Add -all & -read tags for HTTP routes

x-pack/plugins/ingest_manager/server/plugin.ts

@@ -53,6 +53,16 @@ export interface IngestManagerAppContext {
   savedObjects: SavedObjectsServiceStart;
 }
 
+const allSavedObjectTypes = [
+  OUTPUT_SAVED_OBJECT_TYPE,
+  AGENT_CONFIG_SAVED_OBJECT_TYPE,
+  DATASOURCE_SAVED_OBJECT_TYPE,
+  PACKAGES_SAVED_OBJECT_TYPE,
+  AGENT_SAVED_OBJECT_TYPE,
+  AGENT_EVENT_SAVED_OBJECT_TYPE,
+  ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
+];
+
 export class IngestManagerPlugin implements Plugin {
   private config$: Observable<IngestManagerConfigType>;
   private security: SecurityPluginSetup | undefined;
@@ -77,34 +87,18 @@ export class IngestManagerPlugin implements Plugin {
         app: [PLUGIN_ID, 'kibana'],
         privileges: {
           all: {
-            api: [PLUGIN_ID],
+            api: [`${PLUGIN_ID}-read`, `${PLUGIN_ID}-all`],
             savedObject: {
-              all: [
-                OUTPUT_SAVED_OBJECT_TYPE,
-                AGENT_CONFIG_SAVED_OBJECT_TYPE,
-                DATASOURCE_SAVED_OBJECT_TYPE,
-                PACKAGES_SAVED_OBJECT_TYPE,
-                AGENT_SAVED_OBJECT_TYPE,
-                AGENT_EVENT_SAVED_OBJECT_TYPE,
-                ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
-              ],
+              all: allSavedObjectTypes,
               read: [],
             },
             ui: ['show', 'read', 'write'],
           },
           read: {
-            api: [PLUGIN_ID],
+            api: [`${PLUGIN_ID}-read`],
             savedObject: {
               all: [],
-              read: [
-                OUTPUT_SAVED_OBJECT_TYPE,
-                AGENT_CONFIG_SAVED_OBJECT_TYPE,
-                DATASOURCE_SAVED_OBJECT_TYPE,
-                PACKAGES_SAVED_OBJECT_TYPE,
-                AGENT_SAVED_OBJECT_TYPE,
-                AGENT_EVENT_SAVED_OBJECT_TYPE,
-                ENROLLMENT_API_KEYS_SAVED_OBJECT_TYPE,
-              ],
+              read: allSavedObjectTypes,
             },
             ui: ['show', 'read'],
           },

x-pack/plugins/ingest_manager/server/routes/agent/index.ts

@@ -42,7 +42,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.INFO_PATTERN,
       validate: GetOneAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentHandler
   );
@@ -51,7 +51,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateAgentHandler
   );
@@ -60,7 +60,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.DELETE_PATTERN,
       validate: DeleteAgentRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteAgentHandler
   );
@@ -69,7 +69,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.LIST_PATTERN,
       validate: GetAgentsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentsHandler
   );
@@ -108,7 +108,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.UNENROLL_PATTERN,
       validate: PostAgentUnenrollRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     postAgentsUnenrollHandler
   );
@@ -118,7 +118,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.EVENTS_PATTERN,
       validate: GetOneAgentEventsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentEventsHandler
   );
@@ -128,7 +128,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_API_ROUTES.STATUS_PATTERN,
       validate: GetAgentStatusRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentStatusForConfigHandler
   );

x-pack/plugins/ingest_manager/server/routes/agent_config/index.ts

@@ -28,7 +28,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.LIST_PATTERN,
       validate: GetAgentConfigsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getAgentConfigsHandler
   );
@@ -38,7 +38,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.INFO_PATTERN,
       validate: GetOneAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneAgentConfigHandler
   );
@@ -48,7 +48,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.CREATE_PATTERN,
       validate: CreateAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createAgentConfigHandler
   );
@@ -58,7 +58,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateAgentConfigHandler
   );
@@ -68,7 +68,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.DELETE_PATTERN,
       validate: DeleteAgentConfigsRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteAgentConfigsHandler
   );
@@ -78,7 +78,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: AGENT_CONFIG_API_ROUTES.FULL_INFO_PATTERN,
       validate: GetFullAgentConfigRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFullAgentConfig
   );

x-pack/plugins/ingest_manager/server/routes/datasource/index.ts

@@ -24,7 +24,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.LIST_PATTERN,
       validate: GetDatasourcesRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getDatasourcesHandler
   );
@@ -34,7 +34,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.INFO_PATTERN,
       validate: GetOneDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneDatasourceHandler
   );
@@ -44,7 +44,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.CREATE_PATTERN,
       validate: CreateDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createDatasourceHandler
   );
@@ -54,7 +54,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: DATASOURCE_API_ROUTES.UPDATE_PATTERN,
       validate: UpdateDatasourceRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     updateDatasourceHandler
   );

x-pack/plugins/ingest_manager/server/routes/enrollment_api_key/index.ts

@@ -23,7 +23,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.INFO_PATTERN,
       validate: GetOneEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getOneEnrollmentApiKeyHandler
   );
@@ -32,7 +32,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.DELETE_PATTERN,
       validate: DeleteEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deleteEnrollmentApiKeyHandler
   );
@@ -41,7 +41,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.LIST_PATTERN,
       validate: GetEnrollmentAPIKeysRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getEnrollmentApiKeysHandler
   );
@@ -50,7 +50,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: ENROLLMENT_API_KEY_ROUTES.CREATE_PATTERN,
       validate: PostEnrollmentAPIKeyRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     postEnrollmentApiKeyHandler
   );

x-pack/plugins/ingest_manager/server/routes/epm/index.ts

@@ -26,7 +26,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.CATEGORIES_PATTERN,
       validate: false,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getCategoriesHandler
   );
@@ -35,7 +35,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.LIST_PATTERN,
       validate: GetPackagesRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getListHandler
   );
@@ -44,7 +44,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.FILEPATH_PATTERN,
       validate: GetFileRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFileHandler
   );
@@ -53,7 +53,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.INFO_PATTERN,
       validate: GetInfoRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getInfoHandler
   );
@@ -62,7 +62,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.INSTALL_PATTERN,
       validate: InstallPackageRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     installPackageHandler
   );
@@ -71,7 +71,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: EPM_API_ROUTES.DELETE_PATTERN,
       validate: DeletePackageRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     deletePackageHandler
   );

x-pack/plugins/ingest_manager/server/routes/setup/index.ts

@@ -18,7 +18,9 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: SETUP_API_ROUTE,
       validate: false,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      // if this route is set to `-all`, a read-only user get a 404 for this route
+      // and will see `Unable to initialize Ingest Manager` in the UI
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     ingestManagerSetupHandler
   );
@@ -27,7 +29,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: FLEET_SETUP_API_ROUTES.INFO_PATTERN,
       validate: GetFleetSetupRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-read`] },
     },
     getFleetSetupHandler
   );
@@ -37,7 +39,7 @@ export const registerRoutes = (router: IRouter) => {
     {
       path: FLEET_SETUP_API_ROUTES.CREATE_PATTERN,
       validate: CreateFleetSetupRequestSchema,
-      options: { tags: [`access:${PLUGIN_ID}`] },
+      options: { tags: [`access:${PLUGIN_ID}-all`] },
     },
     createFleetSetupHandler
   );