New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Encrypted Saved Objects] Multiple plugins experiencing errors with encrypted saved objects in 8.11.1 #171630
Comments
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
Pinging @elastic/fleet (Team:Fleet) |
Ping @elastic/kibana-security (Sorry I don't know your team label) |
Posting a summary of my findings and what the great folks on the Kibana Security team, ECK team, and Security Defend Workflow teams have helped out with today over Slack.
kibana/x-pack/plugins/fleet/server/services/security/uninstall_token_service/index.ts Lines 193 to 228 in be46cce
I've tried a few different ways to recreate this outside of an ECK environment without success, e.g.
I've tried the above steps going from 8.9.2 -> 8.11.1, 8.10.4 -> 8.11.1, and 8.9.2 -> 8.11.1 all without a reproduction of the errors. Something else to note: the uninstall tokens seem to be the most common culprit for these error logs, but Fleet has another encrypted saved object code path that we haven't seen errors reported for yet: kibana/x-pack/plugins/fleet/server/services/security/message_signing_service.ts Lines 55 to 105 in be46cce
If these saved objects are encountering the same decryption errors as the uninstall tokens, we'd expect to see Finally, I have reason to suspect this limited to ECK. Kibana does not implicitly set
So it appears to me that something has potentially changed the value of the Is there any kind of trigger that would cause this random value to change during a stack upgrade? If a K8's namespace or secret or ConfigMap or something was blown away for some reason during the upgrade, would that cause a new encryption key to be randomly generated and break decryption like this? @elastic/cloud-k8s could you perhaps weigh in on this? |
I need to debug some local environment stuff with Kubernetes, but I'll try and reproduce the upgrade issue specifically in an ECK setup tomorrow morning my time (eastern US). |
I spun up an ECK deployment on my local machine this morning and performed a stack upgrade from 8.9.2 -> 8.11.1 without issue. The value of So, my hunch that the ECK operator changed the encryption key seems to not be accurate, at least in this instance. If we can get some kibana logs from before and after the stack upgrade for one of the instances where this bug is happening, that'd be massively helpful in tracking down the cause. Full findings below: 8.9.2 cluster
Created 3 agent policies via Fleet UI
Uninstall tokens feature is not active, so no tokens exist (expected)
8.11.1 clusterEverything worked as expected 🙁
|
I'll try an upgrade from 8.11.0 -> 8.11.1 to see if anything changes there, as the uninstall tokens will already exist during the stack upgrade process. |
Upgrade from 8.11.0 -> 8.11.1 shows the same behavior. Decryption works as expected, encryption key persists across stack upgrades 8.11.0 cluster
8.11.1
|
We've validated a workaround that will unblock Fleet: To unblock Fleet, you'll need to blow away and regenerate all uninstall tokens for your agent policies. It's recommended to keep a record of the existing uninstall tokens somewhere safe, in case they are present elsewhere in your environment or eventually appear in logs when an agent is uninstalled. Perform the following actions, all requests are expected to be made in Kibana dev tools:
Then, in another browser session (incognito/private window is easiest) log into Kibana as that user and open dev tools while logged in as the temporary user with elevated permissions.
Afterwards, the temp_user can be deleted from the initial Kibana browser session.
We're also working on an fix for 8.11.2 that will prevent Fleet from being blocked by encryption errors and improve the error logging for the uninstall token service to see if we can get a better idea of what's happening here: #171998. The root cause is still unclear, and we're continuing to investigate. |
Hi all. The security team is tracking this internally, and the workaround above should unblock anyone that runs into the issue as described. I'm closing this in favor of the internal issue in the security team's repo. |
Hi Kpollich, |
Hi @huangharry - if you're experiencing issues with Fleet specifically the workaround in this comment should unblock you. Are you experiencing issues related to encrypted saved objects in other plugins? Happy to take a look at any error logs, screenshots, or other information you could provide 🙏 |
Ref https://discuss.elastic.co/t/fleet-initial-error/347225/7
We're seeing various errors related to encrypted saved objects across multiple plugins in 8.11.1 including Fleet and Rules + Alerts.
Examples
During Fleet Setup
Fleet setup throws an error for each agent policy when we try to generate uninstall tokens.
This will result in Fleet Setup failing, Fleet being unavailable, or the uninstall tokens page being unavailable.
This error originates in Fleet setup here:
kibana/x-pack/plugins/fleet/server/services/setup.ts
Lines 167 to 178 in 3a58207
Specifically, the final error is thrown in this function:
kibana/x-pack/plugins/fleet/server/services/security/uninstall_token_service/index.ts
Lines 499 to 503 in 3a58207
The encrypted saved objects error is thrown here:
kibana/x-pack/plugins/encrypted_saved_objects/server/crypto/encrypted_saved_objects_service.ts
Lines 545 to 557 in 3a58207
In the Rules and Alerts Plugin
I don't have logs for this, but a discuss user provided this screenshot:
The error is likely identical to the Fleet issue, however the user was able to regenerate their rules' API keys in order to alleviate the problem.
Investigation
We've been able to reproduce a subset of these errors by doing the following
xpack.encryptedSavedObjects.encryptionKey
set to some valuekibana.yml
Open questions
The text was updated successfully, but these errors were encountered: