Migrate the rest of the API endpoints to the New Platform plugin #50695
Conversation
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
azasypkin
force-pushed
the
issue-xxx-migrate-np-api
branch
from
23c9ff1
to
a70c46d
Compare
💚 Build Succeeded |
azasypkin
force-pushed
the
issue-xxx-migrate-np-api
branch
from
a70c46d
to
88e35f7
Compare
| @@ -5,8 +5,7 @@ | |||
| */ | |||
|
|
|||
| import { kfetch } from 'ui/kfetch'; | |||
| import { ApiKey, ApiKeyToInvalidate } from '../../common/model/api_key'; | |||
| import { INTERNAL_API_BASE_PATH } from '../../common/constants'; | |||
There was a problem hiding this comment.
note: tbh I don't see much value in INTERNAL_API_BASE_PATH constant and it makes it harder to copy-paste URL to find where it's defined. But let me know if you prefer to have it.
There was a problem hiding this comment.
I'm in favor of removing this as well. I enjoy being able to search on full API paths in code
| @@ -39,7 +39,7 @@ const ELASTICSEARCH_PASSWORD = 'ELASTICSEARCH_PASSWORD'; | |||
| /** | |||
| * The Kibana server endpoint used for authentication | |||
| */ | |||
| const LOGIN_API_ENDPOINT = '/api/security/v1/login'; | |||
| const LOGIN_API_ENDPOINT = '/internal/security/login'; | |||
There was a problem hiding this comment.
question: @andrew-goldstein, this code looks a bit suspicious to me, I'd love to hear what it's doing and why? Or is it just test only code?
P.S. I don't see that anyone owns this plugin in .github/CODEOWNERS.
💚 Build Succeeded |
| @@ -4,576 +4,573 @@ | |||
| * you may not use this file except in compliance with the Elastic License. | |||
| */ | |||
|
|
|||
| (function (root, factory) { | |||
There was a problem hiding this comment.
note: just removed this part and run the rest of the file through prettier.
azasypkin
force-pushed
the
issue-xxx-migrate-np-api
branch
from
88e35f7
to
43280e4
Compare
💚 Build Succeeded |
| getLegacyAPI, | ||
| basePath, | ||
| }: RouteDefinitionParams) { | ||
| // Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used. |
There was a problem hiding this comment.
note: lots of BWC tricks in this file, but while I'm here I wanted to clean it up.....
azasypkin
force-pushed
the
issue-xxx-migrate-np-api
branch
from
43280e4
to
94018c1
Compare
| createLicensedRouteHandler(async (context, request, response) => { | ||
| const serverBasePath = basePath.serverBasePath; | ||
| if (path === '/api/security/v1/logout') { | ||
| logger.warn( |
There was a problem hiding this comment.
What do you think about integrating this with the upgrade assistant in a followup PR? I think it'd be helpful for folks when upgrading to the next major version if we make it known that something in their environment is relying on this deprecated endpoint.
To say this another way, I'd personally be annoyed if I ran the upgrade assistant, and it didn't warn me that this would stop working if I was relying on it 😄
Comment applies to the other deprecated endpoints as well
There was a problem hiding this comment.
That's a great idea! I'll try to figure how hard/easy it would be. I tried it once in the distant past and UA wasn't ready for things like this back then, but I believe it's much more advanced now.
| validate: { query: schema.object({}, { allowUnknowns: true }) }, | ||
| options: { authRequired: false }, | ||
| }, | ||
| createLicensedRouteHandler(async (context, request, response) => { |
There was a problem hiding this comment.
The LP implementation for login/logout endpoints did not perform license checks. I think it makes sense to add it for our login routes, but what do you think about removing the check for the logout endpoints? It's an edge-case for sure, but I worry about blocking logout if there is a hiccup with Kibana's view of the current license.
There was a problem hiding this comment.
Yeah, that's a good point, thanks! I'll remove license check from here.
| { path: '/internal/security/me', validate: false }, | ||
| createLicensedRouteHandler(async (context, request, response) => { | ||
| try { | ||
| return response.ok({ body: (await authc.getCurrentUser(request)) as any }); |
There was a problem hiding this comment.
note: authc.getCurrentUser performs an additional round-trip to ES to retrieve the user details. The previous implementation did not have to do this, likely because of the intimate relationship it had with Hapi.
I don't think anything has to change here, but as we move the client-side security plugin to. the NP, we should evaluate all the places we are calling this endpoint. I recall seeing several calls as the page loads which we can likely trim down.
There was a problem hiding this comment.
authc.getCurrentUser performs an additional round-trip to ES to retrieve the user details. The previous implementation did not have to do this, likely because of the intimate relationship it had with Hapi.
Yep, that's correct.
I don't think anything has to change here, but as we move the client-side security plugin to. the NP, we should evaluate all the places we are calling this endpoint. I recall seeing several calls as the page loads which we can likely trim down.
