Allow Kibana to restrict the usage of JWT for a predefined set of routes only #162632
Labels
Feature:Security/Authentication
Platform Security - Authentication
Project:Serverless
Work as part of the Serverless project for its initial release
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Summary
In #161564, we configured Kibana to accept JWT as a means of authentication in the Serverless offering. Currently, JWT is accepted by any Kibana HTTP API, despite the fact that we only need to support JWT authentication for a handful of metrics-related endpoints. This is sub-optimal from a security perspective.
We need to explore ways to configure Kibana to allow only specific HTTP endpoints to use JWT for authentication. In this issue, our goal is to choose the best approach and implement it.
NOTE TO IMPLEMENTERS: Refer to #159117 for more details and a naive PoC.
Elasticsearch JWT realm is configured with these fields that we can potentially rely on:
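An added example, not taken from the issue or from Kibana's code base, of the deny-by-default check the summary asks for: a request authenticated with a JWT passes only on allowlisted routes, while other credential types are unaffected. The type names, `checkJwtRouteAccess`, the route patterns, and the assumption that JWT-authenticated users are reported with realm type `jwt` are all hypothetical.

```typescript
// Added example: hypothetical names throughout, not Kibana's actual API.

// Assumption: the authentication backend reports the realm type that
// authenticated the request, and JWT-authenticated requests report "jwt".
interface AuthenticatedUser {
  username: string;
  realmType: string;
}

// The route as registered with the router (a pattern, not the raw request URL),
// so encoding or trailing-slash variations in the URL cannot dodge the check.
interface RegisteredRoute {
  method: string;
  pattern: string;
}

interface Decision {
  allowed: boolean;
  reason: string;
}

const key = (r: RegisteredRoute): string => `${r.method.toUpperCase()} ${r.pattern}`;

// Constructed allowlist: the only routes on which JWT credentials are accepted.
const JWT_ROUTES: ReadonlySet<string> = new Set([
  key({ method: 'GET', pattern: '/internal/example_metrics/usage' }),
  key({ method: 'GET', pattern: '/internal/example_metrics/{id}' }),
]);

function checkJwtRouteAccess(
  user: AuthenticatedUser,
  route: RegisteredRoute,
  jwtRoutes: ReadonlySet<string> = JWT_ROUTES
): Decision {
  // Other credential types are not affected by this restriction.
  if (user.realmType !== 'jwt') {
    return { allowed: true, reason: 'non-JWT credentials' };
  }
  // Deny by default: a JWT is valid only on explicitly listed routes.
  if (jwtRoutes.has(key(route))) {
    return { allowed: true, reason: 'route accepts JWT' };
  }
  return { allowed: false, reason: `JWT not accepted on ${key(route)}` };
}
```

The check runs after authentication and matches on method plus registered pattern, so a JWT that is valid for a metrics `GET` is still refused on a `POST` to the same path.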