Deprecate Anonymous Authentication Credentials #131636

Merged
merged 8 commits into from
May 18, 2022

jeramysoucy
Contributor

@jeramysoucy jeramysoucy commented May 5, 2022

Resolves #128877

Overview

This PR adds deprecation warnings for 2 credential types of anonymous authentication providers:

  • apiKey (this includes both key and id/key pair)
  • 'elasticsearch_anonymous_user'

Any configured anonymous authentication providers with either of these credentials will trigger a deprecation warning, even if the provider is not enabled.

This PR also adds usage telemetry for the credential type of the enabled anonymous authentication provider, defined as anonymousCredentialType, with the following possible values:

  • undefined (anonymous authentication provider not configured or not enabled)
  • api_key (either key or id/key pair)
  • elasticsearch_anonymous_user (literal credential value 'elasticsearch_anonymous_user')
  • username_password (username/password)

Testing

  1. Modify elasticsearch.yaml to include an anonymous user.
  2. Start Elasticsearch.
  3. Modify kibana.yaml to include anonymous authentication.
  4. Start Kibana.
  5. Verify deprecation warning for apiKey and 'elasticsearch_anonymous_user' credentials. Verify no deprecation warning for username/password credentials.
  6. Remove anonymous authentication from yaml files. Verify no deprecation warning for anonymous authentication.

Notes
A decision was made to include disabled anonymous authentication providers in the deprecation check. Usage telemetry is only concerned with the enabled anonymous authentication provider.
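
The two rules in the description above (deprecation warnings cover every configured provider, telemetry covers only the enabled one), as an added TypeScript example that is not code from this PR. The `Credentials` and `AnonymousProvider` shapes, the function names and the sample values are assumptions made for illustration.

```typescript
// Added example with hypothetical types; not the PR's config_deprecations.ts.
type Credentials =
  | 'elasticsearch_anonymous_user'
  | { username: string; password: string }
  | { apiKey: string | { id: string; key: string } };

interface AnonymousProvider {
  enabled: boolean;
  credentials: Credentials;
}

type CredentialType = 'api_key' | 'elasticsearch_anonymous_user' | 'username_password';

// Map a credentials value to the telemetry values listed in the description.
function credentialType(c: Credentials): CredentialType {
  if (c === 'elasticsearch_anonymous_user') return 'elasticsearch_anonymous_user';
  if ('apiKey' in c) return 'api_key'; // bare key or id/key pair
  return 'username_password';
}

// Deprecation check: every configured provider counts, enabled or not.
function deprecatedProviders(providers: Record<string, AnonymousProvider>): string[] {
  const flagged: string[] = [];
  for (const name of Object.keys(providers)) {
    const type = credentialType(providers[name].credentials);
    if (type !== 'username_password') flagged.push(name + ': ' + type);
  }
  return flagged;
}

// Telemetry: only the enabled provider is reported; undefined when there is none.
function anonymousCredentialType(
  providers: Record<string, AnonymousProvider>
): CredentialType | undefined {
  for (const name of Object.keys(providers)) {
    if (providers[name].enabled) return credentialType(providers[name].credentials);
  }
  return undefined;
}

// Constructed sample configuration (all values are placeholders).
const sampleProviders: Record<string, AnonymousProvider> = {
  current: { enabled: true, credentials: { username: 'anon', password: 'placeholder' } },
  oldKey: { enabled: false, credentials: { apiKey: { id: 'placeholder-id', key: 'placeholder-key' } } },
  oldUser: { enabled: false, credentials: 'elasticsearch_anonymous_user' },
};

console.log(deprecatedProviders(sampleProviders), anonymousCredentialType(sampleProviders));
```

In the sample, the two disabled providers are still flagged, while telemetry reports only the enabled username/password provider.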

@jeramysoucy jeramysoucy added release_note:deprecation Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.3.0 labels May 5, 2022
@jeramysoucy jeramysoucy force-pushed the kibana-deprecate-anon-users branch 5 times, most recently from ef45ada to e33ea95 Compare May 5, 2022 20:49
@jeramysoucy jeramysoucy changed the title Deprecate Anonymous Providers Deprecate Anonymous Provider Credentials May 5, 2022
@jeramysoucy jeramysoucy changed the title Deprecate Anonymous Provider Credentials Deprecate Anonymous Authentication Credentials May 5, 2022
… credentials of anonymous authentication providers.

Adds telemetry for usage of anonymous authentication credential type.
@jeramysoucy jeramysoucy force-pushed the kibana-deprecate-anon-users branch from 24638de to 9cdb5c3 Compare May 10, 2022 06:01
@jeramysoucy jeramysoucy marked this pull request as ready for review May 10, 2022 13:40
@jeramysoucy jeramysoucy requested review from a team as code owners May 10, 2022 13:40
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@jeramysoucy
Contributor Author

@elasticmachine merge upstream

@jportner jportner self-requested a review May 18, 2022 12:42
Contributor

@jportner jportner left a comment

Nice job on this, and I appreciate the tests!

A few nits below. In addition, we need to update the Anonymous Authentication docs at docs/user/security/authentication/index.asciidoc, can you tackle that too?

x-pack/plugins/security/server/config_deprecations.ts (outdated)
x-pack/plugins/security/server/config_deprecations.ts (outdated)
x-pack/plugins/security/server/config_deprecations.ts (outdated)
x-pack/plugins/security/server/config_deprecations.ts (outdated)
docs/settings/security-settings.asciidoc
@jeramysoucy
Contributor Author

Completed nits and doc link logic fix.

@jeramysoucy
Contributor Author

@elasticmachine merge upstream

Contributor

@jportner jportner left a comment

LGTM!

After this merges, we'll need a follow up PR in another repo to add anonymousCredentialType in our telemetry data mappings. I can help you out with that.

@kibana-ci
Collaborator

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@jeramysoucy jeramysoucy merged commit 7d8aae5 into elastic:main May 18, 2022
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label May 18, 2022
@jeramysoucy jeramysoucy deleted the kibana-deprecate-anon-users branch May 18, 2022 17:28
Development

Successfully merging this pull request may close these issues.

Anonymous auth provider deprecations
6 participants