Move the plugin configuration to stateless

[Desvelao]

Description
As part of the issue that pretends to remove the stateful of the Wazuh dashboard plugins, we need to adapt the way the plugin's configuration is defined through the current wazuh.yml file.

The configuration will be saved in a saved object. This should support deploys with multiple instances of the Wazuh dashboard with shared or independent configuration. More info: #6201 (comment)

Type	ID
wazuh-dashboard-plugins-config	id of instance

The sensitive data related to API host entries must be protected through encryption. The data encryption must use a secret. More info: #6201 (comment)

The configuration management (edit settings, add API hosts) must be only allowed for the privileged users regarding the platform login data. More info: #6201 (comment)

The API host entries must be managed through the UI.

Tasks:

• Analyze the possibilities
• Implement the configuration management:
  • Create configuration service in the core plugin (backend-side)
  • Create store repository (saved-objects) in the core plugin (backend-side)
  • Create configuration service in the core plugin (frontend-side)
  • Adapt the configuration management
    • Adapt endpoint controllers
    • Adapt jobs in the main plugin
    • Refactor services that used the old configuration
      • manageHosts
      • serverAPIClient
      • cacheAPIUserAllowRunAs
      • serverAPIHostEntries
      • updateConfigurationFile
  • Remove management of wazuh.yml file
  • Remove the getConfiguration service
  • Move the services related to settings to integrate into the Configuration service
  • Adapt the configuration through App Settings
  • Enhance the Security factory of the core plugin on the backend side
  • Protect the routes related to managing the configuration with the privileged permissions
  • Add a mechanism to encrypt the sensitive data of API hosts configuration
  • Create a security dashboard service on the frontend side to manage the permissions related to the privileged user
• Nice to have. Create a utility to port the changes to the new system.

Other related issues:

• Remove wazuh.yml and store config in wazuh-indexer #4159
• Wazuh App password is saved as plain text  #3637

[Desvelao]

Analysis

Save the configuration in a saved object

Pros:

• React to real-time configuration

Cons:

• Hard to share or port the configuration to another Wazuh dashboard
• Sensitive data as API server password is accessible for any user with read permissions of the saved object

This could be mitigated by hidding or masking fields, see:
hide: https://opensearch.org/docs/latest/security/access-control/field-level-security/
mask: https://opensearch.org/docs/latest/security/access-control/field-masking/

Use the configuration of the platform (opensearch_dashboards.yml)

Pros:

• Centralize the configuration of the Wazuh dashboard
• Configuration is not visible. The sensitive data could be stored in the keystore (this needs research)
• Easily share the configuration

Cons:

• Require renaming the settings. The plugin configuration settings need a namespace (prefix).
• Can not react to real-time changes. Need a restart.

Comparison

Description	Current	Store in saved object	Platform configuration
React to real-time changes (do not need a restart)	✅ (some settings need a restart)	✅	❌
Share configuration easily	✅	❌	✅
Protected data	✅	❌	✅

[Desvelao]

We had a meeting today and we decided to research the possibility of creating a similar initiation process for the security of the Wazuh indexer to set the plugins settings. This approach could resolve some of the problems of the analyzed solutions.

A script that initiates the status from the configuration from a file (internalusers.yml, roles.yml, etc...).

[Desvelao]

Research the initiation of security in Wazuh indexer

The securityadmin.sh script is used to initialize the security of the Wazuh indexer cluster using the configuration of internal users, roles, etc... defined in local files.