If it becomes a perf problem for us, we'll ask platform to expose existing auth information to plugins: security plugin returns user info to core, core stores it in the internal cache, but just doesn't expose it for now.
| validate: { | ||
| query: schema.object( | ||
| { | ||
| authenticationResponseURI: schema.maybe(schema.string({ minLength: 1 })), |
There was a problem hiding this comment.
question: is there a reason authenticationResponseURI can't be validated via schema.uri() like error_uri is below?
There was a problem hiding this comment.
Hmm, I don't think there is a reason, just an oversight 🙈 Will fix.
| target_link_uri: schema.maybe(schema.uri()), | ||
| state: schema.maybe(schema.string()), | ||
| }, | ||
| { allowUnknowns: true } |
There was a problem hiding this comment.
nit: unrelated to the migration, but can we add a comment explaining why we want to allow unknown object properties here? We're trying to reduce the number of places this is required in code, so documenting legitimate uses will be helpful going forward.
There was a problem hiding this comment.
Sure, added comments in all 3 places in this file.
| loginAttempt: ProviderLoginAttempt | ||
| ) { | ||
| try { | ||
| // We handle the fact that the user might get redirected to Kibana while already having an session |
There was a problem hiding this comment.
super-nit
| // We handle the fact that the user might get redirected to Kibana while already having an session | |
| // We handle the fact that the user might get redirected to Kibana while already having a session |
| if (authenticationResult.succeeded()) { | ||
| return response.forbidden({ | ||
| body: | ||
| 'Sorry, you already have an active Kibana session. ' + |
There was a problem hiding this comment.
This can be done in a followup since it also existed in LP, but we should internationalize this message.
There was a problem hiding this comment.
I was hesitating to translate error messages as users usually copy-paste-google for similar cases. But this one is clear enough and actionable by itself, so agree we can translate it. Will fix in this PR.
| } | ||
|
|
||
| router.get( | ||
| { path: '/internal/security/me', validate: false }, |
There was a problem hiding this comment.
How do you feel about also keeping /api/security/v1/me around for the remainder of 7.x? Although it's not part of our public API, we have instructed both users and customers about this endpoint for quite some time, and I fear we'll break a lot of "custom" configurations by removing this endpoint.
There was a problem hiding this comment.
Hmm, interesting, didn't know that. I can definitely keep it in 7.x. Also what was the use case for customers/users? Would it justify having this as a public API?
There was a problem hiding this comment.
Also what was the use case for customers/users? Would it justify having this as a public API?
I believe there are some custom/third-party plugins which use this endpoint. At the very least, we've put it out there in the public:
| export function defineCreateOrUpdateUserRoutes({ router, clusterClient }: RouteDefinitionParams) { | ||
| router.post( | ||
| { | ||
| path: '/internal/security/users/{username}', |
There was a problem hiding this comment.
It looks like we have a couple references to the old endpoint here
There was a problem hiding this comment.
Oh, good catch, it's a brand new script! Will fix.
…ep `/api/security/v1/me` in 7.x, validate OIDC `authenticationResponseURI` as a proper URI, explain the need for `allowUnknowns` in OIDC routes validation, localize error message, update APM dev script with new `users` internal routes.
| { path, validate: false }, | ||
| createLicensedRouteHandler(async (context, request, response) => { | ||
| if (path === '/api/security/v1/me') { | ||
| logger.warn( |
There was a problem hiding this comment.
note: Assuming we make this route internal I don't mention the name of the internal route as we don't provide any guarantees regarding it.
|
@legrego thanks for the review! PR is ready for another pass. |
Thanks for review and testing! I believe we're good, I tested OIDC and SAML locally as well and we have a good number of integration tests I believe. If we figure out that I broke something, then I'll add even more integration tests. Testing everything manually is hard and tedious and if we can't rely enough on the test coverage we built it's not going to scale anyway 🙈 |
|
7.x/7.6.0: bb8e383 |
💚 Build SucceededHistory
To update your PR or re-run it, just comment with: |
|
It looks like this moved the shield plugin. Is it possible to still use this within the old platform? |
@chrisronline Technically you can still import P.S. The latest version of |
|
Good question. I spoke with @kobelb about some other code and he mentioned we shouldn't use |
|
Are we using the non-legacy Elasticsearch client already? |
You mean |
In this PR, I'm moving the rest of the API endpoints to the New Platform:
NOTE: It'd be much easier to review PR commit by commit.
Fixes: #43258
"Release note:
/api/security/v1/meendpoint is deprecated and will be completely replaced with internal-use-only endpoint in the next major version.""Release note:
/api/security/v1/logoutendpoint is deprecated in favor of/api/security/logoutand will be removed completely in the next major version. Please make sure to switch any Single sign-on providers you use with Kibana to/api/security/logoutinstead.""Release note:
/api/security/v1/oidc/implicitendpoint is deprecated in favor of/api/security/implicitand will be removed completely in the next major version. Please make sure to switch Elasticsearch and any OpenID Connect providers you use with Kibana to/api/security/implicitinstead.""Release note: support of Third-Party Initiated login via
/api/security/v1/oidcendpoint is deprecated and will be removed completely in the next major version. Please make sure to switch OpenID Connect providers you use with Kibana for Third-Party Initiated login to/api/security/initiate_logininstead."