elastic / fleet-server

The Fleet server allows managing a fleet of Elastic Agents.

Fleet should sanity check values #644

Closed michel-laterman closed 3 months ago

michel-laterman commented 3 years ago

The fleet-server currently does no additional validation for config values; anything that is parsable by Go is passed to fleet. This may result in values such as a negative duration being accepted and passed down.

For example, durations (for cache config) can be set to negative numbers in Kibana (also, jitter in this example is greater than any TTL):

cache:
  ttl_action: 30s
  ttl_enroll_key: 30
  ttl_artifact: 3.14
  ttl_api_key: -10
  jitter_api_key: 1h

Leading to the following config running on an elastic-agent running fleet-server:

bash-4.2$ ./elastic-agent inspect
agent:
  monitoring:
    enabled: true
    logs: true
    metrics: true
    namespace: default
    use_output: default
fleet:
  hosts:
  - http://fleet-server:8220
id: 76c1fdc0-003e-11ec-b5c2-a1b08d7aa65f
inputs:
- cache:
    jitter_api_key: 1h
    ttl_action: 30s
    ttl_api_key: -10
    ttl_artifact: 3.14
    ttl_enroll_key: 30
  data_stream:
    namespace: default
  id: 9ffbad09-d751-44fc-b193-81a72f59363d
  meta:
    package:
      name: fleet_server
      version: 1.0.1
  name: fleet_server-1
  revision: 11
  server:
    host: 0.0.0.0
    port: 8220
  type: fleet-server
  use_output: default
output_permissions:
  default:
    _elastic_agent_checks:
      cluster:
      - monitor
      indices:
      - names:
        - logs-elastic_agent-default
        - logs-elastic_agent.elastic_agent-default
        - logs-elastic_agent.apm_server-default
        - logs-elastic_agent.filebeat-default
        - logs-elastic_agent.fleet_server-default
        - logs-elastic_agent.metricbeat-default
        - logs-elastic_agent.osquerybeat-default
        - logs-elastic_agent.packetbeat-default
        - logs-elastic_agent.endpoint_security-default
        - logs-elastic_agent.auditbeat-default
        - metrics-elastic_agent-default
        - metrics-elastic_agent.elastic_agent-default
        - metrics-elastic_agent.apm_server-default
        - metrics-elastic_agent.filebeat-default
        - metrics-elastic_agent.fleet_server-default
        - metrics-elastic_agent.metricbeat-default
        - metrics-elastic_agent.osquerybeat-default
        - metrics-elastic_agent.packetbeat-default
        - metrics-elastic_agent.endpoint_security-default
        - metrics-elastic_agent.auditbeat-default
        privileges:
        - auto_configure
        - create_doc
outputs:
  default:
    api_key: kvQFWnsBEcj4LkotX0C4:N3QIZQdLScKGbehBjVuMGw
    hosts:
    - http://elasticsearch:9200
    type: elasticsearch
revision: 11

And the fleet-server logs have no issues accepting these values (negative numbers, jitter > TTL):

{"log.level":"info","service.name":"fleet-server","service.name":"fleet-server","@timestamp":"2021-08-18T17:53:49.021Z","message":"Server configuration update"}
{"log.level":"info","service.name":"fleet-server","service.name":"fleet-server","status":"CONFIGURING","@timestamp":"2021-08-18T17:53:49.021Z","message":"Re-configuring"}
{"log.level":"info","service.name":"fleet-server","service.name":"fleet-server","cfg":{"NumCounters":500000,"MaxCost":52428800,"ActionTTL":30000000000,"ApiKeyTTL":-10000000000,"EnrollKeyTTL":30000000000,"ArtifactTTL":3140000000,"ApiKeyJitter":3600000000000},"@timestamp":"2021-08-18T17:53:49.022Z","message":"Reconfigure cache"}

cc: @scunningham
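A sketch of the sanity check the issue asks for, added here as an example and not taken from fleet-server's code. The `CacheConfig` type, the `Validate` method and the rules themselves (TTLs must be positive, jitter must be non-negative and smaller than the API key TTL) are assumptions; the sample values are the ones in the "Reconfigure cache" log line above.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// CacheConfig is a hypothetical stand-in that reuses the field names from
// the "Reconfigure cache" log line; it is not fleet-server's own type.
type CacheConfig struct {
	ActionTTL, ApiKeyTTL, EnrollKeyTTL, ArtifactTTL, ApiKeyJitter time.Duration
}

// Validate collects every out-of-range value so the whole policy can be
// fixed in one pass. The rules are assumptions, not project policy.
func (c CacheConfig) Validate() error {
	var problems []string
	ttls := []struct {
		name string
		val  time.Duration
	}{
		{"ttl_action", c.ActionTTL}, {"ttl_api_key", c.ApiKeyTTL},
		{"ttl_enroll_key", c.EnrollKeyTTL}, {"ttl_artifact", c.ArtifactTTL},
	}
	for _, t := range ttls {
		if t.val <= 0 {
			problems = append(problems, fmt.Sprintf("%s must be positive, got %s", t.name, t.val))
		}
	}
	// Jitter at or above the TTL would let it swamp the TTL entirely.
	if c.ApiKeyJitter < 0 || c.ApiKeyJitter >= c.ApiKeyTTL {
		problems = append(problems, fmt.Sprintf(
			"jitter_api_key must be in [0, ttl_api_key), got %s with ttl_api_key %s",
			c.ApiKeyJitter, c.ApiKeyTTL))
	}
	if len(problems) == 0 {
		return nil
	}
	return fmt.Errorf("invalid cache config: %s", strings.Join(problems, "; "))
}

// issueExample returns the durations logged in the issue (30s, -10s, 30s, 3.14s, 1h).
func issueExample() CacheConfig {
	return CacheConfig{
		ActionTTL: 30 * time.Second, ApiKeyTTL: -10 * time.Second, EnrollKeyTTL: 30 * time.Second,
		ArtifactTTL: 3140 * time.Millisecond, ApiKeyJitter: time.Hour,
	}
}

func main() { fmt.Println(issueExample().Validate()) }
```

Rejecting the update before "Reconfigure cache" is logged keeps the previous, valid cache settings in place instead of applying a negative TTL.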

jlind23 commented 3 months ago

Closing this one as outdated, we will reopen it later if required. cc @ycombinator