The script executes Java code:

• https://github.com/opensearch-project/security/blob/2.11.0.0/tools/securityadmin.sh#L34
• https://github.com/opensearch-project/security/blob/2.11.0.0/src/main/java/org/opensearch/security/tools/SecurityAdmin.java

This seems to be managing the requests through the Wazuh indexer API

Regarding the intention to save sensitive data, if we retrieve the data for an internal user doesn't display the hashed password:

The .opendistro-security index doesn't return the documents despite there are:

According to this documentation, the .opendistro_security is a system index, and if you want to get the data, for this specific index, you need to use an admin certificate instead: https://opensearch.org/docs/2.11/security/configuration/system-indices/

I got the document that contains the data related to the internal users and this seems to be encoded:

{
        "_index": ".opendistro_security",
        "_id": "internalusers",
        "_score": 1.0,
        "_source": {
          "internalusers": "eyJfbWV0YSI6eyJ0eXBlIjoiaW50ZXJuYWx1c2VycyIsImNvbmZpZ192ZXJzaW9uIjoyfSwiYWRtaW4iOnsiaGFzaCI6IiQyYSQxMiRWY0NEZ2gyTkRrMDdKR04wcmpHYk0uQWQ0MXFWUi9ZRkpjZ0hwMFVHbnM1SkR5bXYuLlRPRyIsInJlc2VydmVkIjp0cnVlLCJiYWNrZW5kX3JvbGVzIjpbImFkbWluIl0sImRlc2NyaXB0aW9uIjoiRGVtbyBhZG1pbiB1c2VyIn0sImtpYmFuYXNlcnZlciI6eyJoYXNoIjoiJDJhJDEyJDRBY2dBdDN4d09XYWRBNXM1YmxMNmV2MzlPWEROaG1PZXNFb28zM2VadHJxMk4wWXJVM0guIiwicmVzZXJ2ZWQiOnRydWUsImRlc2NyaXB0aW9uIjoiRGVtbyBraWJhbmFzZXJ2ZXIgdXNlciJ9LCJraWJhbmFybyI6eyJoYXNoIjoiJDJhJDEyJEpKU1hOZlRvd3o3VXU1dHRYZmVZcGVZRTBhckFDdmN3bFBCU3RCMUYuTUk3ZjBVOVo0REdDIiwicmVzZXJ2ZWQiOmZhbHNlLCJiYWNrZW5kX3JvbGVzIjpbImtpYmFuYXVzZXIiLCJyZWFkYWxsIl0sImF0dHJpYnV0ZXMiOnsiYXR0cmlidXRlMSI6InZhbHVlMSIsImF0dHJpYnV0ZTIiOiJ2YWx1ZTIiLCJhdHRyaWJ1dGUzIjoidmFsdWUzIn0sImRlc2NyaXB0aW9uIjoiRGVtbyBraWJhbmFybyB1c2VyIn0sImxvZ3N0YXNoIjp7Imhhc2giOiIkMmEkMTIkdTFTaFI0bDR1QlMzVXY1OVBhMnk1LjF1UXVaQnJadG1OZnFCM2lNLy5qTDBYb1Y5c2doUzIiLCJyZXNlcnZlZCI6ZmFsc2UsImJhY2tlbmRfcm9sZXMiOlsibG9nc3Rhc2giXSwiZGVzY3JpcHRpb24iOiJEZW1vIGxvZ3N0YXNoIHVzZXIifSwicmVhZGFsbCI6eyJoYXNoIjoiJDJhJDEyJGFlNHljd3p3dkx0Wnh3WjgyUm1pRXVuQmJJUGlBbUdaZHVCQWpLTjBUWGR3UUZ0Q3dBUnoyIiwicmVzZXJ2ZWQiOmZhbHNlLCJiYWNrZW5kX3JvbGVzIjpbInJlYWRhbGwiXSwiZGVzY3JpcHRpb24iOiJEZW1vIHJlYWRhbGwgdXNlciJ9LCJzbmFwc2hvdHJlc3RvcmUiOnsiaGFzaCI6IiQyeSQxMiREcHdtZXRIS3dnWW5vcmJnZHZPUkNlbnY0TkFLOGNQVWc4QUk2cHhMQ3VXZi9BTGMwLnY3VyIsInJlc2VydmVkIjpmYWxzZSwiYmFja2VuZF9yb2xlcyI6WyJzbmFwc2hvdHJlc3RvcmUiXSwiZGVzY3JpcHRpb24iOiJEZW1vIHNuYXBzaG90cmVzdG9yZSB1c2VyIn19"
        }
}

