Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Breaking] Restrict internal APIs by default in 9.0 #163654

Closed
lukeelmers opened this issue Aug 10, 2023 · 4 comments · Fixed by #193792
Closed

[Breaking] Restrict internal APIs by default in 9.0 #163654

lukeelmers opened this issue Aug 10, 2023 · 4 comments · Fixed by #193792
Assignees
@TinaHeiligers
Labels
Breaking Change Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc v9.0.0

Comments

@lukeelmers
Copy link
Member

lukeelmers commented Aug 10, 2023
edited by TinaHeiligers
Loading

For our serverless offering we introduced a mechanism to prevent access to internal-only APIs by setting server.restrictInternalApis: true.

We cannot enable this in on-prem / ESS Kibana in 8.x as it would be a breaking change, however we should remove this configuration in 9.0 so we can enforce internal API restrictions in all environments.

We also need to add a KB to communicate the change with Support.
Opening this issue as a reminder for whenever 9.0 rolls around.
@lukeelmers lukeelmers added Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc v9.0.0 Breaking Change labels Aug 10, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

@TinaHeiligers
Copy link
Contributor

whenever 9.0 rolls around.

it might happen sooner than we thought!

@TinaHeiligers
Copy link
Contributor

Part of #179467

@TinaHeiligers TinaHeiligers mentioned this issue Jun 23, 2024
Closed
20 tasks
@legrego legrego mentioned this issue Aug 2, 2024
Closed
45 tasks
This was referenced Aug 27, 2024
Closed
Closed
@TinaHeiligers TinaHeiligers mentioned this issue Sep 4, 2024
Closed
@TinaHeiligers
Copy link
Contributor

For PR review: Add how to enable the restriction for testing.

@TinaHeiligers TinaHeiligers mentioned this issue Sep 9, 2024
Merged
1 task
TinaHeiligers added a commit that referenced this issue Sep 12, 2024
@TinaHeiligers @elasticmachine
[http] api_integration tests handle internal route restriction (#192407)
3a68f8b 
fix #192052
## Summary

Internal APIs will be
[restricted](#163654) from
public access as of 9.0.0. In non-serverless environments, this breaking
change will result in a 400 error if an external request is made to an
internal Kibana API (route `access` option as `"internal"` or
`"public"`).
This PR allows API owners of non-xpack plugins to run their `ftr` API
integration tests against the restriction and adds examples of how to
handle it.

### Checklist
- [x] [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
were updated or added to match the most common scenarios


Note to reviewers: The header needed to allow access to internal apis
shouldn't change your test output, with or without the restriction
enabled.

### How to test the changes work:
#### Non x-pack:
1. Set `server.restrictInternalApis: true` in `test/common/config.js`
2. Ensure your tests pass

#### x-pack:
1. Set `server.restrictInternalApis: true` in
`x-pack/test/api_integration/apis/security/config.ts`
2. Ensure the spaces tests pass

---------

Co-authored-by: Elastic Machine <[email protected]>
@TinaHeiligers TinaHeiligers mentioned this issue Sep 23, 2024
Merged
4 tasks
@TinaHeiligers TinaHeiligers self-assigned this Sep 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TinaHeiligers TinaHeiligers

Labels
Breaking Change Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Globally enforce internal API restriction TinaHeiligers/kibana
3 participants
@lukeelmers @TinaHeiligers @elasticmachine