elastic / kibana


[Breaking] Restrict internal APIs by default in 9.0 #163654

Open lukeelmers opened 1 year ago

lukeelmers commented 1 year ago

For our serverless offering we introduced a mechanism to prevent access to internal-only APIs by setting server.restrictInternalApis: true.

We cannot enable this in on-prem / ESS Kibana in 8.x as it would be a breaking change; however, we should remove this configuration in 9.0 so we can enforce internal API restrictions in all environments.

We also need to add a KB to communicate the change with Support. Opening this issue as a reminder for whenever 9.0 rolls around.

elasticmachine commented 1 year ago

Pinging @elastic/kibana-core (Team:Core)

TinaHeiligers commented 1 year ago

> whenever 9.0 rolls around.

It might happen sooner than we thought!

TinaHeiligers commented 3 months ago

Part of https://github.com/elastic/kibana/issues/179467

TinaHeiligers commented 3 weeks ago

For PR review: Add how to enable the restriction for testing.