Relax the ESO UUID-ID requirement for the rules SO #194692
Assignees
Labels
enhancement
New value added to drive a business result
Feature:Security/Encrypted Saved Objects
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
cnasikas
added
the
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
|
@cnasikas thanks for raising this. Can you help us understand the priority of this request, and ideal timeline from your perspective? |
legrego
added
enhancement
|
Hey @legrego! I would say is of medium+ priority and if it can be done for 8.17 it would be great. Any concerns with the suggested timeline? |
@cnasikas At this point, 8.17 sounds reasonable to us, but we can't yet commit to the timeframe. We will let you know if it looks like it'll miss feature freeze. |
5 tasks
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Nov 5, 2024
elastic#198287) Closes elastic#194692 ## Summary Allow consumers of ESOs to explicitly opt out of the strict highly random UID requirements while registering the ESO type ### Description The `getValidId` method was updated to allow consumers of Encrypted Saved Objects to explicitly opt-out of the enforced random ID requirement. This change is added during ESO registration - consumers can now pass a new field to opt-out of random UIDs. Additional changes - Updated canSpecifyID logic: - The canSpecifyID condition now also checks if enforceRandomId is explicitly set to false. This opt-out approach allows specific ESOs to bypass the random ID enforcement without affecting the default behavior, keeping it secure by default. During the registration phase of the saved object, consumers can now specify if they'd like to opt-out of the random ID ``` savedObjects.registerType({ name: TYPE_WITH_PREDICTABLE_ID, //... }); encryptedSavedObjects.registerType({ type: TYPE_WITH_PREDICTABLE_ID, //... enforceRandomId: false, }); ``` ### Release notes Improves Encrypted Saved Objects (ESO) ID validation by adding an enforceRandomId parameter, allowing consumers to opt out of the default random ID requirement for specific use cases. ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Jeramy Soucy <[email protected]> (cherry picked from commit 56c0806)
|
Hi @cnasikas! We've just added a new field for consumers to use to opt-out of random IDs for ESOs in this PR: #198287. You should now be able to register the ESOs and opt-out of the requirement which will allow you to set predictable IDs on the objects. Let us know if this new option is what's expected for the rules SOs to achieve what the users might need. |
|
Thank you so much @SiddharthMantri! I will open a PR soon and let you know. |
|
Done #199119! It is working as expected. |
2 tasks
mgadewoll
pushed a commit
to mgadewoll/kibana
that referenced
this issue
Nov 7, 2024
elastic#198287) Closes elastic#194692 ## Summary Allow consumers of ESOs to explicitly opt out of the strict highly random UID requirements while registering the ESO type ### Description The `getValidId` method was updated to allow consumers of Encrypted Saved Objects to explicitly opt-out of the enforced random ID requirement. This change is added during ESO registration - consumers can now pass a new field to opt-out of random UIDs. Additional changes - Updated canSpecifyID logic: - The canSpecifyID condition now also checks if enforceRandomId is explicitly set to false. This opt-out approach allows specific ESOs to bypass the random ID enforcement without affecting the default behavior, keeping it secure by default. During the registration phase of the saved object, consumers can now specify if they'd like to opt-out of the random ID ``` savedObjects.registerType({ name: TYPE_WITH_PREDICTABLE_ID, //... }); encryptedSavedObjects.registerType({ type: TYPE_WITH_PREDICTABLE_ID, //... enforceRandomId: false, }); ``` ### Release notes Improves Encrypted Saved Objects (ESO) ID validation by adding an enforceRandomId parameter, allowing consumers to opt out of the default random ID requirement for specific use cases. ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#_add_your_labels) - [ ] This will appear in the **Release Notes** and follow the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Jeramy Soucy <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Users are using tools like terraform to provision their rules as code, and as such, they need a user-friendly ID when creating rules. This can help will correlating easily with other resources eliminating the need for searching the right ones. At the moment of writing, the Create Rule API supports creating rules with a specified ID but they have to be a UUID. The reason is that the rule SO has encrypted values (the API key of the user that created or updated the rule) and SOs with encrypted values must have IDs as UUID because the IDs are part of the AAD used during encryption and they should be hard to guess. We could introduce functional IDs but there is no way to guarantee the uniqueness of both a functional ID and a technical ID (SO ID). Therefore, it would be nice if we could relax the ESO UUID-ID requirement for the rules SO (
alerts).Related: #182594
The relevant validation is located here:
kibana/packages/core/saved-objects/core-saved-objects-api-server-internal/src/lib/apis/helpers/common.ts
Lines 91 to 118 in b628770
The text was updated successfully, but these errors were encountered: