Commit
Implement
interactiveSetup
plugin server side functionality: `setup…
…` layout.
Showing
26 changed files
with
376 additions
and
23 deletions.
2 changes: 1 addition & 1 deletion
2
src/plugins/user_setup/README.md → src/plugins/interactive_setup/README.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
# `userSetup` plugin | ||
# `interactiveSetup` plugin | ||
|
||
The plugin provides UI and APIs for the interactive setup mode. |
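--- a/src/plugins/interactive_setup/common/elasticsearch_connection_status.ts
+++ b/src/plugins/interactive_setup/common/elasticsearch_connection_status.ts
@@ -0,0 +1,27 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0 and the Server Side Public License, v 1; you may not use this file except
+* in compliance with, at your election, the Elastic License 2.0 or the Server
+* Side Public License, v 1.
+*/
+
+/**
+* Describes current status of the Elasticsearch connection.
+*/
+export enum ElasticsearchConnectionStatus {
+/**
+* Indicates that Kibana hasn't figured out yet if existing Elasticsearch connection configuration is valid.
+*/
+Unknown = 'unknown',
+
+/**
+* Indicates that current Elasticsearch connection configuration valid and sufficient.
+*/
+Configured = 'configured',
+
+/**
+* Indicates that current Elasticsearch connection configuration isn't valid or not sufficient.
+*/
+NotConfigured = 'not-configured',
+}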
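Review bot: The doc comment on `Configured` is missing its verb; it should read `Indicates that the current Elasticsearch connection configuration is valid and sufficient.`, and the one on `NotConfigured` reads more cleanly as `... isn't valid or isn't sufficient.` The comment on `Unknown` could also say that it is the value held until the connectivity check has finished (the plugin class elsewhere in this commit initialises its status to `Unknown` and only changes it once the ping settles), so that consumers do not treat it as either outcome.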
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
export type { InteractiveSetupViewState, EnrollmentToken } from './types'; | ||
export { ElasticsearchConnectionStatus } from './elasticsearch_connection_status'; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
import type { ElasticsearchConnectionStatus } from './elasticsearch_connection_status'; | ||
|
||
/** | ||
* A set of state details that interactive setup view retrieves from the Kibana server. | ||
*/ | ||
export interface InteractiveSetupViewState { | ||
/** | ||
* Current status of the Elasticsearch connection. | ||
*/ | ||
elasticsearchConnectionStatus: ElasticsearchConnectionStatus; | ||
} | ||
|
||
/** | ||
* The token that allows one to configure Kibana instance to communicate with an existing Elasticsearch cluster that | ||
* has security features enabled. | ||
*/ | ||
export interface EnrollmentToken { | ||
/** | ||
* The version of the Elasticsearch node that generated this enrollment token. | ||
*/ | ||
ver: string; | ||
|
||
/** | ||
* An array of addresses in the form of `<hostname>:<port>` or `<ip_address>:<port>` where the Elasticsearch node is listening for HTTP connections. | ||
*/ | ||
adr: readonly string[]; | ||
|
||
/** | ||
* The SHA-256 fingerprint of the CA certificate that is used to sign the certificate that the Elasticsearch node presents for HTTP over TLS connections. | ||
*/ | ||
fgr: string; | ||
|
||
/** | ||
* An Elasticsearch API key (not encoded) that can be used as credentials authorized to call the enrollment related APIs in Elasticsearch. | ||
*/ | ||
key: string; | ||
} |
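Review bot: The doc comment on `key` says what the field is but not how it must be handled: it is a usable Elasticsearch API key, so any code holding an `EnrollmentToken` is holding a credential. I would extend that comment with `Treat as a secret: never log this value or echo it back in a response.` The comment on `fgr` could also state the expected encoding of the fingerprint (which is not visible from this file), because whoever compares it against the CA certificate a node presents has to normalise both sides the same way before comparing.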
5 changes: 3 additions & 2 deletions
5
src/plugins/user_setup/kibana.json → src/plugins/interactive_setup/kibana.json
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,13 +1,14 @@ | ||
{ | ||
"id": "userSetup", | ||
"id": "interactiveSetup", | ||
"owner": { | ||
"name": "Platform Security", | ||
"githubTeam": "kibana-security" | ||
}, | ||
"description": "This plugin provides UI and APIs for the interactive setup mode.", | ||
"version": "8.0.0", | ||
"kibanaVersion": "kibana", | ||
"configPath": ["userSetup"], | ||
"type": "preboot", | ||
"configPath": ["interactiveSetup"], | ||
"server": true, | ||
"ui": true | ||
} |
File renamed without changes.
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,121 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0 and the Server Side Public License, v 1; you may not use this file except | ||
* in compliance with, at your election, the Elastic License 2.0 or the Server | ||
* Side Public License, v 1. | ||
*/ | ||
|
||
import type { Subscription } from 'rxjs'; | ||
|
||
import type { TypeOf } from '@kbn/config-schema'; | ||
import type { CorePreboot, Logger, PluginInitializerContext, PrebootPlugin } from 'src/core/server'; | ||
|
||
import { ElasticsearchConnectionStatus } from '../common'; | ||
import type { ConfigSchema, ConfigType } from './config'; | ||
import { defineRoutes } from './routes'; | ||
|
||
export class UserSetupPlugin implements PrebootPlugin { | ||
readonly #logger: Logger; | ||
|
||
#configSubscription?: Subscription; | ||
#config?: ConfigType; | ||
readonly #getConfig = () => { | ||
if (!this.#config) { | ||
throw new Error('Config is not available.'); | ||
} | ||
return this.#config; | ||
}; | ||
|
||
#elasticsearchConnectionStatus = ElasticsearchConnectionStatus.Unknown; | ||
readonly #getElasticsearchConnectionStatus = () => { | ||
return this.#elasticsearchConnectionStatus; | ||
}; | ||
|
||
constructor(private readonly initializerContext: PluginInitializerContext) { | ||
this.#logger = this.initializerContext.logger.get(); | ||
} | ||
|
||
public setup(core: CorePreboot) { | ||
this.#configSubscription = this.initializerContext.config | ||
.create<TypeOf<typeof ConfigSchema>>() | ||
.subscribe((config) => { | ||
this.#config = config; | ||
}); | ||
|
||
// We shouldn't activate interactive setup mode if we detect that user has already configured | ||
// Elasticsearch connection manually: either if Kibana system user credentials are specified or | ||
// user specified non-default host for the Elasticsearch. | ||
// User can also set `interactiveSetup.forceSetup` config to `true` to force interactive setup mode. | ||
const shouldActiveSetupMode = | ||
this.#getConfig().forceSetup || | ||
(!core.elasticsearch.config.credentialsSpecified && | ||
core.elasticsearch.config.hosts.length === 1 && | ||
core.elasticsearch.config.hosts[0] === 'http://localhost:9200'); | ||
if (!shouldActiveSetupMode) { | ||
this.#logger.debug( | ||
'Interactive setup mode will not be activated since Elasticsearch connection is already configured.' | ||
); | ||
return; | ||
} | ||
|
||
let completeSetup: (result: { shouldReloadConfig: boolean }) => void; | ||
core.preboot.holdSetupUntilResolved( | ||
'Validating Elasticsearch connection configuration…', | ||
new Promise((resolve) => { | ||
completeSetup = resolve; | ||
}) | ||
); | ||
|
||
// If preliminary check above indicates that user didn't alter default Elasticsearch connection | ||
// details, it doesn't mean Elasticsearch connection isn't configured. There is a chance that they | ||
// already disabled security features in Elasticsearch and everything should work by default. | ||
// We should check if we can connect to Elasticsearch with default configuration to know if we | ||
// need to activate interactive setup. This check can take some time, so we should register our | ||
// routes to let interactive setup UI to handle user requests until the check is complete. | ||
core.elasticsearch | ||
.createClient('ping') | ||
.asInternalUser.ping() | ||
.then( | ||
(pingResponse) => { | ||
if (pingResponse.body) { | ||
this.#logger.debug( | ||
'Kibana is already properly configured to connect to Elasticsearch. Interactive setup mode will not be activated.' | ||
); | ||
this.#elasticsearchConnectionStatus = ElasticsearchConnectionStatus.Configured; | ||
completeSetup({ shouldReloadConfig: false }); | ||
} else { | ||
this.#logger.debug( | ||
'Kibana is not properly configured to connect to Elasticsearch. Interactive setup mode will be activated.' | ||
); | ||
this.#elasticsearchConnectionStatus = ElasticsearchConnectionStatus.NotConfigured; | ||
} | ||
}, | ||
() => { | ||
// TODO: we should probably react differently to different errors. 401 - credentials aren't correct, etc. | ||
// Do we want to constantly ping ES if interactive mode UI isn't active? Just in case user runs Kibana and then | ||
// configure Elasticsearch so that it can eventually connect to it without any configuration changes? | ||
this.#elasticsearchConnectionStatus = ElasticsearchConnectionStatus.NotConfigured; | ||
} | ||
); | ||
|
||
core.http.registerRoutes('', (router) => { | ||
defineRoutes({ | ||
router, | ||
basePath: core.http.basePath, | ||
logger: this.#logger.get('routes'), | ||
getConfig: this.#getConfig.bind(this), | ||
getElasticsearchConnectionStatus: this.#getElasticsearchConnectionStatus.bind(this), | ||
}); | ||
}); | ||
} | ||
|
||
public stop() { | ||
this.#logger.debug('Stopping plugin'); | ||
|
||
if (this.#configSubscription) { | ||
this.#configSubscription.unsubscribe(); | ||
this.#configSubscription = undefined; | ||
} | ||
} | ||
} |
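Review bot: The rejection callback passed to `.then(...)` on the ping in `setup()` takes no argument and logs nothing, so every kind of ping failure silently becomes `NotConfigured` and the log never says why Kibana stayed in preboot. Until the TODO there is resolved I would at least record the cause, e.g. `(error) => { this.#logger.debug('Elasticsearch ping failed: ' + String(error));` ahead of the status assignment. `completeSetup` is also only called on the successful-ping branch, so in this commit the promise handed to `holdSetupUntilResolved` is never resolved on the other two paths; if that is intentional until enrollment is implemented, a short comment saying so would help. Separately, the class is still named `UserSetupPlugin` although the plugin id and config path were renamed to `interactiveSetup`.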
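--- a/src/plugins/interactive_setup/server/routes/enrollment/enroll.ts
+++ b/src/plugins/interactive_setup/server/routes/enrollment/enroll.ts
@@ -0,0 +1,31 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0 and the Server Side Public License, v 1; you may not use this file except
+* in compliance with, at your election, the Elastic License 2.0 or the Server
+* Side Public License, v 1.
+*/
+
+import { schema } from '@kbn/config-schema';
+
+import type { RouteDefinitionParams } from '../';
+
+/**
+* Defines routes to deal with Elasticsearch `enroll_kibana` APIs.
+*/
+export function defineEnrollRoutes({ router }: RouteDefinitionParams) {
+router.post(
+{
+path: '/internal/interactive_setup/enrollment/enroll',
+validate: {
+body: schema.object({ token: schema.string() }),
+},
+options: { authRequired: false },
+},
+async (context, request, response) => {
+return response.forbidden({
+body: { message: `API is not implemented yet.` },
+});
+}
+);
+}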
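Review bot: The `validate.body` schema accepts `token` as an unbounded `schema.string()` on a route that sets `authRequired: false`, so any client that can reach Kibana during preboot can post an empty string or one as large as the server's payload limit allows. I would bound it now, before the handler is implemented, e.g. `body: schema.object({ token: schema.string({ minLength: 1, maxLength: MAX_TOKEN_LENGTH }) }),` where `MAX_TOKEN_LENGTH` is a placeholder for whatever the token format permits. Once the stub is replaced, the handler should presumably also refuse to act when the connection status is already `Configured`; the plugin passes `getElasticsearchConnectionStatus` to `defineRoutes`, but only `router` is destructured here. A doc comment on the route stating that it is deliberately unauthenticated, and why, would make that choice reviewable.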
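--- a/src/plugins/interactive_setup/server/routes/enrollment/index.ts
+++ b/src/plugins/interactive_setup/server/routes/enrollment/index.ts
@@ -0,0 +1,16 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0 and the Server Side Public License, v 1; you may not use this file except
+* in compliance with, at your election, the Elastic License 2.0 or the Server
+* Side Public License, v 1.
+*/
+
+import type { RouteDefinitionParams } from '../';
+import { defineEnrollRoutes } from './enroll';
+import { defineValidateTokenRoutes } from './validate_token';
+
+export function defineEnrollmentRoutes(params: RouteDefinitionParams) {
+defineEnrollRoutes(params);
+defineValidateTokenRoutes(params);
+}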