Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate Anonymous Authentication Credentials #131636

Merged
merged 8 commits into from
May 18, 2022
Merged

Deprecate Anonymous Authentication Credentials #131636

merged 8 commits into from
May 18, 2022
+378 −63

Conversation

jeramysoucy
Copy link
Contributor

@jeramysoucy jeramysoucy commented May 5, 2022
edited
Loading

Resolves #128877

Overview

This PR adds deprecation warnings for 2 credential types of anonymous authentication providers:

  • apiKey (this includes both key and id/key pair)
  • 'elasticsearch_anonymous_user'

Any configured anonymous authentication providers with either of these credentials will trigger a depreciation warning, even if the provider is not enabled.

This PR also adds usage telemetry for the credential type of the enabled anonymous authentication provider, defined as anonymousCredentialType, with the following possible values:

  • undefined (anonymous authentication provider not configured or not enabled)
  • api_key (either key or id/key pair)
  • elasticsearch_anonymous_user (literal credential value 'elasticsearch_anonymous_user')
  • username_password (username/password)

Testing

  1. Modify elasticsearch.yaml to include an anonymous user
  2. Start Elasticsearch.
  3. Modify kibana.yaml to include anonymous authentication
  4. Start Kibana.
  5. Verify deprecation warning for apiKey and 'elasticsearch_anonymous_user' credentials. Verify no deprecation warning for username/password credentials.
  6. Remove anonymous authentication from yaml files. Verify no deprecation warning for anonymous authentication.

Notes
A decision was made to include disabled anonymous authentication providers in the deprecation check. Usage telemetry is only concerned with the enabled anonymous authentication provider.

@jeramysoucy jeramysoucy added release_note:deprecation Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.3.0 labels May 5, 2022
@jeramysoucy jeramysoucy force-pushed the kibana-deprecate-anon-users branch 5 times, most recently from ef45ada to e33ea95 Compare May 5, 2022 20:49
@jeramysoucy jeramysoucy changed the title Deprecate Anonymous Providers Deprecate Anonymous Provider Credentials May 5, 2022
@jeramysoucy jeramysoucy changed the title Deprecate Anonymous Provider Credentials Deprecate Anonymous Authentication Credentials May 5, 2022
@jeramysoucy
Adds deprecation warnings for apiKey and elasticsearch_anonymous_user…
9cdb5c3 
… credentials of anonymous authentication providers.

Adds telemetry for usage of anonymous authentication credential type.
@jeramysoucy jeramysoucy marked this pull request as ready for review May 10, 2022 13:40
@jeramysoucy jeramysoucy requested review from a team as code owners May 10, 2022 13:40
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jeramysoucy
Copy link
Contributor Author

@elasticmachine merge upstream

@jportner jportner self-requested a review May 18, 2022 12:42
jportner
jportner reviewed May 18, 2022
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice job on this, and I appreciate the tests!

A few nits below. In addition, we need to update the Anonymous Authentication docs at docs/user/security/authentication/index.asciidoc, can you tackle that too?

x-pack/plugins/security/server/config_deprecations.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/config_deprecations.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/config_deprecations.ts Outdated Show resolved Hide resolved
x-pack/plugins/security/server/config_deprecations.ts Outdated Show resolved Hide resolved
docs/settings/security-settings.asciidoc Show resolved Hide resolved
@jeramysoucy
Copy link
Contributor Author

Completed nits and doc link logic fix.

@jeramysoucy
Copy link
Contributor Author

@elasticmachine merge upstream

jportner
jportner approved these changes May 18, 2022
View reviewed changes
Copy link
Contributor

@jportner jportner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

After this merges, we'll need a follow up PR in another repo to add anonymousCredentialType in our telemetry data mappings. I can help you out with that.

@kibana-ci
Copy link
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jeramysoucy jeramysoucy merged commit 7d8aae5 into elastic:main May 18, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label May 18, 2022
@jeramysoucy jeramysoucy deleted the kibana-deprecate-anon-users branch May 18, 2022 17:28
@jportner jportner mentioned this pull request May 23, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jportner jportner jportner approved these changes

@lukeelmers lukeelmers lukeelmers approved these changes

Assignees
No one assigned
Labels
backport:skip This commit does not require backporting release_note:deprecation Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.3.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Anonymous auth provider deprecations
6 participants
@jeramysoucy @elasticmachine @kibana-ci @lukeelmers @jportner @kibanamachine