andrewkroh
commented
10 months ago Do we need to raise the minimum conditions.kibana.version in order for secrets to work? It's my understanding that there are known issues prior to 8.11.2.
Closed jsoriano closed 3 months ago
andrewkroh
commented
10 months ago Do we need to raise the minimum conditions.kibana.version in order for secrets to work? It's my understanding that there are known issues prior to 8.11.2.
kpollich
commented
10 months ago Do we need to raise the minimum conditions.kibana.version in order for secrets to work? It's my understanding that there are known issues prior to 8.11.2.
Yes there are a few known issues prior to 8.11.2 that have been fixed or are actively being backported:
It's not unlikely other issues will shake out with more integrations and teams using secrets heavily as part of this effort. If that happens we will provide guidance on Kibana versions with high impact fixes.
The absolute minimum version for secrets to function prior to any of these fixes is 8.10.0, but we likely want the best experience possible with these fixes and UX improvements so 8.11.2 is a better target as of right now.
joshdover
commented
10 months ago Do we need to raise the minimum
conditions.kibana.versionin order for secrets to work? It's my understanding that there are known issues prior to 8.11.2.
@kpollich Shouldn't older versions of Kibana (pre-secrets) still accept packages that have fields annotated with secret: true?
jsoriano
commented
10 months ago Do we need to raise the minimum
conditions.kibana.versionin order for secrets to work? It's my understanding that there are known issues prior to 8.11.2.@kpollich Shouldn't older versions of Kibana (pre-secrets) still accept packages that have fields annotated with
secret: true?
Yes, packages will still work in older versions of Kibana. Let me add a note about this in the description.
kpollich
commented
10 months ago Yes the secret flag will simply be ignored in older versions of Kibana. Newer stack versions will enjoy the security benefits of better secrets storage, but older stack versions will continue to work as they do now. If a user chooses to upgrade their stack, their policy secrets will be migrated to the new storage scheme whenever they perform an edit/upgrade operation on their package policy for a given package.
tommyers-elastic
commented
10 months ago am i understanding correctly?
secrets are ignored completely in kibana versions < 8.10.0. there are some issues with secrets in kibana versions between 8.10.0 - 8.11.1 inclusive. 8.11.2 is the recommended minimum kibana version for integrations using secrets.
also, is there some script or something for identifying potential secret fields? there quite a lot of secret_access_key fields in AWS packages, for example, that are missing from the tables above.
are the migrations of the packages listed above the responsibility of the teams listed in the headings, or will there be some automation to open PRs for packages/fields identified here? if PRs were opened for all the above, the PR review process would deal with the question of whether they are actually secrets or not, as opposed to having to edit the tables here, then make the changes.
thanks
jsoriano
commented
10 months ago secrets are ignored completely in kibana versions < 8.10.0. there are some issues with secrets in kibana versions between 8.10.0 - 8.11.1 inclusive. 8.11.2 is the recommended minimum kibana version for integrations using secrets.
Correct.
also, is there some script or something for identifying potential secret fields?
elastic-package will check for this for packages using format_version: "3.0.2". You can try to update any package to this version of the spec, and run elastic-package check, with the latest version of elastic-package.
there quite a lot of
secret_access_keyfields in AWS packages, for example, that are missing from the tables above.
Good point, we will review the list. We are doing it with a different script.
are the migrations of the packages listed above the responsibility of the teams listed in the headings, or will there be some automation to open PRs for packages/fields identified here?
Yes, migration of packages needs to be done by the owners of each package, and there is no available automation. We want each team to review each case, as the decision on considering a variable to be a secret or not is sensitive, and there are some consequences of the migration to secrets.
if PRs were opened for all the above, the PR review process would deal with the question of whether they are actually secrets or not, as opposed to having to edit the tables here, then make the changes.
Yeah, as PRs start to appear we can collectively keep the table updated.
jsoriano
commented
10 months ago there quite a lot of
secret_access_keyfields in AWS packages, for example, that are missing from the tables above.Good point, we will review the list. We are doing it with a different script.
There are indeed some secret candidates in AWS, description updated with more findings.
kpollich
commented
10 months ago Hi all, we've identified and fixed another bug with secrets that will land in 8.12: https://github.com/elastic/kibana/issues/172061
Thus, I've updated the advisory for the Kibana version constraint in the overview doc to 8.12.0. I'll send this same note out to the email thread as well.
romulets
commented
9 months ago Updated the table with Cloud Security Posture migrations. The ones that won't be migrated are explained on the linked PR
kpollich
commented
9 months ago Another secrets edge case fixed in 8.12.0: https://github.com/elastic/kibana/issues/173048 + https://github.com/elastic/kibana/pull/173115
romulets
commented
9 months ago We are rolling it back , because of https://github.com/elastic/kibana/issues/173718 which is blocking any integration creation on 8.13.0-SNAPSHOT at the moment
taylor-swanson
commented
9 months ago The SEI integrations are currently blocked by https://github.com/elastic/kibana/issues/173718 as well. I didn't test 8.13.0-SNAPSHOT, but did test the latest 8.12.0-SNAPSHOT (as of writing) and encountered the error there.
