Unauthorized route migration for routes owned by kibana-visualizations (#198335)

### Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new
security configuration.
Please refer to the documentation for more information: [Authorization
API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)

### **Before migration:**
```ts
router.get({
  path: '/api/path',
  ...
}, handler);
```

### **After migration:**
```ts
router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);
```

### What to do next?
1. Review the changes in this PR.
2. Elaborate on the reasoning to opt-out of authorization.
3. Routes without a compelling reason to opt out of authorization should
plan to introduce authorization as soon as possible.
4. You might need to update your tests to reflect the new security
configuration:
  - If you have snapshot tests that include the route definition.

## Any questions?
If you have any questions or need help with API authorization, please
reach out to the `@elastic/kibana-security` team.

---------

Co-authored-by: Marco Vettorello <marco.vettorello@elastic.co>
This commit is contained in:
Kibana Machine 2024-12-16 23:24:52 +11:00 committed by GitHub
parent 25b171d6d7
commit bc46f483de
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 47 additions and 0 deletions


@ -25,6 +25,13 @@ export function registerValueSuggestionsRoute(router: IRouter, config$: Observab
.addVersion(
{
version: '1',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because uses the current user authorizations.',
},
},
validate: {
request: {
params: schema.object(
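Review bot: The new reason string on the `reason:` line reads `because uses the current user authorizations`, which is missing its subject and does not name the check the route relies on instead of route-level authz. Since this text is what a later reviewer reads when deciding whether the opt-out is still justified, make it a full sentence that states the mechanism, e.g. `'This route is opted out from authorization because it relies on the current user's authorizations; ES index privileges are enforced by the request-scoped client.'` — adjust the second clause if the suggestion lookup goes through a different path, which the hunk does not show. The `addVersion` call starts and continues outside the hunk.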


@ -15,6 +15,13 @@ export function functionsRoute(router: IRouter, { functions }: { functions: Load
router.get(
{
path: '/internal/timelion/functions',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it just returns a static list of function ids to use in timelion expression.',
},
},
validate: false,
},
async (context, request, response) => {


@ -39,6 +39,13 @@ export function runRoute(
router.post(
{
path: '/internal/timelion/run',
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it executes some server side data processing and uses the data-plugin to query ES following the data-plugin authz rules.',
},
},
validate: {
body: schema.object({
sheet: schema.arrayOf(schema.string()),
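Review bot: The opt-out reason says the route `executes some server side data processing`, which is too vague to serve as the justification the PR description asks teams to elaborate on; say what is executed (the timelion expressions in the `sheet` body) and what enforces per-user access. The phrase `following the data-plugin authz rules` also appears in the fieldsRoutes and visDataRoutes hunks, and in all three it would help to name the concrete mechanism — presumably the request-scoped ES client, which none of the hunks show — so the justification can be re-checked if that path changes. Suggested text: `'This route is opted out from authorization because it evaluates the timelion expressions in the request body server side and queries ES through the data plugin, which enforces the requesting user's index privileges.'`. The `router.post` configuration continues outside the hunk.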


@ -18,6 +18,13 @@ export const fieldsRoutes = (router: VisTypeTimeseriesRouter, framework: Framewo
router.get<{}, { index: string }, {}>(
{
path: ROUTES.FIELDS,
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it uses the data-plugin to query ES following the data-plugin authz rules.',
},
},
validate: {
query: schema.object({ index: schema.string() }),
},


@ -21,6 +21,13 @@ export const visDataRoutes = (router: VisTypeTimeseriesRouter, framework: Framew
router.post<{}, {}, VisPayload>(
{
path: ROUTES.VIS_DATA,
security: {
authz: {
enabled: false,
reason:
'This route is opted out from authorization because it uses the data-plugin to query ES following the data-plugin authz rules.',
},
},
validate: {
body: escapeHatch,
},


@ -27,6 +27,12 @@ export function registerExploreRoute({
router.post(
{
path: '/internal/graph/graphExplore',
security: {
authz: {
enabled: false,
reason: 'This route delegates authorization to the scoped ES client.',
},
},
validate: {
body: schema.object({
index: schema.string(),
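Review bot: The reason on the `reason:` line is accurate but omits that the target `index` is supplied by the caller in the request body, so the scoped client's index-privilege check is the sole authorization boundary for this route; stating that makes it clear the opt-out must be re-evaluated if the handler ever gains a non-scoped client or a server-side fallback. The same applies to the searchProxy hunk in registerSearchRoute, whose body also takes a caller-supplied `index`. Suggested: `reason: 'This route delegates authorization to the scoped ES client; the target index is caller-supplied and index privileges are enforced by ES.'`. The route definition continues outside the hunk.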


@ -20,6 +20,12 @@ export function registerSearchRoute({
router.post(
{
path: '/internal/graph/searchProxy',
security: {
authz: {
enabled: false,
reason: 'This route delegates authorization to the scoped ES client.',
},
},
validate: {
body: schema.object({
index: schema.string(),