The value seems to be encoded using JWT. If we decode it, we can see the hashed password of the internal users:

The user password of the internal user is hashed. The creation of these hashes, using a script that runs under the hoods this code: https://github.com/opensearch-project/security/blob/2.11.0.0/src/main/java/org/opensearch/security/tools/Hasher.java#L84-L92

I could not find it where the data is JWT encoded or how the GET /<security_index> endpoint is protected to avoid the searches, but it seems the .opendistro_security index has so many protections. We could need to develop a similar system to difficult the security risks, but this could require the development of a plugin for the Wazuh indexer. As a workaround, we could encode the sensitive data as related to the server API host data (mainly the password).

[Desvelao]

Store the configuration

The intention is to store the plugin configuration in a saved object instead of the current configuration file (wazuh.yml). This approach causes the data to be more exposed, so we must take some actions to protect the sensitive data as the host.

Design

We will create an interface to communicate with the configuration in the server and frontend side that will use the current plugin setting schema (extending as necessary).

Backend:

• Store in a saved object

Frontend:

• Store in memory
• Ability to retrieve the latest configuration through the current endpoints

These new services will be created in the core plugin and exposed to the rest of the plugins that could register their own settings. Each plugin should register the settings on the backend and frontend side.

Interfaces:

• Configuration: interface to use directly. This uses under the hood an instance of ConfigurationStore service to retrieve the configuration that is saved in different places depending on if it is the backend or frontend side.
• ConfigurationStore: store the configuration

Backend side

Each plugin should register the setting on the setup method and then the core plugin registers the saved object configuration.

The configuration will be stored on a saved object:

Type	ID
wazuh-dashboard-plugins-config	id of instance

The ID of the instance can be defined through:

Plugin setting	Type	Description	Default value
wazuh_core.instance	string	Define the instance ID	wazuh-dashboard

The sensitive data as the hosts will be encrypted using an encryption key. More info at: #6201 (comment)

This supports deploying multiple instances of the Wazuh dashboard that share or use independent configuration. If using the shared configuration, take into account that if the jobs of monitoring or statistics are enabled in multiple machines with the same API hosts entries, the daya could be duplicated on the Wazuh indexer.

The cache system is based on time to live (60s) and reduces the requests to retrieve the data of the saved object and lets a Wazuh dashboard instance "updates" its configuration if another instance that is sharing the configuration modifies it. Take into account that modifying a setting that implies the restart of the Wazuh dashboard service, needs each instance sharing the configuration to be restarted to take effect.

Frontend side

The configuration will be saved in memory.

Migrate the wazuh.yml configuration file

The previous versions of the Wazuh dashboard could use the mechanism to initialize the Wazuh dashboard plugins settings with its customizations.

Manage the API host

A new mechanism has to be created to manage the API host entries ( create, delete, update ) from the UI.

Implementation

The API host entries can be managed through the Server APIs application.

New endpoints:

• PUT /hosts/apis/{API_ID}: creates or updates the API host entry
• DELETE /hosts/apis/{API_ID}: removes the API host entry

The addition, update, or deletion of API host entries must be done through these endpoints.

[Desvelao]

Manage the API host entries

I was exploring the idea to manage the API host entries from the App Settings configuration, but, it seems overcomplicated due to the layout and manage the password values.

I reverted this to move to the Server APIs application where the server API are listed and added the ability to create, update or remove the API host entries.

As the ability to manage the API host from the UI is new, we need to specify the requirements for a user can execute these actions. This affects the UI buttons and the backend side that manages the API host entries.

[Desvelao]

Encrypt the sensitive data of configuration in the saved object

Description

The API host data is saved in the saved object of the plugin's configuration. This saved object can be retrieved from any user with permission about the index where this is located. As the API host data will save some sensitive data, we could need to implement a mechanism to encrypt/decrypt the data in the saved object. In the previous configuration system in the wazuh.yml file, the API host data is in plain text.

