github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 17:28:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

Authorized route migration for routes owned by @elastic/security-generative-ai (#198192)

Browse source 
### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
Access control tags were defined in the `options` object of the route:

```ts
router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);
```

### **After migration:**
Tags have been replaced with the more robust
`security.authz.requiredPrivileges` field under `security`:

```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. You might need to update your tests to reflect the new security
configuration:
  - If you have tests that rely on checking `access` tags.
  - If you have snapshot tests that include the route definition.
- If you have FTR tests that rely on checking unauthorized error
message. The error message changed to also include missing privileges.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Andrew Macri <andrew.macri@elastic.co>
This commit is contained in:
Kibana Machine 2024-12-11 02:30:42 +11:00 committed by GitHub
parent 7aa80ce530
commit 8477dc7af4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
28 changed files with 120 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

6
x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/bulk_actions_route.ts
View file

@ -118,8 +118,12 @@ export const bulkActionAnonymizationFieldsRoute = (
.post({
access: 'public',
path: ELASTIC_AI_ASSISTANT_ANONYMIZATION_FIELDS_URL_BULK_ACTION,
security: {
authz: {
requiredPrivileges: ['securitySolution-updateAIAssistantAnonymization'],
},
},
options: {
tags: ['access:securitySolution-updateAIAssistantAnonymization'],
timeout: {
idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
},

6
x-pack/plugins/elastic_assistant/server/routes/anonymization_fields/find_route.ts
View file

@ -32,8 +32,10 @@ export const findAnonymizationFieldsRoute = (
.get({
access: 'public',
path: ELASTIC_AI_ASSISTANT_ANONYMIZATION_FIELDS_URL_FIND,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/attack_discovery/get/get_attack_discovery.ts
View file

@ -24,8 +24,10 @@ export const getAttackDiscoveryRoute = (router: IRouter<ElasticAssistantRequestH
.get({
access: 'internal',
path: ATTACK_DISCOVERY_BY_CONNECTOR_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/attack_discovery/post/cancel/cancel_attack_discovery.ts
View file

@ -26,8 +26,10 @@ export const cancelAttackDiscoveryRoute = (
.post({
access: 'internal',
path: ATTACK_DISCOVERY_CANCEL_BY_CONNECTOR_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/attack_discovery/post/post_attack_discovery.ts
View file

@ -35,8 +35,12 @@ export const postAttackDiscoveryRoute = (
.post({
access: 'internal',
path: ATTACK_DISCOVERY,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: ROUTE_HANDLER_TIMEOUT,
},

6
x-pack/plugins/elastic_assistant/server/routes/capabilities/get_capabilities_route.ts
View file

@ -30,8 +30,10 @@ export const getCapabilitiesRoute = (router: IRouter<ElasticAssistantRequestHand
.get({
access: INTERNAL_API_ACCESS,
path: CAPABILITIES,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/chat/chat_complete_route.ts
View file

@ -46,8 +46,10 @@ export const chatCompleteRoute = (
access: 'public',
path: ELASTIC_AI_ASSISTANT_CHAT_COMPLETE_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insight.ts
View file

@ -26,8 +26,10 @@ export const getDefendInsightRoute = (router: IRouter<ElasticAssistantRequestHan
.get({
access: 'internal',
path: DEFEND_INSIGHTS_BY_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/defend_insights/get_defend_insights.ts
View file

@ -26,8 +26,10 @@ export const getDefendInsightsRoute = (router: IRouter<ElasticAssistantRequestHa
.get({
access: 'internal',
path: DEFEND_INSIGHTS,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/defend_insights/post_defend_insights.ts
View file

@ -42,11 +42,15 @@ export const postDefendInsightsRoute = (router: IRouter<ElasticAssistantRequestH
access: 'internal',
path: DEFEND_INSIGHTS,
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: ROUTE_HANDLER_TIMEOUT,
},
},
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(
{

6
x-pack/plugins/elastic_assistant/server/routes/evaluate/get_evaluate.ts
View file

@ -26,8 +26,10 @@ export const getEvaluateRoute = (router: IRouter<ElasticAssistantRequestHandlerC
.get({
access: INTERNAL_API_ACCESS,
path: ELASTIC_AI_ASSISTANT_EVALUATE_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/evaluate/post_evaluate.ts
View file

