Support authenticating to Elasticsearch via service account tokens #102121

Merged
merged 8 commits into from
Jul 12, 2021

Member

@legrego legrego commented Jun 14, 2021

Summary

Adds support for authenticating to Elasticsearch via service account tokens.

Service account tokens are Bearer style tokens that replace the traditional username/password based configuration.

This PR adds a new elasticsearch.serviceAccountToken configuration option, which can be used in place of the traditional elasticsearch.username and elasticsearch.password configuration options.

Note: I am marking this as beta in the docs because the underlying ES APIs are marked as beta. This gives us the necessary flexibility to make a breaking change if required (although I do not expect any at this time).

⚠️ Testing instructions

This PR must be tested against elastic/elasticsearch#73738, as this contains the code necessary to grant service account tokens with the necessary privileges for the kibana-system service account.

Once Elasticsearch is up and running, issue the following API call as the elastic user to generate a service account token:

POST /_security/service/elastic/kibana-system/credential/token/<some_token_name>

You will receive a token in the response. This token should be used in your kibana.yml:

# configuration via service account tokens
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hLXN5c3RlbS9teS10b2tlbjpJNnNzbllPOFExRzBnR2pVQ0RCSGRB

Checklist

  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list

@legrego legrego added auto-backport, release_note:enhancement, v7.14.0, v8.0.0, Team:Security labels Jun 14, 2021
@legrego legrego marked this pull request as ready for review June 15, 2021 11:50
@legrego legrego requested review from a team as code owners June 15, 2021 11:50
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

Member

@jbudz jbudz left a comment

legrego helped me with getting this tested, in case it helps others:

  1. clone es into a sibling directory of kibana
  2. git fetch origin pull/73738/head:pr/73738
  3. git checkout pr/73738
  4. cd ../kibana && yarn es source --license trial

Few nits above but overall LGTM. I ran some extra tests with verbose logging to make sure none of this was leaked, didn't have any issues.
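
An added sketch, not code from this PR or from Kibana, of the two points discussed above: sending a Bearer header when `elasticsearch.serviceAccountToken` is set instead of `elasticsearch.username`/`elasticsearch.password`, and the reviewer's check that verbose logs do not contain the credential. The function names, the rejection of a config that sets both a token and a username, and the sample values are assumptions constructed for illustration.

```javascript
// Added illustration; not Kibana's implementation. Function names are hypothetical.
const SECRET_KEYS = ['password', 'serviceAccountToken'];
const isSet = (v) => typeof v === 'string' && v.length > 0;

// Pick the Authorization header sent to Elasticsearch from the `elasticsearch.*` settings.
function buildAuthHeader(es) {
  const hasToken = isSet(es.serviceAccountToken);
  const hasUser = isSet(es.username);
  // Assumption of this sketch: an ambiguous config is rejected, not silently resolved.
  if (hasToken && hasUser) {
    throw new Error('set either serviceAccountToken or username/password, not both');
  }
  if (hasToken) {
    return { authorization: `Bearer ${es.serviceAccountToken}` };
  }
  if (hasUser) {
    if (!isSet(es.password)) throw new Error('username requires a password');
    const basic = Buffer.from(`${es.username}:${es.password}`, 'utf8').toString('base64');
    return { authorization: `Basic ${basic}` };
  }
  return {}; // no credentials configured
}

// Copy of the settings that is safe to pass to a logger.
function redactForLogging(es) {
  const copy = { ...es };
  for (const key of SECRET_KEYS) {
    if (isSet(copy[key])) copy[key] = '[redacted]';
  }
  return copy;
}

// Return the log lines that contain a configured secret or the header value derived from it.
function findLeaks(logLines, es) {
  const needles = SECRET_KEYS.map((k) => es[k]).filter(isSet);
  const header = buildAuthHeader(es).authorization;
  if (header) needles.push(header.split(' ')[1]);
  return logLines.filter((line) => needles.some((n) => line.includes(n)));
}

// Constructed sample data (not a real token, not real Kibana log output).
const sampleConfig = { hosts: ['https://localhost:9200'], serviceAccountToken: 'CONSTRUCTED-SAMPLE-TOKEN' };
const sampleLogs = [
  `[debug] elasticsearch config: ${JSON.stringify(redactForLogging(sampleConfig))}`,
  '[debug] request headers: {"authorization":"Bearer CONSTRUCTED-SAMPLE-TOKEN"}',
];
console.log(findLeaks(sampleLogs, sampleConfig)); // only the second line is reported
```
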

@legrego legrego self-assigned this Jun 15, 2021
@legrego legrego added v7.15.0 and removed v7.14.0 labels Jun 17, 2021
@legrego
Member Author

legrego commented Jun 17, 2021

We decided today to wait until the 7.15 branch is cut before merging. We require changes in ES to land alongside this PR, and we don't wish to squeeze that into the 7.14.0 release at this time.

@legrego
Member Author

legrego commented Jul 12, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

expected head sha didn’t match current head ref.

@legrego
Member Author

legrego commented Jul 12, 2021

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

Unknown metric groups

API count

id before after diff
core 2327 2328 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @legrego

@legrego legrego merged commit 76f4956 into elastic:master Jul 12, 2021
@legrego legrego deleted the security/support-service-accounts branch July 12, 2021 18:18
@kibanamachine
Contributor

💔 Backport failed

Status Branch Result
7.x Commit could not be cherrypicked due to conflicts

To backport manually run:
node scripts/backport --pr 102121

legrego added a commit to legrego/kibana that referenced this pull request Jul 12, 2021
…lastic#102121)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
#	src/core/server/elasticsearch/elasticsearch_config.ts
@legrego
Member Author

legrego commented Jul 12, 2021

Manual backport to 7.x/7.15: #105286

legrego added a commit that referenced this pull request Jul 12, 2021
…102121) (#105286)

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
# Conflicts:
#	src/core/server/elasticsearch/elasticsearch_config.ts
@legrego legrego mentioned this pull request Aug 30, 2021