[Fleet] Make API routes public by default #163345
juliaElastic merged 4 commits into elastic:main from Aug 8, 2023
Pinging @elastic/fleet (Team:Fleet)
@elasticmachine merge upstream
💚 Build Succeeded
cc @nchaulet
juliaElastic approved these changes Aug 8, 2023
LGTM, I think we should review though if anything else can be made internal e.g. deprecated APIs.
bryce-b pushed a commit to bryce-b/kibana that referenced this pull request Aug 9, 2023
## Summary

Kibana API will not be public by default in serverless, this means Fleet API will not be accessible.

That PR fixes that by changing the Fleet router to make Fleet API routes public unless they specify `options.access` in their config, the only route that I found that should be internal is the `/internal/fleet/reset_preconfiguration`

## Test

- [x] Added unit test to our router

manual test run Kibana in serverless and check Fleet API are still publicly available

Before that change

<img width="1003" alt="Screenshot 2023-08-07 at 1 36 29 PM" src="https://github.com/elastic/kibana/assets/1336873/8e2fb113-f5e8-45e8-9892-f25bd9e722ad">

After that change

<img width="679" alt="Screenshot 2023-08-07 at 1 36 55 PM" src="https://github.com/elastic/kibana/assets/1336873/3cade239-5b13-4caf-bd1a-1bc8e2495c31">

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
criamico added a commit that referenced this pull request Sep 5, 2023
## Summary

Add versioning to Fleet APIs in preparation for serverless. All the Fleet endpoints were made public by default in #163345.

- Modify the fleet router to use the new `Router.versioned` provided by Kibana core. Our router is a wrapper around it so I had to do some modifications to use the new APIs.
- Modify all the endpoints to use the new API. They'll now follow this format:
  ```
  router.versioned
    .post({
      access: 'internal', // Specified only if the access is internal, otherwise all the endpoints are public
      path: '/api/my-app/foo/{id?}',
      fleetAuthz: {
        fleet: { all: true },
      },
      options: { timeout: { payload: 60000 } }, // optional
    })
    // introduces first version
    .addVersion(
      {
        version: '2023-10-31', // The public version of this API
        validate: { request: endpointValidationSchema },
      },
      endpointHandler,
    )
  ```
  If a new version will be released, a new `addVersion` block can be added to the previous.
- Introduce constants for the versions. These versions will be replaced in the future when new versions of the apis will be released:
  - Public endpoints will use version `API_VERSIONS.public.v1 = 2023-10-31`
  - Private endpoints will use version `API_VERSIONS.internal.v1 = 1`
- Mark deprecated endpoints as private. List:
  - `GET /api/fleet/agent-status`
  - `GET /api/fleet/enrollment-api-keys`
  - `POST /api/fleet/enrollment-api-keys`
  - `GET /api/fleet/enrollment-api-keys/{keyId}`
  - `DELETE /api/fleet/enrollment-api-keys/{keyId}`
  - `POST /api/fleet/service-tokens`
  - `PUT /api/fleet/epm/packages/{pkgkey}`
  - `DELETE /api/fleet/epm/packages/{pkgkey}`
- Pass these versions through the headers wherever the fleet apis are called (UI, other plugins, tests, etc). These headers have this format:
  ```
  { 'Elastic-Api-Version': '2023-10-31' }
  ```
- All the browsers calls now specify the headers with the versions

### Notes

1. In dev the request of passing the headers is always enforced, to avoid it it's needed the following flag when starting the env:
   ```
   server.versioned.versionResolution: oldest
   ```
   This prevents the router to enforce the headers presence for all the public endpoints; internal endpoints however will need it regardless of this flag.
2. The kibana dev tools still don't accept the new headers, the api calls can be only tested through `curl` or equivalent for now
3. These deprecated endpoints are still marked as public because if we mark them as internal the router would always choose them over the correspondent public routes.
   ```
   - `POST /api/fleet/epm/packages/{pkgkey}`
   - `GET /api/fleet/epm/packages/{pkgkey}`
   ```

## Testing

- Load Fleet in dev
- The UI should work as normal and you should be able to see the new headers in the dev tools
- API calls (via curl) should work as normal, with and without headers for public endpoints

### Checklist

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Nicolas Chaulet <nicolas.chaulet@elastic.co>
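
The header rules stated in the notes of the commit message above, as a small model added here for illustration; it is not Kibana's or Fleet's router code. `resolveVersion`, `summarize`, the `'required'` mode name and the rejection of unregistered versions are assumptions of this example.

```typescript
type RouteAccess = 'public' | 'internal';
// 'oldest' is the value quoted in the notes; 'required' is this example's own
// name for the dev behaviour where the header must be present.
type Resolution = 'oldest' | 'required';
type HeaderMap = Record<string, string | undefined>;
interface VersionedRoute {
  path: string;
  access: RouteAccess;
  versions: string[]; // one entry per addVersion call
}
type Outcome = { ok: true; version: string } | { ok: false; reason: string };

const VERSION_HEADER = 'elastic-api-version'; // header name, compared in lower case here

function resolveVersion(route: VersionedRoute, headers: HeaderMap, resolution: Resolution): Outcome {
  const requested = headers[VERSION_HEADER];
  if (requested !== undefined) {
    // Assumption: a version that was never registered is rejected.
    return route.versions.indexOf(requested) >= 0
      ? { ok: true, version: requested }
      : { ok: false, reason: 'unknown version ' + requested };
  }
  // No header: internal routes are rejected whatever the flag says.
  if (route.access === 'internal') {
    return { ok: false, reason: 'header required for internal route' };
  }
  if (resolution === 'required') return { ok: false, reason: 'header required' };
  const oldest = route.versions.slice().sort()[0]; // date strings sort lexically
  return oldest === undefined
    ? { ok: false, reason: 'no versions registered' }
    : { ok: true, version: oldest };
}

// Flattens an Outcome into one string so callers and tests can compare it directly.
function summarize(route: VersionedRoute, headers: HeaderMap, resolution: Resolution): string {
  const out = resolveVersion(route, headers, resolution);
  return out.ok ? 'version ' + out.version : 'rejected: ' + out.reason;
}

// Constructed sample routes; paths and versions are the ones quoted on this page.
const publicRoute: VersionedRoute = {
  path: '/api/fleet/epm/packages/{pkgkey}', access: 'public', versions: ['2023-10-31'],
};
const internalRoute: VersionedRoute = {
  path: '/internal/fleet/reset_preconfiguration', access: 'internal', versions: ['1'],
};
```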
## Summary

Kibana API will not be public by default in serverless, this means Fleet API will not be accessible.

That PR fixes that by changing the Fleet router to make Fleet API routes public unless they specify `options.access` in their config, the only route that I found that should be internal is the `/internal/fleet/reset_preconfiguration`

## Test

manual test run Kibana in serverless and check Fleet API are still publicly available

Before that change
After that change
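
A default-public wrapper of the kind the PR description above outlines makes every route that omits `options.access` reachable, so a registration audit is a useful companion check. The sketch below is an added example, not the Fleet router itself; `DefaultPublicRouter`, `findAccidentallyPublic` and the `/internal/fleet/example_debug` path are hypothetical, and the HTTP methods are assumed.

```typescript
type Access = 'public' | 'internal';

interface RouteConfig {
  path: string;
  options?: { access?: Access };
}

interface RegisteredRoute {
  method: string;
  path: string;
  access: Access;
  explicit: boolean; // true when the route set options.access itself
}

// Hypothetical wrapper: routes are public unless options.access says otherwise.
class DefaultPublicRouter {
  readonly routes: RegisteredRoute[] = [];

  register(method: string, config: RouteConfig): void {
    const declared = config.options?.access;
    this.routes.push({
      method,
      path: config.path,
      access: declared ?? 'public',
      explicit: declared !== undefined,
    });
  }
}

// Review aid: routes that became public only through the default although
// their path says they were meant to stay internal.
function findAccidentallyPublic(routes: RegisteredRoute[]): string[] {
  return routes
    .filter((r) => r.access === 'public' && !r.explicit && r.path.indexOf('/internal/') === 0)
    .map((r) => r.method + ' ' + r.path);
}

// Constructed sample registrations; the first two paths appear on this page.
function buildSampleRouter(): DefaultPublicRouter {
  const router = new DefaultPublicRouter();
  router.register('GET', { path: '/api/fleet/agent-status' });
  router.register('POST', {
    path: '/internal/fleet/reset_preconfiguration',
    options: { access: 'internal' },
  });
  // Hypothetical route that forgot options.access: the default exposes it.
  router.register('GET', { path: '/internal/fleet/example_debug' });
  return router;
}
```

Running `findAccidentallyPublic` over the registered routes in a unit test turns a forgotten `options.access` into a failing build instead of an exposed endpoint.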