[http] Add config option to restrict internal API access #152293
Labels
Epic:VersionedAPIs
Kibana Versioned APIs
Feature:http
Team:Core
Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
This issue is to handle the work needed for steps 6 and 7 in [http] Prevent access to internal-only APIs when running in serverless:
Allowing internal API access to be configurable
Given we only want to restrict access to internal APIs for our serverless env (at least for now), given it would/could be considered a breaking change for other envs, we need a new configuration option to toggle access to APIs defined as `internal`.

A new `http.restrictInternalApis` (final name TBD) will be introduced. By default, access to internal APIs will be allowed to avoid this being a breaking change. On serverless, we will set this new option to the proper value to properly restrict access to our internal APIs.

Open questions:
Part of this work also involves making sure intra-stack components are appropriately configured to send the required header when needed.
(Not directly related to the implementation, but we will need to make sure that all internal actors are properly communicating with Kibana)
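
A sketch of the toggle this issue describes, added here as an example and not taken from Kibana's code. Only `http.restrictInternalApis` comes from the issue (final name TBD); the header name, route table, function names and the 400 status are assumptions made for illustration.

```typescript
// Added sketch, not Kibana code. Only `http.restrictInternalApis` comes from
// the issue (final name TBD); every other name here is hypothetical.
type RouteAccess = 'internal' | 'public';
interface HttpConfig { restrictInternalApis: boolean }
interface Req { path: string; headers: Record<string, string | undefined> }
interface Decision { status: number; reason: string }

// Placeholder: the issue only says "the required header".
const INTERNAL_HEADER = 'x-example-internal-request';
// Default keeps internal APIs reachable, so existing deployments do not break.
const DEFAULT_CONFIG: HttpConfig = { restrictInternalApis: false };
// Constructed route table for the demo.
const ROUTES: Record<string, RouteAccess | undefined> = {
  '/api/example/status': 'public',
  '/internal/example/state': 'internal',
};

function hasInternalHeader(req: Req): boolean {
  // HTTP header names are case-insensitive, so normalize before comparing.
  return Object.keys(req.headers).some(
    (name) => name.toLowerCase() === INTERNAL_HEADER && req.headers[name] !== undefined
  );
}

function decide(config: HttpConfig, req: Req): Decision {
  const access = ROUTES[req.path];
  if (access === undefined) return { status: 404, reason: 'unknown route' };
  if (access === 'public') return { status: 200, reason: 'public route' };
  if (!config.restrictInternalApis) return { status: 200, reason: 'restriction disabled' };
  // Any client can set a header: this gate complements authentication and
  // authorization, it does not replace them. The 400 status is assumed here.
  return hasInternalHeader(req)
    ? { status: 200, reason: 'internal caller declared itself' }
    : { status: 400, reason: 'internal route requires ' + INTERNAL_HEADER };
}

// Constructed requests: the same internal route with and without the header.
const restricted: HttpConfig = { restrictInternalApis: true };
const bare: Req = { path: '/internal/example/state', headers: {} };
const stack: Req = {
  path: '/internal/example/state',
  headers: { 'X-Example-Internal-Request': 'true' },
};
console.log(decide(DEFAULT_CONFIG, bare), decide(restricted, bare), decide(restricted, stack));
```

The second decision is the case the open question is about: an intra-stack component that has not been updated to send the header is rejected as soon as the option is enabled.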