[Serverless] Allow authentication via the Elasticsearch JWT realm wit…

…h the `shared_secret` client authentication type. (#161564)
elastic · Jul 11, 2023 · cdc862a · cdc862a
1 parent 95e5087
commit cdc862a
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/config/serverless.yml b/config/serverless.yml
@@ -69,6 +69,5 @@ server.versioned.strictClientVersionCheck: false
 xpack.spaces.maxSpaces: 1
 xpack.spaces.allowFeatureVisibility: false
 
-# Temporarily allow unauthenticated access to task manager utilization & status/stats APIs for autoscaling
-status.allowAnonymous: true
-xpack.task_manager.unsafe.authenticate_background_task_utilization: false
+# Allow authentication via the Elasticsearch JWT realm with the `shared_secret` client authentication type.
+elasticsearch.requestHeadersWhitelist: ["authorization", "es-client-authentication"]
diff --git a/packages/kbn-es/src/settings.test.ts b/packages/kbn-es/src/settings.test.ts
@@ -12,6 +12,7 @@ const mockSettings = [
   'abc.def=1',
   'xpack.security.authc.realms.oidc.oidc1.rp.client_secret=secret',
   'xpack.security.authc.realms.oidc.oidc1.rp.client_id=client id',
+  'xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret=jwt_secret',
   'discovery.type=single-node',
 ];
 
@@ -20,6 +21,7 @@ test('`parseSettings` parses and returns all settings by default', () => {
     ['abc.def', '1'],
     ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
     ['xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'client id'],
+    ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
     ['discovery.type', 'single-node'],
   ]);
 });
@@ -29,13 +31,15 @@ test('`parseSettings` parses and returns all settings with `SettingsFilter.All`
     ['abc.def', '1'],
     ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
     ['xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'client id'],
+    ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
     ['discovery.type', 'single-node'],
   ]);
 });
 
 test('`parseSettings` parses and returns only secure settings with `SettingsFilter.SecureOnly` filter', () => {
   expect(parseSettings(mockSettings, { filter: SettingsFilter.SecureOnly })).toEqual([
     ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
+    ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
   ]);
 });
 

diff --git a/packages/kbn-es/src/settings.ts b/packages/kbn-es/src/settings.ts
@@ -11,6 +11,7 @@
  */
 const SECURE_SETTINGS_LIST = [
   /^xpack\.security\.authc\.realms\.oidc\.[a-zA-Z0-9_]+\.rp\.client_secret$/,
+  /^xpack\.security\.authc\.realms\.jwt\.[a-zA-Z0-9_]+\.client_authentication\.shared_secret$/,
 ];
 
 function isSecureSetting(settingName: string) {