[Fleet] Support preconfigured output secrets #166360
Comments
Pinging @elastic/fleet (Team:Fleet)
Update: nevermind, see comment below this one. We need to decide how users will specify secrets in config. Here is a preconfigured output as it stands:
We can't have it so that a user upgrades to 8.12 and all of a sudden their ssl.key secret is migrated to using secrets storage, mainly because they also need to upgrade their fleet server, and on-prem users may not have done this, so we would break their policy. A couple of options; in both of these we will need to update the docs to warn the user that using the old keys will store in plaintext:
I think this is clean but it makes the API a bit more complicated
@juliaElastic @kpollich any opinions/other ideas?
Actually I've just been for a walk and realised that
@jillguyonnet I had a DM from @ismisepaul recommending we use argon2id, so I have had a go at starting an implementation, it's very rough but I think it works:
## Summary

This PR adds support for outputs with secrets preconfigured in the `kibana.yml` config file. As Kibana needs to compare the value of the secret to manage updates, a hash of the value is stored in the output's saved object. The implementation follows [option 2 in Infosec's recommendations](elastic/infosec#14853 (comment)) with the Argon2id algorithm. See [here](https://www.npmjs.com/package/argon2) for information about the `argon2` Node package and [here](https://github.com/ranisalt/node-argon2/wiki/Options) for the config options. Here, `argon2` was configured with the recommended `m=19456 (19 MiB), t=2, p=1` (for some reason, `timeCost` cannot be set to less than 2).

Closes elastic#166360

### Testing

1. Ensure the [`outputSecretsStorage` experimental feature](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26) is enabled.
2. Add the following to your kibana config:
```
xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type: logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: thisissecret
```
3. Verify the secret has been correctly created, e.g. by issuing a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there.
4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value.

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: jillguyonnet <jill.guyonnet@gmail.com>
Reopening this as #170259 was reverted.
@amolnater-qasource surfacing testing instructions from Jill's second PR here since there are multiple PRs here: Testing
@jillguyonnet if there's any more detail you can provide to help the QA folks test please feel free to add anything 🙂
Thank you @kpollich! It would be great to test this with the three output types that support secret values:
@amolnater-qasource please let me know if you have any questions 🙂
## Summary

Support for outputs with secrets preconfigured in `kibana.yml`. This was already implemented in #170259, which had to be reverted as the `argon2` package was causing Windows tests to test (cf. [this comment](#170259 (comment))). The present implementation follows [option 2 in Infosec's recommendations](elastic/infosec#14853 (comment)) with the Scrypt algorithm using the following params: N=2^14 (16 MiB), r=8 (1024 bytes), p=5. Note that Scrypt is built-in within the `crypto` module (see [here](https://nodejs.org/api/crypto.html#cryptoscryptpassword-salt-keylen-options-callback) for documentation).

Closes #166360

### Testing

1. Ensure the [`outputSecretsStorage` experimental feature](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26) is enabled.
2. Add the following to your kibana config:
```
xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type: logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: thisissecret
```
3. Verify the secret has been correctly created, e.g. by issuing a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there.
4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value.

Co-authored-by: Mark Hopkin <mark.hopkin@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Hi Team,
We have executed 08 testcases under the Feature test run for the 8.12.0 release at the link:
Status: PASS: 08
Build details:
As the testing is completed on this feature, we are marking this as QA:Validated. Please let us know if anything else is required from our end.
As part of #157458 we are adding the ability to use secrets with outputs.
Outputs can also be preconfigured in kibana.yml config. The scope of this issue is to support secrets in preconfigured outputs:
Implementation
See https://github.com/elastic/infosec/issues/14853; this has been raised with infosec.