-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to expose and edit connector secrets #78704
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services) |
Side note: this may also questions the usage of Encrypted Saved Object AAD? Since we would return all the data, does AAD bring any benefit to connectors? |
AAD is still useful - I think - for the case where a customer "hacks" a connector's config directly via SO or ES APIs partial update; eg, the url of a webhook. A partial update of that will succeed, but a subsequent attempt to decrypt the secrets will fail. |
I'm sure there's a reason for why my thought won't work but; I wonder if everything should be encrypted instead? We could merge |
Pinging @elastic/kibana-security on the issue as I think it'll be worth getting some early feedback / warnings as we explore the possibility of exposing connector secrets to users. |
@mdefazio mentioned the following from a UX perspective (please correct me if I'm wrong). Users who can't edit connectors shouldn't be able to see anything other than the connector name. Otherwise, we would end up in the same issue where half the fields are returned for readonly users that can only read (partial) / execute the connector. |
And to clarify a bit more on that note..
refers to only seeing the connector name in the table and not opening the flyout to just see the name. If we are able to provide a bit more info to the user (barring security concerns) then perhaps we can show some read-only values in the flyout. |
From an API point of view, I think this could work, we just need to be careful not to send down the secrets when we shouldn't be. We get that "for free" today, since you have to specifically decrypt the SO to get the secrets, and normal SO access just doesn't give them to you. OTOH, this would make informal problem diagnosis harder, in terms of folks peeking through SOs, since nothing will be visible. Did we ever discuss either using the existing keystore, or maybe having a separate SO keystore? The idea would be that you store your secrets with some kind of useful id in a new SO; eg, id: |
In general, we don't have the ability to restrict decryption to a specific set of users. If a SO attribute is marked as I say "in general" because Alerts/Actions are a bit different in that you've implemented your own authorization model on top of these specific saved object types. So our lack of support won't prevent you from adding your own support, at least for now. I'm happy to help brainstorm ideas for how this might work, so that we have a consistent experience if/when add support for the "normal" SO types. |
👌 awesome, thanks! We'll be in touch when we get closer to working on this. |
Moving from |
Closing due to lack of interest and activity. |
With the current UX around connectors not returning encrypted values (ex: #74870), it feels the UX would be better if a limited set of users can see what encrypted values exist for each connector.
With the introduction of RBAC #43994, it is now possible to limit who can edit these connectors and the same could follow for viewing the encrypted values. The security team has also added such capabilities in the APIs #56013.
There are a few other scenarios that this enhancement could improve:
Some related issues:
The text was updated successfully, but these errors were encountered: