Encrypted saved objects plugin to allow specifying a custom id on create #42688
Comments
mikecote
added
Team:Security
|
Pinging @elastic/kibana-security |
|
Is task manager using a UUID as the ID currently? |
|
@kobelb it's now using whatever the saved objects client is providing to generate ids (when an id is not provided). |
I'm confused. If you're using the SavedObjectsClient itself to generate IDs, why can't the ESO specify the ID? |
|
Everything with ESO works fine when using generated IDs. When providing custom ids (since task manager supports both) ESO throws an error here https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/encrypted_saved_objects/server/lib/encrypted_saved_objects_client_wrapper.ts#L56-L58. |
|
When task manager specifies an ID, is it always a UUID? |
|
Most of the time it will be a reserved word, something like |
Thanks. I was hoping we could validate that the provided ID was a UUID v4, but it sounds like to support your use-case we'd need to allow any arbitrary ID. |
|
Correct, they can be anything the developer wants (in task manager's case). |
Use case (short version)
Making task manager use encrypted saved objects would need to keep the functionality of specifying ids when scheduling tasks.
Use case (long version)
Alerts will soon contain API keys to allow executing requests on behalf of the user. When the alert fires actions, those actions also need to execute requests on behalf of the creator of the alert and not the creator of the action. Task manager sits between alerts and actions to handle scaling and error handling.
In order to have alerts pass the API key to an action, I was thinking of storing them within the task. We could convert
tasksaved object type to use encrypted saved objects (ESO) and encrypt a specific attribute. One feature missing in ESO is the ability to specify ids on create. Task manager supports this and isn't something that can be rolled back.The text was updated successfully, but these errors were encountered: