[EEM] Disable authorization checks on endpoints #198695

Merged
merged 17 commits into from
Nov 14, 2024

@miltonhultgren miltonhultgren commented Nov 1, 2024

Disable authorization checks on all entity manager endpoints.

Also makes two notable changes to the endpoints/EntityClient behaviour:

  • previously the EntityClient accepted an IScopedClusterClient and abstracted usage of asInternalUser/asCurrentUser in its methods which may result in unwanted behavior for consumers. It now only accepts an ElasticsearchClient that is preauthenticated by the consumers
  • added permissions verifications to custom definition endpoints
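
The client change described above, sketched as an added example (not code from the PR or from Kibana). The interfaces are simplified synchronous stand-ins, the index name and documents are constructed, and which identity the old methods used is an assumption made for illustration.

```typescript
// Simplified, synchronous stand-ins for Kibana's ElasticsearchClient and
// IScopedClusterClient; the real interfaces are async and much larger.
interface EsClient { search(index: string): string[]; }
interface ScopedClusterClient { asInternalUser: EsClient; asCurrentUser: EsClient; }

// Constructed sample data; the index name is hypothetical.
const DEFINITIONS_INDEX = "entity-definitions";
const DOCS: Record<string, string[]> = { [DEFINITIONS_INDEX]: ["def-1", "def-2"] };

// Returns a client that can read only the indices listed in `readable`.
function makeClient(readable: string[]): EsClient {
  return {
    search(index: string): string[] {
      if (!readable.includes(index)) throw new Error("security_exception");
      return DOCS[index] ?? [];
    },
  };
}

// Before: both identities are passed in and the method picks one itself.
class ScopedEntityClient {
  private cluster: ScopedClusterClient;
  constructor(cluster: ScopedClusterClient) { this.cluster = cluster; }
  listDefinitions(): string[] {
    // Assumed choice: runs with Kibana's privileges, not the caller's.
    return this.cluster.asInternalUser.search(DEFINITIONS_INDEX);
  }
}

// After: the consumer supplies one client it has already scoped.
class EntityClient {
  private es: EsClient;
  constructor(es: EsClient) { this.es = es; }
  listDefinitions(): string[] { return this.es.search(DEFINITIONS_INDEX); }
}

// Runs fn and reports either its result or the denial message.
function attempt(fn: () => string[]): string[] | string {
  try { return fn(); } catch (e) { return (e as Error).message; }
}

// A request whose user has no read privilege on the definitions index.
function demo(): { before: string[] | string; after: string[] | string } {
  const scoped: ScopedClusterClient = {
    asInternalUser: makeClient([DEFINITIONS_INDEX]),
    asCurrentUser: makeClient([]),
  };
  return {
    before: attempt(() => new ScopedEntityClient(scoped).listDefinitions()),
    after: attempt(() => new EntityClient(scoped.asCurrentUser).listDefinitions()),
  };
}
```

With the old shape the unprivileged request still gets both documents; with the new shape the identity is visible at the call site and the same request is denied by the cluster.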

@klacabane klacabane marked this pull request as ready for review November 8, 2024 15:59
@klacabane klacabane requested review from a team as code owners November 8, 2024 15:59
@klacabane klacabane requested a review from tiansivive November 8, 2024 15:59
@klacabane klacabane added the release_note:skip and backport:skip labels Nov 8, 2024
@miltonhultgren
Contributor Author

@klacabane This LGTM but I cannot approve since I opened the PR, so feel free to approve and merge 👍🏼

@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

cc @klacabane

Contributor

@tiansivive tiansivive left a comment

LGTM from EA

@klacabane klacabane merged commit 94d7df3 into elastic:main Nov 14, 2024
44 checks passed
@miltonhultgren
Contributor Author

@klacabane I think we should backport this to 8.x

CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Nov 18, 2024
Disable authorization checks on all entity manager endpoints.

Also makes two notable changes to the endpoints/EntityClient behaviour:
- previously the EntityClient accepted an `IScopedClusterClient` and
abstracted usage of asInternalUser/asCurrentUser in its methods which
may result in unwanted behavior for consumers. It now only accepts an
`ElasticsearchClient` that is preauthenticated by the consumers
- added permissions verifications to custom definition endpoints

---------

Co-authored-by: Kevin Lacabane <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
@klacabane klacabane added the backport:prev-minor label and removed the backport:skip label Nov 18, 2024
@kibanamachine
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11893308484

@kibanamachine
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11893308515

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Nov 18, 2024
Disable authorization checks on all entity manager endpoints.

Also makes two notable changes to the endpoints/EntityClient behaviour:
- previously the EntityClient accepted an `IScopedClusterClient` and
abstracted usage of asInternalUser/asCurrentUser in its methods which
may result in unwanted behavior for consumers. It now only accepts an
`ElasticsearchClient` that is preauthenticated by the consumers
- added permissions verifications to custom definition endpoints

---------

Co-authored-by: Kevin Lacabane <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 94d7df3)
@kibanamachine
Contributor

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation


kibanamachine added a commit that referenced this pull request Nov 18, 2024
)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EEM] Disable authorization checks on endpoints
(#198695)](#198695)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Milton Hultgren <[email protected]>
Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes v8.17.0 v9.0.0