I recently added the ability to the ConfigurationStore service on the backend side to map/unmap the password values for the API host entries.

We need to decide on the encryption method, but one of the possibilities could be the user can configure the method or options to this data is encrypted. We need to decide how these options are defined taking into account we want to the plugins be stateless (no required files to work). Moreover, we need to take into account the process when the options to encrypt the data change, a migration process (automatic or manual by the user) should be done to keep the previous data. The options to encrypt the data could be done through the definition in the Wazuh dashboard configuration file.

Implementation

Create a Encryption service that manages how to encrypt and decrypt the data. This service is configured through a secret that is used to get some encryption properties such as salt and key.

The secret can be defined in a new plugin setting defined in the platform configuration file (opensearch_dashboards.yml):

Plugin setting	Type	Description	Default value
wazuh_core.configuration.encryption_key	string	Define the key to be used to generate some encryption properties	secretencryptionkey!

Example:

wazuh_core.configuration.encryption_key: customEncryptionKey

⚠ Changing the key will cause the data not to be decrypted in environments that are configured previously.

The encryption only applies to the API host data stored in the saved object.

[Desvelao]

Manage the API host entries

The API host entries can be managed through the Server APIs application.

The Add new button was replaced to Add API host which opens a flyout that contains a form with the required API host data.

Moreover, a button to add or remove an API host entry was added to the API hosts table.

The Add API host, editing or removing buttons are protected to a privileged user. The API endpoints to configure the API hosts were protected with the same requirement.

[Desvelao]

Administrator user

The plugin's configuration management is restricted to privileged users.

The administrator users of the plugins is based in the access to the rest API of OpenSearch, this can be configured through the plugins.security.restapi.roles_enabled OpenSearch setting. More details on: #6201 (comment) privileged users can be defined through RBAC using the roles of Wazuh indexer.

Example:

# opensearch.yml
plugins.security.restapi.roles_enabled: ["all_access", "wazuh_admin"]

A new endpoint was created that returns if the current user is a privileged user or not.

GET /utils/account

Responses:

• User is administrator:
  • HTTP code: 200

{
 "administrator": true
}

• User is NOT administrator:
  • HTTP code: 200

{
 "administrator": false,
 "administrator_message": "<Permission denied reason>"
}

[Desvelao]

Setup or migrate the configuration

I am researching how to migrate or pre-setup the configuration using the previous configuration through the wazuh.yml configuration file to the new system stored in a saved object.

Migration task on Wazuh dashboard initiation

I added a mechanism to setup the configuration using the configuration file located at <WAZUH_DASHBOARD>/data/wazuh/config/wazuh.yml (location of configuration in the previous plugins).

When the Wazuh dashboard starts, check if the configuration file is located in the expected directory (<WAZUH_DASHBOARD>/data/wazuh/config/wazuh.yml ). If this exists and there is not a previous configuration stored in the saved object, then read the file and update the defined settings on the saved object.

This process is indicated to migrate the configuration of previous versions.

API

Use the POST /utils/configuration/import endpoint to upload the file.

 curl -k -u <username>:<password> --form file='@<config_file>' -XPOST <address>/utils/configuration/import

where:

• username: username
• password: password for the user
• config_file: path to the configuration file
• address: URL address of the Wazuh dashboard host

ℹ️ This process can be done by a privileged user.

[Desvelao]

Sync meeting

Show

• Configuration encryption.
  • New plugin setting
• Administrator user roles

Discussion

• No multiple instances of Wazuh dashboard (use case: worker fetch data for statistics and monitoring)

• Replace the current protection of privileged user (administrator API role) for the platform role:

  • Sample data: view UI, add and remove
  • App Settings
  • Delete PDF report

• Protect view actions related to privileged user:

  • App Settings
  • Deploy new agent option to set the enrollment.dns
  • Server APIs?

• Migration process

  • Server side
  • Script
    • Where should it be included in the binary: plugin or platform?

