cloud-gov / product

Program-level artifacts, workflow and issues for cloud.gov
Creative Commons Zero v1.0 Universal
31 stars 15 forks source link

Determine if customers can access Kibana for their brokered ES instance #2760

Open markdboyd opened 12 months ago

markdboyd commented 12 months ago

Background

See https://gsa-tts.slack.com/archives/GS7RNLM1N/p1699292497648179

To do

markdboyd commented 11 months ago

I did some initial investigation here. Findings:

It should be possible to use the brokered credentials to sign requests to the ES domain, but other than using a proxy I'm not sure how to sign the requests to Kibana for the domain.

markdboyd commented 7 months ago

Reverse proxy

After discussion with the team, it was suggested to use a reverse proxy deployed as an app which could talk to the ES/OS instance and display its Kibana/Dashboard.

AWS even has an example proxy which handles the request signing properly and can be configured to use brokered credentials for an instance:

https://github.com/awslabs/aws-sigv4-proxy

The only problem with using this proxy is that works almost too well: because the requests are signed by the brokered IAM credentials, they don't require any credentials to log in to the Kibana/Dashboard itself.

The AWS docs even call out that you can't use both IAM credentials and fine-grained access controls at the same time:

If a resource-based access policy contains IAM roles or users, clients must send signed requests using AWS Signature Version 4. As such, access policies can conflict with fine-grained access control, especially if you use the internal user database and HTTP basic authentication. You can't sign a request with a username and password and IAM credentials. In general, if you enable fine-grained access control, we recommend using a domain access policy that doesn't require signed requests.

However, I don't think we want to remove the IAM users from our brokered instances access policies, since that is how we guarantee that customers can only talk to their specific instances.

Dashboard SSO

Another, completely different option is using Dashboard SSO which is a built-in feature of the service broker API. I'm still grasping how it works, but it seems like it would be something like:

Questions/thoughts

markdboyd commented 7 months ago

After discussion with @spgreenberg and @mogul, we determined that the dashboard SSO is the only viable path forward here because:

I have taken some initial steps towards this implementation:

The next steps would be:

markdboyd commented 7 months ago

Notes on verifying JWTs:

mogul commented 7 months ago

I don't think you need this:

  • If logged in, should show list of ES/OpenSearch services
  • Once an instance is selected, should use AWS proxy to show Kibana/Dashboards for instance

The dashboard_url that is provided to clients along with the other instance details should be specific for that instance, not identical for all of them.

For instance:

dashboard_url: https://dashboards.fr.cloud.gov/SERVICEGUID/INSTANCEGUID

If you later decide you do want to offer folks some kind of navigation/chooser, then you can make this functional...but that's not what gets supplied in dashboard_url:

dashboard_chooser: https://dashboards.fr.cloud.gov/SERVICEGUID

Or even

dashboards: https://dashboards.fr.cloud.gov

But that goes into UX issues that are best left to the overall platform UI. And you can support that by only implementing the first case, so don't overdo it!