[8.x] [Fields Metadata] Restrict access to integration fields by privileges (#199774) #200676

Merged
kibanamachine merged 1 commit into elastic:8.x from kibanamachine:backport/8.x/pr-199774
Nov 19, 2024
@kibanamachine
Contributor

Backport

This will backport the following commits from main to 8.x:

Questions?

Please refer to the Backport tool documentation

…elastic#199774)

## 📓 Summary

Related to elastic#198349

Disabling authorization on fields metadata `find API` implies every user
would have access to the integration fields since we use the internal
user to retrieve the package information.

On the other hand, requiring API root-level privileges for `fleet` and
`fleetv2` would restrict more use cases since other apps might rely on
this service to consume field metadata from ECS only, with no need for
integration permissions (Discover, etc.).

To keep the door open to all these use cases, we'll check the available
user privileges on a per-request basis and allow integration fields only
when they have access to fleet and integrations, without fully
restricting the service.

https://github.com/user-attachments/assets/49b9953a-f1e1-410a-8c7f-c38d87408fcc

---------

Co-authored-by: Marco Antonio Ghiani <marcoantonio.ghiani@elastic.co>
(cherry picked from commit 45056f3)
@kibanamachine kibanamachine merged commit cffa72b into elastic:8.x Nov 19, 2024
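
The per-request check described in the commit message above, shown as an added TypeScript example that is not code from this PR or from Kibana. The privilege names, types, function names and sample fields are hypothetical, and the privilege lookup is modelled as a synchronous set on the request's user.

```typescript
// Added example; every name here is hypothetical, not Kibana's API.
type FieldSource = 'ecs' | 'integration';
interface FieldMetadata { name: string; source: FieldSource; description: string; }
interface RequestUser { username: string; privileges: ReadonlySet<string>; }

// Assumed privilege names standing in for "access to fleet and integrations".
const INTEGRATION_FIELD_PRIVILEGES: readonly string[] = ['fleet', 'integrations'];

// Constructed sample data. Maps are used so that a requested name such as
// "constructor" cannot resolve to an inherited object property.
const ECS_FIELDS = new Map<string, FieldMetadata>([
  ['host.name', { name: 'host.name', source: 'ecs', description: 'Name of the host.' }],
]);
// In the scenario on this page, integration data is read with the internal
// user, so the storage layer does not enforce the caller's privileges.
const INTEGRATION_FIELDS = new Map<string, FieldMetadata>([
  ['nginx.access.remote_ip', {
    name: 'nginx.access.remote_ip',
    source: 'integration',
    description: 'Constructed integration field.',
  }],
]);

// Default deny: every required privilege must be held by this request's user.
function canReadIntegrationFields(user: RequestUser): boolean {
  return INTEGRATION_FIELD_PRIVILEGES.every((p) => user.privileges.has(p));
}

// ECS fields are served to any caller; integration fields must pass the gate.
function findFields(user: RequestUser, fieldNames: string[]): FieldMetadata[] {
  const allowIntegration = canReadIntegrationFields(user); // evaluated per request
  const found: FieldMetadata[] = [];
  for (const name of fieldNames) {
    const ecs = ECS_FIELDS.get(name);
    if (ecs) {
      found.push(ecs);
      continue;
    }
    // Unprivileged callers never reach the integration lookup, so the
    // response does not reveal whether an integration field exists.
    const integration = allowIntegration ? INTEGRATION_FIELDS.get(name) : undefined;
    if (integration) found.push(integration);
  }
  return found;
}
```

A user holding only one of the two privileges gets the same response as a user holding none, which keeps the ECS-only consumers working without widening access to integration fields.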
@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| fieldsMetadata | 44 | 45 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| fieldsMetadata | 44 | 45 | +1 |

cc @tonyghiani

Labels

backport This PR is a backport of another PR
