Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DISCUSS] Elasticsearch data access layer #24861

Closed
mattkime opened this issue Oct 30, 2018 · 4 comments
Closed

[DISCUSS] Elasticsearch data access layer #24861

mattkime opened this issue Oct 30, 2018 · 4 comments
Labels
discuss Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@mattkime
Copy link
Contributor

Problem definition
Kibana in general and Kibana management features in particular make heavy use of CRUD calls to elasticsearch. Kibana serves as a proxy for es, providing search functionality generally but other apis are on a per instance basis. This secures es while placing a burden on kibana developers, however there's no stated set of security concerns so compliance is unclear.

Proposed solution

  1. Develop a statement that outlines security concerns in detail.

  2. Create a data access layer that centralizes es access. It would be nice to have a central whitelist of urls and methods.
@legrego legrego added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! labels Oct 30, 2018
@bmcconaghy
Copy link
Contributor

A couple of thoughts on this:

  • I don't think the current model came about due to security concerns, but rather out of a need to accommodate different network architectures. We cannot assume that a client able to connect to the Kibana server and thus load up the Kibana web app can also connect to the Elasticsearch cluster. Many networks are partitioned such that a direct connection from the web app to ES is not allowed.
  • Console has a proxy Kibana server API endpoint that it uses to allow API requests to be made to ES based on user input. This proposed data layer would need to accommodate that use case as well to centralize ES access.
  • I think that there are some cases where the ES JS client is used in the browser to connect directly to ES. We would need to sort those cases out too.

@kobelb
Copy link
Contributor

kobelb commented Nov 5, 2018

Until very recently with the introduction of Kibana RBAC in 6.4, and Spaces which builds on top of it in 6.5, Kibana was able to defer almost entirely to Elasticsearch to implement security. As such, the Kibana end-users were required to have the various index/cluster privileges in Elasticsearch to be able to perform certain actions, so a majority of calls to Elasticsearch are made using the identity of the authenticated end-user.

We've begun to document these changes here: https://www.elastic.co/guide/en/kibana/current/development-security.html

Is your primary concern stemming from not knowing which ES/Kibana privileges a user needs to be able to perform the various end-user related actions in Kibana directly?

@lukeelmers
Copy link
Member

@mattkime Can this be closed as we are now tracking the data access work in #29215?

@stacey-gammon
Copy link
Contributor

Agree with you @lukeelmers, lets close this in favor of #29215

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
discuss Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mattkime @kobelb @lukeelmers @bmcconaghy @legrego @stacey-gammon