Introduce config apm-server.auth.anonymous

elastic · Jul 13, 2021 · 29857c1 · 29857c1
1 parent aa11469
commit 29857c1
Show file tree

Hide file tree

Showing 34 changed files with 797 additions and 181 deletions.
diff --git a/_meta/beat.yml b/_meta/beat.yml
@@ -19,6 +19,34 @@ apm-server:
     # Define a shared secret token for authorizing agents using the "Bearer" authorization method.
     #secret_token:
 
+    # Allow anonymous access only for specified agents and/or services. This is primarily intended to allow
+    # limited access for untrusted agents, such as Real User Monitoring.
+    #anonymous:
+      # By default anonymous auth is automatically enabled when either auth.api_key or
+      # auth.secret_token is enabled, and RUM is enabled. Otherwise, anonymous auth is
+      # disabled by default.
+      #
+      # When anonymous auth is enabled, only agents matching allow_agent and services
+      # matching allow_service are allowed. See below for details on default values for
+      # allow_agent.
+      #enabled:
+
+      # Allow anonymous access only for specified agents.
+      #allow_agent: [rum-js, js-base]
+
+      # Allow anonymous access only for specified service names. By default, all service names are allowed.
+      #allow_service: []
+
+      # Rate-limit anonymous access by IP and number of events.
+      #rate_limit:
+        # Rate limiting is defined per unique client IP address, for a limited number of IP addresses.
+        # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000.
+        #ip_limit: 1000
+
+        # Defines the maximum amount of events allowed per IP per second. Defaults to 300. The overall
+        # maximum event throughput for anonymous access is (event_limit * ip_limit).
+        #event_limit: 300
+
   # Maximum permitted size in bytes of a request's header accepted by the server to be processed.
   #max_header_size: 1048576
 
@@ -214,6 +242,10 @@ apm-server:
   #rum:
     #enabled: false
 
+    # Rate-limit RUM agents.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.rate_limit`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #event_rate:
 
       # Defines the maximum amount of events allowed to be sent to the APM Server RUM
@@ -230,6 +262,9 @@ apm-server:
     # A list of service names to allow, to limit service-specific indices and data streams
     # created for unauthenticated RUM events.
     # If the list is empty, any service name is allowed.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.allow_service`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #allow_service_names: []
 
     # A list of permitted origins for real user monitoring.

diff --git a/apm-server.docker.yml b/apm-server.docker.yml
@@ -19,6 +19,34 @@ apm-server:
     # Define a shared secret token for authorizing agents using the "Bearer" authorization method.
     #secret_token:
 
+    # Allow anonymous access only for specified agents and/or services. This is primarily intended to allow
+    # limited access for untrusted agents, such as Real User Monitoring.
+    #anonymous:
+      # By default anonymous auth is automatically enabled when either auth.api_key or
+      # auth.secret_token is enabled, and RUM is enabled. Otherwise, anonymous auth is
+      # disabled by default.
+      #
+      # When anonymous auth is enabled, only agents matching allow_agent and services
+      # matching allow_service are allowed. See below for details on default values for
+      # allow_agent.
+      #enabled:
+
+      # Allow anonymous access only for specified agents.
+      #allow_agent: [rum-js, js-base]
+
+      # Allow anonymous access only for specified service names. By default, all service names are allowed.
+      #allow_service: []
+
+      # Rate-limit anonymous access by IP and number of events.
+      #rate_limit:
+        # Rate limiting is defined per unique client IP address, for a limited number of IP addresses.
+        # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000.
+        #ip_limit: 1000
+
+        # Defines the maximum amount of events allowed per IP per second. Defaults to 300. The overall
+        # maximum event throughput for anonymous access is (event_limit * ip_limit).
+        #event_limit: 300
+
   # Maximum permitted size in bytes of a request's header accepted by the server to be processed.
   #max_header_size: 1048576
 
@@ -214,6 +242,10 @@ apm-server:
   #rum:
     #enabled: false
 
+    # Rate-limit RUM agents.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.rate_limit`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #event_rate:
 
       # Defines the maximum amount of events allowed to be sent to the APM Server RUM
@@ -230,6 +262,9 @@ apm-server:
     # A list of service names to allow, to limit service-specific indices and data streams
     # created for unauthenticated RUM events.
     # If the list is empty, any service name is allowed.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.allow_service`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #allow_service_names: []
 
     # A list of permitted origins for real user monitoring.

diff --git a/apm-server.yml b/apm-server.yml
@@ -19,6 +19,34 @@ apm-server:
     # Define a shared secret token for authorizing agents using the "Bearer" authorization method.
     #secret_token:
 
+    # Allow anonymous access only for specified agents and/or services. This is primarily intended to allow
+    # limited access for untrusted agents, such as Real User Monitoring.
+    #anonymous:
+      # By default anonymous auth is automatically enabled when either auth.api_key or
+      # auth.secret_token is enabled, and RUM is enabled. Otherwise, anonymous auth is
+      # disabled by default.
+      #
+      # When anonymous auth is enabled, only agents matching allow_agent and services
+      # matching allow_service are allowed. See below for details on default values for
+      # allow_agent.
+      #enabled:
+
+      # Allow anonymous access only for specified agents.
+      #allow_agent: [rum-js, js-base]
+
+      # Allow anonymous access only for specified service names. By default, all service names are allowed.
+      #allow_service: []
+
+      # Rate-limit anonymous access by IP and number of events.
+      #rate_limit:
+        # Rate limiting is defined per unique client IP address, for a limited number of IP addresses.
+        # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000.
+        #ip_limit: 1000
+
+        # Defines the maximum amount of events allowed per IP per second. Defaults to 300. The overall
+        # maximum event throughput for anonymous access is (event_limit * ip_limit).
+        #event_limit: 300
+
   # Maximum permitted size in bytes of a request's header accepted by the server to be processed.
   #max_header_size: 1048576
 
@@ -214,6 +242,10 @@ apm-server:
   #rum:
     #enabled: false
 
+    # Rate-limit RUM agents.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.rate_limit`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #event_rate:
 
       # Defines the maximum amount of events allowed to be sent to the APM Server RUM
@@ -230,6 +262,9 @@ apm-server:
     # A list of service names to allow, to limit service-specific indices and data streams
     # created for unauthenticated RUM events.
     # If the list is empty, any service name is allowed.
+    #
+    # WARNING: This configuration is deprecated and replaced with `apm-server.auth.anonymous.allow_service`,
+    # and will be removed in the 8.0 release. If that config is defined, this one will be ignored.
     #allow_service_names: []
 
     # A list of permitted origins for real user monitoring.

diff --git a/apmpackage/apm/agent/input/template.yml.hbs b/apmpackage/apm/agent/input/template.yml.hbs
@@ -1,7 +1,14 @@
 apm-server:
-    api_key:
-        enabled: {{api_key_enabled}}
-        limit: {{api_key_limit}}
+    auth:
+        anonymous:
+            enabled: {{enable_rum}}
+            rate_limit:
+                event_limit: {{anonymous_rate_limit_event_limit}}
+                ip_limit: {{anonymous_rate_limit_ip_limit}}
+        api_key:
+            enabled: {{api_key_enabled}}
+            limit: {{api_key_limit}}
+        secret_token: {{secret_token}}
     capture_personal_data: {{capture_personal_data}}
     idle_timeout: {{idle_timeout}}
     default_service_environment: {{default_service_environment}}
@@ -12,6 +19,7 @@ apm-server:
     max_header_size: {{max_header_bytes}}
     read_timeout: {{read_timeout}}
     response_headers: {{response_headers}}
+    {{#if enable_rum}}
     rum:
         allow_headers:
         {{#each rum_allow_headers}}
@@ -26,12 +34,10 @@ apm-server:
           - {{this}}
         {{/each}}
         enabled: {{enable_rum}}
-        event_rate.limit: {{rum_event_rate_limit}}
-        event_rate.lru_size: {{rum_event_rate_lru_size}}
         exclude_from_grouping: {{rum_exclude_from_grouping}}
         library_pattern: {{rum_library_pattern}}
         response_headers: {{rum_response_headers}}
-    secret_token: {{secret_token}}
+    {{/if}
     shutdown_timeout: {{shutdown_timeout}}
     {{#if tls_enabled}}
     ssl:

diff --git a/apmpackage/apm/manifest.yml b/apmpackage/apm/manifest.yml
@@ -41,6 +41,20 @@ policy_templates:
         title: Collect application traces
         description: Collect application traces
         vars:
+          - name: anonymous_rate_limit_event_limit
+            type: integer
+            title: Anonymous client rate limit event limit
+            description: Maximum number of events per client IP per second.
+            required: false
+            show_user: false
+            default: 10
+          - name: anonymous_rate_limit_ip_limit
+            type: integer
+            title: Anonymous client rate limit IP limit
+            description: Number of unique client IPs for which a distinct rate limit will be maintained.
+            required: false
+            show_user: false
+            default: 10000
           - name: host
             type: text
             title: Host
@@ -106,20 +120,6 @@ policy_templates:
             description: Added to RUM responses, e.g. for security policy compliance.
             required: false
             show_user: false
-          - name: rum_event_rate_limit
-            type: integer
-            title: RUM - Rate limit events per IP
-            description: Maximum number of events allowed per IP per second.
-            required: false
-            show_user: false
-            default: 10
-          - name: rum_event_rate_lru_size
-            type: integer
-            title: RUM - Rate limit cache size
-            description: Number of unique IPs to be cached for the rate limiter.
-            required: false
-            show_user: false
-            default: 10000
           - name: rum_library_pattern
             type: text
             title: RUM - Library Frame Pattern

