Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Transport Layer Security (TLS) requirement for alerting when security is enabled #111721

Closed
mikecote opened this issue Sep 9, 2021 · 5 comments · Fixed by #115234
Closed

Remove Transport Layer Security (TLS) requirement for alerting when security is enabled #111721

mikecote opened this issue Sep 9, 2021 · 5 comments · Fixed by #115234
Assignees
@mikecote
Labels
estimate:small Small Estimated Level of Effort Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
Kibana Alerting

Comments

@mikecote
Copy link
Contributor

mikecote commented Sep 9, 2021

Once elastic/elasticsearch#76801 merges, Elasticsearch no longer requires TLS to be enabled to use API keys. As a follow-up, we can remove the enforcement checks the alerting framework does and enable usage when TLS is disabled, and security is enabled.

cc @arisonl
@mikecote mikecote added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework estimate:small Small Estimated Level of Effort labels Sep 9, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@mikecote
Copy link
Contributor Author

mikecote commented Sep 9, 2021

Adding blocked label until elastic/elasticsearch#76801 is merged.

@mikecote
Copy link
Contributor Author

mikecote commented Sep 9, 2021

Since we are using security?.authc.apiKeys.areAPIKeysEnabled(), we may get this fix for free 🤔 might be worth validating. We still need to disable the usage of alerting if ever a customer sets xpack.security.authc.api_key.enabled: false in Elasticsearch.

@gmmorris gmmorris added this to 7.16/8.0 in Kibana Alerting Sep 15, 2021
@mikecote
Copy link
Contributor Author

elastic/elasticsearch#76801 is now merged and backported, removing blocked label.

@mikecote mikecote removed the blocked label Sep 23, 2021
@gmmorris gmmorris moved this from 7.16/8.0 to To-Do (Ordered by priority) in Kibana Alerting Oct 4, 2021
@mikecote
Copy link
Contributor Author

Expanding on #111721 (comment).

The security?.authc.apiKeys.areAPIKeysEnabled() makes it seem that alerting will work without TLS. If that is the case, without changing our code, users can encounter 2 scenarios that would be misleading.

Scenario 1: User reads docs, spends time to set up TLS when alerting works without TLS enabled (wasting set-up steps)
Scenario 2: User disables API keys and gets a banner asking for TLS to be enabled (when it fact it doesn’t need to be)

@mikecote mikecote self-assigned this Oct 15, 2021
@mikecote mikecote moved this from To-Do (Ordered by priority) to In Progress in Kibana Alerting Oct 15, 2021
This was referenced Oct 15, 2021
Merged
Closed
@mikecote mikecote moved this from In Progress to In Review in Kibana Alerting Oct 18, 2021
Kibana Alerting automation moved this from In Review to Done (Ordered by most recent) Oct 19, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mikecote mikecote

Labels
estimate:small Small Estimated Level of Effort Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
No open projects
Kibana Alerting
Done (Ordered by most recent)
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove TLS requirement for alerting when security is enabled mikecote/kibana
3 participants
@kobelb @mikecote @elasticmachine