  Changes could require a restart of a Wazuh dashboard

Action items

• Administrator role: research about cluster permissions instead of roles
• Ignore the migration process when the saved object has some settings defined
• See parallel monitoring and migration
• Support multiple instances of Wazuh dashboards
• Disable button user has no permissions: Deploy new agent option to set the enrollment.dns
• Where should it be included in the binary: plugin or platform? Plugin. Create an issue to move to <WAZUH_DASHBOARD>/bin Move the script to setup the configuration to bin directory wazuh-dashboard#142
• Adapt the protections of view/actions related to the administrator user
  • Sample data view
  • Sample data add data
  • Sample data remove data
  • App settings view
  • Set enrollment.dns setting from Deploy new agent guide
  • Remove the requirement of administrator user from the delete report in the Reports application

[Desvelao]

Research - Administrator: Cluster permissions

One of the action items of the last meeting was:

Administrator role: research about cluster permissions instead of roles
whose intention is to consider the administrator user based on the cluster permissions.

Currently, the security data of the user is getting through GET /_opendistro/_security/api/account but it is does not include data about the cluster permissions. But it includes the roles of the user.

The role information can be used with the security plugin API to get the cluster permissions using the endpoint:

GET /api/v1/configuration/roles/{id}

whose response https://github.com/opensearch-project/security-dashboards-plugin/blob/v1.13.0.0/server/routes/index.ts#L273-L290

   * for role, response will look like:
   * {
   *   "reserved": true,
   *   "hidden": false,
   *   "description": "Allow full access to all indices and all cluster APIs",
   *   "cluster_permissions": ["*"],
   *   "index_permissions": [{
   *     "index_patterns": ["*"],
   *     "fls": [],
   *     "masked_fields": [],
   *     "allowed_actions": ["*"]
   *   }],
   *   "tenant_permissions": [{
   *     "tenant_patterns": ["*"],
   *     "allowed_actions": ["kibana_all_write"]
   *   }],
   *   "static": false
   * }

The cluster_permissions can include an action group or specific cluster permissions. We could get the specific cluster permissions of an action group with the API request:

GET /api/v1/configuration/actiongroups/{id}

In summary, to check if an user could have the desired cluster permission we could need to do multiple API requests:

• Get user info
• Get role info (for each role)
• Get an action group (for each group)

We could use the generic API endpoints to get data about the roles or actions ( if all the data is returned). This could reduce the API request to 3.

Update 2024/02/20

I am working to get the role info using the internal user but this has no permissions to get this data. If we think to use this user, then we need to provide of the required permissions.

If we use the current user, then the current user needs this permissions.

I was testing to use the OpenSearch client that is comming in the security plugin:

const response =
        await context.security_plugin.esClient.callAsInternalUser(
          'opensearch_security.listResource',
          {
            resourceName: 'roles',
          },
        );

Based on https://github.com/opensearch-project/security-dashboards-plugin/blob/2.11.0.0/server/routes/index.ts#L248-L253 that uses the current user instead.

[Desvelao]

Changes

• Rename platform setting: wazuh_core.configuration.encryption_password to wazuh_core.configuration.encryption_key
• Rename the setup configuration script to wazuh-dashboard-setup-configuration
• Replace the policy to consider the administrator user that is now based on the rest API access

[Desvelao]

Administrator user considerations

According to the research to use the cluster permissions instead of roles, this could need the current or internal user has permissions to retrieve data of roles or cluster permissions.

Another option could be to use the same approach that is using the Security plugin of the platform to be displayed to the current user that is checking if this has some specific permissions. With this approach, we could remove the current implementation that is based in user roles.

I opened a discussion with the cloud team to consider the implementation taking into account that can be compatible with its management.

[Desvelao]

Meeting

team: documenation

I asked to the documentation team a meeting to define the changes to apply in the documentation and take into account some considerations to organize the content.

Topics

• Organize the new configuration system
  • Removed wazuh.yml
  • Usage of wazuh.yml file to load configuration
  • Platform settings
  • API dashboard
  • References to the configuration file: what to do?

