mirror of
https://github.com/elastic/kibana.git
synced 2025-06-27 18:51:07 -04:00
4492d993a8
# Backport This will backport the following commits from `main` to `9.0`: - [[Authz] Migrated routes with access tags to security config (#209756)](https://github.com/elastic/kibana/pull/209756) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Elena Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-02-11T14:36:38Z","message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/Authorization","backport:prev-minor","backport:version","Authz: API migration","v9.1.0","v8.19.0"],"title":"[Authz] Migrated routes with access tags to security config","number":209756,"url":"https://github.com/elastic/kibana/pull/209756","mergeCommit":{"message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/209756","number":209756,"mergeCommit":{"message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
81 lines
2.8 KiB
TypeScript
81 lines
2.8 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the "Elastic License
|
|
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
|
* Public License v 1"; you may not use this file except in compliance with, at
|
|
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
|
* License v3.0 only", or the "Server Side Public License, v 1".
|
|
*/
|
|
|
|
import type { Plugin, CoreSetup } from '@kbn/core/server';
|
|
import { FeaturesPluginSetup, FeaturesPluginStart } from '@kbn/features-plugin/server';
|
|
import { SecurityPluginSetup, SecurityPluginStart } from '@kbn/security-plugin/server';
|
|
import { SpacesPluginSetup, SpacesPluginStart } from '@kbn/spaces-plugin/server';
|
|
import { schema } from '@kbn/config-schema';
|
|
|
|
export interface SetupDeps {
|
|
features: FeaturesPluginSetup;
|
|
security: SecurityPluginSetup;
|
|
spaces: SpacesPluginSetup;
|
|
}
|
|
|
|
export interface StartDeps {
|
|
features: FeaturesPluginStart;
|
|
security: SecurityPluginStart;
|
|
spaces: SpacesPluginStart;
|
|
}
|
|
|
|
export class UserProfilesPlugin implements Plugin<void, void, SetupDeps, StartDeps> {
|
|
setup(core: CoreSetup<StartDeps>) {
|
|
const router = core.http.createRouter();
|
|
router.post(
|
|
{
|
|
path: '/internal/user_profiles_examples/_suggest',
|
|
validate: {
|
|
body: schema.object({
|
|
name: schema.string(),
|
|
dataPath: schema.maybe(schema.string()),
|
|
}),
|
|
},
|
|
/**
|
|
* Important: You must restrict access to this endpoint using access `tags`.
|
|
*/
|
|
security: {
|
|
authz: {
|
|
requiredPrivileges: ['suggestUserProfiles'],
|
|
},
|
|
},
|
|
},
|
|
async (context, request, response) => {
|
|
const [, pluginDeps] = await core.getStartServices();
|
|
|
|
/**
|
|
* Important: `requiredPrivileges` must be hard-coded server-side and cannot be exposed as a
|
|
* param client-side.
|
|
*
|
|
* If your app requires suggestions based on different privileges you must expose separate
|
|
* endpoints for each use-case.
|
|
*
|
|
* In this example we ensure that suggested users have access to the current space and are
|
|
* able to login but in your app you will want to change that to something more relevant.
|
|
*/
|
|
const profiles = await pluginDeps.security.userProfiles.suggest({
|
|
name: request.body.name,
|
|
dataPath: request.body.dataPath,
|
|
requiredPrivileges: {
|
|
spaceId: pluginDeps.spaces.spacesService.getSpaceId(request),
|
|
privileges: {
|
|
kibana: [pluginDeps.security.authz.actions.login],
|
|
},
|
|
},
|
|
});
|
|
|
|
return response.ok({ body: profiles });
|
|
}
|
|
);
|
|
}
|
|
|
|
start() {
|
|
return {};
|
|
}
|
|
}
|