-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate the rest of the API endpoints to the New Platform plugin #50695
Conversation
Pinging @elastic/kibana-security (Team:Security) |
23c9ff1
to
a70c46d
Compare
💚 Build Succeeded
|
a70c46d
to
88e35f7
Compare
@@ -5,8 +5,7 @@ | |||
*/ | |||
|
|||
import { kfetch } from 'ui/kfetch'; | |||
import { ApiKey, ApiKeyToInvalidate } from '../../common/model/api_key'; | |||
import { INTERNAL_API_BASE_PATH } from '../../common/constants'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: tbh I don't see much value in INTERNAL_API_BASE_PATH
constant and it makes it harder to copy-paste URL to find where it's defined. But let me know if you prefer to have it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm in favor of removing this as well. I enjoy being able to search on full API paths in code
@@ -39,7 +39,7 @@ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; | |||
/** | |||
* The Kibana server endpoint used for authentication | |||
*/ | |||
const LOGIN_API_ENDPOINT = '/api/security/v1/login'; | |||
const LOGIN_API_ENDPOINT = '/internal/security/login'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: @andrew-goldstein, this code looks a bit suspicious to me, I'd love to hear what it's doing and why? Or is it just test only code?
P.S. I don't see that anyone owns this plugin in .github/CODEOWNERS
.
💚 Build Succeeded
|
@@ -4,576 +4,573 @@ | |||
* you may not use this file except in compliance with the Elastic License. | |||
*/ | |||
|
|||
(function (root, factory) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: just removed this part and run the rest of the file through prettier.
88e35f7
to
43280e4
Compare
💚 Build Succeeded
|
getLegacyAPI, | ||
basePath, | ||
}: RouteDefinitionParams) { | ||
// Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: lots of BWC tricks in this file, but while I'm here I wanted to clean it up.....
43280e4
to
94018c1
Compare
createLicensedRouteHandler(async (context, request, response) => { | ||
const serverBasePath = basePath.serverBasePath; | ||
if (path === '/api/security/v1/logout') { | ||
logger.warn( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about integrating this with the upgrade assistant in a followup PR? I think it'd be helpful for folks when upgrading to the next major version if we make it known that something in their environment is relying on this deprecated endpoint.
To say this another way, I'd personally be annoyed if I ran the upgrade assistant, and it didn't warn me that this would stop working if I was relying on it 😄
Comment applies to the other deprecated endpoints as well
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a great idea! I'll try to figure how hard/easy it would be. I tried it once in the distant past and UA wasn't ready for things like this back then, but I believe it's much more advanced now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great overall. Just a couple minor questions/nits on my end so far
validate: { query: schema.object({}, { allowUnknowns: true }) }, | ||
options: { authRequired: false }, | ||
}, | ||
createLicensedRouteHandler(async (context, request, response) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The LP implementation for login/logout endpoints did not perform license checks. I think it makes sense to add it for our login routes, but what do you think about removing the check for the logout endpoints? It's an edge-case for sure, but I worry about blocking logout if there is a hiccup with Kibana's view of the current license.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, that's a good point, thanks! I'll remove license check from here.
{ path: '/internal/security/me', validate: false }, | ||
createLicensedRouteHandler(async (context, request, response) => { | ||
try { | ||
return response.ok({ body: (await authc.getCurrentUser(request)) as any }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: authc.getCurrentUser
performs an additional round-trip to ES to retrieve the user details. The previous implementation did not have to do this, likely because of the intimate relationship it had with Hapi.
I don't think anything has to change here, but as we move the client-side security plugin to. the NP, we should evaluate all the places we are calling this endpoint. I recall seeing several calls as the page loads which we can likely trim down.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
authc.getCurrentUser performs an additional round-trip to ES to retrieve the user details. The previous implementation did not have to do this, likely because of the intimate relationship it had with Hapi.
Yep, that's correct.
I don't think anything has to change here, but as we move the client-side security plugin to. the NP, we should evaluate all the places we are calling this endpoint. I recall seeing several calls as the page loads which we can likely trim down.
If it becomes a perf problem for us, we'll ask platform to expose existing auth information to plugins: security plugin returns user info to core, core stores it in the internal cache, but just doesn't expose it for now.
validate: { | ||
query: schema.object( | ||
{ | ||
authenticationResponseURI: schema.maybe(schema.string({ minLength: 1 })), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: is there a reason authenticationResponseURI
can't be validated via schema.uri()
like error_uri
is below?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I don't think there is a reason, just an oversight 🙈 Will fix.
target_link_uri: schema.maybe(schema.uri()), | ||
state: schema.maybe(schema.string()), | ||
}, | ||
{ allowUnknowns: true } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: unrelated to the migration, but can we add a comment explaining why we want to allow unknown object properties here? We're trying to reduce the number of places this is required in code, so documenting legitimate uses will be helpful going forward.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, added comments in all 3 places in this file.
loginAttempt: ProviderLoginAttempt | ||
) { | ||
try { | ||
// We handle the fact that the user might get redirected to Kibana while already having an session |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
super-nit
// We handle the fact that the user might get redirected to Kibana while already having an session | |
// We handle the fact that the user might get redirected to Kibana while already having a session |
if (authenticationResult.succeeded()) { | ||
return response.forbidden({ | ||
body: | ||
'Sorry, you already have an active Kibana session. ' + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be done in a followup since it also existed in LP, but we should internationalize this message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was hesitating to translate error messages as users usually copy-paste-google for similar cases. But this one is clear enough and actionable by itself, so agree we can translate it. Will fix in this PR.
} | ||
|
||
router.get( | ||
{ path: '/internal/security/me', validate: false }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you feel about also keeping /api/security/v1/me
around for the remainder of 7.x
? Although it's not part of our public API, we have instructed both users and customers about this endpoint for quite some time, and I fear we'll break a lot of "custom" configurations by removing this endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, interesting, didn't know that. I can definitely keep it in 7.x. Also what was the use case for customers/users? Would it justify having this as a public API?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also what was the use case for customers/users? Would it justify having this as a public API?
I believe there are some custom/third-party plugins which use this endpoint. At the very least, we've put it out there in the public:
export function defineCreateOrUpdateUserRoutes({ router, clusterClient }: RouteDefinitionParams) { | ||
router.post( | ||
{ | ||
path: '/internal/security/users/{username}', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we have a couple references to the old endpoint here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, good catch, it's a brand new script! Will fix.
…ep `/api/security/v1/me` in 7.x, validate OIDC `authenticationResponseURI` as a proper URI, explain the need for `allowUnknowns` in OIDC routes validation, localize error message, update APM dev script with new `users` internal routes.
{ path, validate: false }, | ||
createLicensedRouteHandler(async (context, request, response) => { | ||
if (path === '/api/security/v1/me') { | ||
logger.warn( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: Assuming we make this route internal I don't mention the name of the internal route as we don't provide any guarantees regarding it.
@legrego thanks for the review! PR is ready for another pass. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
APM changes LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for the changes! I only tested basic and token auth providers locally -- let me know if you'd like me to test any additional auth providers
Thanks for review and testing! I believe we're good, I tested OIDC and SAML locally as well and we have a good number of integration tests I believe. If we figure out that I broke something, then I'll add even more integration tests. Testing everything manually is hard and tedious and if we can't rely enough on the test coverage we built it's not going to scale anyway 🙈 |
