Open markdboyd opened 12 months ago
I did some initial investigation here. Findings:
/etc/hosts
or SOCKS5 proxying to access the domain host over the tunnel, otherwise you will get certificate errors Even if you create the tunnel successfully, the domain security config doesn't allow incoming traffic from anonymous users, so you would get an error like:
User: anonymous is not authorized to perform: es:ESHttpGet
It should be possible to use the brokered credentials to sign requests to the ES domain, but other than using a proxy I'm not sure how to sign the requests to Kibana for the domain.
After discussion with the team, it was suggested to use a reverse proxy deployed as an app which could talk to the ES/OS instance and display its Kibana/Dashboard.
AWS even has an example proxy which handles the request signing properly and can be configured to use brokered credentials for an instance:
https://github.com/awslabs/aws-sigv4-proxy
The only problem with using this proxy is that works almost too well: because the requests are signed by the brokered IAM credentials, they don't require any credentials to log in to the Kibana/Dashboard itself.
If a resource-based access policy contains IAM roles or users, clients must send signed requests using AWS Signature Version 4. As such, access policies can conflict with fine-grained access control, especially if you use the internal user database and HTTP basic authentication. You can't sign a request with a username and password and IAM credentials. In general, if you enable fine-grained access control, we recommend using a domain access policy that doesn't require signed requests.
However, I don't think we want to remove the IAM users from our brokered instances access policies, since that is how we guarantee that customers can only talk to their specific instances.
Another, completely different option is using Dashboard SSO which is a built-in feature of the service broker API. I'm still grasping how it works, but it seems like it would be something like:
dashboard_url
propertyQuestions/thoughts
After discussion with @spgreenberg and @mogul, we determined that the dashboard SSO is the only viable path forward here because:
I have taken some initial steps towards this implementation:
The next steps would be:
dashboard_client
pointing at the new dashboard service proxyNotes on verifying JWTs:
I don't think you need this:
- If logged in, should show list of ES/OpenSearch services
- Once an instance is selected, should use AWS proxy to show Kibana/Dashboards for instance
The dashboard_url
that is provided to clients along with the other instance details should be specific for that instance, not identical for all of them.
For instance:
dashboard_url: https://dashboards.fr.cloud.gov/SERVICEGUID/INSTANCEGUID
If you later decide you do want to offer folks some kind of navigation/chooser, then you can make this functional...but that's not what gets supplied in dashboard_url
:
dashboard_chooser: https://dashboards.fr.cloud.gov/SERVICEGUID
Or even
dashboards: https://dashboards.fr.cloud.gov
But that goes into UX issues that are best left to the overall platform UI. And you can support that by only implementing the first case, so don't overdo it!
Background
See https://gsa-tts.slack.com/archives/GS7RNLM1N/p1699292497648179
To do