elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Controls] Consider adding authorization to server routes #200779

Open nickpeihl opened 2 hours ago

nickpeihl commented 2 hours ago

The Controls options list route endpoints will be opted out from authorization in https://github.com/elastic/kibana/pull/198329. We should consider enabling authorizations on these routes so that only authorized users can invoke the endpoints. These routes make calls directly to Elasticsearch and, in one case, use the Kibana internal user to authorize with Elasticsearch.

Adding authorization would require adding privileges for the Controls and assigning those privileges to the routes. Users would need the appropriate privileges to access the routes, so we would need to carefully consider all usages of the Controls in Kibana both in Dashboards and Solutions and update and document the necessary privileges so that controls maintain their functionality.

If we decide not to enable authorization on these routes, we should update the reason to explain why authorization is not enabled.
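
An illustration of the trade-off raised in this issue, added here and not part of the original comment or of Kibana's code: a stand-alone model of routes that either opt out of authorization with a reason or require privileges, with an audit that ranks opted-out routes running as the internal user highest. The `authz` shape is a simplified assumption, and the route paths and privilege name are constructed placeholders.

```typescript
// Added illustration: a stand-alone model, not Kibana source code.
// Route paths and privilege names are constructed placeholders.
type AuthzConfig =
  | { enabled: false; reason: string } // route opted out of authorization
  | { requiredPrivileges: string[] }; // caller must hold every listed privilege

interface RouteDef {
  path: string;
  authz: AuthzConfig;
  // true when the handler queries Elasticsearch as the Kibana internal user
  usesInternalUser: boolean;
}

interface Finding {
  path: string;
  severity: "high" | "medium";
  reason: string;
}

const sampleRoutes: RouteDef[] = [
  { path: "/internal/example/options_list", usesInternalUser: false,
    authz: { enabled: false, reason: "placeholder: why authz is off" } },
  { path: "/internal/example/field_lookup", usesInternalUser: true,
    authz: { enabled: false, reason: "placeholder: why authz is off" } },
  { path: "/internal/example/protected", usesInternalUser: false,
    authz: { requiredPrivileges: ["example_controls_read"] } },
];

// Route-level decision: an opted-out route admits any caller that reaches it.
function isAuthorized(route: RouteDef, held: Set<string>): boolean {
  const authz = route.authz;
  if ("enabled" in authz) return true;
  return authz.requiredPrivileges.every((p) => held.has(p));
}

// List opted-out routes. Those running as the internal user rank higher because
// Elasticsearch then checks the internal user's privileges, not the caller's.
function auditOptOuts(routes: RouteDef[]): Finding[] {
  const findings: Finding[] = [];
  for (const route of routes) {
    const authz = route.authz;
    if (!("enabled" in authz)) continue;
    const severity = route.usesInternalUser ? "high" : "medium";
    findings.push({ path: route.path, severity, reason: authz.reason });
  }
  return findings;
}
```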

elasticmachine commented 2 hours ago

Pinging @elastic/kibana-presentation (Team:Presentation)