[9.0] [Authz]: added reason for authorization opt out for snapshot_restore routes (#213888) (#214727)

# Backport

This will backport the following commits from `main` to `9.0`:
- [[Authz]: added reason for authorization opt out for snapshot_restore
routes (#213888)](#213888)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Elena
Shostak","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-03-17T12:15:45Z","message":"[Authz]:
added reason for authorization opt out for snapshot_restore routes
(#213888)\n\n## Summary\n\nAdded reason for authorization opt out for
`snapshot_restore` routes.\n\n\n### Checklist\n\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"59e606cdc49e6500bfd7a9a6e95c4e9d4174e775","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Feature:Security/Authorization","backport:prev-minor","backport:version","Authz:
API migration","v9.1.0","v8.19.0"],"title":"[Authz]: added reason for
authorization opt out for snapshot_restore
routes","number":213888,"url":"https://github.com/elastic/kibana/pull/213888","mergeCommit":{"message":"[Authz]:
added reason for authorization opt out for snapshot_restore routes
(#213888)\n\n## Summary\n\nAdded reason for authorization opt out for
`snapshot_restore` routes.\n\n\n### Checklist\n\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"59e606cdc49e6500bfd7a9a6e95c4e9d4174e775"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/213888","number":213888,"mergeCommit":{"message":"[Authz]:
added reason for authorization opt out for snapshot_restore routes
(#213888)\n\n## Summary\n\nAdded reason for authorization opt out for
`snapshot_restore` routes.\n\n\n### Checklist\n\n- [x] The PR
description includes the appropriate Release Notes section,\nand the
correct `release_note:*` label is applied per
the\n[guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\n\nCo-authored-by:
Elastic Machine
<[email protected]>","sha":"59e606cdc49e6500bfd7a9a6e95c4e9d4174e775"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Elena Shostak <[email protected]>

Author: kibanamachine

x-pack/platform/plugins/private/snapshot_restore/server/routes/api/policy.ts

@@ -95,7 +95,16 @@ export function registerPolicyRoutes({
 
   // Create policy
   router.post(
-    { path: addBasePath('policies'), validate: { body: policySchema } },
+    {
+      path: addBasePath('policies'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: policySchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
 
@@ -134,6 +143,12 @@ export function registerPolicyRoutes({
   router.put(
     {
       path: addBasePath('policies/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { params: nameParameterSchema, body: policySchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -162,7 +177,16 @@ export function registerPolicyRoutes({
 
   // Delete policy
   router.delete(
-    { path: addBasePath('policies/{name}'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('policies/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const { name } = req.params as TypeOf<typeof nameParameterSchema>;
@@ -193,7 +217,16 @@ export function registerPolicyRoutes({
 
   // Execute policy
   router.post(
-    { path: addBasePath('policy/{name}/run'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('policy/{name}/run'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const { name } = req.params as TypeOf<typeof nameParameterSchema>;
@@ -212,7 +245,16 @@ export function registerPolicyRoutes({
 
   // Get policy indices
   router.get(
-    { path: addBasePath('policies/indices'), validate: false },
+    {
+      path: addBasePath('policies/indices'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
 
@@ -243,7 +285,16 @@ export function registerPolicyRoutes({
 
   // Get policy feature states
   router.get(
-    { path: addBasePath('policies/features'), validate: false },
+    {
+      path: addBasePath('policies/features'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
 
@@ -259,7 +310,16 @@ export function registerPolicyRoutes({
 
   // Get retention settings
   router.get(
-    { path: addBasePath('policies/retention_settings'), validate: false },
+    {
+      path: addBasePath('policies/retention_settings'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const { persistent, transient, defaults } =
@@ -288,6 +348,12 @@ export function registerPolicyRoutes({
   router.put(
     {
       path: addBasePath('policies/retention_settings'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { body: retentionSettingsSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -314,7 +380,16 @@ export function registerPolicyRoutes({
 
   // Execute retention
   router.post(
-    { path: addBasePath('policies/retention'), validate: false },
+    {
+      path: addBasePath('policies/retention'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const response = await clusterClient.asCurrentUser.slm.executeRetention();
@@ -324,7 +399,16 @@ export function registerPolicyRoutes({
 
   // Get snapshot lifecycle management status
   router.get(
-    { path: addBasePath('policies/slm_status'), validate: false },
+    {
+      path: addBasePath('policies/slm_status'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
 

x-pack/platform/plugins/private/snapshot_restore/server/routes/api/repositories.ts

@@ -172,7 +172,16 @@ export function registerRepositoriesRoutes({
 
   // GET repository types
   router.get(
-    { path: addBasePath('repository_types'), validate: false },
+    {
+      path: addBasePath('repository_types'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       // module repo types are available everywhere out of the box
@@ -212,6 +221,12 @@ export function registerRepositoriesRoutes({
   router.get(
     {
       path: addBasePath('repositories/{name}/verify'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { params: nameParameterSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -246,6 +261,12 @@ export function registerRepositoriesRoutes({
   router.post(
     {
       path: addBasePath('repositories/{name}/cleanup'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { params: nameParameterSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -289,7 +310,16 @@ export function registerRepositoriesRoutes({
 
   // Create repository
   router.put(
-    { path: addBasePath('repositories'), validate: { body: repositorySchema } },
+    {
+      path: addBasePath('repositories'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: repositorySchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const { name = '', type = '', settings = {} } = req.body as TypeOf<typeof repositorySchema>;
@@ -328,6 +358,12 @@ export function registerRepositoriesRoutes({
   router.put(
     {
       path: addBasePath('repositories/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { body: repositorySchema, params: nameParameterSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -362,7 +398,16 @@ export function registerRepositoriesRoutes({
 
   // Delete repository
   router.delete(
-    { path: addBasePath('repositories/{name}'), validate: { params: nameParameterSchema } },
+    {
+      path: addBasePath('repositories/{name}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { params: nameParameterSchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;
       const { name } = req.params as TypeOf<typeof nameParameterSchema>;

x-pack/platform/plugins/private/snapshot_restore/server/routes/api/restore.ts

@@ -104,6 +104,12 @@ export function registerRestoreRoutes({
   router.post(
     {
       path: addBasePath('restore/{repository}/{snapshot}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { body: restoreSettingsSchema, params: restoreParamsSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {

x-pack/platform/plugins/private/snapshot_restore/server/routes/api/snapshots.ts

@@ -182,6 +182,12 @@ export function registerSnapshotsRoutes({
   router.get(
     {
       path: addBasePath('snapshots/{repository}/{snapshot}'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: { params: getOneParamsSchema },
     },
     license.guardApiRoute(async (ctx, req, res) => {
@@ -239,7 +245,16 @@ export function registerSnapshotsRoutes({
 
   // DELETE one or multiple snapshots
   router.post(
-    { path: addBasePath('snapshots/bulk_delete'), validate: { body: deleteSchema } },
+    {
+      path: addBasePath('snapshots/bulk_delete'),
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: { body: deleteSchema },
+    },
     license.guardApiRoute(async (ctx, req, res) => {
       const { client: clusterClient } = (await ctx.core).elasticsearch;