[Fleet] Support preconfigured output secrets (scrypt edition) #172041
export async function hashSecret(secret: string) { | ||
return new Promise((resolve, reject) => { | ||
const salt = crypto.randomBytes(16).toString('hex'); | ||
crypto.scrypt(secret, salt, 64, { p: 5 }, (err, derivedKey) => { |
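Review bot: the `crypto.scrypt(secret, salt, 64, { p: 5 }, ...)` call leaves N and r to Node's runtime defaults, while the PR description commits to N=2^14, r=8, p=5; pass all three explicitly (`{ N: 16384, r: 8, p: 5 }`) and record them next to the salt and derived key so a stored hash can still be verified if the defaults or the chosen parameters change later.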
nit: should the integer values be moved to constants?
LGTM
Pinging @elastic/fleet (Team:Fleet)
This PR adds support for outputs with secrets preconfigured in the `kibana.yml` config file. As Kibana needs to compare the value of the secret to manage updates, a hash of the value is stored in the output's saved object. The implementation follows [option 2 in Infosec's recommendations](elastic/infosec#14853 (comment)) with the Argon2id algorithm. See [here](https://www.npmjs.com/package/argon2) for information about the `argon2` Node package and [here](https://github.com/ranisalt/node-argon2/wiki/Options) for the config options. Here, `argon2` was configured with the recommended `m=19456 (19 MiB), t=2, p=1` (for some reason, `timeCost` cannot be set to less than 2).

Closes elastic#166360

1. Ensure the [`outputSecretsStorage` experimental feature](https://github.com/elastic/kibana/blob/fd4fdb01bcb011c0968a4ccab7ba739c3195016a/x-pack/plugins/fleet/common/experimental_features.ts#L26) is enabled.
2. Add the following to your kibana config:

```
xpack.fleet.outputs:
  - id: my-logstash-output-with-a-secret
    name: preconfigured logstash output with a secret
    type: logstash
    hosts: ["localhost:9999"]
    ssl:
      certificate: xxxxxxxxxx
    secrets:
      ssl:
        key: thisissecret
```

3. Verify the secret has been correctly created, e.g. by issuing a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there.
4. Change the preconfigured value and wait for kibana to restart: the secret should be updated with the new value.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: jillguyonnet <jill.guyonnet@gmail.com>
@elasticmachine merge upstream
| { | ||
id: string; | ||
}; | ||
service_token?: OutputSecret; |
@juliaElastic Does this look OK? I made this change after #171875 was merged.
yes, it's good
we should test if a preconfigured remote_elasticsearch output works though
@elasticmachine merge upstream
💚 Build Succeeded
Summary

Support for outputs with secrets preconfigured in `kibana.yml`. This was already implemented in #170259, which had to be reverted as the `argon2` package was causing Windows tests to test (cf. this comment). The present implementation follows option 2 in Infosec's recommendations with the Scrypt algorithm using the following params: N=2^14 (16 MiB), r=8 (1024 bytes), p=5. Note that Scrypt is built-in within the `crypto` module (see here for documentation).

Closes #166360

Testing

- Ensure the `outputSecretsStorage` experimental feature is enabled.
- Issue a `GET .fleet-secrets/_search` request in Dev Tools: the secret should be listed there.