Collect usage data on proxy-based authentication mechanisms #117517
Labels:
- Feature:Telemetry
- impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
- loe:medium (Medium Level of Effort)
- Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Most users who run with security enabled log in using Kibana's built-in login flows, for both internal and external authentication realms.

Some setups are a bit more esoteric. Users with unique auth needs will sometimes place a reverse-proxy in front of Kibana, and have the proxy pass an `Authorization` header to Kibana. This will cause us to bypass the login form altogether.

Users authenticating via an `Authorization` header lack the following features:

As we build more features on top of user sessions, it is becoming increasingly important to understand when human users have authenticated to Kibana in this way. We should collect usage data to record:
- `basic`, `bearer`, `ApiKey`, etc.)

Note that we do not need to record machine/API access. We should only record this information when Kibana is loaded in a browser for interactive use.

High-level thoughts:
- `security` plugin, as this will never be executed by a conventional API call.
- `AuthenticatedUser` model:
  - `authentication_realm.type`
  - `lookup_realm.type`
  - `authentication_provider.type`
  - `authentication_type`
- `sessionStorage`, so that we do not record this information too frequently.
, so that we do not record this information too frequently.The text was updated successfully, but these errors were encountered: