Introduce apm-server.auth.anonymous config #5623
Conversation
Generally looks good, left a couple of minor comments for now.
# Defines the maximum amount of events allowed per IP per second. Defaults to 300. The overall
# maximum event throughput for anonymous access is (event_limit * ip_limit).
#event_limit: 300
Can you also add the new settings to the apmpackage please and remove the deprecated ones there?
Added:
- anonymous_enabled -- on by default, always shown; everything else is advanced config
- anonymous_allow_agent -- defaults to [rum-js, js-base, iOS/swift] (iOS/swift is not in the standalone defaults)
- anonymous_allow_service (was rum_allow_service_names)
- anonymous_rate_limit_event_limit (was rum_event_rate_limit)
- anonymous_rate_limit_ip_limit (was rum_event_rate_lru_size)
(cherry picked from commit fd6a8c0)
# Conflicts:
#	changelogs/head.asciidoc
Wait until elastic/kibana#109237 is resolved and part of the BC and then ensure the new config options are also tested for the apm package (managed by agent)
Tested with BC3: The following works as expected:
Testing with the iOS agent:
Created a bug description in #6095
Followed up on the iOS testing issue - this was purely an issue with the test app (sending an empty auth header instead of none). Everything works as expected.
Motivation/summary
Generalise the ability for agents to send events unauthenticated (anonymous) but rate-limited. Until now this has been a RUM-only feature, but we now find ourselves needing it also for the iOS agent.
Anonymous auth is disabled by default, but is automatically enabled when RUM is enabled as long as apm-server.auth.anonymous hasn't been explicitly configured. The existing RUM config for allowed services and rate limiting is deprecated and replaced with equivalent config under apm-server.auth.anonymous.*.

Instead of restricting anonymous auth to requests going by endpoint (i.e. RUM intake and agent config), we now restrict based on the provided agent and service names. There was previously nothing stopping clients from spoofing RUM agents, e.g. sending events to the RUM intake with a non-RUM agent name, so this is not any less secure.
Checklist
- [ ] Documentation has been updated (docs: document apm-server.auth.anonymous config #5698)

For functional changes, consider:
How to test these changes
- apm-server.auth.anonymous.allow_agent: [iOS/swift], check that the iOS/swift agent can send data without an auth token.
- apm-server.auth.anonymous.allow_service: [opbeans-rum], check that opbeans-rum can send data. Change it to something else and check that opbeans-rum cannot send data.

Related issues
Closes #5347
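The policy the summary describes (accept unauthenticated events only from allowlisted agent and service names, then rate-limit per client IP with at most ip_limit IPs tracked, so that the aggregate is bounded by event_limit * ip_limit) can be modelled compactly. The Go below is an added illustration written for this page, not apm-server's own code. It assumes the rate_limit.event_limit / rate_limit.ip_limit key placement (inferred from the apmpackage variable names above), token-bucket and LRU semantics for the limiter, that an empty allow_service means any service is accepted, and the constructed sample requests in main.

```go
package main

import (
	"container/list"
	"fmt"
	"time"
)

// AnonymousConfig mirrors the apm-server.auth.anonymous.* settings discussed in
// this PR. The rate_limit.* key names are an assumption inferred from the
// apmpackage variables anonymous_rate_limit_event_limit / anonymous_rate_limit_ip_limit.
type AnonymousConfig struct {
	Enabled      bool     // apm-server.auth.anonymous.enabled
	AllowAgent   []string // apm-server.auth.anonymous.allow_agent
	AllowService []string // apm-server.auth.anonymous.allow_service (empty = any service, assumed)
	EventLimit   int      // rate_limit.event_limit: events per IP per second
	IPLimit      int      // rate_limit.ip_limit: distinct IPs tracked (<= 0 = unbounded)
}

// Decision is the outcome for one unauthenticated request.
type Decision struct {
	Allowed bool
	Reason  string
}

// bucket is a token bucket for one client IP: capacity and refill rate are both
// EventLimit, so a single IP gets at most EventLimit events per second.
type bucket struct {
	ip     string
	tokens float64
	last   time.Time
}

// AnonymousAuth applies the allowlists, then a per-IP rate limit whose state is
// an LRU bounded by IPLimit so memory does not grow with the number of source IPs.
type AnonymousAuth struct {
	cfg   AnonymousConfig
	now   func() time.Time         // injectable clock for deterministic tests
	order *list.List               // front = most recently seen IP
	byIP  map[string]*list.Element // element Value is *bucket
}

func NewAnonymousAuth(cfg AnonymousConfig, now func() time.Time) *AnonymousAuth {
	return &AnonymousAuth{cfg: cfg, now: now, order: list.New(), byIP: map[string]*list.Element{}}
}

func contains(xs []string, v string) bool {
	for _, x := range xs {
		if x == v {
			return true
		}
	}
	return false
}

// Authorize decides whether a request with no credentials, claiming the given
// agent and service names and carrying n events, is accepted. Agent and service
// names are client-supplied and spoofable (as the PR summary notes), so the
// allowlists are a policy filter, not authentication; the rate limit bounds abuse.
func (a *AnonymousAuth) Authorize(agent, service, ip string, n int) Decision {
	if !a.cfg.Enabled {
		return Decision{false, "anonymous access disabled"}
	}
	if !contains(a.cfg.AllowAgent, agent) {
		return Decision{false, fmt.Sprintf("agent %q not in allow_agent", agent)}
	}
	if len(a.cfg.AllowService) > 0 && !contains(a.cfg.AllowService, service) {
		return Decision{false, fmt.Sprintf("service %q not in allow_service", service)}
	}
	if !a.take(ip, n) {
		return Decision{false, fmt.Sprintf("rate limit exceeded for %s", ip)}
	}
	return Decision{true, "ok"}
}

// take consumes n tokens from ip's bucket, creating the bucket (and evicting the
// least recently seen IP when IPLimit is reached) as needed. The whole batch is
// rejected if it does not fit, rather than being partially accepted.
func (a *AnonymousAuth) take(ip string, n int) bool {
	now := a.now()
	limit := float64(a.cfg.EventLimit)
	el, ok := a.byIP[ip]
	if !ok {
		if a.cfg.IPLimit > 0 && a.order.Len() >= a.cfg.IPLimit {
			oldest := a.order.Back()
			delete(a.byIP, oldest.Value.(*bucket).ip)
			a.order.Remove(oldest)
		}
		el = a.order.PushFront(&bucket{ip: ip, tokens: limit, last: now})
		a.byIP[ip] = el
	} else {
		a.order.MoveToFront(el)
	}
	b := el.Value.(*bucket)
	b.tokens += now.Sub(b.last).Seconds() * limit // refill at EventLimit/s
	if b.tokens > limit {
		b.tokens = limit
	}
	b.last = now
	if float64(n) > b.tokens {
		return false
	}
	b.tokens -= float64(n)
	return true
}

// Tracked reports how many IPs currently hold rate-limit state (never above IPLimit).
func (a *AnonymousAuth) Tracked() int { return a.order.Len() }

func main() {
	clock := time.Date(2021, 7, 1, 0, 0, 0, 0, time.UTC)
	auth := NewAnonymousAuth(AnonymousConfig{
		Enabled:      true,
		AllowAgent:   []string{"rum-js", "js-base", "iOS/swift"},
		AllowService: []string{"opbeans-rum"},
		EventLimit:   300,
		IPLimit:      1000,
	}, func() time.Time { return clock })
	// Constructed sample requests (not captured traffic).
	for _, r := range []struct {
		agent, service, ip string
		n                  int
	}{
		{"iOS/swift", "opbeans-rum", "203.0.113.10", 10},
		{"java", "opbeans-rum", "203.0.113.10", 10},    // agent not allowlisted
		{"rum-js", "opbeans-java", "203.0.113.10", 10}, // service not allowlisted
		{"rum-js", "opbeans-rum", "203.0.113.10", 300}, // only 290 tokens left this second
	} {
		d := auth.Authorize(r.agent, r.service, r.ip, r.n)
		fmt.Printf("%-10s %-13s n=%-3d allowed=%-5v %s\n", r.agent, r.service, r.n, d.Allowed, d.Reason)
	}
}
```

Two practical points follow from the model. First, because agent and service names are client-supplied, raising allow_agent or allow_service does not authenticate anything; only the rate limit bounds what an unauthenticated client can push, so event_limit and ip_limit are the settings worth tuning. Second, ip_limit bounds memory by evicting the least recently seen IP, and a source that rotates through more than ip_limit addresses per second gets a fresh bucket on each new address; the (event_limit * ip_limit) figure in the config comment is the bound for a stable population of clients.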