kibana/dev_docs
Kibana Machine efdca2db51
[8.x] [Authz] Operator privileges (#196583) (#204149)
# Backport

This will backport the following commits from `main` to `8.x`:
- [[Authz] Operator privileges
(#196583)](https://github.com/elastic/kibana/pull/196583)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

Backport metadata (condensed from the backport tool's JSON): source commit `52dd7e17c4ee1bcada352b142532ca534002e8d5` on `main`, author Elena Shostak, committed 2024-12-12T22:55:04Z; source PR #196583 (https://github.com/elastic/kibana/pull/196583), state MERGED, labels `release_note:enhancement`, `Team:Security`, `Feature:Security/Authorization`, `v9.0.0`, `backport:prev-minor`; branch label mapping `^v9.0.0$` to `main`, `^v8.18.0$` to `8.x`, `^v(\d+).(\d+).\d+$` to `$1.$2`.

Source commit message ([Authz] Operator privileges (#196583)):

## Summary

This PR adds support for explicitly indicating whether an endpoint is restricted to operator-only users.

### Context

1. If a user has [all operator privileges](https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/operator/DefaultOperatorOnlyRegistry.java#L35-#L53) granted, but is not listed as an operator in `operator_users.yml`, ES would throw an unauthorized error.
2. If a user is listed as an operator in `operator_users.yml`, but doesn't have the necessary privileges granted, ES would throw an unauthorized error.
3. It’s not possible to determine if a user is an operator via any ES API, i.e. `_has_privileges`.
4. If operator privileges are disabled we skip the check for it; that's why we require additional privileges to be explicitly specified, to ensure that the route is protected even when operator privileges are disabled.

### Checklist

- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

__Relates: https://github.com/elastic/kibana/issues/196271__

### How to test

1. Add your user to the operators list (`1bd8144924/packages/kbn-es/src/serverless_resources/operator_users.yml` (L4)) or use an existing user from the list to log in.
2. Run ES and Kibana serverless.
3. Change any endpoint or create a new one with the following security config:
   ```
   security: {
     authz: {
       requiredPrivileges: [ReservedPrivilegesSet.operator],
     },
   },
   ```
4. Check with enabled and disabled operator privileges (set `xpack.security.operator_privileges.enabled`).

## Release Note

Added support for explicitly indicating, at the route definition level, whether an endpoint is restricted to operator-only users.

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
2024-12-12 18:43:51 -06:00
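The four context points and the "How to test" steps in the source commit message describe a decision rule with a sharp edge: the operator check is skipped when `xpack.security.operator_privileges.enabled` is off, so a route whose only requirement is the operator marker is guarded by nothing at all in that configuration. The following TypeScript is an added example, not Kibana's code and not part of the PR; it models that rule with assumed names (`OPERATOR_MARKER` standing in for `ReservedPrivilegesSet.operator`, `authorizeRoute`, `checkRouteAuthz`, and the constructed callers and routes) so the two failure modes can be seen side by side: a caller that is listed as an operator but lacks a granted privilege, and a marker-only route that becomes open once the feature is disabled.

```typescript
// Added example (not Kibana's implementation): a model of the route authorization rule
// described in the commit message. OPERATOR_MARKER, authorizeRoute, checkRouteAuthz and the
// sample data are assumptions made for this illustration; Kibana's own types differ.

// Stand-in for ReservedPrivilegesSet.operator (assumed marker value).
const OPERATOR_MARKER = 'reserved:operator';

interface RouteAuthz {
  requiredPrivileges: string[]; // e.g. [OPERATOR_MARKER, 'manage_security']
}

interface Caller {
  username: string;
  listedAsOperator: boolean; // whether the user appears in operator_users.yml
  granted: Set<string>; // privileges actually granted through roles
}

interface SecuritySettings {
  operatorPrivilegesEnabled: boolean; // xpack.security.operator_privileges.enabled
}

type Decision = { allowed: true } | { allowed: false; reason: string };

// Context points 1 and 2: being listed as an operator and holding the granted privileges are
// independent requirements, so both must hold. Point 4: the operator requirement is only
// checked while the feature is enabled, so the explicit privileges protect the route otherwise.
function authorizeRoute(route: RouteAuthz, caller: Caller, settings: SecuritySettings): Decision {
  const requiresOperator = route.requiredPrivileges.includes(OPERATOR_MARKER);
  const explicit = route.requiredPrivileges.filter((p) => p !== OPERATOR_MARKER);

  const missing = explicit.filter((p) => !caller.granted.has(p));
  if (missing.length > 0) {
    return { allowed: false, reason: `missing privileges: ${missing.join(', ')}` };
  }
  if (requiresOperator && settings.operatorPrivilegesEnabled && !caller.listedAsOperator) {
    return { allowed: false, reason: 'operator-only route and caller is not an operator' };
  }
  return { allowed: true };
}

// Definition-time check: an operator-only route with no explicit privilege is reachable by any
// authenticated user once operator privileges are disabled, so reject that configuration.
function checkRouteAuthz(route: RouteAuthz): string[] {
  const errors: string[] = [];
  const explicit = route.requiredPrivileges.filter((p) => p !== OPERATOR_MARKER);
  if (route.requiredPrivileges.includes(OPERATOR_MARKER) && explicit.length === 0) {
    errors.push('operator marker must be combined with at least one explicit privilege');
  }
  if (route.requiredPrivileges.length === 0) {
    errors.push('requiredPrivileges must not be empty');
  }
  return errors;
}

// Constructed scenario: the same callers and routes under both settings of the feature flag.
function demo() {
  const guarded: RouteAuthz = { requiredPrivileges: [OPERATOR_MARKER, 'manage_security'] };
  const markerOnly: RouteAuthz = { requiredPrivileges: [OPERATOR_MARKER] };

  const alice: Caller = { username: 'alice', listedAsOperator: false, granted: new Set<string>(['manage_security']) };
  const bob: Caller = { username: 'bob', listedAsOperator: true, granted: new Set<string>() };
  const carol: Caller = { username: 'carol', listedAsOperator: true, granted: new Set<string>(['manage_security']) };
  const dave: Caller = { username: 'dave', listedAsOperator: false, granted: new Set<string>() };

  const on: SecuritySettings = { operatorPrivilegesEnabled: true };
  const off: SecuritySettings = { operatorPrivilegesEnabled: false };

  return {
    configErrorsGuarded: checkRouteAuthz(guarded), // []
    configErrorsMarkerOnly: checkRouteAuthz(markerOnly), // one error
    aliceOn: authorizeRoute(guarded, alice, on).allowed, // false: has the privilege, not an operator
    bobOn: authorizeRoute(guarded, bob, on).allowed, // false: operator, but privilege not granted
    carolOn: authorizeRoute(guarded, carol, on).allowed, // true
    aliceOff: authorizeRoute(guarded, alice, off).allowed, // true: operator check skipped
    bobOff: authorizeRoute(guarded, bob, off).allowed, // false: explicit privilege still enforced
    daveOffMarkerOnly: authorizeRoute(markerOnly, dave, off).allowed, // true: nothing left to check
  };
}
```

`daveOffMarkerOnly` is the case the commit message's fourth context point is warning about: with the feature disabled, a route that lists only the operator marker admits a caller who is neither an operator nor holds any privilege, which is why `checkRouteAuthz` refuses that configuration up front.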
assets Developer documentation for designing feature privileges (#166716) 2023-09-27 13:43:55 +02:00
contributing [8.x] Add dependency docs (#194333) (#194691) 2024-10-02 12:26:29 +00:00
getting_started [Docs] Clarify .env for Dev Container (#192142) 2024-09-04 16:52:03 -07:00
key_concepts [8.x] [Authz] Operator privileges (#196583) (#204149) 2024-12-12 18:43:51 -06:00
lens [8.x] [Lens] fit line charts by default (#196184) (#197057) 2024-10-21 09:53:10 -05:00
operations [EuiProvider / Functional tests] Check for EuiProvider Dev Warning (#189018) 2024-08-26 15:08:32 -05:00
shared_ux [8.x] [dev docs] Add recently viewed docs (#195001) (#195779) 2024-10-10 14:51:14 +00:00
tutorials [8.x] Deprecated authRequired in favor of security.authc.enabled (#202414) (#203531) 2024-12-10 06:22:17 -06:00
api_welcome.mdx [packages] migrate all plugins to packages (#148130) 2023-02-08 21:06:50 -06:00
kibana_server_core_components.mdx Clean up dev docs (#124271) 2022-02-03 10:09:10 -05:00
nav-kibana-dev.docnav.json [8.x] [Docs] Security Route Configuration (#193994) (#197218) 2024-10-22 12:01:38 +00:00