Ensuring basic authentication provider in managed environments #53910
Comments
|
Pinging @elastic/kibana-security (Team:Security) |
|
cc @bleskes |
|
Feels like the simplest solution would be just having something similar to Hapi's
|
|
Update: In this PR we added a way to enable and configure desired HTTP authentication mechanisms (aka authentication with # default is xpack.security.authc.http.schemes: [apikey],
# so we need to preserve `apikey`.
xpack.security.authc.http.schemes: [apikey, basic] Would that work for the Cloud use case @peterschretlen ? |
|
Is it safe to assume that Cloud would need to add |
If you are you asking whether Kibana would choke if we end up with duplicates in this field then the answer is |
@azasypkin yes I think that will work nicely for cloud, thank you! cc @nachogiljaldo to confirm. From what I can see by setting to |
|
So, just to confirm, on Cloud, we should add: and that would work for us now on any case, disregard SAML etc.? |
I suppose yes, assuming I understand your use case correctly. But I'm not sure how you merge user overrides with the settings you specify in Cloud. If for arrays like Just to reiterate, when you configure |
|
@azasypkin the way we merge overrides is by replacing the original node (i.e. if we default I am wondering, though, whether we should whitelist it at all (which would prevent the overrides). Is it needed to override it to make SAML work? |
|
From what I can see we don't set any
Editing the value of |
|
++ to what Peter said, we can blacklist |
|
Closing this one since https://github.com/elastic/cloud/issues/52454 is resolved. Feel free to reopen if anything else is needed from the Kibana side. |
Managed environments like Elasticsearch Service, Elastic Cloud Enterprise (ECE), and Elastic Cloud on Kubernetes (ECK) use file realm authentication for administrative “service accounts” in effect. These service accounts are used to check and maintain the state of the cluster. File realm is used over other realms because it allows the cluster to be administered regardless of cluster state - say .security index is corrupted or if external authentication is not available.
This extends to Kibana as well - for example API calls are made to check if a cluster can be upgraded.
In Kibana the problem we occasionally encounter is the removal of the
basicprovider in kibana.yml. While multiple providers can be supported ( for example: https://www.elastic.co/guide/en/kibana/current/kibana-authentication.html#_saml_and_basic_authentication ),basicis sometimes removed in order to remove the login form when using SSO provider like SAML or OIDC. When this happens, customers unknowingly cut off Kibana from the management of the environment.In managed environments we’d like to use the basic auth provider in order to give these service accounts access to Kibana, even when
basicis not in the providers list. Perhaps this would allow the basic auth provider but exclude the login form, in order to support SSO case where the login form isn’t wanted.The text was updated successfully, but these errors were encountered: