mirror of
https://github.com/elastic/kibana.git
synced 2025-04-25 02:09:32 -04:00
ad0e1d9d9d
## Summary This PR migrates the last routes with `access:<privilege>` tags used in route definitions to new security configuration. Please refer to the documentation for more information: [Authorization API](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization) ### **Before Migration:** Access control tags were defined in the `options` object of the route: ```ts router.get({ path: '/api/path', options: { tags: ['access:<privilege_1>', 'access:<privilege_2>'], }, ... }, handler); ``` ### **After Migration:** Tags have been replaced with the more robust `security.authz.requiredPrivileges` field under `security`: ```ts router.get({ path: '/api/path', security: { authz: { requiredPrivileges: ['<privilege_1>', '<privilege_2>'], }, }, ... }, handler); ``` ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
81 lines
2.8 KiB
TypeScript
81 lines
2.8 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the "Elastic License
|
|
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
|
* Public License v 1"; you may not use this file except in compliance with, at
|
|
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
|
* License v3.0 only", or the "Server Side Public License, v 1".
|
|
*/
|
|
|
|
import type { Plugin, CoreSetup } from '@kbn/core/server';
|
|
import { FeaturesPluginSetup, FeaturesPluginStart } from '@kbn/features-plugin/server';
|
|
import { SecurityPluginSetup, SecurityPluginStart } from '@kbn/security-plugin/server';
|
|
import { SpacesPluginSetup, SpacesPluginStart } from '@kbn/spaces-plugin/server';
|
|
import { schema } from '@kbn/config-schema';
|
|
|
|
export interface SetupDeps {
|
|
features: FeaturesPluginSetup;
|
|
security: SecurityPluginSetup;
|
|
spaces: SpacesPluginSetup;
|
|
}
|
|
|
|
export interface StartDeps {
|
|
features: FeaturesPluginStart;
|
|
security: SecurityPluginStart;
|
|
spaces: SpacesPluginStart;
|
|
}
|
|
|
|
export class UserProfilesPlugin implements Plugin<void, void, SetupDeps, StartDeps> {
|
|
setup(core: CoreSetup<StartDeps>) {
|
|
const router = core.http.createRouter();
|
|
router.post(
|
|
{
|
|
path: '/internal/user_profiles_examples/_suggest',
|
|
validate: {
|
|
body: schema.object({
|
|
name: schema.string(),
|
|
dataPath: schema.maybe(schema.string()),
|
|
}),
|
|
},
|
|
/**
|
|
* Important: You must restrict access to this endpoint using access `tags`.
|
|
*/
|
|
security: {
|
|
authz: {
|
|
requiredPrivileges: ['suggestUserProfiles'],
|
|
},
|
|
},
|
|
},
|
|
async (context, request, response) => {
|
|
const [, pluginDeps] = await core.getStartServices();
|
|
|
|
/**
|
|
* Important: `requiredPrivileges` must be hard-coded server-side and cannot be exposed as a
|
|
* param client-side.
|
|
*
|
|
* If your app requires suggestions based on different privileges you must expose separate
|
|
* endpoints for each use-case.
|
|
*
|
|
* In this example we ensure that suggested users have access to the current space and are
|
|
* able to login but in your app you will want to change that to something more relevant.
|
|
*/
|
|
const profiles = await pluginDeps.security.userProfiles.suggest({
|
|
name: request.body.name,
|
|
dataPath: request.body.dataPath,
|
|
requiredPrivileges: {
|
|
spaceId: pluginDeps.spaces.spacesService.getSpaceId(request),
|
|
privileges: {
|
|
kibana: [pluginDeps.security.authz.actions.login],
|
|
},
|
|
},
|
|
});
|
|
|
|
return response.ok({ body: profiles });
|
|
}
|
|
);
|
|
}
|
|
|
|
start() {
|
|
return {};
|
|
}
|
|
}
|