diff --git a/...approved/integration/TestSourcemapHandler_AuthorizationMiddleware/Forbidden.approved.json b/...approved/integration/TestSourcemapHandler_AuthorizationMiddleware/Forbidden.approved.json
@@ -0,0 +1,3 @@
+{
+    "error": "unauthorized: anonymous access not permitted for sourcemap uploads"
+}
diff --git a/beater/api/config/agent/handler.go b/beater/api/config/agent/handler.go
@@ -113,7 +113,7 @@ func (h *handler) Handle(c *request.Context) {
 		c.Write()
 		return
 	}
-	if c.Authentication.Method == "" {
+	if c.Authentication.Method == auth.MethodAnonymous {
 		// Unauthenticated client, restrict results.
 		query.InsecureAgents = h.allowAnonymousAgents
 	}
@@ -234,7 +234,7 @@ func extractQueryError(c *request.Context, err error) {
 }
 
 func authErrMsg(c *request.Context, fullMsg, shortMsg string) string {
-	if c.Authentication.Method != "" {
+	if c.Authentication.Method != auth.MethodAnonymous {
 		return fullMsg
 	}
 	return shortMsg

diff --git a/beater/api/mux.go b/beater/api/mux.go
@@ -18,7 +18,6 @@
 package api
 
 import (
-	"context"
 	"net/http"
 	"net/http/pprof"
 
@@ -70,13 +69,6 @@ const (
 	IntakeRUMV3Path = "/intake/v3/rum/events"
 )
 
-var (
-	// rumAgents holds the current and previous agent names for the
-	// RUM JavaScript agent. This is used for restricting which config
-	// is supplied to anonymous agents.
-	rumAgents = []string{"rum-js", "js-base"}
-)
-
 // NewMux registers apm handlers to paths building up the APM Server API.
 func NewMux(
 	beatInfo beat.Info,
@@ -191,7 +183,6 @@ func (r *routeBuilder) rumIntakeHandler(newProcessor func(*config.Config) *strea
 				batchProcessor,
 			}
 		}
-		batchProcessor = batchProcessorWithAllowedServiceNames(batchProcessor, r.cfg.RumConfig.AllowServiceNames)
 		h := intake.Handler(newProcessor(r.cfg), requestMetadataFunc, batchProcessor)
 		return middleware.Wrap(h, rumMiddleware(r.cfg, r.authenticator, r.ratelimitStore, intake.MonitoringMap)...)
 	}
@@ -229,7 +220,7 @@ func agentConfigHandler(
 	f agentcfg.Fetcher,
 ) (request.Handler, error) {
 	mw := middlewareFunc(cfg, authenticator, ratelimitStore, agent.MonitoringMap)
-	h := agent.NewHandler(f, cfg.KibanaAgentConfig, cfg.DefaultServiceEnvironment, rumAgents)
+	h := agent.NewHandler(f, cfg.KibanaAgentConfig, cfg.DefaultServiceEnvironment, cfg.AgentAuth.Anonymous.AllowAgent)
 
 	if !cfg.Kibana.Enabled && cfg.AgentConfigs == nil {
 		msg := "Agent remote configuration is disabled. " +
@@ -269,7 +260,7 @@ func rumMiddleware(cfg *config.Config, authenticator *auth.Authenticator, rateli
 		middleware.ResponseHeadersMiddleware(cfg.ResponseHeaders),
 		middleware.ResponseHeadersMiddleware(cfg.RumConfig.ResponseHeaders),
 		middleware.CORSMiddleware(cfg.RumConfig.AllowOrigins, cfg.RumConfig.AllowHeaders),
-		middleware.AuthMiddleware(authenticator, false),
+		middleware.AuthMiddleware(authenticator, true),
 		middleware.AnonymousRateLimitMiddleware(ratelimitStore),
 	)
 	return append(rumMiddleware, middleware.KillSwitchMiddleware(cfg.RumConfig.Enabled, msg))
@@ -294,28 +285,6 @@ func rootMiddleware(cfg *config.Config, authenticator *auth.Authenticator) []mid
 	)
 }
 
-// TODO(axw) move this into the auth package when introducing anonymous auth.
-func batchProcessorWithAllowedServiceNames(p model.BatchProcessor, allowedServiceNames []string) model.BatchProcessor {
-	if len(allowedServiceNames) == 0 {
-		// All service names are allowed.
-		return p
-	}
-	m := make(map[string]bool)
-	for _, name := range allowedServiceNames {
-		m[name] = true
-	}
-	var restrictServiceName modelprocessor.MetadataProcessorFunc = func(ctx context.Context, meta *model.Metadata) error {
-		// Restrict to explicitly allowed service names.
-		// The list of allowed service names is not considered secret,
-		// so we do not use constant time comparison.
-		if !m[meta.Service.Name] {
-			return &stream.InvalidInputError{Message: "service name is not allowed"}
-		}
-		return nil
-	}
-	return modelprocessor.Chained{restrictServiceName, p}
-}
-
 func emptyRequestMetadata(c *request.Context) model.Metadata {
 	return model.Metadata{}
 }