7.x/7.6.0: bb8e383 |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
It looks like this moved the shield plugin. Is it possible to still use this within the old platform? |
@chrisronline Technically you can still import P.S. The latest version of |
Good question. I spoke with @kobelb about some other code and he mentioned we shouldn't use |
Are we using the non-legacy Elasticsearch client already? |
You mean |
) Closes #197389 ## Summary Uses the `deprecated` route configuration option on all Kibana Security "v1" endpoints. This will surface deprecation information in the Upgrade Assistant. ## Related PRs - #50695 - `7.6.0`, deprecated - `/api/security/v1/me` - `/api/security/v1/logout` - `/api/security/v1/oidc/implicit` - `/api/security/v1/oidc` (POST) - #53886 - `7.6.0`, deprecated `/api/security/v1/oidc` (GET) - #47929 - `8.0.0`, dropped `/api/security/v1/saml` (`breaking` release note) - #106665 - restored `/api/security/v1/saml` but warned as deprecated (no release note) ## Testing 1. Start ES & Kibana in trial license mode 2. Make several calls to one or more of the deprecated endpoints 3. Navigate to `Stack Management`->`Upgrade Assistant` 4. Click on Kibana warnings <img width="1003" alt="Screenshot 2024-11-18 at 10 01 10 AM" src="https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11"> 5. Confirm the called endpoints are displayed as warnings in the Upgrade Assistant <img width="1274" alt="Screenshot 2024-11-18 at 9 59 34 AM" src="https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f"> ## Previous release notes ### v7.6.0 https://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0 https://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html The deprecations are not listed in the release notes or breaking changes notes. ### v8.0.0 https://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes SAML endpoint deprecation only appears in the 8.0.0-alpha1 release notes, and was reverted in 8.0.0-alpha2 # Release note See `docs/upgrade-notes.asciidoc` in file changes # Follow-up A follow-up PR must be created to create and backfill the docLinks. --------- Co-authored-by: kibanamachine <[email protected]>
…tic#199656) Closes elastic#197389 ## Summary Uses the `deprecated` route configuration option on all Kibana Security "v1" endpoints. This will surface deprecation information in the Upgrade Assistant. ## Related PRs - elastic#50695 - `7.6.0`, deprecated - `/api/security/v1/me` - `/api/security/v1/logout` - `/api/security/v1/oidc/implicit` - `/api/security/v1/oidc` (POST) - elastic#53886 - `7.6.0`, deprecated `/api/security/v1/oidc` (GET) - elastic#47929 - `8.0.0`, dropped `/api/security/v1/saml` (`breaking` release note) - elastic#106665 - restored `/api/security/v1/saml` but warned as deprecated (no release note) ## Testing 1. Start ES & Kibana in trial license mode 2. Make several calls to one or more of the deprecated endpoints 3. Navigate to `Stack Management`->`Upgrade Assistant` 4. Click on Kibana warnings <img width="1003" alt="Screenshot 2024-11-18 at 10 01 10 AM" src="https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11"> 5. Confirm the called endpoints are displayed as warnings in the Upgrade Assistant <img width="1274" alt="Screenshot 2024-11-18 at 9 59 34 AM" src="https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f"> ## Previous release notes ### v7.6.0 https://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0 https://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html The deprecations are not listed in the release notes or breaking changes notes. ### v8.0.0 https://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes SAML endpoint deprecation only appears in the 8.0.0-alpha1 release notes, and was reverted in 8.0.0-alpha2 # Release note See `docs/upgrade-notes.asciidoc` in file changes # Follow-up A follow-up PR must be created to create and backfill the docLinks. --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 742ae9f) # Conflicts: # docs/upgrade-notes.asciidoc # x-pack/plugins/security/tsconfig.json
