-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ability to provide the agent-id in enroll API #4226
Comments
I think we already provide this through the fleet-server/model/openapi.yml Lines 150 to 155 in 0687ea5
It was added with #2655 |
@michel-laterman |
@blakerouse and I had a brief conversation about this. We've decided to add an ID field to enrolment requests that is distinct from the existing This is so that we don't break/get blocked on existing scale tests when delivering this feature; and as a follow up we can see if we can make the scale tests just use the new ID value and deprecate I've also looked a bit more into opamp for how it handles duplicate IDs. In short, this type of workflow (where we may have more than one pod that are "the same agent") isn't supported. When sending a message an agent is able to specify their own Additionally Supporting this workflow is something we'll need to handle once we start supporting opamp. |
@nimarezainia do you think this is something we could piggy back on in order to migrate Agent from a cluster to another using the same ID in the enroll command? |
@jlind23 After our discussion of the security implications I have added a section to the description about the addition agent-token API option for enrollment. Hopefully this implementation would alleviate those implications. @elastic/product-security Could you give the security implications a review? |
Updated description to change from bcrypt to pbkdf2-sha512, so it would be FIPS compliant. |
Describe the enhancement:
Add the ability to specify the agent-id of the enrolling Elastic Agent.
Describe a specific use case for the enhancement or feature:
On serverless, an Elastic Agent is static but the pod doesn't have any persistent storage so it cannot store the enrollment information between restarts of the Elastic Agent. There have also been other reports of this issue from customers where they do not need persistent storage from the integration and requiring the Elastic Agent to have it just for the enrollment information is not possible.
To provide a stable Elastic Agent in the agents list in Kibana, this would allow an Elastic Agent to enroll with the ID they want to have. This would also replace an existing Elastic Agent if one already has the same ID.
The new enrolled Elastic Agent will replace the previous Elastic Agent prevent it from being able to communicate with the Fleet Server any more.
Describe any security issues:
This does open the possibility that if a bad actor had the enrollment token and the ID of the Elastic Agent it would be able to enroll over top of it and prevent the communication of that current Elastic Agent as the other Elastic Agent would be come the newly communicating Elastic Agent.
To prevent this only an additional replace-token would be added to the enrollment API. This would be any unique value that is stored as a pbkdf2-sha512 hash on the Elastic Agent record. If an Elastic Agent is enrolled without this token then it doesn't allow any other Elastic Agent to enroll with the same ID (trying to enroll with the same ID would error). If an Elastic Agent is enrolled with the replace token and its the first enrollment then it would successfully enroll. On a second enrollment to replace the Elastic Agent the exact same replace token must be provided and if it matches (using pbkdf2-sha512 hash) then it would be considered the replacement of the Elastic Agent and allow the enrollment to complete.
The text was updated successfully, but these errors were encountered: