Globally enforce internal API restriction

[TinaHeiligers]

fix #163654

This PR enforces internal API restrictions in our standard offering.
Internal APIs are subject to rapid change and are intentionally not public. By restricting their access, we protect consumers from these rapid changes.

This PR does not change any public APIs and they remain available for external consumption.

Note to reviewers:

I chose the most practical way of resolving the failures (add the header or disable the restriction).

Details

Requests to internal Kibana APIs will be restricted globally. This allows more flexibility in making breaking changes to internal APIs, without a risk to external consumers.

Why are we doing this?

The restriction is there to help mitigate the risk of breaking external integrations consuming APIs. Internal APIs are subject to frequent changes, necessary for feature development.

What this means to plugin authors :

Kibana core applies the restriction when enabled through HTTP config.

What this means to Kibana consumers:

Explicitly restricting access to internal APIs has advantages for external consumers:

• Consumers can safely integrate with Kibana's stable, public APIs
• Consumers are protected from Internal route development, which may involve breaking changes
• Relevant information in Kibana's external documentation that is user-friendly and complete.

KB article explaining the change (tracked as part of https://github.com/elastic/kibana-team/issues/1044)

Release note

Starting with this release, requests to internal Kibana APIs are globally restricted by default. This change is designed to provide more flexibility in making breaking changes to internal APIs while protecting external consumers from unexpected disruptions.
Key Changes:
• Internal API Access: External consumers no longer have access to Kibana’s internal APIs, which are now strictly reserved for internal development and subject to frequent changes. This helps ensure that external integrations only interact with stable, public APIs.
• Error Handling: When a request is made to an internal API without the proper internal identifier (header or query parameter), Kibana will respond with a 400 Bad Request error, indicating that the route exists but is not allowed under the current Kibana configuration.

How to test this

Running kibana

1. Set server.restrictInternalApis: true in kibana.yml
2. Start es with any license
3. Start kibana
4. Make an external request to an internal API:

curl request to get the config for 9.0:

curl --location 'localhost:5601/abc/api/kibana/management/saved_objects/_bulk_get' \
--header 'Content-Type: application/json' \
--header 'kbn-xsrf: kibana' \
--header 'x-elastic-internal-origin: kibana' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data '[
  {
      "type": "config",
      "id": "9.0.0"
  }
]'

The request should be successful.

5. Make the same curl request without the internal origin header

curl:

curl --location 'localhost:5601/abc/api/kibana/management/saved_objects/_bulk_get' \
--header 'Content-Type: application/json' \
--header 'kbn-xsrf: kibana' \
--header 'Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==' \
--data '[
  {
      "type": "config",
      "id": "9.0.0"
  }
]'

The response should be an error similar to:
{"statusCode":400,"error":"Bad Request","message":"uri [/api/kibana/management/saved_objects/_bulk_get] with method [post] exists but is not available with the current configuration"}

6. Remove server.restrictInternalApis from kibana.yml or set it to false.

7. Repeat both curl requests above. Both should respond without an error.

Checklist

Delete any items that are not applicable to this PR.

• [Documentation] was added for features that require explanation or tutorials (In PR [docs] Document internal API restriction in 9.0 #191943)
• Unit or functional tests were updated or added to match the most common scenarios (and PR [http] api_integration tests handle internal route restriction #192407)
• If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list (docker list updated in Enables preventing access to internal APIs  #156935, cloud stack packs for 9.0 kibana to follow)

Risk Matrix

Risk	Probability	Severity	Mitigation/Notes
The restriction is knowingly bypassed by end-users adding the required header to use internal APIs	Low	High	Kibana's internal APIs are not documented in the OAS specifications. External consumption will be prevented unless explicitly bypassed.
Upstream services don't include the header and requests to internal APIs fail	Medium	Medium	The Core team needs to ensure intra-stack components are updated too

For maintainers

• This was checked for breaking API changes and was labeled appropriately

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

Leaves the restriction disabled for tests consuming createConfigService.

[TinaHeiligers]

self review.

