
[http] Default route access to internal#161672

Merged
TinaHeiligers merged 3 commits intoelastic:mainfrom
TinaHeiligers:kbn-161371-relax-API-access-restrictions
Jul 12, 2023

Conversation

@TinaHeiligers (Contributor) commented Jul 11, 2023

fix #161371
Kibana enforces restricting access to public APIs if a request can't be verified using a header.

By default, when access is not explicitly set otherwise, Kibana determines whether an API is internal or public from the route path string.

That means that all routes that don't have an internal prefix in the path string become public, and need the header to pass validation in core's server route handler.

We need to change that to instead set the default to internal and allow teams who specifically want their APIs to be public to declare their route access property as public themselves.

Checklist

  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list]

Risk Matrix

| Risk | Probability | Severity | Mitigation/Notes |
| --- | --- | --- | --- |
| Teams who specifically want their APIs as public don't override the default | High | High (serverless) | Integration tests will verify that requests to public APIs without the required header will fail. |
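The access-default change described in this PR, and the explicit `access: 'public'` opt-in that the referenced security commit later applies to its logout and SAML callback routes, modelled as an added TypeScript example. This is not Kibana's router code; the function names and the header name are assumptions (the page only says "the required header").

```typescript
// Added illustration of the access policy this PR describes; it is not Kibana's
// own router code. The header name below is a placeholder assumption.
type RouteAccess = 'internal' | 'public';

interface RouteConfig {
  path: string;
  access?: RouteAccess; // set explicitly by the route owner, or omitted
}

// Before this PR: an undeclared route was public unless its path carried the
// internal prefix, so most routes silently became public.
export function resolveAccessFromPath(route: RouteConfig): RouteAccess {
  if (route.access !== undefined) return route.access;
  return route.path.startsWith('/internal/') ? 'internal' : 'public';
}

// After this PR: an undeclared route is internal; owners opt in with
// access: 'public' (as the security plugin later did for /api/security/logout).
export function resolveAccessDefaultInternal(route: RouteConfig): RouteAccess {
  return route.access ?? 'internal';
}

// Placeholder header name (assumption); the page never names the header.
export const REQUIRED_PUBLIC_API_HEADER = 'x-placeholder-required-header';

// Per the PR text, a request to a public API must carry the header to pass
// validation in core's route handler; internal routes are not subject to it.
export function requestPassesAccessCheck(
  route: RouteConfig,
  headers: Record<string, string>,
  resolve: (r: RouteConfig) => RouteAccess,
): boolean {
  if (resolve(route) === 'internal') return true;
  return Object.keys(headers).some((h) => h.toLowerCase() === REQUIRED_PUBLIC_API_HEADER);
}
```

Under the old resolver an undeclared `/api/...` route needed the header; under the new one the same route is internal and only routes that explicitly declare `access: 'public'` are subject to the header check.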

@TinaHeiligers TinaHeiligers added Feature:http Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// Epic:VersionedAPIs Kibana Versioned APIs Project:Serverless Work as part of the Serverless project for its initial release labels Jul 11, 2023
@TinaHeiligers (Contributor, Author) commented:

cc @jloleysens Here's the draft for relaxing API restrictions

@kibana-ci commented:

💚 Build Succeeded

Metrics [docs]

Unknown metric groups

ESLint disabled line counts

| id | before | after | diff |
| --- | --- | --- | --- |
| enterpriseSearch | 14 | 16 | +2 |
| securitySolution | 409 | 413 | +4 |
| total | | | +6 |

Total ESLint disabled count

| id | before | after | diff |
| --- | --- | --- | --- |
| enterpriseSearch | 15 | 17 | +2 |
| securitySolution | 488 | 492 | +4 |
| total | | | +6 |

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@TinaHeiligers TinaHeiligers marked this pull request as ready for review July 11, 2023 22:35
@TinaHeiligers TinaHeiligers requested a review from a team as a code owner July 11, 2023 22:35
@elasticmachine (Contributor) commented:

Pinging @elastic/kibana-core (Team:Core)

@pgayvallet (Contributor) left a comment:

LGTM

@TinaHeiligers TinaHeiligers merged commit f022456 into elastic:main Jul 12, 2023
@TinaHeiligers TinaHeiligers deleted the kbn-161371-relax-API-access-restrictions branch July 12, 2023 17:19
@kibanamachine kibanamachine added the backport:skip This PR does not require backporting label Jul 12, 2023
jeramysoucy added a commit that referenced this pull request Jul 26, 2023
Subset of #161337
Unblocks #162149

## Summary

This PR uses the access 'public' option when registering the `GET
/api/security/logout` and `POST /api/security/saml/callback` APIs. This
will ensure they have public access in serverless, while all other APIs
will default to internal. PR #161672 changes default access of
registered endpoints to 'internal', meaning that API owners have to
explicitly set access: public to pass the API protection restriction.

This PR also adds internal headers to the existing serverless Spaces API
tests. This unblocks the PR to enable API protection in serverless
(#162149).

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
ThomThomson pushed a commit to ThomThomson/kibana that referenced this pull request Aug 1, 2023

Labels

backport:skip This PR does not require backporting Epic:VersionedAPIs Kibana Versioned APIs Feature:http Project:Serverless Work as part of the Serverless project for its initial release release_note:fix Team:Core Platform Core services: plugins, logging, config, saved objects, http, ES client, i18n, etc t// v8.10.0

Development

Successfully merging this pull request may close these issues.

[http] Relax API access restrictions

6 participants