
Allow Kibana to restrict the usage of JWT for a predefined set of routes only #162632

Closed
azasypkin opened this issue Jul 27, 2023 · 1 comment · Fixed by #163806
Labels
- Feature:Security/Authentication (Platform Security - Authentication)
- Project:Serverless (Work as part of the Serverless project for its initial release)
- Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

@azasypkin (Member)

azasypkin commented Jul 27, 2023

Summary

In #161564, we configured Kibana to accept JWT as a means of authentication in the Serverless offering. Currently, JWT is accepted by any Kibana HTTP API, despite the fact that we only need to support JWT authentication for a handful of metrics-related endpoints. This is sub-optimal from a security perspective.

We need to explore ways to configure Kibana to allow only specific HTTP endpoints to use JWT for authentication. In this issue, our goal is to choose the best approach and implement it.

NOTE TO IMPLEMENTERS: Refer to #159117 for more details and a naive PoC.

Elasticsearch JWT realm is configured with these fields that we can potentially rely on:

```yaml
allowed_audiences:
    - elasticsearch
allowed_subjects:
    - apm-indexer
    - elastic-agent
```
@azasypkin azasypkin added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Security/Authentication Platform Security - Authentication Project:Serverless Work as part of the Serverless project for its initial release labels Jul 27, 2023
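The route-restriction idea in the issue, as an added illustration that is not Kibana's code: a pure allowlist check that a JWT authentication provider could run before it attempts JWT authentication on a request, so that every endpoint outside the allowlist is treated as if no JWT were presented. The route patterns and the `decideJwt` helper are assumptions for this example; the real list of metrics endpoints is not given on the page.

```typescript
type HttpMethod = 'GET' | 'POST' | 'PUT' | 'DELETE';

interface JwtRouteRule {
  method: HttpMethod;
  path: string; // exact path, or a prefix when it ends with '/*'
}

// Hypothetical allowlist: the issue only says "a handful of metrics-related endpoints".
const ALLOWED_JWT_ROUTES: JwtRouteRule[] = [
  { method: 'POST', path: '/api/metrics/ingest' },
  { method: 'GET', path: '/api/metrics/*' },
];

// Shape check only (JWS compact serialization: three base64url segments).
// Signature, audience and subject are validated by the Elasticsearch JWT realm, not here.
function looksLikeJwt(token: string): boolean {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

function matchesRule(method: string, path: string, rule: JwtRouteRule): boolean {
  if (rule.method !== method.toUpperCase()) return false;
  if (rule.path.endsWith('/*')) {
    // Keep the trailing slash so '/api/metrics/*' does not match '/api/metricsfoo'.
    const prefix = rule.path.slice(0, -1);
    return path.startsWith(prefix);
  }
  return path === rule.path;
}

type JwtDecision = 'not-jwt' | 'allowed' | 'route-not-allowed';

// 'allowed'           -> hand the bearer token to the JWT provider for this route
// 'route-not-allowed' -> a JWT was presented on a route outside the allowlist; do not
//                        authenticate with it (the request falls through to other providers or 401)
// 'not-jwt'           -> no bearer JWT in the request; JWT provider is not involved
function decideJwt(
  method: string,
  path: string,
  authorization: string | undefined,
  rules: JwtRouteRule[] = ALLOWED_JWT_ROUTES
): JwtDecision {
  if (!authorization) return 'not-jwt';
  const [scheme, token] = authorization.split(' ', 2);
  if (scheme?.toLowerCase() !== 'bearer' || !token || !looksLikeJwt(token)) return 'not-jwt';
  const pathOnly = path.split('?')[0]; // match on the path, never on the query string
  return rules.some((r) => matchesRule(method, pathOnly, r)) ? 'allowed' : 'route-not-allowed';
}
```

Logging the `route-not-allowed` outcome separately from plain authentication failures gives operators a signal that a JWT is being sent to endpoints it was never meant for.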
@elasticmachine (Contributor)

Pinging @elastic/kibana-security (Team:Security)
