[SOR] Intersect allowed and authorized types #244967
| } | ||
| if (authorizationResult?.status === 'partially_authorized') { | ||
| if ( | ||
| authorizationResult?.status === 'fully_authorized' || |
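Review bot: the `fully_authorized ||` clause added to this condition is redundant once the `unauthorized` case has already returned earlier in the function (as the thread notes), so the intent that both authorization levels deliberately share the intersection path is not visible from the code alone; either collapse the condition to a single check on `authorizationResult?.status` or keep the clause with a comment stating why both statuses take this branch.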
This only ensures the same path is followed for both authorization levels, although, functionally, it achieves the same result if we don't add this clause in the if.
Happy to remove this line if we think that performance might be a problem.
I'd appreciate @azasypkin's thoughts on this.
Would it be more defensive to express this as `if (authorizationResult?.status) {`?
I'd like @elastic/kibana-security's input to help me answer that.
I might be missing some other context here, but if you are concerned with having the overhead of additional conditional checks, then this can just check that authorizationResult is not undefined or that authorizationResult.status is not unauthorized. Though, just before this we're returning if unauthorized. By this point in the execution path, the status must be either partially or fully authorized.
Apologies for not being clear: what I meant is that, in the current code, the fully_authorized doesn't go through this path, so typeToNamespacesMap is not defined, and only allowedTypes is used.
Maybe it's not worth spending CPU cycles to calculate the intersection of the authorized and the allowed types because the intersection will always equal allowedTypes.
I only added it because it made the code consistent before the fix. But happy to revert this change if we think that the extra CPU cycles are not necessary.
Ah, I see. Thanks for clarifying. You are correct, and I think it is fine to skip this logic for fully_authorized if there is any concern about performance here.
I added a code comment for future us to know that it's safe to be removed.
I left it for consistency, and because, while there are more CPU cycles used... I'd expect that, typically, users are partially_authorized, so we're just removing that branch for a low percentage of the users.
| // Discard the types that the SO repository doesn't know about (typically hidden objects). | ||
| if (!allowedTypes.includes(objType)) continue; |
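Review bot: `allowedTypes.includes(objType)` is a linear scan executed once per entry of the authorization map, so this loop is O(types × allowedTypes); building a `Set` from `allowedTypes` once before the loop and testing `has(objType)` keeps the new check cheap, which matters now that fully authorized clients also take this path and the thread already raises the cost of the extra CPU cycles.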
Mixing the user's authorization and the client's scope here (which can be odd).
However, typeToNamespacesMap doesn't really imply that it's bound to only one.
Part of the issue/complexity for me is that we have types and typeToNamespacesMap and these can get out-of-sync. In that context, code like this looks a bit weird to me:
Shouldn't our `type: string | string[] | undefined` be the source of truth for the types we are building queries for? Would another fix be to just use type as types when building our query (just on that line I linked)? Or does that break something else?
IIUC, this would break the authorization part: if we only look at the requested type, users who don't have access to the type will be able to read it. Also, in the line that you shared, type can be undefined, leading getTypes to return all registered types (no matter if the user has access or not).
The bug here is that type is "cleaned up" from the hidden SOs that the SO Client isn't allowed to read, but we don't apply such filter to typeToNamespacesMap.
I see, thanks for taking a closer look @afharo! We also have a comment talking directly to the issue I expressed:

    typeToNamespacesMap, // If defined, this takes precedence over the `type` and `namespaces` fields

Still a bit odd, but I think that's OK!
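To make the bug described in this thread concrete, here is an added example (not Kibana's own code) that models the behaviour before the fix, where typeToNamespacesMap is intersected only with the raw requested types, beside the fixed version that also intersects it with the repository's allowedTypes. The AuthorizationResult shape, its typeMap field and the hidden 'fleet-secret' type are assumptions made for the illustration.

```typescript
// Added example, not Kibana's own code: a small model of the Saved Objects Repository
// (SOR) check discussed in this PR. The AuthorizationResult shape, its typeMap field and
// the 'fleet-secret' hidden type are assumptions made for illustration only.

type AuthorizationStatus = 'unauthorized' | 'partially_authorized' | 'fully_authorized';

interface AuthorizationResult {
  status: AuthorizationStatus;
  // type -> namespaces the user may read that type in (assumed shape)
  typeMap: Map<string, string[]>;
}

interface SavedObjectTypeDef {
  name: string;
  hidden: boolean;
}

// A repository instance may touch every non-hidden type plus the hidden types it was
// explicitly created with (includedHiddenTypes).
export function getAllowedTypes(
  registered: SavedObjectTypeDef[],
  includedHiddenTypes: string[] = []
): string[] {
  return registered
    .filter((t) => !t.hidden || includedHiddenTypes.includes(t.name))
    .map((t) => t.name);
}

// Behaviour the thread describes before the fix: `type` is cleaned of types the
// repository doesn't know about, but typeToNamespacesMap is built from the
// authorization map intersected only with the raw requested types, and the
// fully_authorized case skips this path entirely.
export function buildTypeToNamespacesMapBefore(
  authz: AuthorizationResult,
  requestedTypes: string[]
): Map<string, string[]> | undefined {
  if (authz.status !== 'partially_authorized') return undefined;
  const map = new Map<string, string[]>();
  authz.typeMap.forEach((namespaces, objType) => {
    if (requestedTypes.includes(objType)) map.set(objType, namespaces);
  });
  return map;
}

// After the fix: both authorization levels share the path, and every entry is also
// checked against allowedTypes, so hidden types never reach the query.
export function buildTypeToNamespacesMapAfter(
  authz: AuthorizationResult,
  requestedTypes: string[],
  allowedTypes: string[]
): Map<string, string[]> | undefined {
  if (authz.status === 'unauthorized') return undefined;
  const allowed = new Set(allowedTypes); // one Set keeps the per-entry check O(1)
  const map = new Map<string, string[]>();
  authz.typeMap.forEach((namespaces, objType) => {
    if (!requestedTypes.includes(objType)) return;
    // Discard the types that the SO repository doesn't know about (typically hidden objects).
    if (!allowed.has(objType)) return;
    map.set(objType, namespaces);
  });
  return map;
}

// The query layer: a defined typeToNamespacesMap takes precedence over the cleaned
// `type` list, which is exactly why an unfiltered map leaks hidden types.
export function typesInQuery(
  typeToNamespacesMap: Map<string, string[]> | undefined,
  cleanedTypes: string[]
): string[] {
  const types = typeToNamespacesMap ? Array.from(typeToNamespacesMap.keys()) : cleanedTypes;
  return [...types].sort();
}

// Constructed scenario: a user asks for a visible and a hidden type through a
// repository that was not created with that hidden type.
export const registeredTypes: SavedObjectTypeDef[] = [
  { name: 'dashboard', hidden: false },
  { name: 'foo', hidden: false },
  { name: 'fleet-secret', hidden: true }, // constructed hidden type
];

export function scenario(
  status: AuthorizationStatus = 'partially_authorized'
): { before: string[]; after: string[] } {
  const allowedTypes = getAllowedTypes(registeredTypes);
  const requestedTypes = ['dashboard', 'fleet-secret'];
  // This is the cleanup that `type` already received before the fix.
  const cleanedTypes = requestedTypes.filter((t) => allowedTypes.includes(t));
  const authz: AuthorizationResult = {
    status,
    typeMap: new Map<string, string[]>([
      ['dashboard', ['default']],
      ['fleet-secret', ['default']],
    ]),
  };
  return {
    before: typesInQuery(buildTypeToNamespacesMapBefore(authz, requestedTypes), cleanedTypes),
    after: typesInQuery(buildTypeToNamespacesMapAfter(authz, requestedTypes, allowedTypes), cleanedTypes),
  };
}

console.log(scenario()); // { before: [ 'dashboard', 'fleet-secret' ], after: [ 'dashboard' ] }
```

For a fully authorized user both versions query only 'dashboard', which is the consistency point made earlier in the thread: the intersection only changes the outcome for partially authorized clients.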
| { | ||
| type: [ | ||
| type, | ||
| 'foo', |
I had to add foo to the requested type so that it is kept in the auth map.
| expect(arrayMapsAreEqual(actualMap, expectedMap)).toBeTruthy(); | ||
| }); | ||
|
|
||
| test(`uses the authorization map when fully authorized`, async () => { |
Just repeating the test above, but for fully authorized.
| // Make sure to search through all the hidden types as well. | ||
| includedHiddenTypes: types.filter((t) => t.hidden).map((t) => t.name), |
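Review bot: passing every registered hidden type into `includedHiddenTypes` widens this client's scope from the types it resolved references for before to all hidden types at once, which is a behaviour change for the owners of those hidden types rather than part of the authorization fix; as the thread below agrees, it is safer to land this together with the owning teams' sign-off and integration tests than inside the security fix.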
I assume that we want to search references to the Data View across all types. Is my assumption correct?
Nice, tested locally and this fixes the bug from #243432, thanks!
And your assumption is correct, although we're intending to get approval from existing hidden SO owners before changing the swap_references API to make sure everyone is on the same page. I've pinged all owning teams now and am tracking an approvals list in #243432.
I'm hoping to get all approvals quickly, but if you'd like to get this PR merged ahead of that, please feel free to drop these changes for now and we can reintroduce them in a separate PR after, as well as adding some integration tests for it.
Thank you, @davismcphee.
We agreed in the Core team that we'll send a heads-up to all other teams and hold off on merging until next week to give enough time to test and react. So happy to wait for your approval.
Thanks for the heads up @afharo, I think this makes sense. Looks like the swap_references case is a bit more complicated than anticipated, and we'll have some additional work to do there.
Pinging @elastic/kibana-core (Team:Core)
Pinging @elastic/kibana-security (Team:Security)
Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)
cc @afharo
Starting backport for target branches: 8.19, 9.1, 9.2
## Summary

We identified some scenarios where clients authorized to a partial list of SO types would circumvent the Saved Objects Repository's allowed types (it could list "hidden" SO types).

This PR addresses this issue by unifying the flow for partially and fully authorized clients, and applying the intersection of the allowed and authorized lists.

### Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker)
- [x] This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The `release_note:breaking` label should be applied in these situations.
- [x] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
- [x] Review the [backport guidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing) and apply applicable `backport:*` labels.

### Identify risks

- [x] Some APIs might have been abusing this bug. We need to validate through CI that they work as intended, and send an internal note to all Kibana contributors to raise awareness of potential failures.

---------

Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>

(cherry picked from commit 28fc5b9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
# Backport

This will backport the following commits from `main` to `9.2`:
- [[SOR] Intersect allowed and authorized types (#244967)](#244967)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Alejandro Fernández Haro <alejandro.haro@elastic.co>
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
# Backport

This will backport the following commits from `main` to `8.19`:
- [[SOR] Intersect allowed and authorized types (#244967)](#244967)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Alejandro Fernández Haro <alejandro.haro@elastic.co>
Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
# Backport

This will backport the following commits from `main` to `9.1`:
- [[SOR] Intersect allowed and authorized types (#244967)](#244967)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
The\n`release_note:breaking` label should be applied in these situations.\n- [x] [Flaky Test\nRunner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was\nused on any tests changed\n- [x] The PR description includes the appropriate Release Notes section,\nand the correct `release_note:*` label is applied per the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n- [x] Review the [backport\nguidelines](https://docs.google.com/document/d/1VyN5k91e5OVumlc0Gb9RPa3h1ewuPE705nRtioPiTvY/edit?usp=sharing)\nand apply applicable `backport:*` labels.\n\n### Identify risks\n\n- [x] Some APIs might have been abusing this bug. We need to validate\nthrough CI that they work as intended, and send an internal note to all\nKibana contributors to raise awareness of potential failures.\n\n---------\n\nCo-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>","sha":"28fc5b935532b01a810acfefbeaf2b7ce8dba82c"}}]}] BACKPORT--> Co-authored-by: Alejandro Fernández Haro <alejandro.haro@elastic.co> Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>
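The summary above states the defect at the level of two code paths: a partially authorized client's type list was not intersected with the repository's allowed types, so a hidden type the role happened to grant could be searched. The TypeScript below is an added illustration, not Kibana's code or the PR's diff. It models a find() type-resolution step in a buggy variant, where partial and full authorization take different paths and only the full path honours the allowed types, beside a fixed variant that takes one path for both statuses and intersects the requested, allowed and authorized sets. Every name in it (RepositoryModel, AuthorizationResult, authorizedSpacesByType, resolveSearchTypesBefore/After, leakedTypes, the '*' all-spaces marker, the constructed 'secret-settings' hidden type) is an assumption made for the example.

```typescript
// Added illustration, not Kibana's code: a simplified model of the find()
// type-resolution step that the PR fixes. All names below are assumptions.

type AuthorizationStatus = 'unauthorized' | 'partially_authorized' | 'fully_authorized';

interface AuthorizationResult {
  status: AuthorizationStatus;
  // Saved-object type -> spaces in which the client may read that type.
  // Only meaningful for partially authorized clients (assumption of this model).
  authorizedSpacesByType: Record<string, string[]>;
}

interface RepositoryModel {
  // Types the repository serves: registered non-hidden types plus hidden
  // types explicitly opted into when the client was created (assumption).
  allowedTypes: string[];
}

// Resolved search scope: type -> spaces to search. '*' stands for "all spaces"
// for a fully authorized client (assumption of this model).
type TypeToSpaces = Record<string, string[]>;

function isAllowed(repo: RepositoryModel, type: string): boolean {
  return repo.allowedTypes.some((t) => t === type);
}

// Behaviour before the fix, as the PR summary describes it: partial and full
// authorization take different paths, and only the full path honours allowedTypes.
function resolveSearchTypesBefore(
  repo: RepositoryModel,
  requested: string[],
  auth: AuthorizationResult
): TypeToSpaces {
  if (auth.status === 'unauthorized') throw new Error('unauthorized');
  const scope: TypeToSpaces = {};
  if (auth.status === 'fully_authorized') {
    requested.filter((t) => isAllowed(repo, t)).forEach((t) => { scope[t] = ['*']; });
    return scope;
  }
  // partially_authorized: the authorization map is trusted as-is, so a hidden
  // type the role happens to grant is searched although the repository never allowed it.
  requested.forEach((t) => {
    const spaces = auth.authorizedSpacesByType[t];
    if (spaces && spaces.length > 0) scope[t] = spaces;
  });
  return scope;
}

// Behaviour after the fix: one path for both statuses; the searched set is the
// intersection of the requested types, the repository's allowed types and,
// for partial authorization, the authorized types.
function resolveSearchTypesAfter(
  repo: RepositoryModel,
  requested: string[],
  auth: AuthorizationResult
): TypeToSpaces {
  if (auth.status === 'unauthorized') throw new Error('unauthorized');
  const scope: TypeToSpaces = {};
  requested.forEach((t) => {
    if (!isAllowed(repo, t)) return; // never search a type the repository does not serve
    if (auth.status === 'fully_authorized') {
      scope[t] = ['*'];
      return;
    }
    const spaces = auth.authorizedSpacesByType[t];
    if (spaces && spaces.length > 0) scope[t] = spaces;
  });
  return scope;
}

// Types a resolver would search that lie outside the repository's allowed set,
// i.e. the leak the PR closes. Returns [] when the resolver is safe.
function leakedTypes(
  resolver: (repo: RepositoryModel, requested: string[], auth: AuthorizationResult) => TypeToSpaces,
  repo: RepositoryModel,
  requested: string[],
  auth: AuthorizationResult
): string[] {
  return Object.keys(resolver(repo, requested, auth)).filter((t) => !isAllowed(repo, t));
}

// Constructed sample input. 'secret-settings' stands for a hidden type the
// repository was not created with, but which the client's role grants read access to.
const sampleRepo: RepositoryModel = { allowedTypes: ['dashboard', 'visualization'] };
const requestedTypes: string[] = ['dashboard', 'secret-settings'];
const partialAuth: AuthorizationResult = {
  status: 'partially_authorized',
  authorizedSpacesByType: { dashboard: ['default'], 'secret-settings': ['default'] },
};
const fullAuth: AuthorizationResult = { status: 'fully_authorized', authorizedSpacesByType: {} };

console.log('before:', leakedTypes(resolveSearchTypesBefore, sampleRepo, requestedTypes, partialAuth)); // ['secret-settings']
console.log('after: ', leakedTypes(resolveSearchTypesAfter, sampleRepo, requestedTypes, partialAuth)); // []
```

For the fully authorized client the fixed resolver returns exactly what the buggy one did (only the allowed types, across all spaces), so the unified path changes nothing for that case; the gain is entirely in the partially authorized case, where the hidden type drops out of the search scope. When checking a real deployment for this class of issue, the property to test is the one `leakedTypes` encodes: no type outside the repository's allowed set may ever reach the query, whatever the authorization status.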