Skip to content

Add license gating to Graph API#255989

Open
albertoblaz wants to merge 4 commits intoelastic:mainfrom
albertoblaz:graph-ealic-server
Open

Add license gating to Graph API#255989
albertoblaz wants to merge 4 commits intoelastic:mainfrom
albertoblaz:graph-ealic-server

Conversation

@albertoblaz
Copy link
Contributor

@albertoblaz albertoblaz commented Mar 4, 2026
edited
Loading

Summary

Closes https://github.com/elastic/security-team/issues/16082.

How to test

  1. Stateful with a basic/gold license — Start ES with basic license using yarn es snapshot --license basic. Call POST /internal/cloud_security_posture/graph with a valid body. Expect a 403 Forbidden with the message "Graph visualization requires a Platinum license or higher."
Screenshot 2026-02-25 at 16 28 48
  1. Stateful with a platinum+ license — Same request should succeed (or return a normal data response / empty result).
Screenshot 2026-02-25 at 15 11 27
  1. Serverless essentials tier — Start ES in serverless mode with yarn es serverless --projectType security --kill and Kibana with yarn serverless-security. Add these lines to your kibana.dev.yml:
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'essentials' },
    { product_line: 'endpoint', product_tier: 'essentials' },
    { product_line: 'cloud', product_tier: 'essentials' },
  ]

The route should not be registered (404).

Screenshot 2026-02-25 at 15 11 36
  1. Serverless complete tier — Remove added lines to kibana.dev.yml. The route should be accessible and return data normally.

Checklist

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Low risk of exposing Graph API when shouldn't be reachable.

@albertoblaz albertoblaz self-assigned this Mar 4, 2026
@albertoblaz albertoblaz added release_note:skip Skip the PR/issue when compiling release notes backport:skip This PR does not require backporting Team:Cloud Security Cloud Security team related ci:build-serverless-image v9.4.0 labels Mar 4, 2026
@albertoblaz albertoblaz marked this pull request as ready for review March 5, 2026 07:58
@albertoblaz albertoblaz requested review from a team as code owners March 5, 2026 07:58
@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 5, 2026

Pinging @elastic/contextual-security-apps (Team:Cloud Security)

@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 5, 2026
edited
Loading

💚 Build Succeeded

  • Buildkite Build
  • Commit: c219752
  • Kibana Serverless Image: docker.elastic.co/kibana-ci/kibana-serverless:pr-255989-c2197525583b

Metrics [docs]

Unknown metric groups

ESLint disabled line counts

id before after diff
@kbn/test-suites-xpack-security 70 71 +1

Total ESLint disabled count

id before after diff
@kbn/test-suites-xpack-security 72 73 +1

History

cc @albertoblaz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@delanni delanni delanni approved these changes

@steliosmavro steliosmavro steliosmavro approved these changes

@alexreal1314 alexreal1314 Awaiting requested review from alexreal1314

@kfirpeled kfirpeled Awaiting requested review from kfirpeled

At least 1 approving review is required to merge this pull request.

Assignees

@albertoblaz albertoblaz

Labels

backport:skip This PR does not require backporting ci:build-serverless-image release_note:skip Skip the PR/issue when compiling release notes Team:Cloud Security Cloud Security team related v9.4.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@albertoblaz @elasticmachine @delanni @steliosmavro