Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce telemetry for security features #74530

Merged
merged 9 commits into from
Sep 10, 2020
Merged

Introduce telemetry for security features #74530

merged 9 commits into from
Sep 10, 2020

Conversation

legrego
Copy link
Member

@legrego legrego commented Aug 6, 2020
edited
Loading

Summary

Adds telemetry for Kibana's stack security features. Specifically, this introduces the following fields under a new security section:

      // Denotes if audit logging is available under the current license, and enabled by the user
      auditLoggingEnabled: {
        type: 'boolean',
      },
      // Denotes if the login selector is enabled
      loginSelectorEnabled: {
        type: 'boolean',
      },
      // Denotes if the access agreement is available under the current license, and enabled by the user for at least one auth provider.
      accessAgreementEnabled: {
        type: 'boolean',
      },
      // The number of enabled auth providers
      authProviderCount: {
        type: 'number',
      },
      // A de-duplicated array of enabled auth provider types. ex: ['basic', 'saml']
      enabledAuthProviders: {
        type: 'keyword',
      },
      // The configured http auth schemes (via `xpack.security.authc.http.schemes')
      httpAuthSchemes: {
        type: 'keyword',
      },

Resolves #50815
Resolves #67747

@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Team:KibanaTelemetry labels Aug 6, 2020
@legrego
Copy link
Member Author

legrego commented Aug 6, 2020
edited
Loading

@elastic/kibana-telemetry this PR adds new telemetry fields, but I never ran the script to update the JSON mappings. Should the Schema telemetry check have failed this build?

image

Edit: I added the mappings. The original commit built via https://kibana-ci.elastic.co/job/elastic+kibana+pipeline-pull-request/66908/ passed without updating the mappings

legrego
legrego commented Aug 6, 2020
View reviewed changes
src/plugins/telemetry/schema/oss_plugins.json Outdated
@@ -13,6 +13,19 @@
}
}
},
"search": {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not changed as part of this PR, but the script to update the telemetry schema picked this up as something that was already missing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Bamieh do you know why this could have happened?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Bamieh poke 😄

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry for being dormant. I think it's already been merged to master and we've reviewed to the telemetry_check script to make sure it fails if the JSON file is not up-to-date (if you rebase, it should be all good)

@legrego legrego added release_note:skip Skip the PR/issue when compiling release notes v7.10.0 v8.0.0 discuss labels Aug 6, 2020
@legrego legrego force-pushed the security/authc-telemetry branch from 9fd1ddc to e078af5 Compare August 25, 2020 11:14
@legrego legrego removed the discuss label Aug 27, 2020
@legrego legrego marked this pull request as ready for review August 27, 2020 11:04
@legrego legrego requested review from a team as code owners August 27, 2020 11:04
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego requested review from azasypkin and arisonl August 27, 2020 11:05
afharo
afharo approved these changes Sep 1, 2020
View reviewed changes
Copy link
Member

@afharo afharo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Just added one tiny NIT.

x-pack/plugins/security/server/plugin.ts Outdated Show resolved Hide resolved
@legrego legrego removed the request for review from azasypkin September 2, 2020 18:38
@legrego legrego requested a review from jportner September 3, 2020 00:00
jportner
jportner reviewed Sep 3, 2020
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some nits/questions in the comments below. In addition, some higher-level questions on our approach:

  1. Will we ever want to ask the question "how many of each auth provider type is enabled?" Currently, the schema doesn't tell us for instance that 2 saml providers and 1 basic provider is enabled. It will just tell us that saml and basic are each enabled, with 3 providers total.

  2. Will we ever want to ask the question "how many of our users who can enable audit logging have it enabled?" Right now the implementation will just tell us that they don't have it enabled if ES Security is disabled and/or if the license level is < Gold. (should we also be tracking allowRbac, allowAccessAgreement, and allowAuditLogging?)

x-pack/plugins/security/server/usage_collector/security_usage_collector.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/usage_collector/security_usage_collector.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/usage_collector/security_usage_collector.test.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/config.ts Outdated Show resolved Hide resolved
@legrego
Copy link
Member Author

legrego commented Sep 3, 2020

In addition, some higher-level questions on our approach:

These are exactly the types of questions I was hoping to have a discussion on before getting this ready for review 😄

Will we ever want to ask the question "how many of each auth provider type is enabled?" Currently, the schema doesn't tell us for instance that 2 saml providers and 1 basic provider is enabled. It will just tell us that saml and basic are each enabled, with 3 providers total.