[elasticmachine]

Pinging @elastic/kibana-core (Team:Core)

[lukeelmers]

Before we merge - I think we should investigate two things which I just realized weren't in the rollout plan:

1. Is it possible to surface a warning for this in UA similar to what we are discussing for Saved Objects APIs? e.g. Show a warning if we detect non-Kibana traffic to an internal API
2. We should plan to draft an internal KB article due to the widespread impact of this change

Let's also add a bit more detail to our breaking change note. Even though folks shouldn't be using these APIs, we know many are, so again this would be to address the potential wide impact of this change.

[TinaHeiligers]

PR is back in draft to take care of https://github.com/elastic/kibana/pull/193792#issuecomment-2372364457https://github.com/elastic/kibana/pull/193792#issuecomment-2372364457

[TinaHeiligers]

we should investigate two things which I just realized weren't in the rollout plan:

TBH, I've also been thinking along these lines because it's the right thing to do.

The tricky part is that restricting access to internal APIs isn't a classic deprecation and we'd need something within the http service to surface external calls in the UA. I'm unsure if that's possible from within the http lifecycle or maybe easier within the router itself. @jloleysens we should discuss our options.

As for the KB, I was going to add one anyway ;-)

Let's also add a bit more detail to our breaking change note

How about rewording something similar to #156935 to highlight how this change helps consumers?

[jloleysens]

...within the http lifecycle or maybe easier within the router itself...

We should be able to piggy-back off work Ahmad is doing. He is creating a core usage counter for HTTP stuff that we can use to make a new route counter. The "internal route usage" counter should be registered during setup time.

As for where we detect/increment this counter, I think we should do it just before returning the 400 here:

kibana/packages/core/http/core-http-server-internal/src/lifecycle_handlers.ts

Line 57 in 244ff7b

return response.badRequest({

That handler will just need the core usage service injected. But for that we are blocked on #193668

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

Changing the default also meant updating tests to either disable the restriction or add the header required for internal requests.

[TinaHeiligers]

It's less work to disable the restriction in createTestServers than adding the header/query param to tests.
We disable the restriction by default for ftr tests too.

[jloleysens]

Should/do we have a task for updating these requests in the future or is the plan to leave them unrestricted in tests?

[TinaHeiligers]

Should/do we have a task for updating these requests in the future or is the plan to leave them unrestricted in tests

The plan is to update requests if and when we need to, which is consistent with the base config for our FTR tests.

As for this specific test, createRootWithSettings explicitly enables the restriction. Here, we change that in setup, and is an example of how consumers can override the default should they choose to.

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

/ci

[TinaHeiligers]

/ci

[TinaHeiligers]

Let's also add a bit more detail to our breaking change note. Even though folks shouldn't be using these APIs, we know many are, so again this would be to address the potential wide impact of this change.

@lukeelmers I've fleshed out the release note and double-checked that the UA work and KB article are in the meta issue. The plan is to merge the implementation and follow up with the UA hook once that's ready.

[TinaHeiligers]

@elasticmachine merge upstream

[jloleysens]

Great work @TinaHeiligers for chasing down all those test cases. Implementation of new default LGTM. Left some minor comments.

[jloleysens]

Should/do we have a task for updating these requests in the future or is the plan to leave them unrestricted in tests?

[TinaHeiligers]

@elasticmachine merge upstream

[TinaHeiligers]

The FTR test failure is unrelated to this PR: #194425

[rudolf]

Let's also add a bit more detail to our breaking change note. Even though folks shouldn't be using these APIs, we know many are, so again this would be to address the potential wide impact of this change.

@lukeelmers I've fleshed out the release note and double-checked that the UA work and KB article are in the meta issue. The plan is to merge the implementation and follow up with the UA hook once that's ready.

I've created #194675 to track the work for surfacing internal API usage in the UA.

[TinaHeiligers]

@elasticmachine merge upstream

[SiddharthMantri]

Security changes LGTM.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 624a65d

Metrics [docs]

✅ unchanged

History

• 💛 Build #238498 was flaky d177cdb
• 💚 Build #238133 succeeded b42530a
• 💚 Build #237848 succeeded d9b3ea9
• 💚 Build #237829 succeeded d02ce7c
• 💔 Build #237819 failed 2d73f0b

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream