[Fleet] Uninstalltoken saved object namespace agnostic and space aware #190741
Conversation
nchaulet
added
release_note:skip
🤖 GitHub commentsExpand to view the GitHub comments
Just comment with:
|
|
/ci |
… src/core/server/integration_tests/ci_checks'
…haulet/kibana into feature-uninstall-tokens-space-aware
|
/ci |
|
Pinging @elastic/fleet (Team:Fleet) |
| @@ -986,7 +986,7 @@ export const getSavedObjectTypes = ( | |||
| name: MESSAGE_SIGNING_KEYS_SAVED_OBJECT_TYPE, | |||
| indexPattern: INGEST_SAVED_OBJECT_INDEX, | |||
| hidden: true, | |||
| namespaceType: useSpaceAwareness ? 'single' : 'agnostic', | |||
| namespaceType: 'agnostic', | |||
There was a problem hiding this comment.
Is the useSpaceAwareness experimental feature potentially being used anywhere of consequence (by customers, internal deployments, etc)?
Single space ESOs use the object's namespace when constructing AAD. Any instances of Kibana where useSpaceAwareness is active, that then upgrade to a version with this change, would cause existing message signing keys and uninstall token objects to be undecryptable.
There was a problem hiding this comment.
No useSpaceAwareness is not used in any long standing deployment, the feature is still in development, we used that feature flag more as an integration branch for now than a real feature flag
| const tokenObjects = await this.getDecryptedTokenObjects({ filter }); | ||
| const useSpaceAwareness = this.isScoped && (await isSpaceAwarenessEnabled()); | ||
| const namespaceFilter = useSpaceAwareness | ||
| ? getNamespaceFiltering(this.soClient.getCurrentNamespace() ?? DEFAULT_SPACE_ID) |
There was a problem hiding this comment.
On line 676, the SO client is being initialized without the spaces extension. The return value for the call to getCurrentNamespace with no parameter will always be undefined. What is the intended behavior here?
There was a problem hiding this comment.
We use that non space aware so client only when our service is not scoped (this.isScoped = false) (for background task, fleet setup) and if the service is not scoped we are not doing filtering see the line above. This is covered by integration test, but I could add some unit tests to make that behaviour more obvious.
There was a problem hiding this comment.
Ahh...thank you! I missed that.
| @@ -9,7 +9,11 @@ import { createHash } from 'crypto'; | |||
|
|
|||
| import type { KibanaRequest } from '@kbn/core-http-server'; | |||
|
|
|||
| import type { SavedObjectsClientContract } from '@kbn/core/server'; | |||
| import { | |||
There was a problem hiding this comment.
Could you add some more tests here? It would be great to cover some of the functionalities added below. It will give us more confidence, for instance in the event of the feature flag clean up.
There was a problem hiding this comment.
Just added some in 6aa8e8b
| @@ -61,6 +62,14 @@ interface UninstallTokenSOAggregation { | |||
| by_policy_id: AggregationsMultiBucketAggregateBase<UninstallTokenSOAggregationBucket>; | |||
| } | |||
|
|
|||
| function getNamespaceFiltering(namespace: string) { | |||
| if (namespace === DEFAULT_NAMESPACE_STRING) { | |||
| return `(${UNINSTALL_TOKENS_SAVED_OBJECT_TYPE}.attributes.namespaces:default) or (not ${UNINSTALL_TOKENS_SAVED_OBJECT_TYPE}.attributes.namespaces:*)`; | |||
There was a problem hiding this comment.
Just a clarification, is the condition after the or needed to filter out those having namespace = *? I'm not totally sure about this condition, what is going to match.
There was a problem hiding this comment.
if we want the token in the default space, we need to filter by object either not having namespaces set or where namespaces include `default, does it make sense to you?
There was a problem hiding this comment.
isn't going to match also everything else that has any namespace set because of the wildcard *? But maybe I'm misunderstanding how this works.
There was a problem hiding this comment.
the condition is not namespaces:* easy to miss the not here
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
To update your PR or re-run it, just comment with: cc @nchaulet |
kibanamachine
added
v8.16.0
backport:skip
Summary
Related to #184864
To avoid being in a state where user cannot uninstall their agent, that PR change the way we handle uninstall token for space awareness:
namespacesattributesTests
Manually tests, you can enable space awareness by adding the flag to your config
Then using the API to opt-in for the feature
Then you can test creating policies in different space, create uninstall tokens only accessible in their respective space.