Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Reporting] Document Network Policy configuration #80431

Merged
merged 11 commits into from
Oct 16, 2020
5 changes: 5 additions & 0 deletions docs/settings/reporting-settings.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -248,6 +248,11 @@ a| `xpack.reporting.capture.browser`
exist. Configure this to a unique value, beginning with `.reporting-`, for every
{kib} instance that has a unique <<kibana-index, `kibana.index`>> setting. Defaults to `.reporting`.

| `xpack.reporting.capture.networkPolicy`
| Capturing a screenshot from a {kib} page involves sending out requests for all the linked web assets. For example, a Markdown
visualization can show an image from a remote server. You can configure what kind of requests to allow or filter by setting a
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
Network Policy for Reporting. See <<reporting-network-policy, Network Policy>> for more details.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missed this one the first time around. Network Policy should be lower case. How about removing the last sentence and making "network policy" the link in the previous sentence:

You can configure what type of requests to allow or filter by setting a <<reporting-network-policy, network policy>> for Reporting. See <<reporting-network-policy, Network Policy>> for more details.


| `xpack.reporting.roles.allow`
| Specifies the roles in addition to superusers that can use reporting.
Defaults to `[ "reporting_user" ]`. +
Expand Down
1 change: 1 addition & 0 deletions docs/user/reporting/configuring-reporting.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -75,3 +75,4 @@ to point to a proxy host requires that the Kibana server has network access to
the proxy.

include::{kib-repo-dir}/user/security/reporting.asciidoc[]
include::network-policy.asciidoc[]
74 changes: 74 additions & 0 deletions docs/user/reporting/network-policy.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
[role="xpack"]
[[reporting-network-policy]]
=== Restricting requests with a Reporting Network Policy
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

When {report-features} generates PDF reports, it uses the Chromium browser to fully load the {kib} page on the server. This
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
potentially involves sending requests to external hosts, for example, a request may go to an external image server for showing a
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
field formatted as an image, or to show an image in a Markdown visualization.

If the Chromium browser is requested to send a request that violates the network policy, Reporting will stop processing the page
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
before the request goes out, and the report will be marked as a failure. Additional information about the event can be found in
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
Kibana's server logs.
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

A network policy applies not only to outgoing requests, but also incoming responses. That means if a request goes out to an allowed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
A network policy applies not only to outgoing requests, but also incoming responses. That means if a request goes out to an allowed
A network policy applies not only to outgoing requests, but also to incoming responses. If a request goes out to an allowed

host, but is redirected and a response returns from a denied host, the response will be denied, and the report will fail.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Isn't this still technically an outgoing request? The redirect would involve a response from the allowed host, and then the browser would issue a new request to the denied host -- the network policy would then prevent the connection to the denied host.

The way it's currently written, I could misinterpret this to believe that Chromium would connect to the denied host, but simply ignore the response.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I mistook what is going on in the response handler code that I have become slightly familiar with.

I should have realized the point you made, but now I'm less sure about what the code is doing :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, that's correct: we do a best effort prior to the request being sent, but if a DNS hijack or something else occurs, this can redirect to internal-only IPs or worse (the file:// protocol, etc).

This is why we check both the request itself, as well as the response, and if any violate network policies then the session is shutdown immediately (the browser is closed, we log the reason, and the reporting job is failed).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool, glad to understand it better.

I think that level of detail might not be required for the docs. I'm just going to wipe out these sentences.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
host, but is redirected and a response returns from a denied host, the response will be denied, and the report will fail.
host, but is redirected and a response returns from a denied host, the response is denied, and the report fails.


[NOTE]
============
{kib} installations are not designed to be publicly accessible over the Internet. The Reporting network policy and other capabilities
of the Elastic Stack security features do not change this condition.
============

==== Configuring Reporting Network Policy
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

You configure the network policy by specifying the `xpack.reporting.capture.networkPolicy.rules` setting in `kibana.yml`. A policy is specified as
an array of objects that describe what to allow or deny based on an optionally-provided host and/or protocol. If a host or protocol
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
is not specified, the rule will match any host or protocol, respectively.
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule.
If none of the rules allow a request, the request will be denied.
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

[source,yaml]
-------------------------------------------------------
# Only allow requests to placeholder.com
xpack.reporting.capture.networkPolicy:
rules: [ { allow: true, host: "placeholder.com" } ]
-------------------------------------------------------

[source,yaml]
-------------------------------------------------------
# Only allow requests to https://placeholder.com
xpack.reporting.capture.networkPolicy:
rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ]
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
-------------------------------------------------------

A final `allow` rule with no host or protocol will allow all requests that are not explicitly denied.

[source,yaml]
-------------------------------------------------------
# Denies requests from http://placeholder.com, but anything else is allowed.
xpack.reporting.capture.networkPolicy:
rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }];
-------------------------------------------------------

A network policy can be composed of multiple rules.

[source,yaml]
-------------------------------------------------------
# Allow any request to http://placeholder.com but for any other host, https is required
xpack.reporting.capture.networkPolicy
rules: [
{ allow: true, host: "placeholder.com", protocol: "http:" },
{ allow: true, protocol: "https:" },
]
-------------------------------------------------------

[NOTE]
============
The `file:` protocol will always be denied, even if there is no network policy configured.
tsullivan marked this conversation as resolved.
Show resolved Hide resolved
============

==== Disabling Reporting Network Policy
tsullivan marked this conversation as resolved.
Show resolved Hide resolved

You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for
this configuration property is `true`, so it is not necessary to explicitly enable it.