-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Fleet] Use Elasticsearch API Keys instead of custom JWT tokens #48968
Comments
"When regenerate delete the old API key" -- I think this concept of having a single enrollment token is going away. That we will need to display a list of enrollment tokens somewhere. @clintongormley Perhaps you can clarify? |
Do we really need this? I don't see why we would need to keep the hash on our side? I presume that you will want to query based on the hashed api key? It means that at some point you did the hash with the Kibana secrets. So If I do a call on your api with the token you can hash it again with the same secret. |
Just want to clarify, that API KEY can be used for both ES and Kibana authentification, correct? |
Agreed, I don't think storing the hash is needed. |
Correct |
We need a way to link an agent (saved object in kibana) and an ApiKey
Yes |
Right but fleet can do this by grabbing and re-hashing the API Key that is in the headers from the Agents request |
So to resume just some misunderstanding here, we are going to save the apiKey hash in the saved object agent not the fleet agent |
Perhaps an additional open question... This token is supposed to be used for the output to ES... in the future, we plan to support outputting to another cluster... should we worry now about how that would work with an API Key only existing on a single cluster? |
Good question @mattapperson for multiple clusters, I don't think we need a resolution for now but. Now, are we assuming that everything we received an elasticsearch output configuration we use the saved |
Yes. Steps: -I send you the plain text version of the key.
The secret is the weakest link here. |
Yes |
No. Enrolment More than one enrolment API key can exist in the same space. The first one should be autogenerated. Subsequent enrollment API keys can be generated by the user via the UI.
Generate the first enrolment API key automatically so it is immediately available.
It should grant permission to the Agent to enroll in the current space.
I don't know about this
Multiple enrolment keys can co-exist - the user would actively choose to delete a key.
The enrolment key should be reusable across many agents until such time as it is deleted or expired.
I agree that we should allow for multiple enrolment keys, but not one per agent. Start with one default autogenerated key and add/remove as needed for a particular deployment. Any agent with an enrolment key can enroll, which gives them an API token associated with the Agent's UUID. An enrolled agent never needs to use the enrollment key again. |
Can you clarify this? when we enroll an agent he is not assigned to a policy, and the user need to do an extra step to assign it? or you can have enrollment token with a policy (optional)? |
@nchaulet I think, unless I am wrong, we want to make enrolling to a particular policy optional. Because in the future we want to be able to have optional auto-assignment rules in fleet vs designating one at enroll. |
@nchaulet An agent can be assigned to 0-1 policies, which means that we can change which policy is assigned to an agent, or we can unassign an agent (which remains enrolled, and still keeps checking with kibana in case it is assigned a new policy). Now when an agent is enrolled, we could do one of the following:
I think I'm leaning towards the 3rd option which can include things which don't need configuration, eg system monitoring |
I agree with most of that, Have unassigned agents => you can assign the policy later from Kibana, (or automatic rules in a future versions). I think we should not allow to specify the policy id on install seems to be sensitive: from one enrolment token you can get all policies |
@nchaulet @clintongormley FWIW one of our top asks for Beats CM was to enroll directly to tags. We don't have tags now but we do have policies.
|
OK, so turn this around. Instead of the agent specifying which policy it should belong to, and instead of an enrollment key belonging to a policy, have an enrollment key specify the policy to assign. Perhaps that was the model you originally had but I understood it as "policy-has-enrollment-key" instead of "enrollment-key-specifies-policy" |
@clintongormley yes this is how we had it before. The UX was token on policy because it felt easier to us. but the implementation is and was "enrollment-key-specifies-policy" |
Work in progress
Context
To authenticate the agent fleet uses tokens:
We have one enrollment token per policy, and when a agent enroll we create a new access token.
Change
During the first implementation of Fleet we use custom JWT token, we want to use ES API Key instead, (standard, more secure, …)
Also now an enrollment token could be assigned to a policy or not.
Vocabulary change
Enrollment token -> Enrollment Api Key
Access token -> Access Api Key
API change
Enrollment and checkin
For the agent instead of using a
kbn-*
headers use the standardAuthorization: ApiKey {API_KEY}
with the new enrollment token for enroll and access token for checkinEnrollment api keys
GET /api/fleet/enrollment_api_keys
list enrollment api keysPOST /api/fleet/enrollment_api_keys
create an enrollment api key with an optionnal policy idKibana Internal change
For enrolment token:
For access token:
logs-*
metrics-*
(we could do better in the future)Open questions, need to solve later
The text was updated successfully, but these errors were encountered: