[Uptime] Generate api key for synthetics service #119590
Conversation
import { SyntheticsServiceApiKey } from '../../../common/runtime_types/synthetics_service_api_key';
import { EncryptedSavedObjectsClient } from '../../../../encrypted_saved_objects/server';

export const syntheticsApiKeyID = 'ba997842-b0cf-4429-aa9d-578d9bf0d391';
Using a UUID is a requirement to work with encrypted saved objects.
Pinging @elastic/uptime (Team:uptime)
cluster: ['monitor', 'read_ilm', 'read_pipeline'],
index: [
  {
    names: ['synthetics-*', 'heartbeat-*'],
Should we be indexing to both heartbeat-* and synthetics-*? I was under the impression we should only be indexing to synthetics-*.
I'm realizing that I'm commenting this on the test, but it applies to the actual implementation too. Same for the below comment.
Since we are going to use the data stream format, it makes sense to remove heartbeat; I will do that.
Done
index: [
  {
    names: ['synthetics-*', 'heartbeat-*'],
    privileges: ['view_index_metadata', 'create_doc'],
We will need the auto_configure privilege as well to create the data stream.
Done
export const SyntheticsServiceApiKeyType = t.type({
  id: t.string,
  name: t.string,
  apiKey: t.string,
In practice, I've also seen the API service return an encoded key on the object, which is the encoded id and name and saves us the trouble of having to encode it ourselves.
I think we are not using the encoded part, since we only need apiKey and that will get saved in saved objects in encrypted form. But I will add it just in case, for typing purposes.
We are not saving the encoded part at all in the saved object.

encryptedSavedObjects.registerType({
  type: syntheticsServiceApiKey.name,
  attributesToEncrypt: new Set(['apiKey']),
As I mentioned above, when I was testing this the saved object service also returned to me an encoded key, which was the pre-encoded id:apiKey combination. If that's the case, we should also encrypt that key, or only save the encoded key on the saved object and encrypt that.
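The two threads above (the `encoded` field on the io-ts type, and `attributesToEncrypt` only listing `apiKey`) come down to one fact: Elasticsearch's `encoded` value is `base64("<id>:<api_key>")`, the exact string that goes into an `Authorization: ApiKey` header, so a plaintext `encoded` attribute leaks the secret however well `apiKey` is encrypted. The following is an added example, not code from this PR or from Kibana; the attribute names mirror the snippets above, the `unencryptedSecrets`/`stripDerivedSecret` helpers are invented here, and the key values are constructed.

```typescript
// Added example (not Kibana's own code). Shows that `encoded` is as sensitive
// as `apiKey`, and checks an encrypted-saved-object registration against the
// attributes an object actually carries.
type SyntheticsServiceApiKey = {
  id: string;
  name: string;
  apiKey: string;
  encoded?: string;
};

// Elasticsearch's `encoded` field is base64("<id>:<api_key>").
export function encodeApiKey(id: string, apiKey: string): string {
  return btoa(`${id}:${apiKey}`);
}

// Recover id and secret from `encoded`: this is why storing it in plaintext
// defeats encrypting `apiKey`.
export function decodeApiKey(encoded: string): { id: string; apiKey: string } {
  const text = atob(encoded);
  const sep = text.indexOf(':');
  if (sep < 0) throw new Error('malformed encoded API key');
  return { id: text.slice(0, sep), apiKey: text.slice(sep + 1) };
}

// Attributes from which the secret can be recovered (assumed policy for this type).
export const SECRET_BEARING_ATTRIBUTES: string[] = ['apiKey', 'encoded'];

// Given the `attributesToEncrypt` set a type was registered with, list the
// secret-bearing attributes present on `obj` that would be persisted in
// plaintext. Empty means the registration covers this object.
export function unencryptedSecrets(
  obj: SyntheticsServiceApiKey,
  attributesToEncrypt: ReadonlySet<string>
): string[] {
  return Object.keys(obj).filter(
    (k) => SECRET_BEARING_ATTRIBUTES.indexOf(k) >= 0 && !attributesToEncrypt.has(k)
  );
}

// The alternative to encrypting both: drop `encoded` before saving, since it
// can be rebuilt from id + apiKey whenever a request needs it.
export function stripDerivedSecret(obj: SyntheticsServiceApiKey): SyntheticsServiceApiKey {
  const copy = { ...obj };
  delete copy.encoded;
  return copy;
}

// Constructed sample in the shape of a create-API-key response (fake values).
export const sampleKey: SyntheticsServiceApiKey = {
  id: 'VuaCfGcBCdbkQm-e5aOx',
  name: 'synthetics-service',
  apiKey: 'ui2lp2axTNmsyakw9tvNnw',
};
sampleKey.encoded = encodeApiKey(sampleKey.id, sampleKey.apiKey);
```

With the registration as written in this PR (`new Set(['apiKey'])`), `unencryptedSecrets(sampleKey, ...)` reports `encoded`; either adding it to the set or calling `stripDerivedSecret` before `client.create` clears the finding.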
const isApiKeysEnabled = await security.authc.apiKeys?.areAPIKeysEnabled();

if (!isApiKeysEnabled) {
  return;
I don't know a lot about the types of helpers we have with our API layer, but when we return null, what is the response that is returned to the client? Status 500?
We may need to have a more specific error message here, so that we can let the user know how to remedy this situation. I don't suppose anyone wouldn't be using TLS in production, which is required to use API keys, but perhaps if they are just trying to get started and testing out the synthetics service, we could populate an error message to let them know to run with TLS.
At any rate, this isn't necessary right now for an incremental step, but it could be good to keep in mind.
I think in the route, if the key is undefined or an error, that should be passed on to the UI. I have updated this line to be a bit better.
names: ['synthetics-*', 'heartbeat-*'],
privileges: ['view_index_metadata', 'create_doc'],
See my comment on the test about these two lines.
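The two review points on this descriptor (write only to synthetics-*, and add auto_configure so the data stream can be created) can be expressed as a least-privilege check that runs over the role descriptor before the key is created. This is an added example, not code from this PR or from Kibana; the `index`/`names`/`privileges` shape and the privilege names follow the snippets in this thread, while `policy`, `checkLeastPrivilege` and the two descriptor constants are assumptions made here.

```typescript
// Added example (not Kibana's own code): least-privilege policy check for the
// role descriptor handed to the synthetics service API key.
type IndexPrivilege = { names: string[]; privileges: string[] };
type RoleDescriptor = { cluster: string[]; index: IndexPrivilege[] };

// Assumed policy: what this key may hold, and what it needs to do its job.
export const policy = {
  allowedCluster: ['monitor', 'read_ilm', 'read_pipeline'],
  allowedIndexPatterns: ['synthetics-*'],
  allowedIndexPrivileges: ['view_index_metadata', 'create_doc', 'auto_configure'],
  requiredIndexPrivileges: ['create_doc', 'auto_configure'],
};

// Returns findings as strings; an empty list means the descriptor fits the policy.
export function checkLeastPrivilege(role: RoleDescriptor): string[] {
  const findings: string[] = [];
  for (const c of role.cluster) {
    if (policy.allowedCluster.indexOf(c) < 0) findings.push(`cluster privilege not allowed: ${c}`);
  }
  for (const entry of role.index) {
    for (const n of entry.names) {
      if (policy.allowedIndexPatterns.indexOf(n) < 0) findings.push(`index pattern not allowed: ${n}`);
    }
    for (const p of entry.privileges) {
      if (policy.allowedIndexPrivileges.indexOf(p) < 0) findings.push(`index privilege not allowed: ${p}`);
    }
    for (const req of policy.requiredIndexPrivileges) {
      if (entry.privileges.indexOf(req) < 0) findings.push(`missing index privilege: ${req}`);
    }
  }
  return findings;
}

// The descriptor as first reviewed in this PR: heartbeat-* and no auto_configure.
export const reviewedDescriptor: RoleDescriptor = {
  cluster: ['monitor', 'read_ilm', 'read_pipeline'],
  index: [{ names: ['synthetics-*', 'heartbeat-*'], privileges: ['view_index_metadata', 'create_doc'] }],
};

// The descriptor after both review comments are applied.
export const revisedDescriptor: RoleDescriptor = {
  cluster: ['monitor', 'read_ilm', 'read_pipeline'],
  index: [{ names: ['synthetics-*'], privileges: ['view_index_metadata', 'create_doc', 'auto_configure'] }],
};
```

Running `checkLeastPrivilege(reviewedDescriptor)` yields exactly the two findings raised in review; the revised descriptor yields none. Keeping the policy beside the key-creation code makes a later widening of the descriptor (an extra cluster privilege, a broader index pattern) fail a unit test instead of going unnoticed.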
  client: SavedObjectsClientContract,
  apiKey: SyntheticsServiceApiKey
) => {
  await client.create(syntheticsServiceApiKey.name, apiKey, {
Does this need any error handling? Unsure of what the potential points of failure are.
I don't think so; it will throw an error, and the Kibana route will auto pick it up and generate a message if need be.
LGTM for incremental step!
@elasticmachine merge upstream
@elasticmachine merge upstream
💚 Build Succeeded
💔 Backport failed
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
fixes elastic/uptime#398
The basic idea is that we will call this utility function from the CRUD requests or the Kibana task manager. In the case of the task manager, it will not have access to the request object, so that part we still need to figure out. But I think in most cases, I assume, when the task manager runs we will have pushed some saved object, in the sense that the key will already be there so it can just reuse it.
You can test the encryption/decryption aspect by placing the following piece of code in an existing uptime route, perhaps get_index_status.