Deprecate username/password in elastic-agent #29434

Merged
1 change: 1 addition & 0 deletions x-pack/elastic-agent/CHANGELOG.next.asciidoc
Expand Up @@ -150,3 +150,4 @@
- Add diagnostics collect command to gather beat metadata, config, policy, and logs and bundle it into an archive. {pull}28461[28461]
- Add `KIBANA_FLEET_SERVICE_TOKEN` to Elastic Agent container. {pull}28096[28096]
- Allow pprof endpoints for elastic-agent or beats if enabled. {pull}28983[28983] {pull}29155[29155]
- Mark username/password settings as deprecated. {pull}29434[29434]
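
Review bot: The new entry, "Mark username/password settings as deprecated", does not say which settings are meant or when they go away. The `cfgwarn.Deprecate` calls added elsewhere in this patch name 8.0.0 and cover the Fleet Server connection string and the remote client, so the entry should state that scope and the removal version rather than reading as a blanket deprecation.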

Member

username / password for fleet-server are deprecated. If we should deprecate username / password for Elastic Agent in a more general way for the output is another discussion.

10 changes: 8 additions & 2 deletions x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl
Expand Up @@ -5,8 +5,11 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"

Contributor Author

I'm a bit confused if this attribute should be api_key or service_token.
The libbeat output config expects api_key, but some config from within the agent refers to it as service_token.

Member

api_key is for the output, service_token is for what is passed to fleet-server. This is not the same thing, see other comments.

# Note that basic auth is deprecated and will be removed in 8.0
# api_key should be used instead.
# username: elastic
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -74,6 +77,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
11 changes: 9 additions & 2 deletions x-pack/elastic-agent/_meta/config/common.reference.p2.yml.tmpl
Expand Up @@ -5,8 +5,11 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# Note that basic auth is deprecated and will be removed in 8.0
# api_key should be used instead.
# username: elastic
michel-laterman marked this conversation as resolved.
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -43,6 +46,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #username: "elastic"
# #password: "changeme"
# #path: ""
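
Review bot: `# #username: "elastic"` appears twice in a row in this hunk. The header `@@ -43,6 +46,10 @@` means four added lines, and the three `service_token` comment lines account for only three of them, so the second `username` line is an accidental addition. Drop it so the block reads `service_token`, the deprecation note, `username`, `password`, `path`.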
Expand Up @@ -5,8 +5,11 @@ outputs:
default:
type: elasticsearch
hosts: '${ELASTICSEARCH_HOSTS:http://elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:elastic}'
password: '${ELASTICSEARCH_PASSWORD:changeme}'
service_token: '${FLEET_SERVER_SERVICE_TOKEN}'
# Basic auth (username:password) is deprecated.
# Please user service_token instead.
#username: '${ELASTICSEARCH_USERNAME:elastic}'
#password: '${ELASTICSEARCH_PASSWORD:changeme}'

inputs:
- type: system/metrics
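
Review bot: The active credential on this `type: elasticsearch` output is `service_token`, while the non-Docker configs in this patch set `api_key` on the same output and keep `service_token` for the commented-out block further down. Use one key for the output across the files, or say in the comment why the Docker variant differs. The added comment also has a typo: "Please user service_token instead" should read "Please use".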
Expand Down Expand Up @@ -43,6 +46,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #username: "elastic"
# #password: "changeme"
# #path: ""
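
Review bot: The commented `# #username: "elastic"` line is duplicated here; the second copy is one of the four lines this hunk adds and should be removed.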
11 changes: 9 additions & 2 deletions x-pack/elastic-agent/elastic-agent.docker.yml
Expand Up @@ -5,8 +5,11 @@ outputs:
default:
type: elasticsearch
hosts: '${ELASTICSEARCH_HOSTS:http://elasticsearch:9200}'
username: '${ELASTICSEARCH_USERNAME:elastic}'
password: '${ELASTICSEARCH_PASSWORD:changeme}'
service_token: '${FLEET_SERVER_SERVICE_TOKEN}'
# Basic auth (username:password) is deprecated.
# Please user service_token instead.
#username: '${ELASTICSEARCH_USERNAME:elastic}'
#password: '${ELASTICSEARCH_PASSWORD:changeme}'

inputs:
- type: system/metrics
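
Review bot: `service_token: '${FLEET_SERVER_SERVICE_TOKEN}'` has no default, whereas the two lines it replaces both had one (`:elastic` and `:changeme`). Confirm the container still starts with a usable config when the variable is unset, or document that it is now required. "Please user service_token instead" in the added comment should read "Please use".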
Expand Down Expand Up @@ -43,6 +46,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #username: "elastic"
# #password: "changeme"
# #path: ""
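
Review bot: `# #username: "elastic"` is listed twice after the new `service_token` note; one copy should go.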
11 changes: 9 additions & 2 deletions x-pack/elastic-agent/elastic-agent.reference.yml
Expand Up @@ -11,8 +11,11 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# Note that basic auth is deprecated and will be removed in 8.0
# api_key should be used instead.
# username: elastic
michel-laterman marked this conversation as resolved.
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -49,6 +52,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
michel-laterman marked this conversation as resolved.
# #username: "elastic"
# #password: "changeme"
# #path: ""
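
Review bot: The reference config now carries two `# #username: "elastic"` lines in this block, while the matching hunk in elastic-agent.yml (`@@ -80,6 +83,9 @@`) has one. Remove the extra line so the two files stay aligned.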
10 changes: 8 additions & 2 deletions x-pack/elastic-agent/elastic-agent.yml
Expand Up @@ -11,8 +11,11 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# Note that basic auth is deprecated and will be removed in 8.0

Member

This does not apply to the general output. +1 on having the api_key here but username / password for the output part stay around AFAIK.

Contributor Author

Ah, much simpler then. I'll just log it there.

# api_key should be used instead.
# username: elastic
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -80,6 +83,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
2 changes: 2 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/container.go
Expand Up @@ -27,6 +27,7 @@ import (
"github.com/spf13/cobra"
"gopkg.in/yaml.v2"

"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
"github.com/elastic/beats/v7/libbeat/kibana"
Expand Down Expand Up @@ -426,6 +427,7 @@ func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) {
if cfg.Elasticsearch.ServiceToken != "" {
return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
}
cfgwarn.Deprecate("8.0.0", "Support for basic authorization (FLEET_SERVER_ELASTICSEARCH_USERNAME:FLEET_SERVER_ELASTICSEARCH_PASSWORD) is deprecated. Please use FLEET_SERVER_SERVICE_TOKEN instead.")
return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil
}
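
Review bot: As written, `cfgwarn.Deprecate` in `buildFleetServerConnStr` runs whenever `cfg.Elasticsearch.ServiceToken` is empty, whether or not a username or password was supplied. Unless earlier validation (not visible in this hunk) guarantees that basic-auth values are present at this point, guard the warning on `cfg.Elasticsearch.Username != ""` so it fires only for configurations that actually take the deprecated path. The unchanged `fmt.Sprintf` line below it also places the username and password into the URL unescaped; building the userinfo with `url.UserPassword` would handle reserved characters.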

Expand Up @@ -7,6 +7,7 @@ package configuration
import (
"net/url"

"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
)
Expand Down Expand Up @@ -81,6 +82,7 @@ func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (
if !ok {
return Elasticsearch{}, errors.New("invalid connection string: must include a password unless a service token is provided")
}
cfgwarn.Deprecate("8.0.0", "Support for basic authorization (username:password) is deprecated. Please use service_token.")
cfg.Username = u.User.Username()
cfg.Password = password
return cfg, nil
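
Review bot: The message passed to `cfgwarn.Deprecate` here tells the user to use `service_token`, the one in container.go says `FLEET_SERVER_SERVICE_TOKEN`, and the two in client.go say "api keys"; all four call the mechanism "basic authorization", where the YAML comments in this patch say "basic auth". Settle on one term ("basic authentication") and have each message name the exact setting the user has to change.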
3 changes: 3 additions & 0 deletions x-pack/elastic-agent/pkg/remote/client.go
Expand Up @@ -17,6 +17,7 @@ import (
"github.com/pkg/errors"

"github.com/elastic/beats/v7/libbeat/common"
"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/config"
"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/logger"
Expand Down Expand Up @@ -61,6 +62,7 @@ func NewConfigFromURL(kURL string) (Config, error) {

var username, password string
if u.User != nil {
cfgwarn.Deprecate("8.0.0", "Support for basic authorization is deprecated. Please use api keys.")
username = u.User.Username()
// _ is true when password is set.
password, _ = u.User.Password()
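
Review bot: The warning added under `if u.User != nil` does not say where the credentials came from. Unlike the container.go message, which names the environment variables, this one gives the operator nothing to search for; state that the userinfo is embedded in the URL passed to `NewConfigFromURL`, without logging the URL itself, since it contains the password.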
Expand Down Expand Up @@ -126,6 +128,7 @@ func NewWithConfig(log *logger.Logger, cfg Config, wrapper wrapperFunc) (*Client
}

if cfg.IsBasicAuth() {
cfgwarn.Deprecate("8.0.0", "Support for basic authorization is deprecated. Please use api keys.")
// Pass basic auth credentials to all the underlying calls.
transport = NewBasicAuthRoundTripper(transport, cfg.Username, cfg.Password)
}
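
Review bot: The message under `if cfg.IsBasicAuth()` is the same one `NewConfigFromURL` now logs, so a `Config` built there from a URL with userinfo and then handed to `NewWithConfig` would log the deprecation twice. Emit it in one place, preferably here, where `cfg.IsBasicAuth()` covers every way the credentials can be set.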