Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS client authentication support. #43090

Merged
merged 3 commits into from
Aug 14, 2019

Conversation

azasypkin
Copy link
Member

@azasypkin azasypkin commented Aug 12, 2019

Recently we introduced server.ssl.requestCert (7.3+) for upcoming Kibana node-to-node TLS authentication, but that setting neither ever worked properly nor ever was mentioned in our docs. That lets us to drop server.ssl.requestCert completely in a next minor in favor of server.ssl.clientAuthentication: {none|optional|required} to be on a par with Elasticsearch's xpack.security.http.ssl.client_authentication. This is also a blocker for PKI authentication provider.


How to test

  1. Generate certificates for Kibana and End User or use my test certificate-bundle.zip. Steps below assume that you use certificates from the attached certificate bundle.

  2. Run Kibana with the following config:

server.ssl.enabled: true
server.ssl.key: certificate-bundle/kibana/kibana.key
server.ssl.certificate: certificate-bundle/kibana/kibana.crt
server.ssl.certificateAuthorities: certificate-bundle/ca/ca.crt
server.ssl.clientAuthentication: required
  1. Add certificate-bundle/user/user.pfx and certificate-bundle/kibana/kibana.pfx (to test 2 different users) to the list of your certificates in the browser.

Blocks: #42606

"Release Note: added new server.ssl.clientAuthentication setting that controls the server’s behavior in regard to requesting a certificate from client connections. Valid values are required, optional, and none. The required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none."

@azasypkin azasypkin added release_note:enhancement Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.4.0 labels Aug 12, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-platform

@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security

@azasypkin azasypkin force-pushed the issue-xxx-client-authentication branch from 87b6812 to b723c06 Compare August 12, 2019 09:53
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@azasypkin azasypkin marked this pull request as ready for review August 12, 2019 10:55
@azasypkin azasypkin requested a review from a team as a code owner August 12, 2019 10:55
@azasypkin azasypkin requested review from mshustov and kobelb August 12, 2019 10:56
@@ -202,4 +244,55 @@ describe('with TLS', () => {
httpSchema.validate(allKnownWithOneUnknownProtocols)
).toThrowErrorMatchingSnapshot();
});

test('HttpConfig instance should properly interpret `none` client authentication', () => {
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: just a bunch of tests to only test functionality I'm introducing...

@@ -111,7 +111,8 @@ export default () => Joi.object({
keyPassphrase: Joi.string(),
certificateAuthorities: Joi.array().single().items(Joi.string()).default([]),
supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')).default(['TLSv1.1', 'TLSv1.2']),
cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':'))
cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')),
clientAuthentication: Joi.any().description('This key is handled in the new platform ONLY'),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: this removes a blocker status from #42818 (at least for PKI auth provider)

@azasypkin
Copy link
Member Author

azasypkin commented Aug 12, 2019

Here is the archive with pfx bundles for user and kibana: certs-with-pwd.zip, in case passwordless pfx are rejected by the keychain manager. Password is changeme for both user-with-pwd.pfx and kibana-with-pwd.pfx.

Copy link
Contributor

@mshustov mshustov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM and tested locally

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@azasypkin azasypkin merged commit 6be8b32 into elastic:master Aug 14, 2019
@azasypkin azasypkin deleted the issue-xxx-client-authentication branch August 14, 2019 20:57
@azasypkin
Copy link
Member Author

7.x/7.4.0: d106a4b

jloleysens added a commit to jloleysens/kibana that referenced this pull request Aug 15, 2019
…p-metrics-selectall

* 'master' of github.com:elastic/kibana: (50 commits)
  [Uptime] update monitor list configs for mobile view (elastic#43218)
  [APM] Local UI filters (elastic#41588)
  [Code] Upgrade ctags langserver (elastic#43252)
  [Code] show multiple definition results in panel (elastic#43249)
  Adds Metric Type to full screen launch tracking (elastic#42692)
  [Canvas] Convert Autocomplete to Typescript (elastic#42502)
  [telemetry] add spacesEnabled config back to xpack_main (elastic#43312)
  [ML] Adds DF Transform Analytics list to Kibana management (elastic#43151)
  Add TLS client authentication support. (elastic#43090)
  [csp] Telemetry for csp configuration (elastic#43223)
  [SIEM] Run Cypress Tests Against Elastic Cloud & Cypress Command Line / Reporting (elastic#42804)
  docs: add tip on agent config in a dt (elastic#43301)
  [ML] Adding bucket span estimator to new wizards (elastic#43288)
  disable flaky tests (elastic#43017)
  Fix percy target branch for PRs (elastic#43160)
  [ML] Adding post create job options (elastic#43205)
  Restore discover histogram selection triggering fetch (elastic#43097)
  Per panel time range (elastic#43153)
  [Infra UI] Add APM to Metadata Endpoint (elastic#42197)
  Sentence case copy changes (elastic#43215)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backported release_note:enhancement Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v7.4.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants