Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reporting should work with server.ssl.clientAuthentication set to required #43309

Open
azasypkin opened this issue Aug 14, 2019 · 11 comments
Open
Labels
enhancement New value added to drive a business result Feature:Reporting:Framework Reporting issues pertaining to the overall framework Feature:Security/Authentication Platform Security - Authentication impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort old Used to help sort old issues on GH Projects which don't support the Created search term. Team:SharedUX Team label for AppEx-SharedUX (formerly Global Experience)

Comments

@azasypkin
Copy link
Member

azasypkin commented Aug 14, 2019

In #43090 we're introducing server.ssl.clientAuthentication: {required|optional|none} and in #42606 we're adding PKI authentication provider. The way reporting works currently won't affected by none or optional modes, but to support required mode headless Chrome browser will have to provide a client certificate signed by CA that is trusted by Kibana, but not Elasticsearch. This way Chromium can successfully query Kibana, but won't be able to create an access token with PKI realm.

To solve this we can potentially introduce two new reporting settings: xpack.reporting.capture.browser.*.ssl.cert and xpack.reporting.capture.browser.*.ssl.key and either set these values automatically using the pre-generated self-signed reporting-only certificate distributed with Kibana or allow administrators to provide their own certificate in case it needs to comply with any internal policy they may have.

Some helpful links:

@azasypkin azasypkin added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! enhancement New value added to drive a business result Feature:Security/Authentication Platform Security - Authentication (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead labels Aug 14, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-stack-services

@tsullivan
Copy link
Member

tsullivan commented Aug 15, 2019

The way reporting works currently won't affected by none or optional modes

Just to be clear, is this a reference to how we use Puppeteer to launch the Chromium process with ignoreHTTPSErrors: true https://github.com/elastic/kibana/blob/7.x/x-pack/legacy/plugins/reporting/server/browsers/chromium/driver_factory/index.ts#L113 ?

To solve this we can potentially introduce two new reporting settings: xpack.reporting.capture.browser..ssl.cert and xpack.reporting.capture.browser..ssl.key and either set these values automatically using the pre-generated self-signed reporting-only certificate distributed with Kibana

I think that suggestion is good: the automatic aspect would make sense when headless Chromium is talking directly to Kibana.

NOTE: Currently, when there is a proxy in front of Kibana that does not recognize the Kibana SSL certificate, there exists the problem of ignoreHTTPSErrors: true not being sufficient to get Reporting to work, because proxies act like a client, but do not ignore HTTPS errors.

I'm trying to think of how it would impact traffic when there is a proxy in front of Kibana, which Reporting must go through. A proxy can have responsibility in making requests work sometimes, for example: URL rewriting.

Adding xpack.reporting.capture.browser.*.ssl.cert and xpack.reporting.capture.browser.*.ssl.key seems like it would reduce (or solve?) the problem of proxies blocking untrusted HTTPS traffic. It would allow proxies to be configured with the same certificate as Kibana Reporting.

@azasypkin Can you confirm that?

@azasypkin
Copy link
Member Author

Just to be clear, is this a reference to how we use Puppeteer to launch the Chromium process with ignoreHTTPSErrors: true https://github.com/elastic/kibana/blob/7.x/x-pack/legacy/plugins/reporting/server/browsers/chromium/driver_factory/index.ts#L113 ?

That's too, but I was mostly referring to the fact that with server.ssl.clientAuthentication: {none|optional} Kibana server won't require client certificate from Puppeteer that it can't provide currently.

NOTE: Currently, when there is a proxy in front of Kibana that does not recognize the Kibana SSL certificate, there exists the problem of ignoreHTTPSErrors: true not being sufficient to get Reporting to work, because proxies act like a client, but do not ignore HTTPS errors.

It's orthogonal issue, but just curious, can't such proxies just include Kibana server certificate authority into the list of trusted authorities?

Adding xpack.reporting.capture.browser..ssl.cert and xpack.reporting.capture.browser..ssl.key seems like it would reduce (or solve?) the problem of proxies blocking untrusted HTTPS traffic. It would allow proxies to be configured with the same certificate as Kibana Reporting.

