string() }),
         },

src/platform/test/interactive_setup_api_integration/plugins/test_endpoints/server/index.ts

@@ -20,6 +20,12 @@ export const plugin: PluginInitializer<void, never> = async (
       router.get(
         {
           path: '/test_endpoints/verification_code',
+          security: {
+            authz: {
+              enabled: false,
+              reason: 'This route is opted out from authorization',
+            },
+          },
           validate: false,
           options: { authRequired: false },
         },

src/platform/test/interpreter_functional/plugins/kbn_tp_run_pipeline/server/plugin.ts

@@ -25,6 +25,12 @@ export class TestPlugin implements Plugin<TestPluginSetup, TestPluginStart, {},
     router.post(
       {
         path: '/api/interpreter_functional/run_expression',
+        security: {
+          authz: {
+            enabled: false,
+            reason: 'This route is opted out from authorization',
+          },
+        },
         validate: {
           body: schema.object({
             input: schema.maybe(schema.nullable(schema.object({}, { unknowns: 'allow' }))),