New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow using JWT credentials to grant API keys. #172444
Conversation
@@ -94,7 +94,7 @@ export const configSchema = schema.object({ | |||
}), | |||
], | |||
{ | |||
defaultValue: ['authorization'], | |||
defaultValue: ['authorization', 'es-client-authentication'], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: the time has come 🙂 See https://www.elastic.co/guide/en/elasticsearch/reference/8.11/jwt-auth-realm.html#jwt-realm-configuration
Pinging @elastic/kibana-security (Team:Security) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ftr_configs.yml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested locally, LGTM with one docs comment and one test question.
I recommend adding a Release Notes section to this PR description, which includes a note about the change to elasticsearch.requestHeadersWhitelist
's default value.
packages/core/elasticsearch/core-elasticsearch-server-internal/src/elasticsearch_config.ts
Show resolved
Hide resolved
`xpack.security.authc.realms.jwt.jwt_with_secret.pkc_jwkset_path=${jwksPath}`, | ||
`xpack.security.authc.realms.jwt.jwt_with_secret.token_type=access_token`, | ||
|
||
// JWT WITHOUT shared secret |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🏅 thanks for testing both with and without shared secret
// separate `describe` since `this.tags` only works on a test suite level. | ||
this.tags(['skipMKI']); | ||
|
||
it('should properly grant API key (with client authentication)', async function () { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question should we include negative tests to ensure that end-to-end error handling works correctly if we:
- Fail to provide a
ES-Client-Authentication
header - Provide a malformed
ES-Client-Authentication
header - Provide a well-formed, but incorrect
ES-Client-Authentication
header - Provide a valid
ES-Client-Authentication
header with a valid ES bearer token instead of a JWT
While this should be handled more or less automatically, we've benefited in the past from these types of "redundant" tests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All these tests will fail during authentication stage, so we'll effectively be testing authentication, not grantApiKey
API, but I agree that these tests will be useful, so I added them to a separate test suite. Done in e795826!
Good idea, thanks. I'll add a release note. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ObsUX changes LGTM
💛 Build succeeded, but was flaky
Failed CI Steps
Test Failures
Metrics [docs]History
To update your PR or re-run it, just comment with: cc @azasypkin |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Summary
In this PR we:
elasticsearch.requestHeadersWhitelist
to include bothauthorization
andes-client-authentication
to support JWT with required client authentication by default. See https://www.elastic.co/guide/en/elasticsearch/reference/8.11/jwt-auth-realm.html#jwt-realm-configurationNOTE: We're not gating this functionality with the config flag (
xpack.security.authc.http.jwt.taggedRoutesOnly
) as we did for the Serverless offering. It'd be a breaking change as we already implicitly support JWT authentication without client authentication, and to be honest, it's not really necessary anyway.Testing
Refer to the
Testing
section in this PR description: #159117.Or run already pre-configured Kibana functional test server:
node scripts/functional_tests_server.js --config x-pack/test/security_api_integration/api_keys.config.ts
Fixes: #171522
Release note: The default value of the
elasticsearch.requestHeadersWhitelist
configuration option has been expanded to include thees-client-authentication
HTTP header, in addition toauthorization
.