Audit security APIs for public/internal access #189833
Labels: blocker, chore, Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!), v9.0.0

legrego added the blocker, chore, Team:Security and v9.0.0 labels on Aug 2, 2024
See "Security HTTP APIs - Access Audit" Google spreadsheet

jeramysoucy added a commit that referenced this issue on Oct 16, 2024:

Related issue: #189833

## Summary

This PR explicitly sets the access level for platform security HTTP API endpoints. This is to address restriction of internal endpoints in v9. For details, see #189833.

Additionally, this PR sets the `excludeFromOAS` option where applicable, in order to refrain from generating documentation for endpoints which are public but should either remain undocumented, or should be documented as part of a specific topic (e.g. external authentication flow).

Note: the invalidate sessions API has been changed to internal in serverless.

Endpoints excluded from OAS:
- GET /api/security/logout
- GET /api/security/v1/logout
- /api/security/oidc/implicit
- /api/security/v1/oidc/implicit
- /internal/security/oidc/implicit.js
- GET /api/security/oidc/callback
- GET /api/security/v1/oidc
- POST /api/security/oidc/initiate_login
- POST /api/security/v1/oidc
- GET /api/security/oidc/initiate_login
- POST /api/security/saml/callback
- /internal/security/reset_session_page.js
- /security/access_agreement
- /security/account
- /internal/security/capture-url
- /security/logged_out
- /login
- /logout
- /security/overwritten_session
- /spaces/space_selector
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue on Oct 16, 2024 (cherry picked from commit 8d77cd4), carrying the same commit message as above.
kibanamachine added a commit that referenced this issue on Oct 16, 2024:

…95099) (#196547)

# Backport

This will backport the following commits from `main` to `8.x`:
- [Sets explicit access for public platform security endpoints (#195099)](#195099)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Jeramy Soucy <[email protected]>
This is a subset of #186781, focused on the APIs owned by @elastic/kibana-security.
Access to internal APIs is restricted in Serverless. With v9, we have an opportunity to make the breaking change in ESS and on-prem and restrict internal APIs by default.

What this means to users & stack components:
- Access to internal APIs is blocked by default. Access to public APIs remains.
- Call to Action: internal Kibana APIs must migrate to public counterparts.

What this means to Kibana and solution devs:
- Routes intended to be public need the `access` route configuration option explicitly set to "public".
- Confirm correct access: Historically, Kibana only used a naming convention to distinguish between internal (/internal) and public (/api) routes. This distinction no longer applies. Teams should confirm that their APIs have the intended access configuration, especially in cases where:
  - `path: "/api/foo..."` and `access: internal`
  - `path: "/internal/bar..."` and `access: public`
Logging config:

Public routes prefixed with `/internal/`: @elastic/kibana-security

Internal routes prefixed by `/api/`:
- `access [internal] [GET] for path [/api/spaces/space/{id}]` (marked as public in "Set spaces and roles CRUD APIs to public" #193534)
- `access [internal] [GET] for path [/api/spaces/space]` (marked as public in "Set spaces and roles CRUD APIs to public" #193534)
- `access [internal] [PUT] for path [/api/spaces/space/{id}]` (marked as public in "Set spaces and roles CRUD APIs to public" #193534)
- `access [internal] [DELETE] for path [/api/spaces/space/{id}]` (marked as public in "Set spaces and roles CRUD APIs to public" #193534)
- `access [internal] [POST] for path [/api/spaces/space]` (marked as public in "Set spaces and roles CRUD APIs to public" #193534)
- `access [internal] [POST] for path [/api/spaces/_copy_saved_objects]` (marked as public for stateful and internal for serverless in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [POST] for path [/api/spaces/_resolve_copy_saved_objects_errors]` (marked as public for stateful and internal for serverless in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [POST] for path [/api/spaces/_update_objects_spaces]` (marked as public for stateful and internal for serverless in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [POST] for path [/api/spaces/_get_shareable_references]` (marked as public for stateful and internal for serverless in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [POST] for path [/api/spaces/_disable_legacy_url_aliases]` (marked as public for stateful and internal for serverless in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [GET] for path [/api/security/v1/me]` (marked as public in "Sets explicit access for public platform security endpoints" #195099, not registered in serverless)
- `access [internal] [GET] for path [/api/security/privileges]` (marked as public in "Sets explicit access for public platform security endpoints" #195099)
- `access [internal] [GET] for path [/api/security/role/{name}]` (marked as public in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [GET] for path [/api/security/role]` (marked as public in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [DELETE] for path [/api/security/role/{name}]` (marked as public in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [PUT] for path [/api/security/role/{name}]` (marked as public in "[HTTP] Set explicit access for public HTTP APIs" #192554)
- `access [internal] [POST] for path [/api/security/session/_invalidate]` (marked as public in "[HTTP] Set explicit access for public HTTP APIs" #192554, marked as internal for serverless in "Sets explicit access for public platform security endpoints" #195099)
- `access [internal] [POST] for path [/api/encrypted_saved_objects/_rotate_key]` (marked as public in "Sets explicit access for public platform security endpoints" #195099, marked as internal for serverless in "Expose the encrypted saved objects key rotation API as internal in serverless" #189238)

Routes that should be excluded from OAS:
- GET /api/security/oidc/callback (set as public in "Sets explicit access for public platform security endpoints" #195099)
- GET /api/security/v1/oidc (set as public in "Sets explicit access for public platform security endpoints" #195099)
- POST /api/security/oidc/initiate_login (set as public in "Sets explicit access for public platform security endpoints" #195099)
- POST /api/security/v1/oidc (set as public in "Sets explicit access for public platform security endpoints" #195099)
- GET /api/security/oidc/initiate_login (set as public in "Sets explicit access for public platform security endpoints" #195099)
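An added audit helper, not Kibana's own code, that applies the check this issue asks teams to perform to log lines in the `access [level] [METHOD] for path [...]` format quoted above: it parses each entry and flags routes whose configured access level disagrees with the historical `/api/` (public) versus `/internal/` (internal) naming convention. The sample lines are constructed from entries quoted in this issue plus a made-up `/internal/example/status` route.

```typescript
// Added example, not Kibana's own code: audit "access [...] [...] for path [...]" log
// lines for disagreement between access level and the /api/ vs /internal/ convention.
type AccessLevel = 'public' | 'internal';

interface RouteAccessEntry {
  access: AccessLevel;
  method: string;
  path: string;
}
interface AccessMismatch extends RouteAccessEntry {
  reason: string;
}

// Matches e.g. "access [internal] [GET] for path [/api/spaces/space/{id}]";
// unanchored, so trailing annotations on a quoted line are tolerated.
const ACCESS_LINE_RE = /access \[(public|internal)\] \[([A-Z]+)\] for path \[([^\]]+)\]/;

function parseAccessLogLine(line: string): RouteAccessEntry | null {
  const m = ACCESS_LINE_RE.exec(line);
  if (!m) return null;
  return { access: m[1] as AccessLevel, method: m[2], path: m[3] };
}

// Flags the two cases the issue asks teams to confirm: an /api/ route that is
// internal (blocked by default in v9 although its path looks public) and an
// /internal/ route that is public (stays reachable and gets documented).
function findAccessMismatches(lines: string[]): AccessMismatch[] {
  const findings: AccessMismatch[] = [];
  for (const line of lines) {
    const entry = parseAccessLogLine(line);
    if (entry === null) continue;
    if (entry.path.startsWith('/api/') && entry.access === 'internal') {
      findings.push({ ...entry, reason: 'internal access on an /api/ path' });
    } else if (entry.path.startsWith('/internal/') && entry.access === 'public') {
      findings.push({ ...entry, reason: 'public access on an /internal/ path' });
    }
  }
  return findings;
}

// Constructed sample: two lines quoted in this issue, one consistent route, a
// made-up /internal/example/status route, and an unrelated line that is skipped.
const SAMPLE_LOG_LINES: string[] = [
  'access [internal] [GET] for path [/api/spaces/space/{id}]',
  '"access [internal] [POST] for path [/api/security/session/_invalidate]", (marked as public)',
  'access [public] [GET] for path [/api/security/privileges]',
  'access [public] [GET] for path [/internal/example/status]',
  '[info][plugins][security] unrelated line',
];
```

Running `findAccessMismatches(SAMPLE_LOG_LINES)` returns three findings: the two `/api/` routes still marked internal and the public route under `/internal/`; the consistent route and the unrelated line are ignored.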