…#199656) (#201320) # Backport This will backport the following commits from `main` to `8.x`: - [Surface Kibana security route deprecations in Upgrade Assistant (#199656)](#199656) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Jeramy Soucy","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-19T08:54:40Z","message":"Surface Kibana security route deprecations in Upgrade Assistant (#199656)\n\nCloses #197389\r\n\r\n## Summary\r\n\r\nUses the `deprecated` route configuration option on all Kibana Security\r\n\"v1\" endpoints. This will surface deprecation information in the Upgrade\r\nAssistant.\r\n\r\n## Related PRs\r\n- #50695 - `7.6.0`, deprecated\r\n - `/api/security/v1/me`\r\n - `/api/security/v1/logout`\r\n - `/api/security/v1/oidc/implicit`\r\n - `/api/security/v1/oidc` (POST)\r\n- #53886 - `7.6.0`, deprecated\r\n`/api/security/v1/oidc` (GET)\r\n- #47929 - `8.0.0`, dropped\r\n`/api/security/v1/saml` (`breaking` release note)\r\n- #106665 - restored\r\n`/api/security/v1/saml` but warned as deprecated (no release note)\r\n\r\n## Testing\r\n1. Start ES & Kibana in trial license mode\r\n2. Make several calls to one or more of the deprecated endpoints\r\n3. Navigate to `Stack Management`->`Upgrade Assistant`\r\n4. Click on Kibana warnings\r\n<img width=\"1003\" alt=\"Screenshot 2024-11-18 at 10 01 10 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11\">\r\n5. Confirm the called endpoints are displayed as warnings in the Upgrade\r\nAssistant\r\n<img width=\"1274\" alt=\"Screenshot 2024-11-18 at 9 59 34 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f\">\r\n\r\n## Previous release notes \r\n### v7.6.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0\r\nhttps://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html\r\nThe deprecations are not listed in the release notes or breaking changes\r\nnotes.\r\n\r\n### v8.0.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes\r\nSAML endpoint deprecation only appears in the 8.0.0-alpha1 release\r\nnotes, and was reverted in 8.0.0-alpha2\r\n\r\n# Release note\r\nSee `docs/upgrade-notes.asciidoc` in file changes\r\n\r\n# Follow-up\r\nA follow-up PR must be created to create and backfill the docLinks.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"742ae9fd2a255d5ba15100d644e7de3540e28f60","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:deprecation","Team:Security","backport missing","v9.0.0","backport:prev-minor","v8.18.0"],"number":199656,"url":"https://github.com/elastic/kibana/pull/199656","mergeCommit":{"message":"Surface Kibana security route deprecations in Upgrade Assistant (#199656)\n\nCloses #197389\r\n\r\n## Summary\r\n\r\nUses the `deprecated` route configuration option on all Kibana Security\r\n\"v1\" endpoints. This will surface deprecation information in the Upgrade\r\nAssistant.\r\n\r\n## Related PRs\r\n- #50695 - `7.6.0`, deprecated\r\n - `/api/security/v1/me`\r\n - `/api/security/v1/logout`\r\n - `/api/security/v1/oidc/implicit`\r\n - `/api/security/v1/oidc` (POST)\r\n- #53886 - `7.6.0`, deprecated\r\n`/api/security/v1/oidc` (GET)\r\n- #47929 - `8.0.0`, dropped\r\n`/api/security/v1/saml` (`breaking` release note)\r\n- #106665 - restored\r\n`/api/security/v1/saml` but warned as deprecated (no release note)\r\n\r\n## Testing\r\n1. Start ES & Kibana in trial license mode\r\n2. Make several calls to one or more of the deprecated endpoints\r\n3. Navigate to `Stack Management`->`Upgrade Assistant`\r\n4. Click on Kibana warnings\r\n<img width=\"1003\" alt=\"Screenshot 2024-11-18 at 10 01 10 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11\">\r\n5. Confirm the called endpoints are displayed as warnings in the Upgrade\r\nAssistant\r\n<img width=\"1274\" alt=\"Screenshot 2024-11-18 at 9 59 34 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f\">\r\n\r\n## Previous release notes \r\n### v7.6.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0\r\nhttps://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html\r\nThe deprecations are not listed in the release notes or breaking changes\r\nnotes.\r\n\r\n### v8.0.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes\r\nSAML endpoint deprecation only appears in the 8.0.0-alpha1 release\r\nnotes, and was reverted in 8.0.0-alpha2\r\n\r\n# Release note\r\nSee `docs/upgrade-notes.asciidoc` in file changes\r\n\r\n# Follow-up\r\nA follow-up PR must be created to create and backfill the docLinks.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"742ae9fd2a255d5ba15100d644e7de3540e28f60"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199656","number":199656,"mergeCommit":{"message":"Surface Kibana security route deprecations in Upgrade Assistant (#199656)\n\nCloses #197389\r\n\r\n## Summary\r\n\r\nUses the `deprecated` route configuration option on all Kibana Security\r\n\"v1\" endpoints. This will surface deprecation information in the Upgrade\r\nAssistant.