-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reporting should work with server.ssl.clientAuthentication
set to required
#43309
Comments
Pinging @elastic/kibana-security |
Pinging @elastic/kibana-stack-services |
Just to be clear, is this a reference to how we use Puppeteer to launch the Chromium process with
I think that suggestion is good: the automatic aspect would make sense when headless Chromium is talking directly to Kibana. NOTE: Currently, when there is a proxy in front of Kibana that does not recognize the Kibana SSL certificate, there exists the problem of I'm trying to think of how it would impact traffic when there is a proxy in front of Kibana, which Reporting must go through. A proxy can have responsibility in making requests work sometimes, for example: URL rewriting. Adding @azasypkin Can you confirm that? |
That's too, but I was mostly referring to the fact that with
It's orthogonal issue, but just curious, can't such proxies just include Kibana server certificate authority into the list of trusted authorities?
Hmm, it looks like we're mixing two types of TLS authentication here, sorry for the confusion! The proposed |
Pinging @elastic/kibana-reporting-services (Team:Reporting Services) |
Pinging @elastic/kibana-app-services (Team:AppServices) |
Thank you for contributing to this issue, however, we are closing this issue due to inactivity as part of a backlog grooming effort. If you believe this feature/bug should still be considered, please reopen with a comment. |
I believe this issue should be fixed, especially since we're going to add PKI support in Elastic Cloud soon. |
Hi @azasypkin can we change the labels to the Kibana Security team? App Services has little context on this issue, and as you see we were not able to move forward with this issue in the last 3 years. |
The way how reporting is currently implemented in Kibana implies that the fix for this issue will most likely be done within Reporting plugin, so it makes sense to keep Is there any issue with keeping this one open even if it doesn't have a high priority at the moment? Having an open issue for the valid Kibana bug increases discoverability among our users and support team whenever they hit this issue. |
Ok, the part about this being a specific issue due to the way reporting launches Chromium makes sense. I browsed to the top of the issue and was reminded about this part you wrote as well:
I don't see an issue with keeping this particular issue open as we wait for a go-ahead from the security team. Thank you for the refresher! |
In #43090 we're introducing
server.ssl.clientAuthentication: {required|optional|none}
and in #42606 we're adding PKI authentication provider. The way reporting works currently won't affected bynone
oroptional
modes, but to supportrequired
mode headless Chrome browser will have to provide a client certificate signed by CA that is trusted by Kibana, but not Elasticsearch. This way Chromium can successfully query Kibana, but won't be able to create an access token with PKI realm.To solve this we can potentially introduce two new reporting settings:
xpack.reporting.capture.browser.*.ssl.cert
andxpack.reporting.capture.browser.*.ssl.key
and either set these values automatically using the pre-generated self-signed reporting-only certificate distributed with Kibana or allow administrators to provide their own certificate in case it needs to comply with any internal policy they may have.Some helpful links:
The text was updated successfully, but these errors were encountered: