[Fleet] Replace usage of username by user profile uid #138703
Comments
Pinging @elastic/kibana-security (Team:Security)
Pinging @elastic/fleet (Team:Fleet)
What this
|
I wonder if we (as a platform) should offer an opinionated, graceful fallback. If the consumer can do without a true identity for their use case, then perhaps we could offer to store a display name (and/or other fields) in lieu of a profile id. This could allow for a ux that more gracefully degrades. For example (hypothetical!): If
++, we'll definitely provide/document guidance on this one that might eventually result in a one-stop set of programmatic APIs (e.g. "get me the most unique identifier for the current user you can get" and "resolve this user identifier to the most human readable label you can") for all types of users. I'd like to learn more about the existing use cases before we offer anything though.
It is stored as a field in agent and integration policies, I found one place where the Updated by field is displayed on Integrations UI: @paul-tavares Can you confirm what the security plugin is using this field for?
Hi @juliaElastic, We have not yet opened an issue on our side to follow up, but note that I think many more discussions will be needed on this due to the fact that the Security team is suggesting we store a User Profile UUID. That value is not useful from a UX standpoint and thus we will need to discuss the implication of making such a change and how we can continue to support showing a username on the UI. cc/ @kevinlog, @ashokaditya
How can these policies be updated? Are they always updated interactively by the logged in user or you also provide HTTP APIs to update these policies with something like
Kibana Security plugin exposes APIs to resolve profile UID to the user profile that always includes
It's worth noting that storing/displaying a username is not always sufficient for determining identity. It's possible that two different people can share a username, by authenticating via different realms. For example, you can define an
User Profiles are a much stronger form of identity within the platform, and were intentionally designed to support these nuanced scenarios.
The policies can be updated through UI and API (the UI uses the same API that we expose to users). The API supports ApiKey, Bearer auth, with those we just set "updatedBy: system". How urgent is this work to replace
Thanks for confirming, let me discuss this case with the team.
There is no urgency from our end, but the sooner you migrate the sooner you might leverage all user profile related functionality and potentially fewer code paths to migrate later.
Fleet uses username from security plugin to set updatedBy field in agent policy and package policy.
security.authc.getCurrentUser(req).username
https://github.com/elastic/kibana/blob/main/x-pack/plugins/fleet/server/services/agent_policy.ts#L206
kibana/x-pack/plugins/fleet/server/services/package_policy.ts
Lines 190 to 192 in ea7bc36
It was raised that users of this API should migrate to use profile ID instead as username is not guaranteed to be unique.
((await security.userProfiles.getCurrent(req)).uid)
https://www.elastic.co/guide/en/elasticsearch/reference/master/user-profile.html
Can we get some guidance whether user profile ID should be used in our use case?
Originally discussed here: https://elastic.slack.com/archives/C9097ABGC/p1660232160243589?thread_ts=1660148287.877479&cid=C9097ABGC
cc @joshdover
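The concern raised in this thread, sketched as an added example that is not part of the original issue and is not Kibana or Fleet code: two people sharing a username through different realms collapse into one identity when `updatedBy` stores the username, while a profile uid with a label fallback keeps them apart. The types, the `realm` field, the lookup function and all uid values are constructed stand-ins, not the security plugin's real API.

```typescript
// Stand-in shapes for this example only; they are not Kibana's real types.
interface SessionUser { username: string; realm: string } // realm field is an assumption
interface Profile { uid: string; displayName: string }    // hypothetical minimal profile
interface UpdatedBy { uid: string | null; label: string }

// Constructed sample: two different people share the username "jdoe" via different realms.
const PROFILES: Record<string, Profile> = {
  "native1/jdoe": { uid: "u_constructed_0001", displayName: "Jane Doe" },
  "saml1/jdoe": { uid: "u_constructed_0002", displayName: "John Doe" },
};

// Hypothetical lookup standing in for "get the current user's profile".
// Returns null when the request has no interactive user (API key, bearer token).
function profileFor(user: SessionUser | null): Profile | null {
  if (user === null) return null;
  return PROFILES[`${user.realm}/${user.username}`] ?? null;
}

// Prefer the profile uid as the stored identity and keep a readable label beside it.
// Without a profile, fall back to the username, or to "system" when there is no user.
function resolveUpdatedBy(user: SessionUser | null): UpdatedBy {
  const profile = profileFor(user);
  if (profile !== null) return { uid: profile.uid, label: profile.displayName };
  return { uid: null, label: user?.username ?? "system" };
}

// Count distinct editors in a policy's update history under each identity scheme.
function distinctEditors(history: (SessionUser | null)[]): { byUsername: number; byUid: number } {
  const names = new Set<string>();
  const ids = new Set<string>();
  for (const user of history) {
    const who = resolveUpdatedBy(user);
    names.add(user?.username ?? "system");
    ids.add(who.uid ?? `label:${who.label}`); // uid-less entries stay distinguishable by label
  }
  return { byUsername: names.size, byUid: ids.size };
}

// Constructed history: two different "jdoe" users, then one API-key request.
const HISTORY: (SessionUser | null)[] = [
  { username: "jdoe", realm: "native1" },
  { username: "jdoe", realm: "saml1" },
  null,
];
```

Calling `distinctEditors(HISTORY)` reports two editors by username but three by uid, which is the attribution gap the migration closes.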