[8.x] [upgrade assistant] Add authz info to REST api endpoints (#205071…

…) (#205597)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[upgrade assistant] Add authz info to REST api endpoints
(#205071)](#205071)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Matthew
Kime","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-06T11:43:30Z","message":"[upgrade
assistant] Add authz info to REST api endpoints (#205071)\n\n##
Summary\r\n\r\nSimply adding `authz` info to REST endpoints as part
of\r\nhttps://github.com//pull/204531","sha":"4eb900651a97fe117b147e3737ad9dc3d9ee4a12","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","Feature:Upgrade
Assistant","v9.0.0","backport:prev-minor"],"title":"[upgrade assistant]
Add authz info to REST api
endpoints","number":205071,"url":"https://github.com/elastic/kibana/pull/205071","mergeCommit":{"message":"[upgrade
assistant] Add authz info to REST api endpoints (#205071)\n\n##
Summary\r\n\r\nSimply adding `authz` info to REST endpoints as part
of\r\nhttps://github.com//pull/204531","sha":"4eb900651a97fe117b147e3737ad9dc3d9ee4a12"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/205071","number":205071,"mergeCommit":{"message":"[upgrade
assistant] Add authz info to REST api endpoints (#205071)\n\n##
Summary\r\n\r\nSimply adding `authz` info to REST endpoints as part
of\r\nhttps://github.com//pull/204531","sha":"4eb900651a97fe117b147e3737ad9dc3d9ee4a12"}}]}]
BACKPORT-->

Co-authored-by: Matthew Kime <[email protected]>

x-pack/platform/plugins/private/upgrade_assistant/server/routes/app.ts

@@ -43,6 +43,12 @@ export function registerAppRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/privileges`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/cloud_backup_status.ts

@@ -15,7 +15,16 @@ export function registerCloudBackupStatusRoutes({
 }: RouteDependencies) {
   // GET most recent Cloud snapshot
   router.get(
-    { path: `${API_BASE_PATH}/cloud_backup_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cloud_backup_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     versionCheckHandlerWrapper(async (context, request, response) => {
       const { client: clusterClient } = (await context.core).elasticsearch;
 

x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_settings.ts

@@ -17,6 +17,12 @@ export function registerClusterSettingsRoute({
   router.post(
     {
       path: `${API_BASE_PATH}/cluster_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           settings: schema.arrayOf(schema.string()),

x-pack/platform/plugins/private/upgrade_assistant/server/routes/cluster_upgrade_status.ts

@@ -11,7 +11,16 @@ import { RouteDependencies } from '../types';
 
 export function registerClusterUpgradeStatusRoutes({ router }: RouteDependencies) {
   router.get(
-    { path: `${API_BASE_PATH}/cluster_upgrade_status`, validate: false },
+    {
+      path: `${API_BASE_PATH}/cluster_upgrade_status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Lightweight endpoint',
+        },
+      },
+      validate: false,
+    },
     // We're just depending on the version check to return a 426.
     // Otherwise we just return a 200.
     versionCheckHandlerWrapper(async (context, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/deprecation_logging.ts

@@ -28,6 +28,12 @@ export function registerDeprecationLoggingRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
@@ -46,6 +52,12 @@ export function registerDeprecationLoggingRoutes({
   router.put(
     {
       path: `${API_BASE_PATH}/deprecation_logging`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           isEnabled: schema.boolean(),
@@ -70,6 +82,12 @@ export function registerDeprecationLoggingRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/deprecation_logging/count`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         query: schema.object({
           from: schema.string(),
@@ -124,6 +142,12 @@ export function registerDeprecationLoggingRoutes({
   router.delete(
     {
       path: `${API_BASE_PATH}/deprecation_logging/cache`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/es_deprecations.ts

@@ -22,6 +22,12 @@ export function registerESDeprecationRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/es_deprecations`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts

@@ -145,6 +145,12 @@ export function registerMlSnapshotRoutes({
   router.post(
     {
       path: `${API_BASE_PATH}/ml_snapshots`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         body: schema.object({
           snapshotId: schema.string(),
@@ -195,6 +201,12 @@ export function registerMlSnapshotRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/ml_snapshots/{jobId}/{snapshotId}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           snapshotId: schema.string(),

x-pack/platform/plugins/private/upgrade_assistant/server/routes/node_disk_space.ts

@@ -47,6 +47,12 @@ export function registerNodeDiskSpaceRoute({ router, lib: { handleEsError } }: R
   router.get(
     {
       path: `${API_BASE_PATH}/node_disk_space`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/batch_reindex_indices.ts

@@ -36,6 +36,12 @@ export function registerBatchReindexIndicesRoutes(
   router.get(
     {
       path: `${BASE_PATH}/batch/queue`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Get the batch reindex queue`,
@@ -75,6 +81,12 @@ export function registerBatchReindexIndicesRoutes(
   router.post(
     {
       path: `${BASE_PATH}/batch`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Batch start or resume reindex`,

x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts

@@ -34,6 +34,12 @@ export function registerReindexIndicesRoutes(
   router.post(
     {
       path: `${BASE_PATH}/{indexName}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Start or resume reindex`,

x-pack/platform/plugins/private/upgrade_assistant/server/routes/remote_clusters.ts

@@ -13,6 +13,12 @@ export function registerRemoteClustersRoute({ router, lib: { handleEsError } }:
   router.get(
     {
       path: `${API_BASE_PATH}/remote_clusters`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/status.ts

@@ -24,6 +24,12 @@ export function registerUpgradeStatusRoute({
   router.get(
     {
       path: `${API_BASE_PATH}/status`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       options: {
         access: 'public',
         summary: `Get upgrade readiness status`,

x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts

@@ -19,7 +19,16 @@ export function registerSystemIndicesMigrationRoutes({
 }: RouteDependencies) {
   // GET status of the system indices migration
   router.get(
-    { path: `${API_BASE_PATH}/system_indices_migration`, validate: false },
+    {
+      path: `${API_BASE_PATH}/system_indices_migration`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
       try {
         const {

x-pack/platform/plugins/private/upgrade_assistant/server/routes/update_index_settings.ts

@@ -14,6 +14,12 @@ export function registerUpdateSettingsRoute({ router }: RouteDependencies) {
   router.post(
     {
       path: `${API_BASE_PATH}/{indexName}/index_settings`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           indexName: schema.string(),