mirror of
https://github.com/elastic/kibana.git
synced 2025-06-27 18:51:07 -04:00
[Authz] Added allOf and anyOf nested conditions (#215516)
## Summary

Currently, our `requiredPrivileges` structure supports `allRequired` and `anyRequired` for defining authorization logic. However, there is [a need to support](https://github.com/elastic/kibana/pull/205335#issuecomment-2569275302) more complex scenarios such as `(privilege1 AND privilege2) OR (privilege3 AND privilege4)`.

To achieve this, `anyRequired` has been extended to allow defining multiple AND conditions evaluated with OR logic:

```ts
security: {
  authz: {
    requiredPrivileges: [{
      anyRequired: [
        { allOf: ['privilege1', 'privilege2'] },
        { allOf: ['privilege3', 'privilege4'] }
      ]
    }]
  }
}
```

`allRequired` now also supports scenarios such as `(privilege1 OR privilege2) AND (privilege3 OR privilege4)`:

```ts
security: {
  authz: {
    requiredPrivileges: [{
      allRequired: [
        { anyOf: ['privilege1', 'privilege2'] },
        { anyOf: ['privilege3', 'privilege4'] }
      ]
    }]
  }
}
```

> [!IMPORTANT]
> We expect to have unique privileges in `anyOf` or `allOf` conditions, assuming that most complex conditions can be simplified by boolean algebra laws (OR/AND distributive etc).

### Checklist

- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

__Closes: https://github.com/elastic/kibana/issues/210977__

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This commit is contained in:
parent
cc4ed13cb5
commit
ed058086e2
24 changed files with 1033 additions and 422 deletions
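The nested conditions described in the commit message, as an added example that is not part of this commit or of Kibana's code: a config-time validator and a request-time evaluator for the `requiredPrivileges` shape. The type and function names are hypothetical, and the scope of the uniqueness check (no privilege repeated within one list) and the rule that top-level entries are combined with AND are assumptions of this example.

```typescript
// Added illustration, not Kibana's implementation; all names here are hypothetical.
type AnyOf = { anyOf: string[] };
type AllOf = { allOf: string[] };
type PrivilegeSet = {
  allRequired?: Array<string | AnyOf>;
  anyRequired?: Array<string | AllOf>;
};

const members = (e: string | AnyOf | AllOf): string[] =>
  typeof e === 'string' ? [e] : 'anyOf' in e ? e.anyOf : e.allOf;

// Config-time check. Assumed reading of the uniqueness note: a privilege may not
// repeat within one list. Empty nested conditions are rejected too, because an
// empty allOf would be vacuously true and an empty anyOf could never pass.
function validate(set: PrivilegeSet): string[] {
  const errors: string[] = [];
  const lists: Array<[string, Array<string | AnyOf | AllOf>]> = [
    ['allRequired', set.allRequired ?? []],
    ['anyRequired', set.anyRequired ?? []],
  ];
  for (const [name, entries] of lists) {
    const seen = new Set<string>();
    for (const entry of entries) {
      const privileges = members(entry);
      if (privileges.length === 0) errors.push(`${name}: empty nested condition`);
      for (const p of privileges) {
        if (seen.has(p)) errors.push(`${name}: duplicate privilege ${p}`);
        seen.add(p);
      }
    }
  }
  return errors;
}

// Request-time check (assumed semantics): every top-level entry must hold; inside
// a set, all of allRequired must hold and, when anyRequired is present, at least
// one of its entries must hold. An empty anyRequired list fails closed.
function isAuthorized(required: Array<string | PrivilegeSet>, granted: Set<string>): boolean {
  const has = (p: string): boolean => granted.has(p);
  return required.every((entry) => {
    if (typeof entry === 'string') return has(entry);
    const all = (entry.allRequired ?? []).every((e) =>
      typeof e === 'string' ? has(e) : e.anyOf.some(has));
    const any = entry.anyRequired === undefined || entry.anyRequired.some((e) =>
      typeof e === 'string' ? has(e) : e.allOf.every(has));
    return all && any;
  });
}
```

Running `validate` when routes are registered surfaces the empty-`allOf` case before it can turn into an always-true condition at request time.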
|
@ -218,6 +218,48 @@ router.get({
|
|||
}, handler);
|
||||
```
|
||||
|
||||
**Example 4: Complex configuration with nested `allOf`.**
|
||||
Requires (`<privilege_1>` AND `<privilege_2>`) OR (`<privilege_3>` AND `<privilege_4>`) to access the route.
|
||||
```ts
|
||||
router.get({
|
||||
path: '/api/path',
|
||||
security: {
|
||||
authz: {
|
||||
requiredPrivileges: [
|
||||
{
|
||||
anyRequired: [
|
||||
{ allOf: ['<privilege_1>', '<privilege_2>']},
|
||||
{ allOf: ['<privilege_3>', '<privilege_4>']}
|
||||
],
|
||||
}
|
||||
],
|
||||
},
|
||||
},
|
||||
...
|
||||
}, handler);
|
||||
```
|
||||
|
||||
**Example 5: Complex configuration with nested `anyOf`.**
|
||||
Requires (`<privilege_1>` OR `<privilege_2>`) AND (`<privilege_3>` OR `<privilege_4>`) to access the route.
|
||||
```ts
|
||||
router.get({
|
||||
path: '/api/path',
|
||||
security: {
|
||||
authz: {
|
||||
requiredPrivileges: [
|
||||
{
|
||||
allRequired: [
|
||||
{ anyOf: ['<privilege_1>', '<privilege_2>']},
|
||||
{ anyOf: ['<privilege_3>', '<privilege_4>']}
|
||||
],
|
||||
}
|
||||
],
|
||||
},
|
||||
},
|
||||
...
|
||||
}, handler);
|
||||
```
|
||||
|
||||
### Versioned router security configuration examples
|
||||
Different security configurations can be applied to each version when using the Versioned Router. This allows your authorization needs to evolve in lockstep with your API.
|
||||
|
||||
|
|
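Review bot: Examples 4 and 5 document the nested `allOf` and `anyOf` forms but omit the constraint from the commit description that privileges are expected to be unique in `anyOf` or `allOf` conditions, so a reader of the docs alone cannot tell that a repeated privilege is unsupported. Suggest adding a sentence after each example's "Requires ..." line stating that expectation, and saying whether `allOf` is accepted only under `anyRequired` and `anyOf` only under `allRequired`, since the examples show just those two pairings. Minor style point: the nested entries end in `']},` without the space before the closing brace that follows the opening one, for example `{ allOf: ['<privilege_1>', '<privilege_2>']},`.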