Hmm, it looks like we're mixing two types of TLS authentication here, sorry for the confusion! The proposed browser..ssl.cert and browser..ssl.key will be used for client (Puppeteer) TLS authentication to Kibana server (to support case with xpack.security.authc.providers: [pki] + server.ssl.clientAuthentication: required). That means it won't work with TLS terminating proxies since Kibana won't have direct access to the client certificate, but that's another story.

@bmcconaghy bmcconaghy added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) and removed Team:Stack Services labels Dec 12, 2019
@bmcconaghy bmcconaghy added Team:Reporting Services and removed Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Dec 20, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-reporting-services (Team:Reporting Services)

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-app-services (Team:AppServices)

@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort loe:medium Medium Level of Effort and removed loe:small Small Level of Effort labels May 13, 2021
@legrego legrego removed the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Aug 3, 2021
@exalate-issue-sync exalate-issue-sync bot added loe:small Small Level of Effort and removed loe:medium Medium Level of Effort labels Dec 1, 2021
@ppisljar
Copy link
Member

Thank you for contributing to this issue, however, we are closing this issue due to inactivity as part of a backlog grooming effort. If you believe this feature/bug should still be considered, please reopen with a comment.

@ppisljar ppisljar closed this as not planned Won't fix, can't repro, duplicate, stale Aug 11, 2022
@azasypkin
Copy link
Member Author

I believe this issue should be fixed, especially since we're going to add PKI support in Elastic Cloud soon.

@azasypkin azasypkin reopened this Aug 11, 2022
@tsullivan
Copy link
Member

I believe this issue should be fixed, especially since we're going to add PKI support in Elastic Cloud soon.

Hi @azasypkin can we change the labels to the Kibana Security team? App Services has little context on this issue, and as you see we were not able to move forward with this issue in the last 3 years.

@azasypkin azasypkin added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Aug 17, 2022
@azasypkin
Copy link
Member Author

Hi @azasypkin can we change the labels to the Kibana Security team? App Services has little context on this issue, and as you see we were not able to move forward with this issue in the last 3 years.

The way how reporting is currently implemented in Kibana implies that the fix for this issue will most likely be done within Reporting plugin, so it makes sense to keep Team: App Services label. But I also added Team: Security label to give you the context you're missing, assist with the planning and the fix itself once you're ready pick it up.

Is there any issue with keeping this one open even if it doesn't have a high priority at the moment? Having an open issue for the valid Kibana bug increases discoverability among our users and support team whenever they hit this issue.

@tsullivan
Copy link
Member

Ok, the part about this being a specific issue due to the way reporting launches Chromium makes sense. I browsed to the top of the issue and was reminded about this part you wrote as well:

to support required mode headless Chrome browser will have to provide a client certificate signed by CA that is trusted by Kibana

I don't see an issue with keeping this particular issue open as we wait for a go-ahead from the security team.

Thank you for the refresher!

@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
@exalate-issue-sync exalate-issue-sync bot added impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort labels Aug 26, 2022
@petrklapka petrklapka added Team:SharedUX Team label for AppEx-SharedUX (formerly Global Experience) and removed Team:AppServicesSv labels Oct 24, 2022
@legrego legrego removed the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Jan 17, 2023
@tsullivan tsullivan added Feature:Reporting:Framework Reporting issues pertaining to the overall framework and removed (Deprecated) Feature:Reporting Use Reporting:Screenshot, Reporting:CSV, or Reporting:Framework instead labels Aug 1, 2024
@petrklapka petrklapka added the old Used to help sort old issues on GH Projects which don't support the Created search term. label Sep 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New value added to drive a business result Feature:Reporting:Framework Reporting issues pertaining to the overall framework Feature:Security/Authentication Platform Security - Authentication impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort old Used to help sort old issues on GH Projects which don't support the Created search term. Team:SharedUX Team label for AppEx-SharedUX (formerly Global Experience)
Projects
None yet
Development

No branches or pull requests

7 participants