Skip to content

[9.0] [Authz] Added allOf and anyOf nested conditions (#215516) #217051

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 4, 2025
Merged

[9.0] [Authz] Added allOf and anyOf nested conditions (#215516) #217051

merged 4 commits into from
Apr 4, 2025

Conversation

@elena-shostak
Copy link
Contributor

@elena-shostak elena-shostak commented Apr 3, 2025

Backport

This will backport the following commits from main to 9.0:

Questions ?

Please refer to the Backport tool documentation

@elena-shostak
[Authz] Added allOf and anyOf nested conditions (elastic#215516)
2cf42c1 
## Summary

Currently, our `requiredPrivileges` structure supports `allRequired` and
`anyRequired` for defining authorization logic. However, there is [a
need to
support](elastic#205335 (comment))
more complex scenarios as `(privilege1 AND privilege2) OR (privilege3
AND privilege4)`

To achieve `anyRequired` has been extended to allow defining multiple
AND conditions evaluated with OR logic:
```ts
security: {
  authz: {
    requiredPrivileges: [{
       anyRequired: [
          { allOf: ['privilege1', 'privilege2'] },
          { allOf: ['privilege3', 'privilege4'] }
        ]
      }
    ]
  }
}
```

`allRequired` now also supports scenarios `(privilege1 OR privilege2)
AND (privilege3 OR privilege4)`
```ts
security: {
  authz: {
    requiredPrivileges: [{
       allRequired: [
          { anyOf: ['privilege1', 'privilege2'] },
          { anyOf: ['privilege3', 'privilege4'] }
        ]
      }
    ]
  }
}
```

> [!IMPORTANT]
> We expect to have unique privileges in `anyOf` or `allOf` conditions,
assuming that most complex conditions can be simplified by boolean
algebra laws (OR/AND distributive etc).

### Checklist

- [x]
[Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html)
was added for features that require explanation or tutorials
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section,
and the correct `release_note:*` label is applied per the
[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

__Closes: https://github.com/elastic/kibana/issues/210977__

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
(cherry picked from commit ed05808)

# Conflicts:
#	oas_docs/bundle.json
#	oas_docs/bundle.serverless.json
#	oas_docs/output/kibana.serverless.yaml
#	oas_docs/output/kibana.yaml
#	src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap
#	src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts
@elena-shostak elena-shostak added the backport This PR is a backport of another PR label Apr 3, 2025
@elena-shostak elena-shostak enabled auto-merge (squash) April 3, 2025 15:31
@elena-shostak elena-shostak mentioned this pull request Apr 3, 2025
Merged
3 tasks
kibanamachine and others added 3 commits April 3, 2025 15:47
@kibanamachine
[CI] Auto-commit changed files from 'node scripts/capture_oas_snapsho…
e4f4964 
…t --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --include-path /api/dashboards --update --no-serverless'
@kibanamachine
[CI] Auto-commit changed files from 'make api-docs'
f57e0d1
@elena-shostak
Test fixes
1fab34a
@elasticmachine
Copy link
Contributor

elasticmachine commented Apr 3, 2025

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/core-http-server 244 246 +2
@kbn/core-security-server 63 65 +2
total +4

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
@kbn/core 866 868 +2
Unknown metric groups

API count

id before after diff
@kbn/core-http-server 571 573 +2
@kbn/core-security-server 147 149 +2
total +4

History

@elena-shostak elena-shostak merged commit 2ff384b into elastic:9.0 Apr 4, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@azasypkin azasypkin azasypkin approved these changes

@kibanamachine kibanamachine Awaiting requested review from kibanamachine kibanamachine is a code owner

Assignees

No one assigned

Labels

backport This PR is a backport of another PR

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@elena-shostak @elasticmachine @azasypkin @kibanamachine