[8.7] [Controls] Use Internal User to Get Value of allow_expensive_queries (#155430) (#155548)

# Backport This will backport the following commits from `main` to `8.7`: - [[Controls] Use Internal User to Get Value of `allow_expensive_queries` (#155430)](https://github.com/elastic/kibana/pull/155430)  ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)  Co-authored-by: Devon Thomson <devon.thomson@elastic.co>
2025-04-24 09:48:58 -04:00 · 2023-04-21 15:32:28 -04:00 · 2023-04-21 15:32:28 -04:00 · d597ba5686
commit d597ba5686
parent 5d87ea710b
2 changed files with 7 additions and 15 deletions
--- a/src/plugins/controls/public/services/options_list/options_list_service.ts
+++ b/src/plugins/controls/public/services/options_list/options_list_service.ts
@ -99,7 +99,7 @@ class OptionsListService implements ControlsOptionsListService {
  private cachedAllowExpensiveQueries = memoize(async () => {
    const { allowExpensiveQueries } = await this.http.get<{
      allowExpensiveQueries: boolean;
-    }>('/api/kibana/controls/optionsList/getClusterSettings');
+    }>('/api/kibana/controls/optionsList/getExpensiveQueriesSetting');
    return allowExpensiveQueries;
  });

--- a/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts
+++ b/src/plugins/controls/server/options_list/options_list_cluster_settings_route.ts
@ -8,18 +8,21 @@

 import { getKbnServerError, reportServerError } from '@kbn/kibana-utils-plugin/server';
 import { CoreSetup } from '@kbn/core/server';
-import { errors } from '@elastic/elasticsearch';

 export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
  const router = http.createRouter();
  router.get(
    {
-      path: '/api/kibana/controls/optionsList/getClusterSettings',
+      path: '/api/kibana/controls/optionsList/getExpensiveQueriesSetting',
      validate: false,
    },
    async (context, _, response) => {
      try {
-        const esClient = (await context.core).elasticsearch.client.asCurrentUser;
+        /**
+         *  using internal user here because in many cases the logged in user will not have the monitor permission required
+         * to check cluster settings. This endpoint does not take a query, params, or a body, so there is no chance of leaking info.
+         */
+        const esClient = (await context.core).elasticsearch.client.asInternalUser;
        const settings = await esClient.cluster.getSettings({
          include_defaults: true,
          filter_path: '**.allow_expensive_queries',
@ -40,17 +43,6 @@ export const setupOptionsListClusterSettingsRoute = ({ http }: CoreSetup) => {
          },
        });
      } catch (e) {
-        if (e instanceof errors.ResponseError && e.body.error.type === 'security_exception') {
-          /**
-           * in cases where the user does not have the 'monitor' permission this check will fail. In these cases, we will
-           * fall back to assume that the allowExpensiveQueries setting is on, because it defaults to true.
-           */
-          return response.ok({
-            body: {
-              allowExpensiveQueries: true,
-            },
-          });
-        }
        const kbnErr = getKbnServerError(e);
        return reportServerError(response, kbnErr);
      }