-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security plugin in the new platform #18024
Comments
Original comment by @azasypkin: Some thoughts: security is the plugin that affects other plugins and probably the core itself since it is going to intercept other routes for authentication, there is a chance that other plugins will need something like this as well. In my test branch I temporarily added What do you think @elastic/kibana-platform? Do we have other use cases when some plugins are supposed to have more power than others? |
Original comment by @azasypkin: WIP code is in LINK REDACTED |
Original comment by @epixa: I think implementing our own cookie-based session middleware is probably a good thing, to be honest. We'll need to implement exactly the same cookie/encryption logic initially so that the same cookie can be used to auth requests on the old core and new platform, and I doubt there's any out of the box solution we could use to do this. In the future, we'll want to move to using tokens, and we'll be able to do that more seamlessly if we have full control over the middleware. |
Original comment by @azasypkin:
Indeed, from my experiments |
Original comment by @azasypkin: To summarize or discussion on the "http filters". The platform extension point that security needs should be able to:
/cc @kjbekkelund |
Original comment by @kjbekkelund: All the things that rely on the hapi lifecycle in Kibana today:
And in x-pack:
|
@elastic/kibana-security Technically, this is a security team thing, but it's something we need to sort out pretty early in the roll out of the new platform, so unless the security team miraculously gets a chunk of free time in the next couple months, I think the @elastic/kibana-platform is going to take a swing at this initial implementation. |
Unassigning myself since I'm not working on this at the moment. |
@azasypkin @restrry Sessions and route auth is migrated, right? I think we can close this. |
Yes, entire authentication system has been migrated to NP plugin (except for security |
Original comment by @azasypkin:
In current Kibana security plugin is highly coupled with
Hapi
and its authentication plugins. In the new platform we'll presumably be usingExpress
framework that will affect the way we manage authentication. Ideally that should be internal implementation detail though.There are two main parts that we should take care of:
Route authentication
Route authentication will require router-level middleware that will basically work with something like
Authenticator
we have in LINK REDACTED We likely don't need any special 3rd-party module to handle that.Session management
It feels OK to leverage middleware cookie session modules provided by
Express
itself: LINK REDACTED or LINK REDACTED.The problem with the
express-session
middleware is that it stores session data on the server and only saves the session ID in the cookie itself, not session data. So it's likely a no-go for us.The
cookie-session
middleware implements cookie-backed storage and serializes the entire session to the cookie, rather than just a session key. Exactly like we do it right now. The only problem is thatcookie-session
can only sign cookie, not encrypt (see expressjs/cookie-session#9). Having ability to encrypt cookie is very important for Kibana in the current state since it storesusername:password
pair in the cookie itself. Right now LINK REDACTED plugin handles cookie encryption for us and uses LINK REDACTED under the hood.I'm not sure if we can easily complement
cookie-session
with encryption and that's what I'm going to check next. If not, we may want to implement something similar to Mozilla's node-client-sessions, although I'm not sure if it's a good idea to do so.Also I'm wondering if
username:password
in the cookie is the only reason for cookie encryption, if so maybe we can rely on Token Management API and store authentication token in the cookie instead? In this case we won't need to encrypt the cookie, unless I'm missing something. We can invalidate such token from Kibana on logout and it also has expiration date. We'll use same/similar token API forSAML
anyway./cc @elastic/kibana-platform
The text was updated successfully, but these errors were encountered: