In doing some local testing for the linked issue above, there is an indication that we are not handling AAD correctly for converted saved objects. From @chrisronline :
The scenario is:
1. With a 7.14 branch, start up ES (with a dedicated data path) and Kibana (both 7.14)
2. Create rules/connectors in the default space and a custom space
3. Copy the data out of the dedicated data path into a new dedicated data path
4. On master, start ES (with the second dedicated data path) and Kibana (the Kibana has source changes like namespaceType: * single -> namespaceType: multiple-isolated as well as changing from .get to .resolve)
5. Observe error:
   server log [12:06:49.294] [error][encryptedSavedObjects][plugins] Failed to decrypt "apiKey" attribute: Unsupported state or unable to authenticate data
The ESO service has some special handling in place for converted objects, but at first glance this may not be correct. We just attempt to decrypt the object with/without the namespace in its descriptor (which feeds into its additionally-authenticated data, or AAD). However it looks like we need to attempt to decrypt the object with its old ID (originId).
We need to create E2E integration tests for an encrypted saved object that is converted, and probably update our algorithm in the ESO service to correctly handle these cases.
Blocks: #100067
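
The AAD mismatch described in this issue can be reproduced in a simplified model using AES-256-GCM from Node's `crypto` module. This is an added example, not code from Kibana or the encryptedSavedObjects plugin; the AAD layout, the key, the object ids and the `decryptConverted` helper are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const KEY = crypto.randomBytes(32); // constructed key for this demo only

// Assumed AAD layout: the descriptor (namespace, type, id) is authenticated
// alongside the ciphertext, so changing any part of it breaks decryption.
function aadFor({ type, id, namespace }) {
  return Buffer.from(JSON.stringify([namespace ?? null, type, id]));
}

function encrypt(descriptor, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(aadFor(descriptor));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decrypt(descriptor, { iv, ct, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv);
  decipher.setAAD(aadFor(descriptor));
  decipher.setAuthTag(tag);
  // final() throws on a tag mismatch; Node reports it as
  // "Unsupported state or unable to authenticate data".
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Hypothetical fallback: try every descriptor the object may have been
// encrypted under (with/without namespace, and optionally the old id).
function decryptConverted({ type, id, namespace, originId }, blob, { tryOriginId }) {
  const ids = tryOriginId && originId ? [id, originId] : [id];
  const candidates = ids.flatMap((candidateId) => [
    { type, id: candidateId, namespace: undefined },
    { type, id: candidateId, namespace },
  ]);
  let lastError;
  for (const descriptor of candidates) {
    try {
      return decrypt(descriptor, blob);
    } catch (err) {
      lastError = err; // wrong AAD for this candidate, try the next one
    }
  }
  throw lastError;
}

// Constructed sample: encrypted before conversion in a custom space, then
// assumed to have been given a new id with the old one kept in originId.
const blob = encrypt({ type: 'alert', id: 'old-id', namespace: 'custom' }, 'secret-api-key');
const converted = { type: 'alert', id: 'new-id', originId: 'old-id', namespace: 'custom' };
```

Calling `decryptConverted(converted, blob, { tryOriginId: false })` throws the authentication error, while the same call with `tryOriginId: true` returns the plaintext.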