[HTTP/OAS] Make SO CRUD and resolve APIs internal on serverless (#184408)

2025-04-24 01:38:56 -04:00 · 2024-06-11 17:40:03 +02:00 · 2024-06-11 17:40:03 +02:00 · dc78221e2a
commit dc78221e2a
parent 8faa5946c3
43 changed files with 245 additions and 46 deletions
--- a/packages/core/http/core-http-server/index.ts
+++ b/packages/core/http/core-http-server/index.ts
@ -105,6 +105,7 @@ export type {
  RouteValidatorFullConfigRequest,
  RouteValidatorFullConfigResponse,
  LazyValidator,
+  RouteAccess,
 } from './src/router';
 export {
  validBodyOutput,
--- a/packages/core/http/core-http-server/src/router/index.ts
+++ b/packages/core/http/core-http-server/src/router/index.ts
@ -51,6 +51,7 @@ export type {
  RouteConfigOptionsBody,
  RouteContentType,
  SafeRouteMethod,
+  RouteAccess,
 } from './route';
 export { validBodyOutput } from './route';
 export type {
--- a/packages/core/http/core-http-server/src/router/route.ts
+++ b/packages/core/http/core-http-server/src/router/route.ts
@ -100,6 +100,16 @@ export interface RouteConfigOptionsBody {
  parse?: boolean | 'gunzip';
 }

+/**
+ * Route access level.
+ *
+ * Public routes are stable and intended for external access and are subject to
+ * stricter change management and have long term maintenance windows.
+ *
+ * @remark On serverless access to internal routes is restricted.
+ */
+export type RouteAccess = 'public' | 'internal';
+
 /**
 * Additional route options.
 * @public
@ -133,7 +143,7 @@ export interface RouteConfigOptions<Method extends RouteMethod> {
   *
   * Defaults to 'internal' If not declared,
   */
-  access?: 'public' | 'internal';
+  access?: RouteAccess;

  /**
   * Additional metadata tag strings to attach to the route.
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_create.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_create.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerBulkCreateRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.post(
    {
      path: '/_bulk_create',
+      options: {
+        access,
+        description: `Create saved objects`,
+      },
      validate: {
        query: schema.object({
          overwrite: schema.boolean({ defaultValue: false }),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_delete.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_delete.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerBulkDeleteRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.post(
    {
      path: '/_bulk_delete',
+      options: {
+        access,
+        description: `Remove saved objects`,
+      },
      validate: {
        body: schema.arrayOf(
          schema.object({
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_get.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_get.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerBulkGetRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.post(
    {
      path: '/_bulk_get',
+      options: {
+        access,
+        description: `Get saved objects`,
+      },
      validate: {
        body: schema.arrayOf(
          schema.object({
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_resolve.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_resolve.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerBulkResolveRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.post(
    {
      path: '/_bulk_resolve',
+      options: {
+        access,
+        description: `Resolve saved objects`,
+      },
      validate: {
        body: schema.arrayOf(
          schema.object({
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_update.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/bulk_update.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerBulkUpdateRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.put(
    {
      path: '/_bulk_update',
+      options: {
+        access,
+        description: `Update saved objects`,
+      },
      validate: {
        body: schema.arrayOf(
          schema.object({
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/create.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/create.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerCreateRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.post(
    {
      path: '/{type}/{id?}',
+      options: {
+        access,
+        description: `Create a saved object`,
+      },
      validate: {
        params: schema.object({
          type: schema.string(),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/delete.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/delete.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerDeleteRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.delete(
    {
      path: '/{type}/{id}',
+      options: {
+        access,
+        description: `Delete a saved object`,
+      },
      validate: {
        params: schema.object({
          type: schema.string(),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/export.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/export.ts
@ -143,6 +143,10 @@ export const registerExportRoute = (
  router.post(
    {
      path: '/_export',
+      options: {
+        access: 'public',
+        description: `Export saved objects`,
+      },
      validate: {
        body: schema.object({
          type: schema.maybe(schema.oneOf([schema.string(), schema.arrayOf(schema.string())])),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/find.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/find.ts
@ -7,21 +7,24 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
 import type { InternalSavedObjectRouter } from '../internal_types';
 import { catchAndReturnBoomErrors, throwOnHttpHiddenTypes } from './utils';
 import { logWarnOnExternalRequest } from './utils';
+
 interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerFindRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const referenceSchema = schema.object({
    type: schema.string(),
@ -34,6 +37,10 @@ export const registerFindRoute = (
  router.get(
    {
      path: '/_find',
+      options: {
+        access,
+        description: `Search for saved objects`,
+      },
      validate: {
        query: schema.object({
          per_page: schema.number({ min: 0, defaultValue: 20 }),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/get.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/get.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -21,16 +22,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerGetRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.get(
    {
      path: '/{type}/{id}',
+      options: {
+        access,
+        description: `Get a saved object`,
+      },
      validate: {
        params: schema.object({
          type: schema.string(),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/import.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/import.ts
@ -36,6 +36,8 @@ export const registerImportRoute = (
    {
      path: '/_import',
      options: {
+        access: 'public',
+        description: `Import saved objects`,
        body: {
          maxBytes: maxImportPayloadBytes,
          output: 'stream',
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/index.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/index.ts
@ -41,6 +41,7 @@ export function registerRoutes({
  migratorPromise,
  kibanaVersion,
  kibanaIndex,
+  isServerless,
 }: {
  http: InternalHttpServiceSetup;
  coreUsageData: InternalCoreUsageDataSetup;
@ -49,20 +50,30 @@ export function registerRoutes({
  migratorPromise: Promise<IKibanaMigrator>;
  kibanaVersion: string;
  kibanaIndex: string;
+  isServerless: boolean;
 }) {
  const router =
    http.createRouter<InternalSavedObjectsRequestHandlerContext>('/api/saved_objects/');
-  registerGetRoute(router, { config, coreUsageData, logger });
-  registerResolveRoute(router, { config, coreUsageData, logger });
-  registerCreateRoute(router, { config, coreUsageData, logger });
-  registerDeleteRoute(router, { config, coreUsageData, logger });
-  registerFindRoute(router, { config, coreUsageData, logger });
-  registerUpdateRoute(router, { config, coreUsageData, logger });
-  registerBulkGetRoute(router, { config, coreUsageData, logger });
-  registerBulkCreateRoute(router, { config, coreUsageData, logger });
-  registerBulkResolveRoute(router, { config, coreUsageData, logger });
-  registerBulkUpdateRoute(router, { config, coreUsageData, logger });
-  registerBulkDeleteRoute(router, { config, coreUsageData, logger });
+
+  const internalOnServerless = isServerless ? 'internal' : 'public';
+
+  registerGetRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerResolveRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerCreateRoute(router, {
+    config,
+    coreUsageData,
+    logger,
+    access: internalOnServerless,
+  });
+  registerDeleteRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerFindRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerUpdateRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerBulkGetRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerBulkCreateRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerBulkResolveRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerBulkUpdateRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+  registerBulkDeleteRoute(router, { config, coreUsageData, logger, access: internalOnServerless });
+
  registerExportRoute(router, { config, coreUsageData });
  registerImportRoute(router, { config, coreUsageData });
  registerResolveImportErrorsRoute(router, { config, coreUsageData });
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/resolve.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/resolve.ts
@ -7,6 +7,7 @@
 */

