
Prepare the Security domain HTTP APIs for Serverless #162087

Merged

Conversation

jeramysoucy
Contributor

@jeramysoucy jeramysoucy commented Jul 17, 2023

Closes #161337

Summary

Uses build flavor (see #161930) to disable specific Kibana security, spaces, and encrypted saved objects HTTP API routes in serverless (see details in #161337). HTTP APIs that will be public in serverless have been handled in #162523.

IMPORTANT: This PR leaves login, user, and role routes enabled. The primary reason for this is that several testing mechanisms rely on basic authentication and custom roles (UI, Cypress). These tests will be modified to use SAML authentication and serverless roles in the immediate future. Once this occurs, we will disable these routes.

Testing

This PR also implements testing API access in serverless.

  • The testing strategy for disabled routes in serverless is to verify a 404 not found response.
  • The testing strategy for internal access routes in serverless is to verify that without the internal request header (x-elastic-internal-origin), a 400 bad request response is received, then verify that with the internal request header, a 200 ok response is received.
  • The strategy for public routes in serverless is to verify a 200 ok or 203 redirect is received.

blocked by #161930
blocked by #162149 for test implementation
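The three outcomes in the testing strategy above (404 for disabled routes, 400 then 200 for internal routes depending on the `x-elastic-internal-origin` header, 200 for public routes) come from deciding route availability at registration time based on the build flavor. The block below is an added example, not Kibana's own code: `MiniRouter`, `RouteSpec`, the placeholder paths under `/api/example` and `/internal/example`, and the `buildRouter`/`verifyServerlessMatrix` helpers are all constructed here. It also assumes, as a simplification, that the internal-origin header is only enforced in the serverless flavor, which is the behaviour the PR's test strategy describes. It goes slightly beyond the description by also building the traditional-flavor router so the two outcomes can be compared side by side.

```typescript
// Added example, not Kibana's own code: a minimal model of build-flavor-gated route
// registration and the three serverless access outcomes listed in the PR description.
type BuildFlavor = 'serverless' | 'traditional';
type ServerlessAccess = 'disabled' | 'internal' | 'public';
type HttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE';

interface RouteSpec {
  method: HttpMethod;
  path: string;
  serverlessAccess: ServerlessAccess; // how the route should behave in serverless
}
interface RouteRequest { method: string; path: string; headers: Record<string, string>; }
interface RouteResponse { status: number; body: string; }

const INTERNAL_ORIGIN_HEADER = 'x-elastic-internal-origin';

class MiniRouter {
  private readonly buildFlavor: BuildFlavor;
  private readonly routes = new Map<string, RouteSpec>();

  constructor(buildFlavor: BuildFlavor) {
    this.buildFlavor = buildFlavor;
  }

  // Registration-time gating, the "decide as high up as possible" approach from the PR:
  // in serverless a disabled route is never registered, so there is nothing to match
  // and the server answers 404 (the route does not exist in that offering), not 403.
  register(spec: RouteSpec): void {
    if (this.buildFlavor === 'serverless' && spec.serverlessAccess === 'disabled') return;
    this.routes.set(`${spec.method} ${spec.path}`, spec);
  }

  dispatch(req: RouteRequest): RouteResponse {
    const spec = this.routes.get(`${req.method.toUpperCase()} ${req.path}`);
    if (spec === undefined) return { status: 404, body: 'Not Found' };
    // Header names are case-insensitive, so normalise before looking for the marker.
    const hasInternalOrigin = Object.keys(req.headers).some(
      (name) => name.toLowerCase() === INTERNAL_ORIGIN_HEADER,
    );
    // Assumption of this model: the internal-origin requirement is enforced only in the
    // serverless flavor, which is the behaviour the PR's testing strategy describes.
    if (this.buildFlavor === 'serverless' && spec.serverlessAccess === 'internal' && !hasInternalOrigin) {
      return { status: 400, body: `request must carry the ${INTERNAL_ORIGIN_HEADER} header` };
    }
    return { status: 200, body: 'ok' };
  }
}

// Constructed sample routes with placeholder paths; these are not real Kibana endpoints.
const SAMPLE_ROUTES: RouteSpec[] = [
  { method: 'GET', path: '/api/example/public', serverlessAccess: 'public' },
  { method: 'GET', path: '/internal/example/settings', serverlessAccess: 'internal' },
  { method: 'PUT', path: '/api/example/disabled', serverlessAccess: 'disabled' },
];

function buildRouter(flavor: BuildFlavor): MiniRouter {
  const router = new MiniRouter(flavor);
  for (const spec of SAMPLE_ROUTES) router.register(spec);
  return router;
}

// The status the PR's serverless testing strategy expects for each access level.
function expectedServerlessStatus(access: ServerlessAccess, withHeader: boolean): number {
  if (access === 'disabled') return 404;
  if (access === 'internal') return withHeader ? 200 : 400;
  return 200;
}

// Runs the full route x header matrix against a router and returns every mismatch,
// so a test can simply assert that the returned list is empty.
function verifyServerlessMatrix(router: MiniRouter): string[] {
  const failures: string[] = [];
  for (const spec of SAMPLE_ROUTES) {
    for (const withHeader of [false, true]) {
      const headers: Record<string, string> = withHeader ? { 'X-Elastic-Internal-Origin': 'Kibana' } : {};
      const got = router.dispatch({ method: spec.method, path: spec.path, headers }).status;
      const want = expectedServerlessStatus(spec.serverlessAccess, withHeader);
      if (got !== want) failures.push(`${spec.method} ${spec.path} header=${withHeader}: got ${got}, want ${want}`);
    }
  }
  return failures;
}
```

Building `buildRouter('serverless')` and running `verifyServerlessMatrix` over it yields an empty list, while `buildRouter('traditional')` answers 200 on the same disabled and internal routes. The design point worth noticing is that a disabled route produces 404 rather than 403: the route is absent from the serverless router entirely, so there is no handler left that could leak the route's existence or be reached by an authorization bypass.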

@jeramysoucy jeramysoucy added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! release_note:skip Skip the PR/issue when compiling release notes v8.10.0 backport:skip This commit does not require backporting labels Jul 17, 2023
externalRouter,
const buildFlavor = this.initializerContext.env.packageInfo.buildFlavor;
const router = core.http.createRouter<SpacesRequestHandlerContext>();
if (buildFlavor !== 'serverless') {
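Review bot: the flavor check on the last line compares `buildFlavor` against the inline string literal `'serverless'`; since the same condition will gate several route groups, lift it into one named boolean (e.g. `const isServerless = buildFlavor === 'serverless';`) defined next to the `createRouter` call and reuse it, so the gating condition exists in exactly one place and the non-serverless branch stays easy to find when the routes are reorganized later.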
Contributor Author


I opted to make decisions as high-level as possible so we don't have to dig into each route to understand the impact of the build flavor.

Member


++, over time, if we still use buildFlavor, we might even re-organize our routes to make it easier to toggle them (e.g. common + {non-serverless-name-tbd}-routes)

@jeramysoucy jeramysoucy changed the title Disables spaces public APIs in serverless Prepare the Security domain HTTP APIs for Serverless Jul 26, 2023
Member

@pheyos pheyos left a comment


LGTM

@azasypkin
Member

ACK: will review today or, at the latest, tomorrow.

@azasypkin azasypkin self-requested a review August 21, 2023 12:17
initGetSpaceApi(deps);
initGetAllSpacesApi(deps);
initPostSpacesApi(deps);
initPutSpacesApi(deps);
Member


note: iirc, we don't need initPutSpacesApi in Serverless for now as well.

@@ -32,7 +31,7 @@ const sendApiLoginRequest = (
url: url.toString(),
body: {
providerType: 'basic',
providerName: isLocalhost(url.hostname) ? 'basic' : 'cloud-basic',
providerName: 'basic',
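Review bot: replacing `providerName: isLocalhost(url.hostname) ? 'basic' : 'cloud-basic'` with the fixed `providerName: 'basic'` means `sendApiLoginRequest` now names the `basic` provider regardless of the target hostname, so any non-localhost deployment whose basic provider is registered as `cloud-basic` will no longer be logged into by this helper. If those environments are still exercised by these tests, keep the host-based selection or make the provider name a parameter of `sendApiLoginRequest` with `'basic'` as the default, and add a comment stating that the default is the serverless provider name.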
Member


@jeramysoucy why do we need to make this change? I thought it was intentionally done like that to support tests in ESS?

Member


Checked with Larry and got more context around the issue you were trying to solve here - sounds good to me. We can re-consider it in the future if we need to.

Member

@azasypkin azasypkin left a comment


LGTM, thanks! Left one question regarding Cypress tests and pushed a few small fixes in 5e953fa.

@kibana-ci
Collaborator

kibana-ci commented Aug 22, 2023

💚 Build Succeeded

  • Buildkite Build
  • Commit: 710ca09
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-162087-710ca09bec2f

Metrics

Canvas Sharable Runtime

The Canvas "shareable runtime" is a bundle produced to enable running Canvas workpads outside of Kibana. This bundle is included in third-party webpages that embed canvas and therefore should be as slim as possible.

id            before   after   diff
module count  -        5577    +5577
total size    -        6.1MB   +6.1MB


To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @jeramysoucy

@azasypkin azasypkin merged commit fe0ffab into elastic:main Aug 23, 2023
jloleysens added a commit to jloleysens/kibana that referenced this pull request Aug 23, 2023
* main: (150 commits)
  Fixes unnecessary autocompletes on HTTP methods (elastic#163233)
  [Defend Workflows] Convert filterQuery to kql  (elastic#161806)
  [Fleet] copy `inactivity_timeout` when duplicating agent policy (elastic#164544)
  Fix 7.17 forward compatibility with 8.2+ (elastic#164274)
  [ML] Fixes dark mode in flyouts and modals (elastic#164399)
  [Defend Workflows]Changes to policy settings are not persistent until a refresh (elastic#164403)
  [Security Solution][Endpoint] Fixes kibana crash when going back to policy details page (elastic#164329)
  Prepare the Security domain HTTP APIs for Serverless (elastic#162087)
  skip failing test suite (elastic#160986)
  [Security Solution] Fix flaky Event Filters test (elastic#164473)
  [EDR workflows] Osquery serverless tests (elastic#163795)
  [Fleet] Only show agent dashboard links if there is more than one non-server agent and if the dashboards exist (elastic#164469)
  [Chrome UI] Fix background color in serverless (elastic#164419)
  [DOCS] Saved objects - resolve import errors API (elastic#162825)
  Remove 'Create Rule' button from Rule Group page (elastic#164167)
  [Security Solution] expandable flyout - fix infinite loop in correlations (elastic#163450)
  [Remote Clusters] Update copy about port help text (elastic#164442)
  [api-docs] 2023-08-23 Daily api_docs build (elastic#164524)
  [data views] Disable scripted fields in serverless environment (elastic#163228)
  [Reporting] Fix - show diagnostic only when image reporting is enabled (elastic#164336)
  ...
mistic added a commit to Ikuni17/kibana that referenced this pull request Aug 24, 2023
Ikuni17 added a commit to Ikuni17/kibana that referenced this pull request Aug 25, 2023
Labels
backport:skip This commit does not require backporting blocker ci:build-serverless-image release_note:skip Skip the PR/issue when compiling release notes Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.10.0 v8.11.0
Successfully merging this pull request may close these issues.

Prepare the Security, Spaces, and Encrypted Saved Objects HTTP APIs for the Serverless offering
9 participants