Suggestion to create service account tokens using CLI is wrong #124691

Closed
jportner opened this issue Feb 4, 2022 · 1 comment · Fixed by #124717
Labels
bug Fixes for quality problems that affect the customer experience Feature:Upgrade Assistant impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

jportner commented Feb 4, 2022

Related: #115241, #122704

In 7.17, the Upgrade Assistant shows a deprecation warning for Kibana instances that have elasticsearch.username: elastic or elasticsearch.username: kibana configured.

Authenticating Kibana to Elasticsearch with either of these users is deprecated and should be avoided.

Note that using elasticsearch.username: kibana_system is still supported / not deprecated, but we want to start nudging users towards using service account tokens instead.
To that end, these deprecation warnings suggest using elasticsearch.serviceAccountToken instead:

```ts
if (es.username === 'elastic' || es.username === 'kibana') {
  const username = es.username;
  const level = es.username === 'elastic' ? 'critical' : 'warning';
  addDeprecation({
    configPath: `${fromPath}.username`,
    title: i18n.translate('core.deprecations.elasticsearchUsername.title', {
      defaultMessage: 'Using "elasticsearch.username: {username}" is deprecated',
      values: { username },
    }),
    message: i18n.translate('core.deprecations.elasticsearchUsername.message', {
      defaultMessage:
        'Kibana is configured to authenticate to Elasticsearch with the "{username}" user. Use a service account token instead.',
      values: { username },
    }),
    level,
    documentationUrl: `https://www.elastic.co/guide/en/elasticsearch/reference/${branch}/service-accounts.html`,
    correctiveActions: {
      manualSteps: [
        i18n.translate('core.deprecations.elasticsearchUsername.manualSteps1', {
          defaultMessage:
            'Use the elasticsearch-service-tokens CLI tool to create a new service account token for the "elastic/kibana" service account.',
        }),
        i18n.translate('core.deprecations.elasticsearchUsername.manualSteps2', {
          defaultMessage: 'Add the "elasticsearch.serviceAccountToken" setting to kibana.yml.',
        }),
        i18n.translate('core.deprecations.elasticsearchUsername.manualSteps3', {
          defaultMessage:
            'Remove "elasticsearch.username" and "elasticsearch.password" from kibana.yml.',
        }),
      ],
    },
  });
}
```


We should change the warning to suggest creating a service account token with the API instead.

@jportner jportner added bug Fixes for quality problems that affect the customer experience Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Upgrade Assistant labels Feb 4, 2022
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@jportner jportner self-assigned this Feb 4, 2022
@exalate-issue-sync exalate-issue-sync bot added impact:needs-assessment Product and/or Engineering needs to evaluate the impact of the change. loe:small Small Level of Effort labels Feb 4, 2022
@jportner jportner closed this as completed Feb 7, 2022