\r\n\r\n## Related PRs\r\n- #50695 - `7.6.0`, deprecated\r\n - `/api/security/v1/me`\r\n - `/api/security/v1/logout`\r\n - `/api/security/v1/oidc/implicit`\r\n - `/api/security/v1/oidc` (POST)\r\n- #53886 - `7.6.0`, deprecated\r\n`/api/security/v1/oidc` (GET)\r\n- #47929 - `8.0.0`, dropped\r\n`/api/security/v1/saml` (`breaking` release note)\r\n- #106665 - restored\r\n`/api/security/v1/saml` but warned as deprecated (no release note)\r\n\r\n## Testing\r\n1. Start ES & Kibana in trial license mode\r\n2. Make several calls to one or more of the deprecated endpoints\r\n3. Navigate to `Stack Management`->`Upgrade Assistant`\r\n4. Click on Kibana warnings\r\n<img width=\"1003\" alt=\"Screenshot 2024-11-18 at 10 01 10 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11\">\r\n5. Confirm the called endpoints are displayed as warnings in the Upgrade\r\nAssistant\r\n<img width=\"1274\" alt=\"Screenshot 2024-11-18 at 9 59 34 AM\"\r\nsrc=\"https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f\">\r\n\r\n## Previous release notes \r\n### v7.6.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0\r\nhttps://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html\r\nThe deprecations are not listed in the release notes or breaking changes\r\nnotes.\r\n\r\n### v8.0.0\r\n\r\nhttps://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes\r\nSAML endpoint deprecation only appears in the 8.0.0-alpha1 release\r\nnotes, and was reverted in 8.0.0-alpha2\r\n\r\n# Release note\r\nSee `docs/upgrade-notes.asciidoc` in file changes\r\n\r\n# Follow-up\r\nA follow-up PR must be created to create and backfill the docLinks.\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"742ae9fd2a255d5ba15100d644e7de3540e28f60"}},{"branch":"8.18","label":"v8.18.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT-->
…tic#199656) Closes elastic#197389 ## Summary Uses the `deprecated` route configuration option on all Kibana Security "v1" endpoints. This will surface deprecation information in the Upgrade Assistant. ## Related PRs - elastic#50695 - `7.6.0`, deprecated - `/api/security/v1/me` - `/api/security/v1/logout` - `/api/security/v1/oidc/implicit` - `/api/security/v1/oidc` (POST) - elastic#53886 - `7.6.0`, deprecated `/api/security/v1/oidc` (GET) - elastic#47929 - `8.0.0`, dropped `/api/security/v1/saml` (`breaking` release note) - elastic#106665 - restored `/api/security/v1/saml` but warned as deprecated (no release note) ## Testing 1. Start ES & Kibana in trial license mode 2. Make several calls to one or more of the deprecated endpoints 3. Navigate to `Stack Management`->`Upgrade Assistant` 4. Click on Kibana warnings <img width="1003" alt="Screenshot 2024-11-18 at 10 01 10 AM" src="https://github.com/user-attachments/assets/da44af13-57eb-4ffd-a507-e423eb767a11"> 5. Confirm the called endpoints are displayed as warnings in the Upgrade Assistant <img width="1274" alt="Screenshot 2024-11-18 at 9 59 34 AM" src="https://github.com/user-attachments/assets/4c054fbe-6838-48cf-8b1b-8c161252db0f"> ## Previous release notes ### v7.6.0 https://www.elastic.co/guide/en/kibana/7.6/release-notes-7.6.0.html#deprecation-7.6.0 https://www.elastic.co/guide/en/kibana/7.6/breaking-changes-7.6.html The deprecations are not listed in the release notes or breaking changes notes. ### v8.0.0 https://www.elastic.co/guide/en/kibana/current/release-notes-8.0.0-alpha1.html#rest-api-changes SAML endpoint deprecation only appears in the 8.0.0-alpha1 release notes, and was reverted in 8.0.0-alpha2 # Release note See `docs/upgrade-notes.asciidoc` in file changes # Follow-up A follow-up PR must be created to create and backfill the docLinks. --------- Co-authored-by: kibanamachine <[email protected]>
In this PR, I'm moving the rest of the API endpoints to the New Platform:
NOTE: It'd be much easier to review PR commit by commit.
Fixes: #43258
"Release note:
/api/security/v1/me
endpoint is deprecated and will be completely replaced with internal-use-only endpoint in the next major version.""Release note:
/api/security/v1/logout
endpoint is deprecated in favor of/api/security/logout
and will be removed completely in the next major version. Please make sure to switch any Single sign-on providers you use with Kibana to/api/security/logout
instead.""Release note:
/api/security/v1/oidc/implicit
endpoint is deprecated in favor of/api/security/implicit
and will be removed completely in the next major version. Please make sure to switch Elasticsearch and any OpenID Connect providers you use with Kibana to/api/security/implicit
instead.""Release note: support of Third-Party Initiated login via
/api/security/v1/oidc
endpoint is deprecated and will be removed completely in the next major version. Please make sure to switch OpenID Connect providers you use with Kibana for Third-Party Initiated login to/api/security/initiate_login
instead."