
[EBT] userId hash generation #131144

Closed
Tracked by #121992
afharo opened this issue Apr 28, 2022 · 4 comments · Fixed by #131701
Assignees
Labels
Feature:Telemetry impact:critical This issue should be addressed immediately due to a critical level of impact on the product. loe:small Small Level of Effort Team:Cloud Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.2.1

Comments

@afharo
Member

afharo commented Apr 28, 2022

We need to come up with better logic to generate the hashed userId in the telemetry context.

Currently, we concatenate the Cloud Deployment ID and the Username and generate a hash out of it. The problem with this approach is that it does not allow us to match this data with Cloud UI users (they do a hash of the Username only). In FullStory, it also splits the session, making it harder to analyze the user funnel from Cloud UI to Kibana and back.

The problem with sending the hash of the username only is that users who log in with a different provider than Cloud's SAML might share the same username (e.g., the `elastic` username from the Elasticsearch basic authentication method). Using a hash of the username alone therefore gives a wrong unique count of users.

The suggestion is to validate the authentication provider and:

  1. If it's Cloud, generate it as a hash of the username to match Cloud UI generation method. It should be unique per unique Cloud user because of how Cloud authentication works.
  2. For any other provider, use the current logic of concatenating the Cloud Deployment ID.

The relevant piece of logic is in the cloud plugin:

return { userId: sha256(cloudId ? `${cloudId}:${userId}` : `${userId}`) };

@afharo afharo added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Team:Cloud Feature:Telemetry labels Apr 28, 2022
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@afharo
Member Author

afharo commented Apr 28, 2022

Pinging the @elastic/kibana-security team to confirm how to validate the Cloud authentication provider.

@exalate-issue-sync exalate-issue-sync bot added the impact:critical This issue should be addressed immediately due to a critical level of impact on the product. label Apr 28, 2022
@legrego
Member

legrego commented Apr 28, 2022

> Pinging the @elastic/kibana-security team to confirm how to validate the Cloud authentication provider.

We can consider a user to be a "cloud user" if both of the following are true (copied from #129236):

  • Kibana is running on Cloud.
  • The current user has authenticated via the saml realm named cloud-saml-kibana.

The former is known by the cloud plugin. The latter can be derived by inspecting the authentication_realm of the current user:

/**
* The name and type of the Realm that has authenticated the user.
*/
authentication_realm: UserRealm;
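The two comments above together describe the full decision: hash the username alone only for a "cloud user" (Kibana on Cloud and the user authenticated through the `cloud-saml-kibana` SAML realm), and keep the deployment-scoped `${cloudId}:${userId}` hash for everyone else so that a shared built-in username such as `elastic` does not collide across deployments. The following is an added example that is not code from the Kibana cloud or security plugins; the `isCloudEnabled` flag, the `AuthenticatedUser` shape and the `reserved` realm used for the sample `elastic` user are assumptions made for the illustration, and the sample users are constructed.

```typescript
import { createHash } from 'crypto';

// Mirrors the `authentication_realm: UserRealm` field quoted above (assumed shape).
interface UserRealm {
  name: string;
  type: string;
}

// Minimal stand-in for the security plugin's authenticated user (assumed shape).
interface AuthenticatedUser {
  username: string;
  authentication_realm: UserRealm;
}

// What the cloud plugin knows: whether Kibana runs on Cloud and the deployment id.
interface CloudContext {
  isCloudEnabled: boolean;
  cloudId?: string;
}

// Realm that identifies Cloud SSO users, per the Security team's comment.
const CLOUD_SAML_REALM_TYPE = 'saml';
const CLOUD_SAML_REALM_NAME = 'cloud-saml-kibana';

function sha256(input: string): string {
  return createHash('sha256').update(input, 'utf8').digest('hex');
}

// A "cloud user" requires BOTH conditions: running on Cloud and the cloud SAML realm.
// Checking the realm alone is not enough: a self-managed cluster could define a
// SAML realm with the same name.
function isCloudUser(cloud: CloudContext, user: AuthenticatedUser): boolean {
  const realm = user.authentication_realm;
  return (
    cloud.isCloudEnabled &&
    realm.type === CLOUD_SAML_REALM_TYPE &&
    realm.name === CLOUD_SAML_REALM_NAME
  );
}

// Proposed userId generation for the telemetry context.
function telemetryUserId(cloud: CloudContext, user: AuthenticatedUser): string {
  if (isCloudUser(cloud, user)) {
    // Match the Cloud UI: hash of the username only, so the same SSO user gets the
    // same id in every deployment and in the Cloud UI / FullStory session.
    return sha256(user.username);
  }
  // Everyone else keeps the current logic: scope by deployment id when present so
  // that e.g. the built-in `elastic` user in two deployments stays distinct.
  return sha256(cloud.cloudId ? `${cloud.cloudId}:${user.username}` : user.username);
}

// Constructed sample data for a stand-alone run.
const deploymentA: CloudContext = { isCloudEnabled: true, cloudId: 'deployment-a' };
const deploymentB: CloudContext = { isCloudEnabled: true, cloudId: 'deployment-b' };
const selfManaged: CloudContext = { isCloudEnabled: false };

const cloudUser: AuthenticatedUser = {
  username: 'alice@example.com',
  authentication_realm: { name: CLOUD_SAML_REALM_NAME, type: CLOUD_SAML_REALM_TYPE },
};
const builtInUser: AuthenticatedUser = {
  username: 'elastic',
  authentication_realm: { name: 'reserved', type: 'reserved' }, // assumed realm for `elastic`
};

console.log('alice in A :', telemetryUserId(deploymentA, cloudUser));
console.log('alice in B :', telemetryUserId(deploymentB, cloudUser)); // same as above
console.log('elastic in A:', telemetryUserId(deploymentA, builtInUser));
console.log('elastic in B:', telemetryUserId(deploymentB, builtInUser)); // differs from A
```

The important property to check is that the two branches do not leak into each other: the same Cloud SSO user yields one id across deployments, while a basic-auth user with a shared username yields a different id per deployment, and a self-managed cluster is never treated as Cloud even if its realm happens to be named `cloud-saml-kibana`.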

@exalate-issue-sync exalate-issue-sync bot added the loe:medium Medium Level of Effort label Apr 29, 2022
@afharo afharo added the v8.2.1 label Apr 29, 2022
@exalate-issue-sync exalate-issue-sync bot added loe:small Small Level of Effort and removed loe:medium Medium Level of Effort labels May 4, 2022
@afharo afharo self-assigned this May 5, 2022