I was in a recent meeting with the documentation team discussing the topics:

Actions items

• Analyze each reference to the configuration file:
  • Replace the references to change values in run time through the UI
  • Raise the related changes to Docker, AMI, other installations
• Ignore the addition of a new section about the API dashboard for now

[Desvelao]

Administrator user that can manage the configuration

We could use to consider the administrator user the same approach that is used to display the Security plugin that is only visible for users with permissions to access to the API.

The Security plugin of OpenSearch Dashboards does a request to check the permissions and register the application depending on the value of has_api_access field.

Endpoint: GET /api/v1/restapinfo
Register Security application depending on the has_api_access value: https://github.com/opensearch-project/security-dashboards-plugin/blob/2.11.0.0/public/plugin.ts#L99-L100
Request definition and check response value: https://github.com/opensearch-project/security-dashboards-plugin/blob/2.11.0.0/public/plugin.ts#L54C16-L63
Request: https://github.com/opensearch-project/security-dashboards-plugin/blob/2.11.0.0/public/plugin.ts#L89

Following this approach, we could create a function with the similar check and use it to consider the administrator user.

async function isAdministratorUser(
  context: RequestHandlerContext,
  request: OpenSearchDashboardsRequest,
) {
  const response = await context.security_plugin.esClient
    .asScoped(request)
    .callAsCurrentUser('opensearch_security.restapiinfo');

  if (!response.has_api_access) {
    throw new Error(`User has no permission.`);
  }
}

This approach removes the requirements to implement our own system based on roles or cluster permissions.

Analysis of has_api_access value

The has_api_access is defined here https://github.com/opensearch-project/security/blob/2.11.0.0/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java#L133 that is the result to check https://github.com/opensearch-project/security/blob/2.11.0.0/src/main/java/org/opensearch/security/dlic/rest/api/PermissionsInfoAction.java#L121.

The currentUserHasRestApiAccess definition: https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java#L256-L261
The mehod uses the variable allowedRoles that is a Map that contains the roles defined in the OpenSearch setting plugins.security.restapi.roles_enabled https://github.com/opensearch-project/security/blob/main/src/main/java/org/opensearch/security/dlic/rest/api/RestApiPrivilegesEvaluator.java#L103 . OpenSearch documentation about accessing to the rest API: https://opensearch.org/docs/2.11/security/access-control/api/#access-control-for-the-api

According to the analysis of the has_api_access value, it will be true if the user has some role of the defined in the plugins.security.restapi.roles_enabled OpenSearch setting.

This means we can control the users that are considered as administrator for the Wazuh plugins using the roles assinged to the user and the plugins.security.restapi.roles_enabled setting of OpenSearch.

Related to: #6201 (comment)

[Desvelao]

Changes

• Add a cache to the ConfigurationStore service of the backend side that avoids the repetition of requests to get the content of the saved object.

[Desvelao]

Changes

• Reimplemented the cache system of the ConfigurationStore taking into account the possibility to share the configuration through multiple instances of the Wazuh dashboard.

[Desvelao]

Changes

• Minor fixes
• Adapt the monitoring and statistics jobs
• Generate suite of manual tests
• Update development branch with the last changes
• Resolve some TODOs
• Fix unit tests
• Rename references to API host by API connection in the Server APIs application and ManageHosts service

[Desvelao]

Changes

• Move some AngularJS dependencies to the component in the ApiTable component
• Create API endpoint to create API connections:
  • POST /hosts/apis/{id}
• Adapt the API request done by the form of API connection
• Adapt setup-configuration script to use the new API endpoint
• Add method to create API connection to the ManageHosts service

[Desvelao]

Changes

• Add some tests related to wazuh-utils
• Rework the setup of configuration based on importing the file through a new API endpoint. This does unnecessary the addition to own script.

[Desvelao]

Changes

• Renamed the type of configuration saved object from plugins-configuration to wazuh-dashboard-plugins-config