Add TLS client authentication support. #43090
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
release_note:enhancement
Team:Core
|
Pinging @elastic/kibana-platform |
|
Pinging @elastic/kibana-security |
7 tasks
azasypkin
force-pushed
the
issue-xxx-client-authentication
branch
from
87b6812
to
b723c06
Compare
💚 Build Succeeded |
azasypkin
commented
Aug 12, 2019
| @@ -202,4 +244,55 @@ describe('with TLS', () => { | |||
| httpSchema.validate(allKnownWithOneUnknownProtocols) | |||
| ).toThrowErrorMatchingSnapshot(); | |||
| }); | |||
|
|
|||
| test('HttpConfig instance should properly interpret `none` client authentication', () => { | |||
There was a problem hiding this comment.
note: just a bunch of tests to only test functionality I'm introducing...
azasypkin
commented
Aug 12, 2019
src/legacy/server/config/schema.js
Outdated
| @@ -111,7 +111,8 @@ export default () => Joi.object({ | |||
| keyPassphrase: Joi.string(), | |||
| certificateAuthorities: Joi.array().single().items(Joi.string()).default([]), | |||
| supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')).default(['TLSv1.1', 'TLSv1.2']), | |||
| cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')) | |||
| cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')), | |||
| clientAuthentication: Joi.any().description('This key is handled in the new platform ONLY'), | |||
There was a problem hiding this comment.
note: this removes a blocker status from #42818 (at least for PKI auth provider)
|
Here is the archive with |
mshustov
approved these changes
Aug 12, 2019
kobelb
approved these changes
Aug 14, 2019
💚 Build Succeeded |
|
7.x/7.4.0: d106a4b |
jloleysens
added a commit
to jloleysens/kibana
that referenced
this pull request
Aug 15, 2019
…p-metrics-selectall * 'master' of github.com:elastic/kibana: (50 commits) [Uptime] update monitor list configs for mobile view (elastic#43218) [APM] Local UI filters (elastic#41588) [Code] Upgrade ctags langserver (elastic#43252) [Code] show multiple definition results in panel (elastic#43249) Adds Metric Type to full screen launch tracking (elastic#42692) [Canvas] Convert Autocomplete to Typescript (elastic#42502) [telemetry] add spacesEnabled config back to xpack_main (elastic#43312) [ML] Adds DF Transform Analytics list to Kibana management (elastic#43151) Add TLS client authentication support. (elastic#43090) [csp] Telemetry for csp configuration (elastic#43223) [SIEM] Run Cypress Tests Against Elastic Cloud & Cypress Command Line / Reporting (elastic#42804) docs: add tip on agent config in a dt (elastic#43301) [ML] Adding bucket span estimator to new wizards (elastic#43288) disable flaky tests (elastic#43017) Fix percy target branch for PRs (elastic#43160) [ML] Adding post create job options (elastic#43205) Restore discover histogram selection triggering fetch (elastic#43097) Per panel time range (elastic#43153) [Infra UI] Add APM to Metadata Endpoint (elastic#42197) Sentence case copy changes (elastic#43215) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Recently we introduced
server.ssl.requestCert(7.3+) for upcoming Kibana node-to-node TLS authentication, but that setting neither ever worked properly nor ever was mentioned in our docs. That lets us to dropserver.ssl.requestCertcompletely in a next minor in favor ofserver.ssl.clientAuthentication: {none|optional|required}to be on a par with Elasticsearch'sxpack.security.http.ssl.client_authentication. This is also a blocker for PKI authentication provider.How to test
Generate certificates for Kibana and End User or use my test certificate-bundle.zip. Steps below assume that you use certificates from the attached certificate bundle.
Run Kibana with the following config:
certificate-bundle/user/user.pfxandcertificate-bundle/kibana/kibana.pfx(to test 2 different users) to the list of your certificates in the browser.Blocks: #42606
"Release Note: added new
server.ssl.clientAuthenticationsetting that controls the server’s behavior in regard to requesting a certificate from client connections. Valid values arerequired,optional, andnone. Therequiredforces a client to present a certificate, whileoptionalrequests a client certificate but the client is not required to present one. Defaults tonone."