[Fleet] handle API key upgrade/renewal #85777

Closed
nchaulet opened this issue Dec 14, 2020 · 13 comments
Labels
Team:Fleet Team label for Observability Data Collection Fleet team

Comments

@nchaulet
Member

Description

It's possible we add new permissions to Fleet API keys (like here #85761).

In this case we want:

  • to be able to regenerate the fleet_enroll user, this needs a user interaction:
  • to generate a new set of output API keys for the agents. The old API keys should be invalidated when the agents do not use them anymore.
@nchaulet nchaulet added the Team:Fleet Team label for Observability Data Collection Fleet team label Dec 14, 2020
@elasticmachine
Contributor

Pinging @elastic/ingest-management (Team:Ingest Management)

@jalvz
Contributor

jalvz commented Jan 26, 2021

@nchaulet Can you remind me of the consequences of this? Is it like an existing Elastic Agent would not work with an APM integration from a newer release?

@nchaulet
Member Author

@jalvz So the agent enrolled on a Kibana running a version < 7.11 and the user that used Fleet in Kibana < 7.11 will not be able to use the APM integration, as the API key will not have the trace-* permission.

@jalvz
Contributor

jalvz commented Jan 26, 2021

Got it, thanks.

@jalvz
Contributor

jalvz commented Feb 8, 2021

Just to make sure: this is still planned for 7.12, right?

@nchaulet
Member Author

nchaulet commented Feb 8, 2021

We did not do any work on that for 7.12. There are still a few discussions on how this should and I am wondering if we should do the work in Kibana or wait for Fleet Server for that, and for 7.12 document that you need to re-enroll your agent to have the correct permissions. cc @ruflin

@jalvz
Contributor

jalvz commented Feb 9, 2021

Ok, that is a bit unfortunate.
Can you update the label with the correct release target then?

Thanks

@ruflin
Contributor

ruflin commented Feb 15, 2021

We are in talks with the ES team about this issue and I hope we find a solution where we are not required to regenerate all API keys. If we have to regenerate, agree it needs to be done in fleet-server.

@ruflin
Contributor

ruflin commented Mar 9, 2021

I'm wondering if we implement elastic/fleet-server#101 and #94058 this issue might get resolved.

@nchaulet
Member Author

nchaulet commented Mar 9, 2021

> I'm wondering if we implement elastic/fleet-server#101 and #94058 this issue might get resolved.

This would move the problem away from Kibana and move the API key upgrade/renewal part to elastic/fleet-server#101

@ph
Contributor

ph commented Mar 9, 2021

I think you are correct here, that would make it a single flow and really clear the responsibility:

  • Fleet is responsible for listing the permissions based on the chosen integrations.
  • Fleet-server is responsible for managing the permissions.

@ruflin
Contributor

ruflin commented Mar 26, 2021

There is an issue here we found: elastic/fleet-server#101 (comment). Currently Beats does not reload the output when a new API key arrives.

@ruflin
Contributor

ruflin commented Mar 31, 2021

Going to close this issue as the solution here must happen in Beats / fleet-server and not Fleet.

@ruflin ruflin closed this as completed Mar 31, 2021