I did consider this, but didn't see a huge benefit to collecting this information. Happy to revisit this decision if we think it's worthwhile though.

Will we ever want to ask the question "how many of our users who can enable audit logging have it enabled?" Right now the implementation will just tell us that they don't have it enabled if ES Security is disabled and/or if the license level is < Gold.

Elasticsearch exposes available and enabled flags for their features to capture this. I considered this approach, but I was trying to be a good telemetry citizen by being conservative with the number of fields I was adding to the mapping. We can derive this information by also aggregating on the cluster's license level, and the information about security that Elasticsearch is already reporting. We could add our own fields here to make it a little easier to consume, but it would mostly be duplicative information that we can read from other fields.

@jportner
Copy link
Contributor

jportner commented Sep 3, 2020

I did consider this, but didn't see a huge benefit to collecting this information. Happy to revisit this decision if we think it's worthwhile though.

OK! I only asked because it would probably involve a schema change, not just an addition. I don't feel strongly either way.

We can derive this information by also aggregating on the cluster's license level, and the information about security that Elasticsearch is already reporting.

I'm not super familiar with the telemetry, kinda figured this might be the case but wanted to ask to be sure. Good enough for me!

@legrego @jportner
Update x-pack/plugins/security/server/usage_collector/security_usage_…
77fe6f4 
…collector.test.ts

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Build metrics

page load bundle size

id value diff baseline
security 305.4KB +270.0B 305.2KB

distributable file count

id value diff baseline
default 45479 +2 45477

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@legrego legrego requested a review from jportner September 10, 2020 10:58
@legrego
Copy link
Member Author

legrego commented Sep 10, 2020

@jportner this is ready for the next review round

jportner
jportner approved these changes Sep 10, 2020
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code review only of changes since my last review--
LGTM!

@legrego legrego merged commit 52fba21 into elastic:master Sep 10, 2020
@legrego legrego mentioned this pull request Sep 10, 2020
Merged
legrego added a commit that referenced this pull request Sep 10, 2020
@legrego @jportner
Introduce telemetry for security features (#74530) (#77199)
d767b03 
Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
@mindbat
Copy link

mindbat commented Sep 15, 2020

@afharo Perhaps a silly question, but I'll ask it to be certain: Will this require updates to the Telemetry cluster mappings?

@afharo
Copy link
Member

afharo commented Sep 16, 2020

@mindbat yes, it does. It'll report the data in the same format as specified in x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json (check out the new fields added in this PR)

@legrego legrego deleted the security/authc-telemetry branch September 16, 2020 16:42
@mindbat
Copy link

mindbat commented Sep 16, 2020

@afharo Gotcha, thanks for clarifying!

@legrego In order for these fields to be visible in the Telemetry cluster, we'll need to update the mappings under which this data gets indexed once its received. Would you mind opening an issue in the infra repo for making those updates?

@legrego
Copy link
Member Author

legrego commented Sep 16, 2020
edited
Loading

@legrego In order for these fields to be visible in the Telemetry cluster, we'll need to update the mappings under which this data gets indexed once its received. Would you mind opening an issue in the infra repo for making those updates?

@mindbat will do. I was under the impression that the schema in x-pack/plugins/telemetry_collection_xpack/schema/xpack_plugins.json automagically took care of that -- thanks for letting me know!

edit: done in https://github.com/elastic/infra/issues/23346

@lukeelmers lukeelmers added the Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc label Oct 1, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-core (Team:Core)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jportner jportner jportner approved these changes

@afharo afharo afharo approved these changes

@arisonl arisonl Awaiting requested review from arisonl

Assignees
No one assigned
Labels
Feature:Telemetry release_note:skip Skip the PR/issue when compiling release notes Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.10.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Telemetry for AuthC features Usage data for Security
7 participants
@legrego @elasticmachine @jportner @kibanamachine @mindbat @afharo @lukeelmers