[Uptime] Implement Encrypted Saved Objects for UI Monitor Management #127158

Closed
dominiqueclarke opened this issue Mar 8, 2022 · 2 comments · Fixed by #127348
Labels
Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability v8.2.0


@dominiqueclarke
Contributor

As a user of Uptime, I'd like my sensitive data to be encrypted at rest.

To help protect customer information, we must transition Uptime Synthetic Monitor saved objects to encrypted saved objects.

POC: #125168

SPIKE: elastic/uptime#406

Encrypted Saved Objects README: https://github.com/elastic/kibana/blob/main/x-pack%2Fplugins%2Fencrypted_saved_objects%2FREADME.md

Fields to encrypt must be specified as a single JSON payload under a single key. This ensures that decrypting objects at scale is performant. For example, the key `secrets` would hold a JSON payload of all the sensitive fields.

```typescript
export const syntheticsMonitor: SavedObjectsType = {
  name: syntheticsMonitorType,
  hidden: false,
  namespaceType: 'single',
  mappings: {
    dynamic: false,
    properties: {
      name: {
        type: 'keyword',
      },
      id: {
        type: 'keyword',
      },
      type: {
        type: 'keyword',
      },
      urls: {
        type: 'keyword',
      },
      tags: {
        type: 'keyword',
      },
      // Single key holding the JSON payload of all sensitive fields
      secrets: {
        type: 'text',
      },
    },
  },
  management: {
    importableAndExportable: true,
    icon: 'uptimeApp',
    getTitle: (savedObject) =>
      savedObject.attributes.name +
      ' - ' +
      i18n.translate('xpack.uptime.syntheticsMonitors', {
        defaultMessage: 'Uptime - Monitor',
      }),
  },
};
```

When the encrypted saved object is registered, the `secrets` field should be specified as `attributesToEncrypt`:

```typescript
encryptedSavedObjects.registerType({
  type: syntheticsMonitor.name,
  attributesToEncrypt: new Set(['secrets']),
});
```

Formatting Saved Objects

All fields in the SyntheticsMonitor type are flattened. To support saving sensitive fields within the saved object under a single key, we should create formatters that transform the SyntheticsMonitor type into a saved object compatible format, and vice versa, when adding or fetching a monitor. This ensures that the current contract is able to remain intact throughout the app.

Saved Object Migrations

Now that sensitive fields must be stored as a JSON payload under a single key, we must create a saved object migration. This migration must account for our previously unencrypted saved objects and 1. store them as encrypted saved objects and 2. move the sensitive fields to the `secrets` key. Sync with @azasypkin for questions.
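
The formatter pair described under "Formatting Saved Objects", as an added example that is not part of the original issue or the Uptime plugin's code; the same forward transform is what step 2 of the migration applies to old attributes. The names `FlatMonitor`, `MonitorAttributes`, `SECRET_KEYS`, `formatForSavedObject` and `formatFromSavedObject`, and the list of sensitive field names, are assumptions made for illustration.

```typescript
// Added example. SECRET_KEYS is an assumed list, not the Uptime plugin's real one.
type FlatMonitor = Record<string, unknown>;
interface MonitorAttributes {
  [key: string]: unknown;
  secrets: string; // JSON payload; the only attribute in attributesToEncrypt
}
const SECRET_KEYS: readonly string[] = ['username', 'password', 'source.inline.script'];

// Flattened monitor -> saved-object attributes (adding a monitor, or migrating an old one).
function formatForSavedObject(monitor: FlatMonitor): MonitorAttributes {
  const secrets: FlatMonitor = {};
  const attributes: FlatMonitor = {};
  for (const [key, value] of Object.entries(monitor)) {
    if (key === 'secrets') {
      throw new Error('"secrets" is reserved for the encrypted payload');
    }
    (SECRET_KEYS.includes(key) ? secrets : attributes)[key] = value;
  }
  return { ...attributes, secrets: JSON.stringify(secrets) };
}

// Decrypted saved-object attributes -> flattened monitor (fetching a monitor).
function formatFromSavedObject(attributes: MonitorAttributes): FlatMonitor {
  const { secrets, ...plain } = attributes;
  const parsed: unknown = JSON.parse(secrets || '{}');
  if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
    throw new Error('secrets payload must be a JSON object');
  }
  const flat: FlatMonitor = { ...plain };
  for (const [key, value] of Object.entries(parsed)) {
    // Restore only allowlisted keys so the payload cannot overwrite plaintext attributes.
    if (SECRET_KEYS.includes(key)) flat[key] = value;
  }
  return flat;
}

// Constructed sample monitor; every value is a placeholder.
const sampleMonitor: FlatMonitor = {
  name: 'checkout page',
  type: 'browser',
  urls: 'https://example.com',
  username: 'svc-monitor',
  password: 'constructed-placeholder',
};
const stored = formatForSavedObject(sampleMonitor);
console.log(Object.keys(stored)); // plaintext attribute names plus "secrets"
console.log(formatFromSavedObject(stored)); // the original flattened monitor
```
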

@botelastic botelastic bot added the needs-team Issues missing a team label label Mar 8, 2022
@dominiqueclarke dominiqueclarke added the Team:Uptime - DEPRECATED Synthetics & RUM sub-team of Application Observability label Mar 8, 2022
@elasticmachine
Contributor

Pinging @elastic/uptime (Team:uptime)

@shahzad31
Contributor

POST FF Testing

Tested on edg-olbt and can verify that secrets are being encrypted in saved objects
