From e9042658fa7ed5f6a1c94e62f50d8b1da5dbf173 Mon Sep 17 00:00:00 2001
From: Matthew Kime
Date: Sun, 22 Dec 2024 23:40:57 -0600
Subject: [PATCH] add authz info to REST api endpoints
---
 .../upgrade_assistant/server/routes/app.ts | 6 +++++
 .../server/routes/cloud_backup_status.ts | 11 ++++++++-
 .../server/routes/cluster_settings.ts | 6 +++++
 .../server/routes/cluster_upgrade_status.ts | 11 ++++++++-
 .../server/routes/deprecation_logging.ts | 24 +++++++++++++++++++
 .../server/routes/es_deprecations.ts | 6 +++++
 .../server/routes/ml_snapshots.ts | 12 ++++++++++
 .../server/routes/node_disk_space.ts | 6 +++++
 .../reindex_indices/batch_reindex_indices.ts | 12 ++++++++++
 .../routes/reindex_indices/reindex_indices.ts | 6 +++++
 .../server/routes/remote_clusters.ts | 6 +++++
 .../upgrade_assistant/server/routes/status.ts | 6 +++++
 .../server/routes/system_indices_migration.ts | 11 ++++++++-
 .../server/routes/update_index_settings.ts | 6 +++++
 14 files changed, 126 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/app.ts b/x-pack/plugins/upgrade_assistant/server/routes/app.ts
index 01f47bcc87f87..e6e5bffcf2629 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/app.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/app.ts
@@ -43,6 +43,12 @@ export function registerAppRoutes({
 router.get(
 {
 path: `${API_BASE_PATH}/privileges`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/cloud_backup_status.ts b/x-pack/plugins/upgrade_assistant/server/routes/cloud_backup_status.ts
index 17b80f6a685b3..0ae3b03eb7618 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/cloud_backup_status.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/cloud_backup_status.ts
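Review bot: The reason 'Relies on es client for authorization' on `/privileges` is only true if the handler reaches Elasticsearch through the request-scoped `asCurrentUser` client; a call through `asInternalUser` would run with Kibana's own credentials and, with route authz disabled, nothing would check the caller. The handler body is outside this hunk, so that cannot be confirmed here, and the same reason string is used on most of the other routes in this patch. I would add a comment next to the block, e.g. `// authz is delegated to Elasticsearch: this handler must only use the asCurrentUser client`, so a later refactor does not silently remove the only check.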
@@ -15,7 +15,16 @@ export function registerCloudBackupStatusRoutes({
 }: RouteDependencies) {
 // GET most recent Cloud snapshot
 router.get(
- { path: `${API_BASE_PATH}/cloud_backup_status`, validate: false },
+ {
+ path: `${API_BASE_PATH}/cloud_backup_status`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
+ validate: false,
+ },
 versionCheckHandlerWrapper(async (context, request, response) => {
 const { client: clusterClient } = (await context.core).elasticsearch;
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/cluster_settings.ts b/x-pack/plugins/upgrade_assistant/server/routes/cluster_settings.ts
index d85123ab3e7d6..c264df3eceaf5 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/cluster_settings.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/cluster_settings.ts
@@ -17,6 +17,12 @@ export function registerClusterSettingsRoute({
 router.post(
 {
 path: `${API_BASE_PATH}/cluster_settings`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: {
 body: schema.object({
 settings: schema.arrayOf(schema.string()),
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/cluster_upgrade_status.ts b/x-pack/plugins/upgrade_assistant/server/routes/cluster_upgrade_status.ts
index 4ae1205d2daef..3f930ca0a67d0 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/cluster_upgrade_status.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/cluster_upgrade_status.ts
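Review bot: `POST /cluster_settings` looks like a write route (POST with a `settings` body), and with `authz.enabled: false` every authenticated Kibana user reaches the handler, so an Elasticsearch 403 is the only thing standing between an under-privileged user and the change. The diffstat lists only route files, so the patch adds no test for that path; an API integration test that calls the route as a user lacking the needed cluster privilege and expects a 403 would pin the claim made in `reason`. The same applies to the other mutating routes touched here: `PUT /deprecation_logging`, `DELETE /deprecation_logging/cache`, `POST /ml_snapshots`, the two reindex POST routes and `POST /{indexName}/index_settings`. The handler body is outside the hunk.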
@@ -11,7 +11,16 @@ import { RouteDependencies } from '../types';
 export function registerClusterUpgradeStatusRoutes({ router }: RouteDependencies) {
 router.get(
- { path: `${API_BASE_PATH}/cluster_upgrade_status`, validate: false },
+ {
+ path: `${API_BASE_PATH}/cluster_upgrade_status`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Lightweight endpoint',
+ },
+ },
+ validate: false,
+ },
 // We're just depending on the version check to return a 426.
 // Otherwise we just return a 200.
 versionCheckHandlerWrapper(async (context, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/deprecation_logging.ts b/x-pack/plugins/upgrade_assistant/server/routes/deprecation_logging.ts
index 6770869233ab8..65771c0b85815 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/deprecation_logging.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/deprecation_logging.ts
@@ -28,6 +28,12 @@ export function registerDeprecationLoggingRoutes({
 router.get(
 {
 path: `${API_BASE_PATH}/deprecation_logging`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
@@ -46,6 +52,12 @@ export function registerDeprecationLoggingRoutes({
 router.put(
 {
 path: `${API_BASE_PATH}/deprecation_logging`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: {
 body: schema.object({
 isEnabled: schema.boolean(),
@@ -70,6 +82,12 @@ export function registerDeprecationLoggingRoutes({
 router.get(
 {
 path: `${API_BASE_PATH}/deprecation_logging/count`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: {
 query: schema.object({
 from: schema.string(),
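Review bot: `reason: 'Lightweight endpoint'` on `/cluster_upgrade_status` describes cost, not access control, so it gives an auditor nothing to verify. From the context comment the handler seems to return 200 unless the version check answers 426; if that is all it does, the reason should say so, e.g. `reason: 'Returns no cluster data; only reports the result of the version check'`. The handler body continues past the hunk, so confirm it reads nothing on behalf of the caller before adopting that wording.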
@@ -124,6 +142,12 @@ export function registerDeprecationLoggingRoutes({
 router.delete(
 {
 path: `${API_BASE_PATH}/deprecation_logging/cache`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/es_deprecations.ts b/x-pack/plugins/upgrade_assistant/server/routes/es_deprecations.ts
index 93c95d1437426..3b3d2387c196a 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/es_deprecations.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/es_deprecations.ts
@@ -22,6 +22,12 @@ export function registerESDeprecationRoutes({
 router.get(
 {
 path: `${API_BASE_PATH}/es_deprecations`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es and saved object clients for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/ml_snapshots.ts b/x-pack/plugins/upgrade_assistant/server/routes/ml_snapshots.ts
index 0ad6543de5251..feb52c2ddd9e7 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/ml_snapshots.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/ml_snapshots.ts
@@ -145,6 +145,12 @@ export function registerMlSnapshotRoutes({
 router.post(
 {
 path: `${API_BASE_PATH}/ml_snapshots`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: {
 body: schema.object({
 snapshotId: schema.string(),
@@ -195,6 +201,12 @@ export function registerMlSnapshotRoutes({
 router.get(
 {
 path: `${API_BASE_PATH}/ml_snapshots/{jobId}/{snapshotId}`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es and saved object clients for authorization',
+ },
+ },
 validate: {
 params: schema.object({
 snapshotId: schema.string(),
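Review bot: The reason on `/es_deprecations` also names the saved object client, and that part holds only for the client scoped to the request; a repository created for internal use would skip the per-user check. Nothing in the hunk shows how the saved objects client is obtained (the handler body is outside it), so a comment such as `// saved objects access must go through the request-scoped client` would record the assumption. The `GET /ml_snapshots/{jobId}/{snapshotId}` hunk and the `POST {BASE_PATH}/{indexName}` hunk in reindex_indices.ts use the same reason.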
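Review bot: The two ml_snapshots routes give different reasons: the POST says 'Relies on es client for authorization' while the GET on the same resource says 'Relies on es and saved object clients for authorization'. If the POST handler also reads or writes a saved object (its body is outside the hunk), its reason should match the GET one, `reason: 'Relies on es and saved object clients for authorization',`. If it does not, the difference is correct but deserves a one-line comment saying why, since the reason string is what a later audit will read.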
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/node_disk_space.ts b/x-pack/plugins/upgrade_assistant/server/routes/node_disk_space.ts
index 5f275be8b5d73..77d8de08eb86c 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/node_disk_space.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/node_disk_space.ts
@@ -47,6 +47,12 @@ export function registerNodeDiskSpaceRoute({ router, lib: { handleEsError } }: R
 router.get(
 {
 path: `${API_BASE_PATH}/node_disk_space`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts b/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
index d2eb315aa4a66..31857ed979c07 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts
@@ -36,6 +36,12 @@ export function registerBatchReindexIndicesRoutes(
 router.get(
 {
 path: `${BASE_PATH}/batch/queue`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 options: {
 access: 'public',
 summary: `Get the batch reindex queue`,
@@ -75,6 +81,12 @@ export function registerBatchReindexIndicesRoutes(
 router.post(
 {
 path: `${BASE_PATH}/batch`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 options: {
 access: 'public',
 summary: `Batch start or resume reindex`,
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts b/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
index 11d34d48820e2..67b3792ea044b 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
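Review bot: Both batch reindex routes carry `access: 'public'` in the context lines, so the authz opt-out applies to routes that are part of the documented HTTP API and will be called by scripts as well as by the UI. For these I would make the reason specific enough to audit instead of reusing the generic string, e.g. `reason: 'Elasticsearch authorizes the reindex calls made with the current user credentials'`, provided that is what the handlers do; their bodies are outside the hunks. `GET {API_BASE_PATH}/status` and `POST {BASE_PATH}/{indexName}` are marked public as well.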
+++ b/x-pack/plugins/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts
@@ -34,6 +34,12 @@ export function registerReindexIndicesRoutes(
 router.post(
 {
 path: `${BASE_PATH}/{indexName}`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es and saved object clients for authorization',
+ },
+ },
 options: {
 access: 'public',
 summary: `Start or resume reindex`,
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/remote_clusters.ts b/x-pack/plugins/upgrade_assistant/server/routes/remote_clusters.ts
index 6598051e3c7f6..7b8ad1f046085 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/remote_clusters.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/remote_clusters.ts
@@ -13,6 +13,12 @@ export function registerRemoteClustersRoute({ router, lib: { handleEsError } }:
 router.get(
 {
 path: `${API_BASE_PATH}/remote_clusters`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: false,
 },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/status.ts b/x-pack/plugins/upgrade_assistant/server/routes/status.ts
index de621da5a23b1..19f3a5c07a944 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/status.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/status.ts
@@ -24,6 +24,12 @@ export function registerUpgradeStatusRoute({
 router.get(
 {
 path: `${API_BASE_PATH}/status`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 options: {
 access: 'public',
 summary: `Get upgrade readiness status`,
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/system_indices_migration.ts b/x-pack/plugins/upgrade_assistant/server/routes/system_indices_migration.ts
index aae7df2f43f15..152703ef6c365 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/system_indices_migration.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/system_indices_migration.ts
@@ -19,7 +19,16 @@ export function registerSystemIndicesMigrationRoutes({
 }: RouteDependencies) {
 // GET status of the system indices migration
 router.get(
- { path: `${API_BASE_PATH}/system_indices_migration`, validate: false },
+ {
+ path: `${API_BASE_PATH}/system_indices_migration`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
+ validate: false,
+ },
 versionCheckHandlerWrapper(async ({ core }, request, response) => {
 try {
 const {
diff --git a/x-pack/plugins/upgrade_assistant/server/routes/update_index_settings.ts b/x-pack/plugins/upgrade_assistant/server/routes/update_index_settings.ts
index 382ac77721616..f037381a9f52a 100644
--- a/x-pack/plugins/upgrade_assistant/server/routes/update_index_settings.ts
+++ b/x-pack/plugins/upgrade_assistant/server/routes/update_index_settings.ts
@@ -14,6 +14,12 @@ export function registerUpdateSettingsRoute({ router }: RouteDependencies) {
 router.post(
 {
 path: `${API_BASE_PATH}/{indexName}/index_settings`,
+ security: {
+ authz: {
+ enabled: false,
+ reason: 'Relies on es client for authorization',
+ },
+ },
 validate: {
 params: schema.object({
 indexName: schema.string(),
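Review bot: In system_indices_migration.ts the one-line route config `{ path: ..., validate: false }` grew to ten lines only to carry a block that is repeated verbatim across this patch; cloud_backup_status.ts and cluster_upgrade_status.ts were expanded the same way. A shared constant would keep these registrations short and give the security justification a single place to be reviewed and edited, for example `export const ES_CLIENT_AUTHZ_OPT_OUT = { authz: { enabled: false, reason: 'Relies on es client for authorization' } } as const;` used as `security: ES_CLIENT_AUTHZ_OPT_OUT,` (the constant name is only a suggestion). Routes with a different reason would keep their own literal, which also makes the exceptions stand out.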