-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce PKI authentication provider. #42606
Conversation
Pinging @elastic/kibana-security |
c2af046
to
f951999
Compare
f951999
to
d0d7d02
Compare
@tvernum I have a hazy memory of us discussing some validation that Kibana should be performing using the CN of the certificate, and Cloud potentially impacting this logic. Would you mind refreshing my memory? Apologies for not taking better notes. |
Just a note so I don't forget. I can't think of a way that PKI in Kibana will work if there's a HTTP layer reverse-proxy in front of Kibana, because we won't have a way to request the client's certificates. We'll want to ensure that this isn't going to be an issue for Kibana in ECE/ESS because if they're doing TLS termination before accessing Kibana, we won't have access to the client's certificates. As long as Cloud is using a TCP layer proxy we should be fine... Also, I think we're going to a way to set If users are going to want to use Reporting, they're going to have to use |
Good point! I believe it's not even supported for Elasticsearch yet: https://github.com/elastic/cloud/issues/36871. We could theoretically try to workaround this by forcing proxy to forward certificate to us in a header (e.g. HAProxy's directive
Yeah, I agree, that would be consistent with ES, for the core part of Kibana. But I'm not entirely sure if we want to allow PKI authentication provider in non-required configuration. Currently ES PKI realm works with any
Do you think it's not viable option to introduce |
Just realized that even though |
The conversation I recall was in the context of mutual-TLS between co-operating Kibana instances in large scale environments. I don't think we discussed it for PKI auth. |
d0d7d02
to
b9ae122
Compare
That makes a lot more sense, thanks Tim!! |
That's an interesting idea. We'd have to generate the certificate for Reporting using the CA that we have configured, and then ensure it doesn't match any of the role mappings configured in ES... Do you happen to know if that's possible? I guess we could potentially require the user to do this themselves if they absolutely want to use |
I'm not an expert on Node-TLS, but that seems like more than you need. You could simply generate a standalone cert (e.g. If you do that, ES will never authenticate that cert, because it belongs to a chain that we don't know about. |
Thanks Tim! Aleh suggested a similar solution when we were chatting earlier today. For the initial implementation, we were considering requiring users to use If this becomes intolerable, we were planning on implementing the approach that you outlined where we manually require users to generate an independent CA which Kibana's http server trusts (which isn't used by the PKI realm) and a cert/key signed by this independent CA to be used by Reporting. If this is too much work, we talked about pre-providing the CA and cert/key to be used by Reporting. @tvernum I know that previously you mentioned your experience with some users requiring that all certs/keys be signed by a centralized "corporate CA". Do you think us implicitly trusting this pre-provided CA and cert/key would exacerbate the situation? |
b9ae122
to
76bc68b
Compare
💚 Build Succeeded |
76bc68b
to
9b4f85d
Compare
💚 Build Succeeded |
💚 Build Succeeded |
@kobelb added tests you suggested, PR should be ready for the second pass whenever you have time. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 for platform changes
💔 Build Failed |
💚 Build Succeeded |
💚 Build Succeeded |
7.x/7.4.0: 8199253 |
This PR introduces PKI authentication provider that is supposed to authenticate Kibana users via PKI Elasticsearch realm.
Here is the list of blockers we need to resolve before we can merge this (PR includes all these changes as a reference of what we need, but we need a help of the @elastic/kibana-platform to merge them or get alternative proposals):
server.ssl.requestCert
(introduced in a ^half^ working state in Allow requestCert option to be set #38920) cleanup http config in legacy paltform for migrated params #42818KibanaRequest
should allow access to the "detailed" (the one that includesissuerCertificate
field) peer certificate. Or maybe there is a better way, not sure. add socket.getPeerCertificate to KibanaRequest #42929requestCert
withclientAuthentication
proposed in Introduce PKI authentication provider. #42606 (comment) Add TLS client authentication support. #43090Notes
Figure out what to do with reporting(at the initial implementation, reporting will requireserver.ssl.clientAuthentication
to be set tooptional
, support ofrequired
will be discussed in Reporting should work withserver.ssl.clientAuthentication
set torequired
#43309)unit tests(done) andintegration tests, blocked by Add SSL support when starting Elasticsearch from(done)yarn es
#42527 and Add Elasticsearch SSL support for integration tests #41765How to test
Generate certificates for Elasticsearch, Kibana and End User or use my test certificate-bundle.zip. Steps below assume that you use certificates from the attached certificate bundle.
Run Elasticsearch with the following (or similar) config (currently works only with
proxied-pk
Elasticsearch feature branch):certificate-bundle/user/user.crt
) and Kibana internal user (certificate-bundle/kibana/kibana.crt
) authenticated with PKI realm, e.g.:certificate-bundle/user/user.pfx
andcertificate-bundle/kibana/kibana.pfx
(to test 2 different users) to the list of your certificates in the browser.Blocked by: elastic/elasticsearch#45906,
#42527 and #41765 (to be able to run Elasticsearch with TLS in tests), #42069 (optional dependency), #42818, #42929, #43090Documentation: #43572
Fixes: #7341
"Release Note: Adding support for PKI authentication in Kibana via Elasticsearch PKI realm."
/cc @albertzaharovits