docs: Clarify anonymous authentication details #10227
Thank you!
I think the only point which is not clear now is to explain what happens if APM Server/Integration allows both api key & secret token.
At least from elastic/apm#183 and from some tests we did: the api key is sent out by the agent if both are configured and so the event should be accepted/allowed
The server behaves the same if only the api key or secret token or both are enabled. The differentiator is whether or not any auth is required by enabling at least one of them.
I'm not sure I follow; the apm agent will use whatever is configured for the agent (not in the apm-server) - api key, secret token or nothing, and this can be different between apm agents.
To add to Silvia's response, we mention in the docs that
529f93f to 285732c
* docs: anon auth clarifications
* add yml file to trigger full ci
* test
* pls work
* test gpg

(cherry picked from commit b6c8e12)

# Conflicts:
#	docs/legacy/configuration-anonymous.asciidoc
* docs: anon auth clarifications
* add yml file to trigger full ci
* test
* pls work
* test gpg

(cherry picked from commit b6c8e12)
@Mergifyio backport 8.7
✅ Backports have been created
Summary
The goal of this PR is to better clarify when and why anonymous requests to the APM Server are accepted or rejected. Here's the thought process—and please correct me if I'm wrong:
We have two anonymous authentication pages in the docs. One is for the APM integration and one is for standalone APM Server. This PR updates these pages to clarify that the APM Server’s default response to anonymous requests depends on whether an API key or Secret Token has been configured. If and only if an API key or Secret token has been configured, you can enable anonymous authentication in the APM Server to allow the ingestion of unauthenticated client-side APM data while still requiring authentication for server-side services.
In addition to the above pages, the standalone APM Server documentation has a configuration reference for anonymous authentication. Previously, this page stated:
IIUC, this is only true if a secret token or API key has been configured. I've reworked the text on this page to better reflect this.
I think those are the important bits. Have a good weekend 👋
Related
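The accept/reject rule discussed in this PR, modelled as a small decision function. This is an added example, not APM Server code and not part of the PR; `AuthConfig`, `decide`, the in-memory `valid_api_keys` set (a stand-in for real API key validation) and all sample credentials are hypothetical. How a request carrying an invalid credential is treated when anonymous access is enabled is an assumption of the model.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthConfig:
    secret_token: str = ""                    # empty string: not configured
    api_key_enabled: bool = False
    valid_api_keys: frozenset = frozenset()   # stand-in for real API key validation
    anonymous_enabled: bool = False

    @property
    def auth_required(self):
        # Either mechanism (or both) puts the server into "auth required" mode.
        return bool(self.secret_token) or self.api_key_enabled


def decide(cfg, authorization=""):
    """Return (accepted, reason) for one request's Authorization header value."""
    if not cfg.auth_required:
        return True, "no auth configured, every request is accepted"
    if not authorization:
        if cfg.anonymous_enabled:
            return True, "anonymous access explicitly enabled"
        return False, "auth required and anonymous access is disabled"
    scheme, _, credential = authorization.partition(" ")
    if scheme == "Bearer" and cfg.secret_token:
        # Constant-time comparison avoids leaking the token through timing.
        ok = hmac.compare_digest(credential.encode(), cfg.secret_token.encode())
        return ok, "secret token accepted" if ok else "secret token rejected"
    if scheme == "ApiKey" and cfg.api_key_enabled:
        ok = credential in cfg.valid_api_keys
        return ok, "API key accepted" if ok else "API key rejected"
    # Assumption: a presented but unusable credential never falls back to anonymous.
    return False, "credential scheme not enabled on this server"


if __name__ == "__main__":
    token = "constructed-secret-token"        # constructed sample value
    configs = {
        "no auth": AuthConfig(),
        "token only": AuthConfig(secret_token=token),
        "token + anonymous": AuthConfig(secret_token=token, anonymous_enabled=True),
    }
    for name, cfg in configs.items():
        for header in ("", "Bearer " + token, "Bearer wrong"):
            print(f"{name:18} {header or '(none)':32} {decide(cfg, header)}")
```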