 import { schema } from '@kbn/config-schema';
+import type { RouteAccess } from '@kbn/core-http-server';
 import { SavedObjectConfig } from '@kbn/core-saved-objects-base-server-internal';
 import type { InternalCoreUsageDataSetup } from '@kbn/core-usage-data-base-server-internal';
 import type { Logger } from '@kbn/logging';
@ -17,16 +18,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerResolveRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.get(
    {
      path: '/resolve/{type}/{id}',
+      options: {
+        access,
+        description: `Resolve a saved object`,
+      },
      validate: {
        params: schema.object({
          type: schema.string(),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/resolve_import_errors.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/resolve_import_errors.ts
@ -37,6 +37,8 @@ export const registerResolveImportErrorsRoute = (
    {
      path: '/_resolve_import_errors',
      options: {
+        access: 'public',
+        description: `Resolve import errors`,
        body: {
          maxBytes: maxImportPayloadBytes,
          output: 'stream',
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/update.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/routes/update.ts
@ -6,6 +6,7 @@
 * Side Public License, v 1.
 */

+import type { RouteAccess } from '@kbn/core-http-server';
 import { schema } from '@kbn/config-schema';
 import type { SavedObjectsUpdateOptions } from '@kbn/core-saved-objects-api-server';
 import type { Logger } from '@kbn/logging';
@ -22,16 +23,21 @@ interface RouteDependencies {
  config: SavedObjectConfig;
  coreUsageData: InternalCoreUsageDataSetup;
  logger: Logger;
+  access: RouteAccess;
 }

 export const registerUpdateRoute = (
  router: InternalSavedObjectRouter,
-  { config, coreUsageData, logger }: RouteDependencies
+  { config, coreUsageData, logger, access }: RouteDependencies
 ) => {
  const { allowHttpApiAccess } = config;
  router.put(
    {
      path: '/{type}/{id}',
+      options: {
+        access,
+        description: `Update a saved object`,
+      },
      validate: {
        params: schema.object({
          type: schema.string(),
--- a/packages/core/saved-objects/core-saved-objects-server-internal/src/saved_objects_service.ts
+++ b/packages/core/saved-objects/core-saved-objects-server-internal/src/saved_objects_service.ts
@ -162,6 +162,7 @@ export class SavedObjectsService
      migratorPromise: firstValueFrom(this.migrator$),
      kibanaIndex: MAIN_SAVED_OBJECT_INDEX,
      kibanaVersion: this.kibanaVersion,
+      isServerless: this.coreContext.env.packageInfo.buildFlavor === 'serverless',
    });

    registerCoreObjectTypes(this.typeRegistry);
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_create.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_create.test.ts
@ -54,7 +54,8 @@ describe('POST /api/saved_objects/_bulk_create with allowApiAccess true', () =>
    const coreUsageData = coreUsageDataServiceMock.createSetupContract(coreUsageStatsClient);
    const logger = loggerMock.create();
    const config = setupConfig(true);
-    registerBulkCreateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerBulkCreateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_delete.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_delete.test.ts
@ -58,8 +58,9 @@ describe('POST /api/saved_objects/_bulk_delete with allowApiAccess as true', ()
    const logger = loggerMock.create();

    const config = setupConfig(true);
+    const access = 'public';

-    registerBulkDeleteRoute(router, { config, coreUsageData, logger });
+    registerBulkDeleteRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_get.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_get.test.ts
@ -56,7 +56,8 @@ describe('POST /api/saved_objects/_bulk_get with allowApiAccess true', () => {
    const logger = loggerMock.create();

    const config = setupConfig(true);
-    registerBulkGetRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerBulkGetRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_resolve.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_resolve.test.ts
@ -57,7 +57,8 @@ describe('POST /api/saved_objects/_bulk_resolve with allowApiAccess true', () =>
    const logger = loggerMock.create();

    const config = setupConfig(true);
-    registerBulkResolveRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerBulkResolveRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_update.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/bulk_update.test.ts
@ -50,7 +50,8 @@ describe('PUT /api/saved_objects/_bulk_update with allowApiAccess true', () => {
    const logger = loggerMock.create();

    const config = setupConfig(true);
-    registerBulkUpdateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerBulkUpdateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/create.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/create.test.ts
@ -56,8 +56,8 @@ describe('POST /api/saved_objects/{type} with allowApiAccess true', () => {
    const coreUsageData = coreUsageDataServiceMock.createSetupContract(coreUsageStatsClient);
    const logger = loggerMock.create();
    const config = setupConfig(true);
-
-    registerCreateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerCreateRoute(router, { config, coreUsageData, logger, access });

    handlerContext.savedObjects.typeRegistry.getType.mockImplementation((typename: string) => {
      return testTypes
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/delete.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/delete.test.ts
@ -53,7 +53,8 @@ describe('DELETE /api/saved_objects/{type}/{id} with allowApiAccess true', () =>
    const coreUsageData = coreUsageDataServiceMock.createSetupContract(coreUsageStatsClient);
    const logger = loggerMock.create();
    const config = setupConfig(true);
-    registerDeleteRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerDeleteRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/find.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/find.test.ts
@ -69,8 +69,9 @@ describe('GET /api/saved_objects/_find with allowApiAccess true', () => {
    const logger = loggerMock.create();

    const config = setupConfig(true);
+    const access = 'public';

-    registerFindRoute(router, { config, coreUsageData, logger });
+    registerFindRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/get.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/get.test.ts
@ -78,7 +78,8 @@ describe('GET /api/saved_objects/{type}/{id} with allowApiAccess true', () => {
    const logger = loggerMock.create();

    const config = setupConfig(true);
-    registerGetRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerGetRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/resolve.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/resolve.test.ts
@ -78,8 +78,9 @@ describe('GET /api/saved_objects/resolve/{type}/{id} with allowApiAccess true',
    const logger = loggerMock.create();

    const config = setupConfig(true);
+    const access = 'public';

-    registerResolveRoute(router, { config, coreUsageData, logger });
+    registerResolveRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/allow_api_access/update.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/allow_api_access/update.test.ts
@ -54,7 +54,8 @@ describe('PUT /api/saved_objects/{type}/{id?} with allowApiAccess true', () => {
    const logger = loggerMock.create();

    const config = setupConfig(true);
-    registerUpdateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerUpdateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/bulk_create.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/bulk_create.test.ts
@ -58,8 +58,9 @@ describe('POST /api/saved_objects/_bulk_create', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
+    const access = 'public';

-    registerBulkCreateRoute(router, { config, coreUsageData, logger });
+    registerBulkCreateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/bulk_delete.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/bulk_delete.test.ts
@ -60,8 +60,9 @@ describe('POST /api/saved_objects/_bulk_delete', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
+    const access = 'public';

