mirror of
https://github.com/elastic/kibana.git
synced 2025-06-28 11:05:39 -04:00
4492d993a8
# Backport This will backport the following commits from `main` to `9.0`: - [[Authz] Migrated routes with access tags to security config (#209756)](https://github.com/elastic/kibana/pull/209756) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Elena Shostak","email":"165678770+elena-shostak@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-02-11T14:36:38Z","message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","release_note:skip","Feature:Security/Authorization","backport:prev-minor","backport:version","Authz: API migration","v9.1.0","v8.19.0"],"title":"[Authz] Migrated routes with access tags to security config","number":209756,"url":"https://github.com/elastic/kibana/pull/209756","mergeCommit":{"message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/209756","number":209756,"mergeCommit":{"message":"[Authz] Migrated routes with access tags to security config (#209756)\n\n## Summary\r\n\r\nThis PR migrates the last routes with `access:<privilege>` tags used in\r\nroute definitions to new security configuration.\r\nPlease refer to the documentation for more information: [Authorization\r\nAPI](https://docs.elastic.dev/kibana-dev-docs/key-concepts/security-api-authorization)\r\n\r\n### **Before Migration:**\r\nAccess control tags were defined in the `options` object of the route:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n options: {\r\n tags: ['access:<privilege_1>', 'access:<privilege_2>'],\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### **After Migration:**\r\nTags have been replaced with the more robust\r\n`security.authz.requiredPrivileges` field under `security`:\r\n\r\n```ts\r\nrouter.get({\r\n path: '/api/path',\r\n security: {\r\n authz: {\r\n requiredPrivileges: ['<privilege_1>', '<privilege_2>'],\r\n },\r\n },\r\n ...\r\n}, handler);\r\n```\r\n\r\n### Checklist\r\n\r\n- [x]\r\n[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)\r\nwas added for features that require explanation or tutorials\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"ad0e1d9d9d5ffba3c0bd7839affe0e885c3f2f03"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Elena Shostak <165678770+elena-shostak@users.noreply.github.com>
91 lines
2.5 KiB
TypeScript
91 lines
2.5 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the "Elastic License
|
|
* 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
|
|
* Public License v 1"; you may not use this file except in compliance with, at
|
|
* your election, the "Elastic License 2.0", the "GNU Affero General Public
|
|
* License v3.0 only", or the "Server Side Public License, v 1".
|
|
*/
|
|
|
|
import { CoreSetup, DEFAULT_APP_CATEGORIES, Plugin } from '@kbn/core/server';
|
|
import {
|
|
FeaturesPluginSetup,
|
|
// PluginStartContract as FeaturesPluginStart,
|
|
} from '@kbn/features-plugin/server';
|
|
import { KibanaFeatureScope } from '@kbn/features-plugin/common';
|
|
import { FEATURE_PRIVILEGES_PLUGIN_ID } from '../common';
|
|
|
|
export interface FeatureControlExampleDeps {
|
|
features: FeaturesPluginSetup;
|
|
}
|
|
|
|
export class FeatureControlsPluginExample
|
|
implements Plugin<void, void, any, FeatureControlExampleDeps>
|
|
{
|
|
public setup(core: CoreSetup, { features }: FeatureControlExampleDeps) {
|
|
features.registerKibanaFeature({
|
|
id: FEATURE_PRIVILEGES_PLUGIN_ID,
|
|
name: 'Feature Plugin Examples',
|
|
category: DEFAULT_APP_CATEGORIES.management,
|
|
app: ['FeaturePluginExample'],
|
|
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
|
|
privileges: {
|
|
all: {
|
|
app: ['FeaturePluginExample'],
|
|
savedObject: {
|
|
all: [],
|
|
read: [],
|
|
},
|
|
api: ['my_closed_example_api'],
|
|
ui: ['view', 'create', 'edit', 'delete', 'assign'],
|
|
},
|
|
read: {
|
|
app: ['FeaturePluginExample'],
|
|
savedObject: {
|
|
all: [],
|
|
read: ['tag'],
|
|
},
|
|
api: [],
|
|
ui: ['view'],
|
|
},
|
|
},
|
|
});
|
|
|
|
const router = core.http.createRouter();
|
|
router.get(
|
|
{
|
|
path: '/internal/my_plugin/read',
|
|
validate: false,
|
|
},
|
|
async (context, request, response) => {
|
|
return response.ok({
|
|
body: {
|
|
time: new Date().toISOString(),
|
|
},
|
|
});
|
|
}
|
|
);
|
|
router.get(
|
|
{
|
|
path: '/internal/my_plugin/sensitive_action',
|
|
validate: false,
|
|
security: {
|
|
authz: {
|
|
requiredPrivileges: ['my_closed_example_api'],
|
|
},
|
|
},
|
|
},
|
|
async (context, request, response) => {
|
|
return response.ok({
|
|
body: {
|
|
time: new Date().toISOString(),
|
|
},
|
|
});
|
|
}
|
|
);
|
|
}
|
|
|
|
start() {
|
|
return {};
|
|
}
|
|
}
|