From cdc862a6188e846e9e5f04bc1c98dadf6c04c0c1 Mon Sep 17 00:00:00 2001
From: Aleh Zasypkin
Date: Tue, 11 Jul 2023 15:06:34 +0200
Subject: [PATCH] [Serverless] Allow authentication via the Elasticsearch JWT realm with the `shared_secret` client authentication type. (#161564)
---
 config/serverless.yml | 5 ++---
 packages/kbn-es/src/settings.test.ts | 4 ++++
 packages/kbn-es/src/settings.ts | 1 +
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/config/serverless.yml b/config/serverless.yml
index 6296173fbe94f6..5f03bbb6de5041 100644
--- a/config/serverless.yml
+++ b/config/serverless.yml
@@ -69,6 +69,5 @@ server.versioned.strictClientVersionCheck: false
 xpack.spaces.maxSpaces: 1
 xpack.spaces.allowFeatureVisibility: false
-# Temporarily allow unauthenticated access to task manager utilization & status/stats APIs for autoscaling
-status.allowAnonymous: true
-xpack.task_manager.unsafe.authenticate_background_task_utilization: false
+# Allow authentication via the Elasticsearch JWT realm with the `shared_secret` client authentication type.
+elasticsearch.requestHeadersWhitelist: ["authorization", "es-client-authentication"]
diff --git a/packages/kbn-es/src/settings.test.ts b/packages/kbn-es/src/settings.test.ts
index 6963c41e43f01c..e8f0d05500299f 100644
--- a/packages/kbn-es/src/settings.test.ts
+++ b/packages/kbn-es/src/settings.test.ts
@@ -12,6 +12,7 @@ const mockSettings = [
 'abc.def=1',
 'xpack.security.authc.realms.oidc.oidc1.rp.client_secret=secret',
 'xpack.security.authc.realms.oidc.oidc1.rp.client_id=client id',
+ 'xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret=jwt_secret',
 'discovery.type=single-node',
 ];
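Review bot: The comment above the new `elasticsearch.requestHeadersWhitelist` line in config/serverless.yml says why the header is needed, but not that `es-client-authentication` carries the JWT realm's shared secret, nor that (as far as I know) this list replaces Kibana's default instead of extending it, which is why `authorization` is repeated. I would extend it along the lines of `# Replaces the default list, so "authorization" must stay. "es-client-authentication" carries the JWT realm shared secret: treat it as a credential.` Since the setting forwards the header from incoming requests to Elasticsearch, it also seems worth confirming that request and audit logging redact it the same way they redact `authorization`.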
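Review bot: The `mockSettings` fixture in packages/kbn-es/src/settings.test.ts gains only the positive JWT case, so no test shows that a neighbouring non-secret JWT realm setting stays out of the `SettingsFilter.SecureOnly` result. Adding `'xpack.security.authc.realms.jwt.jwt1.client_authentication.type=shared_secret',` to the array, and expecting it in the default and `All` results but not in `SecureOnly`, would pin the `$` anchor and the escaped dots of the new pattern. The array's declaration starts above this hunk, and the default and `All` expectation hunks that follow would each need the matching entry.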
@@ -20,6 +21,7 @@ test('`parseSettings` parses and returns all settings by default', () => {
 ['abc.def', '1'],
 ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
 ['xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'client id'],
+ ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
 ['discovery.type', 'single-node'],
 ]);
 });
@@ -29,6 +31,7 @@ test('`parseSettings` parses and returns all settings with `SettingsFilter.All`
 ['abc.def', '1'],
 ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
 ['xpack.security.authc.realms.oidc.oidc1.rp.client_id', 'client id'],
+ ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
 ['discovery.type', 'single-node'],
 ]);
 });
@@ -36,6 +39,7 @@ test('`parseSettings` parses and returns all settings with `SettingsFilter.All`
 test('`parseSettings` parses and returns only secure settings with `SettingsFilter.SecureOnly` filter', () => {
 expect(parseSettings(mockSettings, { filter: SettingsFilter.SecureOnly })).toEqual([
 ['xpack.security.authc.realms.oidc.oidc1.rp.client_secret', 'secret'],
+ ['xpack.security.authc.realms.jwt.jwt1.client_authentication.shared_secret', 'jwt_secret'],
 ]);
 });
diff --git a/packages/kbn-es/src/settings.ts b/packages/kbn-es/src/settings.ts
index a5919dccebd5a7..dabc7482a75bee 100644
--- a/packages/kbn-es/src/settings.ts
+++ b/packages/kbn-es/src/settings.ts
@@ -11,6 +11,7 @@
 */
 const SECURE_SETTINGS_LIST = [
 /^xpack\.security\.authc\.realms\.oidc\.[a-zA-Z0-9_]+\.rp\.client_secret$/,
+ /^xpack\.security\.authc\.realms\.jwt\.[a-zA-Z0-9_]+\.client_authentication\.shared_secret$/,
 ];
 function isSecureSetting(settingName: string) {
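Review bot: The realm-name segment `[a-zA-Z0-9_]+` in the new `SECURE_SETTINGS_LIST` entry in packages/kbn-es/src/settings.ts does not match a name containing a hyphen, which Elasticsearch appears to accept in realm names. For a realm named, say, `jwt-1` (constructed example) the shared secret would not be classified as secure and would presumably be handled as an ordinary setting. Consider `/^xpack\.security\.authc\.realms\.jwt\.[-\w]+\.client_authentication\.shared_secret$/`, with the same widening for the existing OIDC entry so the two stay consistent. `isSecureSetting` only begins on the last line of this hunk, so how the list is consumed is not visible here.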