Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unauthorized route migration for routes owned by appex-ai-infra,obs-ai-assistant,security-generative-ai #198351

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Unauthorized route migration for routes owned by appex-ai-infra,obs-ai-assistant,security-generative-ai #198351

wants to merge 2 commits into from
+12 −0

Conversation

kibanamachine
Copy link
Contributor

Authz API migration for unauthorized routes

This PR migrates unauthorized routes owned by your team to a new security configuration.
Please refer to the documentation for more information: Authorization API

Before migration:

router.get({
  path: '/api/path',
  ...
}, handler);

After migration:

router.get({
  path: '/api/path',
  security: {
    authz: {
      enabled: false,
      reason: 'This route is opted out from authorization because ...',
    },
  },
  ...
}, handler);

What to do next?

  1. Review the changes in this PR.
  2. Elaborate on the reasoning to opt-out of authorization.
  3. Routes without a compelling reason to opt-out of authorization should plan to introduce them as soon as possible.
  4. You might need to update your tests to reflect the new security configuration:
  • If you have snapshot tests that include the route definition.

Any questions?

If you have any questions or need help with API authorization, please reach out to the @elastic/kibana-security team.

@kibanamachine kibanamachine added enhancement New value added to drive a business result release_note:skip Skip the PR/issue when compiling release notes Feature:Security/Authorization Platform Security - Authorization labels Oct 30, 2024
@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 13:48
@kibanamachine kibanamachine added backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) Team:Obs AI Assistant labels Oct 30, 2024
@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 13:48
@kibanamachine kibanamachine added Team:Security Generative AI Security Generative AI Team:AI Infra AppEx AI Infrastructure Team Authz: API migration labels Oct 30, 2024
@kibanamachine kibanamachine requested a review from a team as a code owner October 30, 2024 13:48
@elasticmachine
Copy link
Contributor

Pinging @elastic/obs-ai-assistant (Team:Obs AI Assistant)

@elasticmachine
Copy link
Contributor

Pinging @elastic/appex-ai-infra (Team:AI Infra)

sorenlouv
sorenlouv reviewed Oct 30, 2024
View reviewed changes
x-pack/plugins/inference/server/routes/chat_complete.ts
enabled: false,
reason: 'This route is opted out from authorization',
},
},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dgieselaar I don't think we intended to opt-out of authorization here? Don't we want to require a minimum set of privileges?

Copy link
Contributor

@pgayvallet pgayvallet Nov 4, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's true, but atm we don't know what set of roles or permission swe should restraint to (virtual any plugin can call those APIs from the inference public contract) - it's a platform API. Plus, RBAC regarding inference APIs could be lower level than the endpoints (once we figure that what RBAC model we might want).

The PR is just adapting the code to the new route rbac format, basically

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we model privileges based on the features that currently call this endpoint? For example, could this route require any of the privileges that grant access to the AI Assistants?

@pgayvallet
Copy link
Contributor

@elasticmachine merge upstream

@elasticmachine
Merge branch 'main' into authz-migration/unauthorized-routes-by-appex…
b5fc5b3 
…-ai-infra_obs-ai-assistant_security-generative-ai
@elasticmachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #13 / Case View Page files tab should render the custom fields correctly

Metrics [docs]

✅ unchanged

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@legrego legrego legrego left review comments

@sorenlouv sorenlouv sorenlouv left review comments

@pgayvallet pgayvallet pgayvallet approved these changes

Assignees
No one assigned
Labels
Authz: API migration backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) enhancement New value added to drive a business result Feature:Security/Authorization Platform Security - Authorization release_note:skip Skip the PR/issue when compiling release notes Team:AI Infra AppEx AI Infrastructure Team Team:Obs AI Assistant Team:Security Generative AI Security Generative AI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kibanamachine @elasticmachine @pgayvallet @sorenlouv @legrego