-    registerBulkDeleteRoute(router, { config, coreUsageData, logger });
+    registerBulkDeleteRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/bulk_get.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/bulk_get.test.ts
@ -58,7 +58,9 @@ describe('POST /api/saved_objects/_bulk_get', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
-    registerBulkGetRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+
+    registerBulkGetRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/bulk_resolve.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/bulk_resolve.test.ts
@ -59,7 +59,9 @@ describe('POST /api/saved_objects/_bulk_resolve', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
-    registerBulkResolveRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+
+    registerBulkResolveRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/bulk_update.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/bulk_update.test.ts
@ -57,7 +57,9 @@ describe('PUT /api/saved_objects/_bulk_update', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
-    registerBulkUpdateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+
+    registerBulkUpdateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/create.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/create.test.ts
@ -58,7 +58,9 @@ describe('POST /api/saved_objects/{type}', () => {
    const logger = loggerMock.create();
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();
    const config = setupConfig();
-    registerCreateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+
+    registerCreateRoute(router, { config, coreUsageData, logger, access });

    handlerContext.savedObjects.typeRegistry.getType.mockImplementation((typename: string) => {
      return testTypes
--- a/src/core/server/integration_tests/saved_objects/routes/delete.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/delete.test.ts
@ -55,7 +55,8 @@ describe('DELETE /api/saved_objects/{type}/{id}', () => {
    const logger = loggerMock.create();
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();
    const config = setupConfig();
-    registerDeleteRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerDeleteRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/find.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/find.test.ts
@ -72,8 +72,9 @@ describe('GET /api/saved_objects/_find', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
+    const access = 'public';

-    registerFindRoute(router, { config, coreUsageData, logger });
+    registerFindRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/get.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/get.test.ts
@ -80,7 +80,9 @@ describe('GET /api/saved_objects/{type}/{id}', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
-    registerGetRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+
+    registerGetRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/resolve.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/resolve.test.ts
@ -79,8 +79,9 @@ describe('GET /api/saved_objects/resolve/{type}/{id}', () => {
    const logger = loggerMock.create();
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();
    const config = setupConfig();
+    const access = 'public';

-    registerResolveRoute(router, { config, coreUsageData, logger });
+    registerResolveRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/src/core/server/integration_tests/saved_objects/routes/update.test.ts
+++ b/src/core/server/integration_tests/saved_objects/routes/update.test.ts
@ -67,7 +67,8 @@ describe('PUT /api/saved_objects/{type}/{id?}', () => {
    loggerWarnSpy = jest.spyOn(logger, 'warn').mockImplementation();

    const config = setupConfig();
-    registerUpdateRoute(router, { config, coreUsageData, logger });
+    const access = 'public';
+    registerUpdateRoute(router, { config, coreUsageData, logger, access });

    await server.start();
  });
--- a/x-pack/test_serverless/api_integration/test_suites/common/core/index.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/core/index.ts
@ -15,5 +15,6 @@ export default function ({ loadTestFile }: FtrProviderContext) {
    loadTestFile(require.resolve('./translations'));
    loadTestFile(require.resolve('./capabilities'));
    loadTestFile(require.resolve('./ui_settings'));
+    loadTestFile(require.resolve('./saved_objects'));
  });
 }
--- a/x-pack/test_serverless/api_integration/test_suites/common/core/saved_objects.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/common/core/saved_objects.ts
@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { FtrProviderContext } from '../../../ftr_provider_context';
+
+export default function ({ getService }: FtrProviderContext) {
+  const supertest = getService('supertest');
+  const svlCommonApi = getService('svlCommonApi');
+
+  describe('Blocked internal SO API', () => {
+    const apis = [
+      {
+        path: '/api/saved_objects/_bulk_create',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/_bulk_delete',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/_bulk_get',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/_bulk_resolve',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/_bulk_update',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/test/id',
+        method: 'get' as const,
+      },
+      {
+        path: '/api/saved_objects/test/id',
+        method: 'post' as const,
+      },
+      {
+        path: '/api/saved_objects/test/id',
+        method: 'delete' as const,
+      },
+      {
+        path: '/api/saved_objects/_find',
+        method: 'get' as const,
+      },
+      {
+        path: '/api/saved_objects/test/id',
+        method: 'put' as const,
+      },
+    ];
+
+    for (const { path, method } of apis) {
+      it(`${method} ${path}`, async () => {
+        const { body } = await supertest[method](path)
+          .set(svlCommonApi.getCommonRequestHeader())
+          .expect(400);
+
+        expect(body).to.eql({
+          statusCode: 400,
+          error: 'Bad Request',
+          message: `uri [${path}] with method [${method}] exists but is not available with the current configuration`,
+        });
+      });
+    }
+  });
+}