elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[filebeat][azure-blob-storage] - Add support for authorization via Microsoft Entra ID / RBAC #40434

Open ShourieG opened 1 month ago

ShourieG commented 1 month ago

Describe the enhancement: Add support for authorization via Microsoft Entra ID / RBAC

Describe a specific use case for the enhancement or feature: Currently the azure-blob-storage input handles client auth via shared key credentials and connection strings, but this is inherently insecure according to recent recommendations by Microsoft as outlined by this article. To mitigate security issues we need to add auth support via Microsoft Entra ID. This will require us to overhaul the client auth process and change certain internal auth structs to get it working. The sample code below shows an example of how to get Microsoft Entra ID auth working with the blob storage sdk utilizing the azidentity sdk.

```go
package main

import (
	"fmt"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
)

func main() {
	// Define the Azure AD (Microsoft Entra ID) credentials
	tenantID := "your-tenant-id"
	clientID := "your-client-id"
	clientSecret := "your-client-secret"

	// Create a ClientSecretCredential; it implements azcore.TokenCredential
	cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)
	if err != nil {
		log.Fatalf("failed to create client secret credential: %v", err)
	}

	// Define the Azure Blob Storage account URL
	accountName := "your_account_name"
	blobURL := fmt.Sprintf("https://%s.blob.core.windows.net/", accountName)

	// Create a new service client with the Azure credential. In azblob v1.x the
	// constructor is NewClient and the result is an *azblob.Client.
	serviceClient, err := azblob.NewClient(blobURL, cred, nil)
	if err != nil {
		log.Fatalf("failed to create blob service client: %v", err)
	}
	_ = serviceClient // ready for container and blob operations
}
```

Using this process of authentication we will require the tenantID, clientID & clientSecret as inputs from the user's end. More info regarding this is detailed here and here.

This process however creates a service client of a different type ("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob").Client and is incompatible with our current service client which is of type ("github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service").Client, so the necessary changes need to be made under the hood to get this working.
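The configuration step the post above implies (tenant ID, client ID and client secret supplied by the user, next to the existing shared-key and connection-string modes), written out as an added example; this is not Beats code, and the `AuthConfig` field names, error strings and sample values are hypothetical rather than Filebeat's real configuration keys. It rejects empty, ambiguous and incomplete credential sets at startup and masks secrets before the effective config is logged.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AuthMode identifies which of the three credential flavours the input uses.
type AuthMode int

const (
	AuthUnset AuthMode = iota
	AuthSharedKey
	AuthConnectionString
	AuthEntraID
)

func (m AuthMode) String() string {
	switch m {
	case AuthSharedKey:
		return "shared_key"
	case AuthConnectionString:
		return "connection_string"
	case AuthEntraID:
		return "entra_id"
	}
	return "unset"
}

// AuthConfig holds the user-supplied settings. Field names are hypothetical
// and do not match Filebeat's real configuration keys.
type AuthConfig struct {
	AccountName      string
	SharedKey        string
	ConnectionString string
	TenantID         string
	ClientID         string
	ClientSecret     string
}

// SelectAuthMode decides which credential to build. It fails on an empty
// config, on several modes being set at once, and on an Entra ID config that
// is missing any of its three required fields, so misconfiguration surfaces
// at startup instead of at the first request to the storage account.
func SelectAuthMode(c AuthConfig) (AuthMode, error) {
	var modes []AuthMode
	if c.SharedKey != "" {
		modes = append(modes, AuthSharedKey)
	}
	if c.ConnectionString != "" {
		modes = append(modes, AuthConnectionString)
	}
	if c.TenantID != "" || c.ClientID != "" || c.ClientSecret != "" {
		modes = append(modes, AuthEntraID)
	}
	switch len(modes) {
	case 0:
		return AuthUnset, errors.New("no credentials configured")
	case 1:
	default:
		return AuthUnset, fmt.Errorf("ambiguous credentials: %v configured, choose exactly one", modes)
	}
	mode := modes[0]
	if mode == AuthEntraID {
		var missing []string
		if c.TenantID == "" {
			missing = append(missing, "tenant_id")
		}
		if c.ClientID == "" {
			missing = append(missing, "client_id")
		}
		if c.ClientSecret == "" {
			missing = append(missing, "client_secret")
		}
		if len(missing) > 0 {
			return AuthUnset, fmt.Errorf("entra_id auth requires %s", strings.Join(missing, ", "))
		}
	}
	// A connection string carries its own endpoint; the other modes need the
	// account name to build the https://<account>.blob.core.windows.net/ URL.
	if mode != AuthConnectionString && c.AccountName == "" {
		return AuthUnset, errors.New("account_name is required")
	}
	return mode, nil
}

// Redacted returns a copy with every secret masked, so the effective config
// can be logged without leaking the key, connection string or client secret.
func (c AuthConfig) Redacted() AuthConfig {
	mask := func(s string) string {
		if s == "" {
			return ""
		}
		return "<redacted>"
	}
	c.SharedKey, c.ConnectionString, c.ClientSecret = mask(c.SharedKey), mask(c.ConnectionString), mask(c.ClientSecret)
	return c
}

func main() {
	// Constructed sample configs with placeholder values, not real credentials.
	for _, cfg := range []AuthConfig{
		{AccountName: "demo", TenantID: "t", ClientID: "c", ClientSecret: "s"},
		{AccountName: "demo", TenantID: "t", ClientID: "c"},
		{AccountName: "demo", SharedKey: "k", ClientSecret: "s"},
	} {
		mode, err := SelectAuthMode(cfg)
		fmt.Printf("%+v -> mode=%s err=%v\n", cfg.Redacted(), mode, err)
	}
}
```

Only the selection and masking are shown; the chosen mode would then be handed to the matching SDK constructor (`azidentity.NewClientSecretCredential` for the Entra ID case, as in the snippet above).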

elasticmachine commented 1 month ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)