Deprecate username/password in elastic-agent #29434

Merged
Changes from 2 commits
1 change: 1 addition & 0 deletions x-pack/elastic-agent/CHANGELOG.next.asciidoc
Expand Up @@ -150,3 +150,4 @@
- Add diagnostics collect command to gather beat metadata, config, policy, and logs and bundle it into an archive. {pull}28461[28461]
- Add `KIBANA_FLEET_SERVICE_TOKEN` to Elastic Agent container. {pull}28096[28096]
- Allow pprof endpoints for elastic-agent or beats if enabled. {pull}28983[28983] {pull}29155[29155]
- Mark username/password settings for fleet-server as deprecated. {pull}29434[29434]
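Review bot: The added entry (last line of this hunk) names only fleet-server and gives no removal version. The Go warnings in this PR state 8.0.0, and the config templates also swap the elasticsearch output example from username/password to api_key. Consider adding "will be removed in 8.0" to the entry and mentioning the output example change if it is intended.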
8 changes: 6 additions & 2 deletions x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl
Expand Up @@ -5,8 +5,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
Contributor Author

I'm a bit confused if this attribute should be api_key or service_token.
The libbeat output config expects api_key, but some config from within the agent refers to it as service_token.

Member

api_key is for the output, service_token is for what is passed to fleet-server. This is not the same thing, see other comments.

# username: elastic
# password: changeme

inputs:
- type: system/metrics
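Review bot: `api_key: "example-key"` is now the active (uncommented) credential of the default output, and nothing in the hunk says what form the value takes or that it must be replaced. Add a comment above it stating the expected format and that it is a placeholder. The thread on this line shows api_key (output) and service_token (fleet-server) are easy to confuse, so a one-line comment saying which one this is would also help.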
Expand Down Expand Up @@ -74,6 +75,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that fleet-server basic auth is deprecated for and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
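Review bot: Typo in the added note: "deprecated for and will be removed in 8.0" has a stray "for". The other config files in this PR read "deprecated and will be removed in 8.0"; use that wording here.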
Expand Up @@ -5,8 +5,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# username: elastic
michel-laterman marked this conversation as resolved.
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -43,6 +44,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that fleet-server basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #username: "elastic"
# #password: "changeme"
# #path: ""
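Review bot: `# #username: "elastic"` appears twice in a row after the deprecation note. The hunk header (-43,6 +44,10) shows four added lines where the equivalent hunks in the other files add three. Drop the second copy.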
Expand Up @@ -43,6 +43,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
michel-laterman marked this conversation as resolved.
# # Note that fleet-server basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
3 changes: 3 additions & 0 deletions x-pack/elastic-agent/elastic-agent.docker.yml
Expand Up @@ -43,6 +43,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
# # Note that fleet-server basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
9 changes: 7 additions & 2 deletions x-pack/elastic-agent/elastic-agent.reference.yml
Expand Up @@ -11,8 +11,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# username: elastic
michel-laterman marked this conversation as resolved.
# password: changeme

inputs:
- type: system/metrics
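Review bot: The output's `username`/`password` are commented out here with no explanation, while the fleet-server block in the same file gets an explicit deprecation note. State in a comment whether basic auth for the elasticsearch output is also deprecated or is simply an alternative to api_key, since the changelog entry covers fleet-server only.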
Expand Down Expand Up @@ -49,6 +50,10 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that fleet-server basic auth is deprecated and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
michel-laterman marked this conversation as resolved.
# #username: "elastic"
# #password: "changeme"
# #path: ""
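Review bot: Same duplicated `# #username: "elastic"` line as in the earlier +44,10 hunk (here -49,6 +50,10). Remove one copy; if this file is generated from a template, fix it there and regenerate.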
8 changes: 6 additions & 2 deletions x-pack/elastic-agent/elastic-agent.yml
Expand Up @@ -11,8 +11,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api_key: "example-key"
# username: elastic
# password: changeme

inputs:
- type: system/metrics
Expand Down Expand Up @@ -80,6 +81,9 @@ inputs:

# # optional values
# #protocol: "https"
# #service_token: "example-token"
# # Note that fleet-server basic auth is deprecated for and will be removed in 8.0
# # service_token should be used instead.
# #username: "elastic"
# #password: "changeme"
# #path: ""
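Review bot: Same stray "for" as in common.p2.yml.tmpl: "deprecated for and will be removed in 8.0". If this file is generated from that template, correcting the template and regenerating fixes both.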
2 changes: 2 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/container.go
Expand Up @@ -27,6 +27,7 @@ import (
"github.com/spf13/cobra"
"gopkg.in/yaml.v2"

"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/common/transport/httpcommon"
"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
"github.com/elastic/beats/v7/libbeat/kibana"
Expand Down Expand Up @@ -426,6 +427,7 @@ func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) {
if cfg.Elasticsearch.ServiceToken != "" {
return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
}
cfgwarn.Deprecate("8.0.0", "Support for basic authorization (FLEET_SERVER_ELASTICSEARCH_USERNAME:FLEET_SERVER_ELASTICSEARCH_PASSWORD) is deprecated. Please use FLEET_SERVER_SERVICE_TOKEN instead.")
return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil
}
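Review bot: `cfgwarn.Deprecate` runs whenever `cfg.Elasticsearch.ServiceToken` is empty, so unless code above this hunk rejects empty credentials, a config with neither a token nor a username still logs that basic auth is deprecated. Guard the call on `cfg.Elasticsearch.Username != ""`. Separately, the `fmt.Sprintf` that follows writes Username and Password into the URL unescaped; `url.UserPassword` would encode reserved characters such as `@` or `/` in a password.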

Expand Up @@ -7,6 +7,7 @@ package configuration
import (
"net/url"

"github.com/elastic/beats/v7/libbeat/common/cfgwarn"
"github.com/elastic/beats/v7/libbeat/common/transport/tlscommon"
"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors"
)
Expand Down Expand Up @@ -81,6 +82,7 @@ func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (
if !ok {
return Elasticsearch{}, errors.New("invalid connection string: must include a password unless a service token is provided")
}
cfgwarn.Deprecate("8.0.0", "Support for basic authorization (username:password) is deprecated. Please use service_token.")
cfg.Username = u.User.Username()
cfg.Password = password
return cfg, nil
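Review bot: The message says "basic authorization" (as does the one in container.go), while the config comments say "basic auth". The HTTP scheme is Basic authentication, so "basic authentication" would be the consistent term in both messages. The removal version "8.0.0" and near-identical text are also duplicated across the two call sites; a shared constant would keep them from drifting.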