Make it possible to use Kibana anonymous authentication provider with ES anonymous access. #84074
Conversation
azasypkin
added
Team:Security
… ES anonymous access.
azasypkin
force-pushed
the
issue-xxx-anonymous-and-es
branch
from
e22d8f7
to
56c6eec
Compare
|
Pinging @elastic/kibana-security (Team:Security) |
|
There aren't any concrete requirements listed, but do you think this PR resolves #35613? I think from an end-user perspective it does, but we still run the "risk" of running the Kibana system account as the anonymous user (i.e. not specifying I don't think this is necessarily a problem, but is potentially something we can surface in a security center or similar in the future. |
| credentials: schema.maybe( | ||
| schema.oneOf([ | ||
| schema.object({ | ||
| username: schema.string(), | ||
| password: schema.string(), | ||
| }), | ||
| schema.object({ | ||
| apiKey: schema.oneOf([ | ||
| schema.object({ id: schema.string(), key: schema.string() }), | ||
| schema.string(), | ||
| ]), | ||
| }), | ||
| ]) | ||
| ), |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| @@ -164,7 +167,9 @@ export class AnonymousAuthenticationProvider extends BaseAuthenticationProvider | |||
| * @param state State value previously stored by the provider. | |||
| */ | |||
| private async authenticateViaAuthorizationHeader(request: KibanaRequest, state?: unknown) { | |||
| const authHeaders = { authorization: this.httpAuthorizationHeader.toString() }; | |||
| const authHeaders = this.httpAuthorizationHeader | |||
There was a problem hiding this comment.
question What do you think about testing for a 401 response in the event that we've attempted to use native anonymous access against a cluster or node that isn't setup for it? We could log a more informative message that way, warning the administrator that their setup isn't configured correctly.
There was a problem hiding this comment.
Sure, but it seems we can/should do that for all types of anonymous authentication (if apiKey isn't valid, if username or password isn't valid and if anonymous access isn't configured)?
…dentials type to be more explicit.
Technically yes since Kibana is usable in this configuration now (ES anonymous access + Kibana with enabled security) assuming anonymous roles give enough privileges for Kibana's internal operations. Whether we provide an ideal UX or not is probably a different question and depends on user requirements that we don't have yet 🙂
Yep, agree. |
💚 Build SucceededMetrics [docs]
History
To update your PR or re-run it, just comment with: |
… ES anonymous access. (elastic#84074)
* master: [Lens] Show color in flyout instead of auto (elastic#84532) [Lens] Use index pattern through service instead of reading saved object (elastic#84432) Make it possible to use Kibana anonymous authentication provider with ES anonymous access. (elastic#84074) TelemetryCollectionManager: Use X-Pack strategy as an OSS overwrite (elastic#84477) migrate away from rest_total_hits_as_int (elastic#84508) [Input Control] Custom renderer (elastic#84423) Attempt to more granularly separate App Search vs Workplace Search vs shared GitHub notifications (elastic#84713) [Security Solutino][Case] Case connector alert UI (elastic#82405) [Maps] Support runtime fields in tooltips (elastic#84377) [CCR] Fix row actions in follower index and auto-follow pattern tables (elastic#84433) [Enterprise Search] Migrate shared Indexing Status component (elastic#84571) [maps] remove fields from index-pattern test artifacts (elastic#84379) Add routes for use in Sources Schema (elastic#84579) Changes UI links for drilldowns (elastic#83971) endpoint telemetry cloned endpoint tests (elastic#81498) [Fleet] Handler api key creation errors when Fleet Admin is invalid (elastic#84576)
|
7.x/7.11.0: e7b7641 |
* master: (72 commits) Make alert status fetching more resilient (elastic#84676) [APM] Refactor hooks and context (elastic#84615) Added word break styles to the texts in the item details card. (elastic#84654) [Search] Disable "send to background" when auto-refresh is enabled (elastic#84106) Add readme for new palette service (elastic#84512) Make all providers to preserve original URL when session expires. (elastic#84229) [Lens] Show color in flyout instead of auto (elastic#84532) [Lens] Use index pattern through service instead of reading saved object (elastic#84432) Make it possible to use Kibana anonymous authentication provider with ES anonymous access. (elastic#84074) TelemetryCollectionManager: Use X-Pack strategy as an OSS overwrite (elastic#84477) migrate away from rest_total_hits_as_int (elastic#84508) [Input Control] Custom renderer (elastic#84423) Attempt to more granularly separate App Search vs Workplace Search vs shared GitHub notifications (elastic#84713) [Security Solutino][Case] Case connector alert UI (elastic#82405) [Maps] Support runtime fields in tooltips (elastic#84377) [CCR] Fix row actions in follower index and auto-follow pattern tables (elastic#84433) [Enterprise Search] Migrate shared Indexing Status component (elastic#84571) [maps] remove fields from index-pattern test artifacts (elastic#84379) Add routes for use in Sources Schema (elastic#84579) Changes UI links for drilldowns (elastic#83971) ...
This PR makes it possible to use Kibana authentication provider with the Elasticsearch native anonymous access. The gist of the change is that
xpack.security.authc.providers.anonymous.<provider-name>.credentialssupports third type of credentials:elasticsearch_anonymous_userstring literal and provider will not send anyAuthorizationheaders to the Elasticsearch in this case.Setup
credentials:manage_securityprivilege and createanonymousrole with the privileges you wish anonymous users to have and you're done.Unresolved questions/issues:
It seems reporting doesn't work in this configuration (investigating...)Turned out it wasn't related to this PRResolves #35613