Skip to content

Added DisabledAuthz utility #216633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
elena-shostak merged 15 commits into from
Apr 8, 2025
Merged

Added DisabledAuthz utility #216633

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1371992
[Authz] Added DisabledAuthz utility class
elena-shostak Apr 1, 2025
ce9da1c
[CI] Auto-commit changed files from 'node scripts/yarn_deduplicate'
kibanamachine Apr 1, 2025
cd6a046
Fixes
elena-shostak Apr 1, 2025
27db633
[CI] Auto-commit changed files from 'node scripts/yarn_deduplicate'
kibanamachine Apr 1, 2025
f4580b5
Merge branch 'main' into 216632-disabled-authz-helper
elena-shostak Apr 1, 2025
5368de8
Fixes
elena-shostak Apr 1, 2025
6d1465f
Renaming
elena-shostak Apr 1, 2025
0275b57
Moved ownership of src/core/packages/security to @elastic/kibana-secu…
elena-shostak Apr 2, 2025
d120063
Merge branch 'main' into 216632-disabled-authz-helper
elena-shostak Apr 2, 2025
a432daf
[CI] Auto-commit changed files from 'node scripts/generate codeowners'
kibanamachine Apr 2, 2025
5a66df4
Merge branch 'main' into 216632-disabled-authz-helper
elena-shostak Apr 3, 2025
7b3c731
Merge branch 'main' into 216632-disabled-authz-helper
elena-shostak Apr 4, 2025
3c29b93
[CI] Auto-commit changed files from 'node scripts/eslint --no-cache -…
kibanamachine Apr 4, 2025
f5e3a80
Merge branch 'main' into 216632-disabled-authz-helper
elena-shostak Apr 7, 2025
29a4ff3
Update src/core/packages/security/server/src/authz.ts
elena-shostak Apr 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/core/packages/security/server/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,5 +50,5 @@ export type {
export type { KibanaPrivilegesType, ElasticsearchPrivilegesType } from './src/roles';
export { isCreateRestAPIKeyParams } from './src/authentication/api_keys';
export type { CoreFipsService } from './src/fips';
export { AuthzDisabled, AuthzOptOutReason, unwindNestedSecurityPrivileges } from './src/authz';
export { ApiPrivileges, ApiOperation } from './src/api_privileges';
export { unwindNestedSecurityPrivileges } from './src/authz';
23 changes: 23 additions & 0 deletions src/core/packages/security/server/src/authz.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,29 @@
* License v3.0 only", or the "Server Side Public License, v 1".
*/

export enum AuthzOptOutReason {
DelegateToESClient = 'Route delegates authorization to the scoped ES client',
DelegateToSOClient = 'Route delegates authorization to the scoped SO client',
ServeStaticFiles = 'Route serves static files that do not require authorization',
}

export class AuthzDisabled {
public static fromReason(reason: AuthzOptOutReason | string): { enabled: false; reason: string } {
return {
enabled: false,
reason,
};
}

static readonly delegateToESClient = AuthzDisabled.fromReason(
AuthzOptOutReason.DelegateToESClient
);
static readonly delegateToSOClient = AuthzDisabled.fromReason(
AuthzOptOutReason.DelegateToSOClient
);
static readonly serveStaticFiles = AuthzDisabled.fromReason(AuthzOptOutReason.ServeStaticFiles);
}

export const unwindNestedSecurityPrivileges = <
T extends Array<string | { allOf?: string[]; anyOf?: string[] }>
>(
Expand Down
6 changes: 2 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/delete.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';

import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
Expand All @@ -22,10 +23,7 @@ export function defineDeleteRolesRoutes({ router }: RouteDefinitionParams) {
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
Copy link
Copy Markdown
Contributor

@jeramysoucy jeramysoucy Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will we replace all other cases where routes delegate to the ES or SO client? Or will that be follow-up work for other teams?

Copy link
Copy Markdown
Contributor Author

@elena-shostak elena-shostak Apr 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will be a follow up work

},
})
.addVersion(
Expand Down
6 changes: 2 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/get.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';

import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
Expand All @@ -29,10 +30,7 @@ export function defineGetRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(
Expand Down
6 changes: 2 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/get_all.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';

import type { RouteDefinitionParams } from '../..';
import { API_VERSIONS } from '../../../../common/constants';
Expand All @@ -30,10 +31,7 @@ export function defineGetAllRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(
Expand Down
7 changes: 3 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/post.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@
* 2.0.
*/

import { AuthzDisabled } from '@kbn/core-security-server';

import { roleGrantsSubFeaturePrivileges } from './lib';
import {
getBulkCreateOrUpdatePayloadSchema,
Expand Down Expand Up @@ -49,10 +51,7 @@ export function defineBulkCreateOrUpdateRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(
Expand Down
6 changes: 2 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/put.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';

import { roleGrantsSubFeaturePrivileges } from './lib';
import { getPutPayloadSchema, transformPutPayloadToElasticsearchRole } from './model';
Expand All @@ -32,10 +33,7 @@ export function definePutRolesRoutes({
tags: ['oas-tag:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(
Expand Down
6 changes: 2 additions & 4 deletions x-pack/platform/plugins/shared/security/server/routes/authorization/roles/query.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
*/

import { schema } from '@kbn/config-schema';
import { AuthzDisabled } from '@kbn/core-security-server';
import type { QueryRolesResult } from '@kbn/security-plugin-types-common';

import type { RouteDefinitionParams } from '../..';
Expand Down Expand Up @@ -34,10 +35,7 @@ export function defineQueryRolesRoutes({
tags: ['oas-tags:roles'],
},
security: {
authz: {
enabled: false,
reason: `This route delegates authorization to Core's scoped ES cluster client`,
},
authz: AuthzDisabled.delegateToESClient,
},
})
.addVersion(
Expand Down