Open elasticmachine opened 6 years ago
Original comment by @tvernum:
// CC: @elastic/es-security
Original comment by @jkakavas:
My gut feeling is that
> More explicit output in the tool
would be the lesser evil.
> Docs (but we have docs, so we'd need to do something fundamentally better/different than what we have now)
In this case, I think it's more of a "users might not read documentation" problem than a "documentation is not clear enough" one.
Since this is (I think) mostly about users attempting to login to Kibana with the `kibana` user, should we revisit the discussion about renaming `kibana` to `kibana_system` that was started in LINK REDACTED? (I added the :Discuss label to that one while re-triaging and labeling before seeing this issue)
Original comment by @tvernum:
> Since this is (I think) mostly about users attempting to login to Kibana with the kibana user
Mostly, but not entirely. The issue was prompted by a forum post where `logstash_system` was being used in a pipeline, so while the "system" suffix will probably help, it's not the whole solution.
Original comment by @albertzaharovits:
Here's my 2 cents:
1. Use `setup-passwords auto` mode instead of manual. It is auto in the guide but manual in the reference. The idea is that a long auto-generated password should discourage humans from using them.
2. A `kibana_admin` human-friendly user, that can add other users and read anything (`kibana_user` role), and recommend it in the installing kibana-xpack guide.
3. For `kibana` and `logstash_system`: the config entries where they should go, eg. `elasticsearch.username` inside `kibana.yml`. I would not link to docs, I fear links could get stale.
Original comment by @bizybot:
All good ideas, sharing an alternative here.
As this is like an app-to-app communication that we want to authenticate, why not use certificate-based authentication?
This would involve enabling `client_authentication` during setup; not sure of the work on the client side (like Kibana, Logstash) to use certs instead of configured credentials. Plus there is the certificate management, but IMO this seems more right to me than using passwords, as this is more explicit about the usage.
Original comment by @tvernum:
> As this is like an app to app communication that we want to authenticate, why not use certificate-based authentication.
We need to do a better job of making certificate-based auth easier for customers to use, but the issues are:
Original comment by @tvernum:
The problem is that once a customer runs `setup-passwords` they're given the userids and passwords for 3 users that can be quite misleading.
Since releasing `setup-passwords` in 6.0, we've seen an (anecdotal) increase in the number of customers who are using `kibana` to login to Kibana and `logstash_system` for their logstash pipelines. And it makes sense that if users don't read the docs thoroughly, and they run the required tool and it gives them 3 users+passwords, then they'll go and use those users.
Possible solutions:
  "Do you want to setup some logins for Kibana?"
  "Do you want to setup a user for logstash pipelines?"
I think it's hard to do well, but it's an option.
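
The misuse the thread describes (the `kibana` built-in user used to log in to Kibana, `logstash_system` used as the credential of a pipeline output) is something an operator can check for in configuration. The following checker is an added example written for this page; it is not Elastic's tooling and not one of the options proposed above. The `kibana.yml` key `elasticsearch.username` is the one named in the thread; the `logstash.yml` monitoring key, the matching rules and the sample config files are assumptions constructed for the example.

```python
import re

# Built-in users that exist for a single internal connection each, mapped to
# the config file and key where that credential belongs. The kibana.yml key is
# the one named in the thread; the logstash.yml monitoring key is an assumption
# about the Logstash monitoring settings and is not stated on this page.
SYSTEM_USERS = {
    "kibana": {"kibana.yml": "elasticsearch.username"},
    "logstash_system": {"logstash.yml": "xpack.monitoring.elasticsearch.username"},
}

# `key: value` lines in a flat YAML file (quotes optional, comment lines skipped).
YAML_KV = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*:\s*"?([^"#\s]+)"?', re.M)
# `user => "name"` inside a Logstash pipeline definition.
LS_USER = re.compile(r'\buser\s*=>\s*"([^"]+)"')


def find_misuse(files):
    """files: {basename: contents}. Returns [(filename, user, reason), ...]
    for every place a system user appears outside its intended config key."""
    findings = []
    for name, text in files.items():
        if name.endswith(".yml"):
            for key, value in YAML_KV.findall(text):
                if value not in SYSTEM_USERS:
                    continue
                expected = SYSTEM_USERS[value].get(name)
                if key != expected:
                    where = f"{expected} in {name}" if expected else "a different file"
                    findings.append((name, value, f"set at {key}; belongs only at {where}"))
        elif name.endswith(".conf"):
            for user in LS_USER.findall(text):
                if user in SYSTEM_USERS:
                    findings.append((name, user,
                                     "used in a pipeline output; create a dedicated user and role instead"))
    return findings


# Constructed sample configs (not taken from the thread): the first two place
# the system users where they belong, the last two repeat the misuse the
# thread describes.
SAMPLE_FILES = {
    "kibana.yml": (
        'server.host: "0.0.0.0"\n'
        'elasticsearch.username: "kibana"\n'
        'elasticsearch.password: "changeme"\n'
    ),
    "logstash.yml": (
        "xpack.monitoring.enabled: true\n"
        "xpack.monitoring.elasticsearch.username: logstash_system\n"
        "xpack.monitoring.elasticsearch.password: changeme\n"
    ),
    "pipeline.conf": (
        "output {\n"
        "  elasticsearch {\n"
        '    hosts => ["https://es:9200"]\n'
        '    user => "logstash_system"\n'
        '    password => "changeme"\n'
        "  }\n"
        "}\n"
    ),
    "other-app.yml": (
        "# a second tool that copied the kibana credentials printed by setup-passwords\n"
        "elasticsearch.username: kibana\n"
        "elasticsearch.password: changeme\n"
    ),
}


if __name__ == "__main__":
    for name, user, reason in find_misuse(SAMPLE_FILES):
        print(f"{name}: {user}: {reason}")
```

Run against the constructed samples, the two correctly placed credentials produce nothing and the two misplaced ones are reported. The matching is deliberately by file basename plus exact key, so a system user copied into any other file, or into the wrong key of the right file, is flagged; extend `SYSTEM_USERS` with the same shape for other built-in users you want to police.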