Set spaces CRUD endpoints to public in serverless #192153
Assignees
Labels
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
jeramysoucy
added
the
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
This was referenced Sep 11, 2024
jeramysoucy
added a commit
that referenced
this issue
Oct 3, 2024
Closes #192153 ## Summary This PR sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints. Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces. ### Note - Currently, roles APIs are only available in serverless via a feature flag (`xpack.security.roleManagementEnabled`) - Spaces APIs are already registered in serverless, however, the maximum number of spaces is by default 1, rendering create and delete operations unusable. By overriding `xpack.spaces.maxSpaces` to a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless. ## Tests - x-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts - x-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts - Unit tests for each endpoint (to account for versioned router) - Flaky Test Runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002 ## Manual Testing 1. Start ES & Kibana in serverless mode with config options to enable role management and multiple spaces Elasticsearch: ``` xpack.security.authc.native_roles.enabled: true ``` KIbana: ``` xpack.security.roleManagementEnabled: true xpack.spaces.maxSpaces: 100 ``` 3. Issue each CRUD HTTP API without including the internal origin header ('x-elastic-internal-origin') and verify you do not receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" 4. Repeat steps 1 & 2 from the current head of main and verify that you DO receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly - Spaces management - Space navigation - Roles management --------- Co-authored-by: kibanamachine <[email protected]>
tiansivive
pushed a commit
to tiansivive/kibana
that referenced
this issue
Oct 7, 2024
Closes elastic#192153 ## Summary This PR sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints. Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces. ### Note - Currently, roles APIs are only available in serverless via a feature flag (`xpack.security.roleManagementEnabled`) - Spaces APIs are already registered in serverless, however, the maximum number of spaces is by default 1, rendering create and delete operations unusable. By overriding `xpack.spaces.maxSpaces` to a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless. ## Tests - x-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts - x-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts - Unit tests for each endpoint (to account for versioned router) - Flaky Test Runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002 ## Manual Testing 1. Start ES & Kibana in serverless mode with config options to enable role management and multiple spaces Elasticsearch: ``` xpack.security.authc.native_roles.enabled: true ``` KIbana: ``` xpack.security.roleManagementEnabled: true xpack.spaces.maxSpaces: 100 ``` 3. Issue each CRUD HTTP API without including the internal origin header ('x-elastic-internal-origin') and verify you do not receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" 4. Repeat steps 1 & 2 from the current head of main and verify that you DO receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly - Spaces management - Space navigation - Roles management --------- Co-authored-by: kibanamachine <[email protected]>
20 tasks
jeramysoucy
added a commit
to jeramysoucy/kibana
that referenced
this issue
Oct 15, 2024
Closes elastic#192153 ## Summary This PR sets the spaces and roles CRUD operation HTTP API endpoints to public in both stateful and serverless offerings, and additionally, switches to the versioned router to register these endpoints. Prior to this PR, the access level was not explicitly set, thus any endpoints registered in serverless were by default internal. CRUD operations for spaces and roles are being set to public to support the rollout of custom roles in serverless, which coincides with enabling multiple spaces. ### Note - Currently, roles APIs are only available in serverless via a feature flag (`xpack.security.roleManagementEnabled`) - Spaces APIs are already registered in serverless, however, the maximum number of spaces is by default 1, rendering create and delete operations unusable. By overriding `xpack.spaces.maxSpaces` to a number greater than 1 (stateful default is 1000), it will effectively enable use of the spaces CRUD operations in serverless. ## Tests - x-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts - x-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts - x-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts - Unit tests for each endpoint (to account for versioned router) - Flaky Test Runner: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002 ## Manual Testing 1. Start ES & Kibana in serverless mode with config options to enable role management and multiple spaces Elasticsearch: ``` xpack.security.authc.native_roles.enabled: true ``` KIbana: ``` xpack.security.roleManagementEnabled: true xpack.spaces.maxSpaces: 100 ``` 3. Issue each CRUD HTTP API without including the internal origin header ('x-elastic-internal-origin') and verify you do not receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" 4. Repeat steps 1 & 2 from the current head of main and verify that you DO receive a 400 with the message "method [get|post|put|delete] exists but is not available with the current configuration" Regression testing - ensure that interfaces which leverage spaces and roles APIs are functioning properly - Spaces management - Space navigation - Roles management --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 26f2928) # Conflicts: # oas_docs/output/kibana.serverless.yaml # oas_docs/output/kibana.yaml
jeramysoucy
added a commit
that referenced
this issue
Oct 16, 2024
# Backport This will backport the following commits from `main` to `8.x`: - [Set spaces and roles CRUD APIs to public (#193534)](#193534) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jeramy Soucy","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-03T14:28:54Z","message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Security","Feature:Security/Spaces","release_note:skip","Feature:Security/Authorization","v9.0.0","backport:prev-minor","Project:Serverless"],"number":193534,"url":"https://github.com/elastic/kibana/pull/193534","mergeCommit":{"message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193534","number":193534,"mergeCommit":{"message":"Set spaces and roles CRUD APIs to public (#193534)\n\nCloses #192153\r\n\r\n## Summary\r\n\r\nThis PR sets the spaces and roles CRUD operation HTTP API endpoints to\r\npublic in both stateful and serverless offerings, and additionally,\r\nswitches to the versioned router to register these endpoints.\r\n\r\nPrior to this PR, the access level was not explicitly set, thus any\r\nendpoints registered in serverless were by default internal. CRUD\r\noperations for spaces and roles are being set to public to support the\r\nrollout of custom roles in serverless, which coincides with enabling\r\nmultiple spaces.\r\n\r\n### Note\r\n- Currently, roles APIs are only available in serverless via a feature\r\nflag (`xpack.security.roleManagementEnabled`)\r\n- Spaces APIs are already registered in serverless, however, the maximum\r\nnumber of spaces is by default 1, rendering create and delete operations\r\nunusable. By overriding `xpack.spaces.maxSpaces` to a number greater\r\nthan 1 (stateful default is 1000), it will effectively enable use of the\r\nspaces CRUD operations in serverless.\r\n\r\n## Tests\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/multiple_spaces_enabled.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/management/spaces.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/authorization.ts\r\n-\r\nx-pack/test_serverless/api_integration/test_suites/common/platform_security/roles_routes_feature_flag.ts\r\n- Unit tests for each endpoint (to account for versioned router)\r\n- Flaky Test Runner:\r\nhttps://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/7002\r\n\r\n## Manual Testing\r\n1. Start ES & Kibana in serverless mode with config options to enable\r\nrole management and multiple spaces\r\n\r\nElasticsearch:\r\n```\r\nxpack.security.authc.native_roles.enabled: true\r\n```\r\n KIbana:\r\n```\r\n xpack.security.roleManagementEnabled: true\r\n xpack.spaces.maxSpaces: 100\r\n```\r\n3. Issue each CRUD HTTP API without including the internal origin header\r\n('x-elastic-internal-origin') and verify you do not receive a 400 with\r\nthe message \"method [get|post|put|delete] exists but is not available\r\nwith the current configuration\"\r\n4. Repeat steps 1 & 2 from the current head of main and verify that you\r\nDO receive a 400 with the message \"method [get|post|put|delete] exists\r\nbut is not available with the current configuration\"\r\n\r\nRegression testing - ensure that interfaces which leverage spaces and\r\nroles APIs are functioning properly\r\n- Spaces management\r\n- Space navigation\r\n- Roles management\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"26f2928b0887c9fda4403c0ce3fcc332b7c0e69a"}}]}] BACKPORT--> --------- Co-authored-by: kibanamachine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Custom spaces (enabled by multiple spaces in configuration) will be available in serverless, thus the CRUD spaces APIs should be made public in serverless as they are in stateful offerings.
All non-CRUD endpoints should remain internal for now.
The text was updated successfully, but these errors were encountered: