Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorized route migration for routes owned by security-defend-workflows #198381

Merged
merged 4 commits into from
Nov 11, 2024
Merged

Authorized route migration for routes owned by security-defend-workflows #198381

merged 4 commits into from
Nov 11, 2024

Conversation

kibanamachine
Copy link
Contributor

@kibanamachine kibanamachine commented Oct 30, 2024
edited
Loading

Authz API migration for authorized routes

This PR migrates access:<privilege> tags used in route definitions to new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

Access control tags were defined in the options object of the route:

router.get({
  path: '/api/path',
  options: {
    tags: ['access:<privilege_1>', 'access:<privilege_2>'],
  },
  ...
}, handler);

After migration:

Tags have been replaced with the more robust security.authz.requiredPrivileges field under security:

router.get({
  path: '/api/path',
  security: {
    authz: {
      requiredPrivileges: ['<privilege_1>', '<privilege_2>'],
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. You might need to update your tests to reflect the new security configuration:
  • If you have tests that rely on checking access tags.
  • If you have snapshot tests that include the route definition.
  • If you have FTR tests that rely on checking unauthorized error message. The error message changed to also include missing privileges.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 15:07
@kibanamachine kibanamachine added enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization Team:Defend Workflows “EDR Workflows” sub-team of Security Solution backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Authz: API migration labels Oct 30, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@elena-shostak elena-shostak mentioned this pull request Oct 30, 2024
Closed
@pzl pzl requested review from paul-tavares and removed request for pzl October 30, 2024 16:07
szwarckonrad
szwarckonrad approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@szwarckonrad szwarckonrad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All changes align well with the expected structure, and I haven’t noticed anything missing in the new version compared to the current one.

paul-tavares
paul-tavares approved these changes Nov 11, 2024
View reviewed changes
Copy link
Contributor

@paul-tavares paul-tavares left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

thanks @szwarckonrad for the updates to tests.

@paul-tavares paul-tavares enabled auto-merge (squash) November 11, 2024 16:15
@paul-tavares paul-tavares merged commit 68a5308 into main Nov 11, 2024
43 checks passed
@paul-tavares paul-tavares deleted the authz-migration/authorized-routes-security-defend-workflows branch November 11, 2024 17:56
@kibanamachine
Copy link
Contributor Author

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11783697819

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

kibanamachine added a commit to kibanamachine/kibana that referenced this pull request Nov 11, 2024
@kibanamachine
Authorized route migration for routes owned by security-defend-workfl…
de89c4b 
…ows (elastic#198381)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.

(cherry picked from commit 68a5308)
@kibanamachine kibanamachine mentioned this pull request Nov 11, 2024
Merged
@kibanamachine
Copy link
Contributor Author

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

kibanamachine added a commit that referenced this pull request Nov 11, 2024
@kibanamachine
[8.x] Authorized route migration for routes owned by security-defend-…
4e89a6c 
…workflows (#198381) (#199680)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Authorized route migration for routes owned by
security-defend-workflows
(#198381)](#198381)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Kibana
Machine","email":"42973632+kibanamachine@users.noreply.github.com"},"sourceCommit":{"committedDate":"2024-11-11T17:56:34Z","message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["enhancement","release_note:skip","Feature:Security/Authorization","v9.0.0","Team:Defend
Workflows","backport:prev-minor","Authz: API
migration"],"title":"Authorized route migration for routes owned by
security-defend-workflows","number":198381,"url":"https://github.com/elastic/kibana/pull/198381","mergeCommit":{"message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/198381","number":198381,"mergeCommit":{"message":"Authorized
route migration for routes owned by security-defend-workflows
(#198381)\n\n### Authz API migration for authorized routes\r\n\r\nThis
PR migrates `access:<privilege>` tags used in route definitions
to\r\nnew security
configuration.","sha":"68a5308bd5b4a4caa0cdaaa5d6b6d80553ceee9a"}}]}]
BACKPORT-->
tkajtoch pushed a commit to tkajtoch/kibana that referenced this pull request Nov 12, 2024
@kibanamachine @tkajtoch
Authorized route migration for routes owned by security-defend-workfl…
cef180e 
…ows (elastic#198381)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Nov 18, 2024
@kibanamachine @CAWilson94
Authorized route migration for routes owned by security-defend-workfl…
187a591 
…ows (elastic#198381)

### Authz API migration for authorized routes

This PR migrates `access:<privilege>` tags used in route definitions to
new security configuration.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paul-tavares paul-tavares paul-tavares approved these changes

@szwarckonrad szwarckonrad szwarckonrad approved these changes

Assignees
No one assigned
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.17.0 v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kibanamachine @elasticmachine @szwarckonrad @paul-tavares