@ -64,8 +64,12 @@ export const postEvaluateRoute = (
.post({
access: INTERNAL_API_ACCESS,
path: ELASTIC_AI_ASSISTANT_EVALUATE_URL,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: ROUTE_HANDLER_TIMEOUT,
},

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/bulk_actions_route.ts
View file

@ -125,8 +125,12 @@ export const bulkActionKnowledgeBaseEntriesRoute = (router: ElasticAssistantPlug
.post({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL_BULK_ACTION,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
},

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/create_route.ts
View file

@ -26,8 +26,10 @@ export const createKnowledgeBaseEntryRoute = (router: ElasticAssistantPluginRout
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/entries/find_route.ts
View file

@ -33,8 +33,10 @@ export const findKnowledgeBaseEntriesRoute = (router: ElasticAssistantPluginRout
.get({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_ENTRIES_URL_FIND,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_indices.ts
View file

@ -26,8 +26,10 @@ export const getKnowledgeBaseIndicesRoute = (router: ElasticAssistantPluginRoute
.get({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_INDICES_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/get_knowledge_base_status.ts
View file

@ -28,8 +28,10 @@ export const getKnowledgeBaseStatusRoute = (router: ElasticAssistantPluginRouter
.get({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/knowledge_base/post_knowledge_base.ts
View file

@ -30,8 +30,12 @@ export const postKnowledgeBaseRoute = (router: ElasticAssistantPluginRouter) =>
.post({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_KNOWLEDGE_BASE_URL,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: ROUTE_HANDLER_TIMEOUT,
},

6
x-pack/plugins/elastic_assistant/server/routes/post_actions_connector_execute.ts
View file

@ -38,8 +38,10 @@ export const postActionsConnectorExecuteRoute = (
.post({
access: 'internal',
path: POST_ACTIONS_CONNECTOR_EXECUTE,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/prompts/bulk_actions_route.ts
View file

@ -112,8 +112,12 @@ export const bulkPromptsRoute = (router: ElasticAssistantPluginRouter, logger: L
.post({
access: 'public',
path: ELASTIC_AI_ASSISTANT_PROMPTS_URL_BULK_ACTION,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
},

6
x-pack/plugins/elastic_assistant/server/routes/prompts/find_route.ts
View file

@ -25,8 +25,10 @@ export const findPromptsRoute = (router: ElasticAssistantPluginRouter, logger: L
.get({
access: 'public',
path: ELASTIC_AI_ASSISTANT_PROMPTS_URL_FIND,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/append_conversation_messages_route.ts
View file

@ -24,8 +24,10 @@ export const appendConversationMessageRoute = (router: ElasticAssistantPluginRou
.post({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID_MESSAGES,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/bulk_actions_route.ts
View file

@ -116,8 +116,12 @@ export const bulkActionConversationsRoute = (
.post({
access: 'internal',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BULK_ACTION,
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
options: {
tags: ['access:elasticAssistant'],
timeout: {
idleSocket: moment.duration(15, 'minutes').asMilliseconds(),
},

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/create_route.ts
View file

@ -25,8 +25,10 @@ export const createConversationRoute = (router: ElasticAssistantPluginRouter): v
access: 'public',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/delete_route.ts
View file

@ -21,8 +21,10 @@ export const deleteConversationRoute = (router: ElasticAssistantPluginRouter) =>
.delete({
access: 'public',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/find_route.ts
View file

@ -28,8 +28,10 @@ export const findUserConversationsRoute = (router: ElasticAssistantPluginRouter)
.get({
access: 'public',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_FIND,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/read_route.ts
View file

@ -23,8 +23,10 @@ export const readConversationRoute = (router: ElasticAssistantPluginRouter) => {
.get({
access: 'public',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(

6
x-pack/plugins/elastic_assistant/server/routes/user_conversations/update_route.ts
View file

@ -26,8 +26,10 @@ export const updateConversationRoute = (router: ElasticAssistantPluginRouter) =>
.put({
access: 'public',
path: ELASTIC_AI_ASSISTANT_CONVERSATIONS_URL_BY_ID,
options: {
tags: ['access:elasticAssistant'],
security: {
authz: {
requiredPrivileges: ['elasticAssistant'],
},
},
})
.addVersion(