[8.x] [Kibana Management] Add missing API endpoint authz info (elasti…

…c#209758) (elastic#210135)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Kibana Management] Add missing API endpoint authz info
(elastic#209758)](elastic#209758)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Ignacio
Rivas","email":"rivasign@gmail.com"},"sourceCommit":{"committedDate":"2025-02-07T07:51:22Z","message":"[Kibana
Management] Add missing API endpoint authz info
(elastic#209758)","sha":"a468965588704f61a493eacd691da98877c177e2","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Kibana
Management","release_note:skip","v9.0.0","backport:prev-minor","backport:version","Authz:
API migration","v9.1.0","v8.19.0"],"title":"[Kibana Management] Add
missing API endpoint authz
info","number":209758,"url":"https://github.com/elastic/kibana/pull/209758","mergeCommit":{"message":"[Kibana
Management] Add missing API endpoint authz info
(elastic#209758)","sha":"a468965588704f61a493eacd691da98877c177e2"}},"sourceBranch":"main","suggestedTargetBranches":["9.0","8.x"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/209758","number":209758,"mergeCommit":{"message":"[Kibana
Management] Add missing API endpoint authz info
(elastic#209758)","sha":"a468965588704f61a493eacd691da98877c177e2"}},{"branch":"8.x","label":"v8.19.0","branchLabelMappingKey":"^v8.19.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Ignacio Rivas <rivasign@gmail.com>

src/platform/plugins/shared/console/server/routes/api/console/convert_request_to_language/index.ts

@@ -77,6 +77,11 @@ export const registerConvertRequestRoute = ({
   router.post(
     {
       path: '/api/console/convert_request_to_language',
+      security: {
+        authz: {
+          requiredPrivileges: ['console'],
+        },
+      },
       validate: routeValidationConfig,
     },
     handler

x-pack/platform/plugins/private/upgrade_assistant/server/routes/ml_snapshots.ts

@@ -345,6 +345,12 @@ export function registerMlSnapshotRoutes({
   router.get(
     {
       path: `${API_BASE_PATH}/ml_upgrade_mode`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: false,
     },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
@@ -387,6 +393,12 @@ export function registerMlSnapshotRoutes({
   router.delete(
     {
       path: `${API_BASE_PATH}/ml_snapshots/{jobId}/{snapshotId}`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           snapshotId: schema.string(),

x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_data_streams/reindex_data_stream.ts

@@ -90,6 +90,12 @@ export function registerReindexDataStreamRoutes({
         access: 'public',
         summary: `Get data stream status`,
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           dataStreamName: schema.string(),
@@ -144,6 +150,12 @@ export function registerReindexDataStreamRoutes({
         access: 'public',
         summary: `Get data stream reindexing metadata`,
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           dataStreamName: schema.string(),

x-pack/platform/plugins/private/upgrade_assistant/server/routes/reindex_indices/reindex_indices.ts

@@ -91,6 +91,12 @@ export function registerReindexIndicesRoutes(
         access: 'public',
         summary: `Get reindex status`,
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           indexName: schema.string(),
@@ -152,6 +158,12 @@ export function registerReindexIndicesRoutes(
         access: 'public',
         summary: `Cancel reindex`,
       },
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es and saved object clients for authorization',
+        },
+      },
       validate: {
         params: schema.object({
           indexName: schema.string(),

x-pack/platform/plugins/private/upgrade_assistant/server/routes/system_indices_migration.ts

@@ -52,7 +52,16 @@ export function registerSystemIndicesMigrationRoutes({
 
   // POST starts the system indices migration
   router.post(
-    { path: `${API_BASE_PATH}/system_indices_migration`, validate: false },
+    {
+      path: `${API_BASE_PATH}/system_indices_migration`,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
     versionCheckHandlerWrapper(async ({ core }, request, response) => {
       try {
         const {

x-pack/platform/plugins/private/watcher/server/routes/api/watch/action/register_acknowledge_route.ts

@@ -35,6 +35,12 @@ export function registerAcknowledgeRoute({
   router.put(
     {
       path: '/api/watcher/watch/{watchId}/action/{actionId}/acknowledge',
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
       validate: {
         params: paramsSchema,
       },

x-pack/platform/plugins/shared/ingest_pipelines/server/routes/api/get.ts

@@ -17,23 +17,35 @@ const paramsSchema = schema.object({
 
 export const registerGetRoutes = ({ router, lib: { handleEsError } }: RouteDependencies): void => {
   // Get all pipelines
-  router.get({ path: API_BASE_PATH, validate: false }, async (ctx, req, res) => {
-    const { client: clusterClient } = (await ctx.core).elasticsearch;
+  router.get(
+    {
+      path: API_BASE_PATH,
+      security: {
+        authz: {
+          enabled: false,
+          reason: 'Relies on es client for authorization',
+        },
+      },
+      validate: false,
+    },
+    async (ctx, req, res) => {
+      const { client: clusterClient } = (await ctx.core).elasticsearch;
 
-    try {
-      const pipelines = await clusterClient.asCurrentUser.ingest.getPipeline();
+      try {
+        const pipelines = await clusterClient.asCurrentUser.ingest.getPipeline();
 
-      return res.ok({ body: deserializePipelines(pipelines) });
-    } catch (error) {
-      const esErrorResponse = handleEsError({ error, response: res });
-      if (esErrorResponse.status === 404) {
-        // ES returns 404 when there are no pipelines
-        // Instead, we return an empty array and 200 status back to the client
-        return res.ok({ body: [] });
+        return res.ok({ body: deserializePipelines(pipelines) });
+      } catch (error) {
+        const esErrorResponse = handleEsError({ error, response: res });
+        if (esErrorResponse.status === 404) {
+          // ES returns 404 when there are no pipelines
+          // Instead, we return an empty array and 200 status back to the client
+          return res.ok({ body: [] });
+        }
+        return esErrorResponse;
       }
-      return esErrorResponse;
     }
-  });
+  );
 
   // Get single pipeline
   router.get(