taylor-swanson
commented
9 months ago Looks like we have a regression in kibana/fleet/agent with rendering secret values. @ebeahan just ran into this (see his comment on the SEI issue here)
Policy:
- set: target: header.XSignatureBase value: >- [[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "${SECRET_2}" "${SECRET_0}" (.header.Get "XTimestamp") uuid ]]Rendered:
- set: target: header.XSignatureBase value: '[[ sprintf "EG1-HMAC-SHA256 client_token=%s;access_token=%s;timestamp=%s;nonce=%s;" "$co.elastic.secret{eooc1YwBApAOY4Ce5tv2}" "$co.elastic.secret{eYoc1YwBApAOY4Ce5tv2}" (.header.Get "XTimestamp") uuid ]]'
I also observed this in practice with the system test in the akamai package (excerpt from the logs showing the authorization header, note the unexpanded values):
'Authorization: [EG1-HMAC-SHA256 client_token=$co.elastic.secret{GK_j1IwBnC-aiHiLhKgR};access_token=$co.elastic.secret{Fq_j1IwBnC-aiHiLhKgQ};timestamp=20240104T14:32:20+0000;nonce=300953b6-e8ea-4ab0-b001-a8c2b5e4fb7c;signature=u153JJMjirDHWIN4vCGlWDW6z6yeWvuXMn2KFJ+O3Wk=]'
ebeahan
commented
9 months ago Looks like we have a regression in kibana/fleet/agent with rendering secret values.
I also see the same rendering issue in 8.11.3, so it may be an unhandled use case instead of a regression.
kpollich
commented
9 months ago Thanks @taylor-swanson and @ebeahan for raising this.
This looks like a bug in Fleet Server's secrets rendering logic when multiple secret values appear in a multiline string.
@juliaElastic @michel-laterman would you be able to take a look at this? I'll also start investigating and see what I can come up with.
jlind23
commented
9 months ago @juliaElastic @michel-laterman would also be great to come up with some unit test for this to avoid any further problem. Does it sound good to you?
juliaElastic
commented
9 months ago I can take a look at this today.
juliaElastic
commented
9 months ago Reproduced the issue locally and it was really a problem with multiple secret refs in one variable. Added a fix and unit test in this pr: https://github.com/elastic/fleet-server/pull/3206
jsoriano
commented
8 months ago Hey @romulets, I see you marked some fields as won't migrate. An option for these fields would be to mark them as secret: false, this way the validators will ignore them and they won't be migrated nor need to be.
kaiyan-sheng
commented
8 months ago An option for these fields would be to mark them as
secret: false, this way the validators will ignore them and they won't be migrated nor need to be.
Hi @jsoriano 👋 Does that mean it's preferred to have secret: false to mark the related fields that are not secret? For example with AWS credentials, the access key ID is secret: false, and secret access key is secret: true. Even though access key ID is not a secret variable but still good to mark it with false?
ishleenk17
commented
8 months ago this way the validators will ignore them and they won't be migrated nor need to be.
@jsoriano : Do these validators apply to the fields you have listed above for the Integrations, or to all the fields other than secret fields in the manifest file?
ritalwar
commented
8 months ago Do these validators apply to the fields you have listed above for the Integrations, or to all the fields other than secret fields in the manifest file?
From my understanding and testing, the validator is only applied to identified secret fields, not to other fields. However, if the validator raises an error for a field that we believe shouldn't be secret, we can mark it as false and validator will ignore it.
ritalwar
commented
8 months ago Hey @jsoriano, I'm uncertain about the criteria used by the script to detect secret fields. Perhaps it considers fields with the type "password"? For instance, in azure_app_service, the storage_account_key is of type text, but it should be marked as secret. The same situation applies to kafka.ssl.key_passphrase, which should be a secret field but was not identified by the validator. However, I noticed in the tables above that http.ssl.key_passphrase and tcp.ssl.key_passphrase in the synthetics package were correctly identified as secret, even though they are of type text. In any case, I assume it's okay for me to designate these fields as secret, even if the validator isn't identifying them. Edit: Actually, many text-type fields are correctly recognized as secret, so the ones I mentioned might be missed for another reason.
jsoriano
commented
8 months ago Do these validators apply to the fields you have listed above for the Integrations, or to all the fields other than secret fields in the manifest file?
From my understanding and testing, the validator is only applied to identified secret fields, not to other fields. However, if the validator raises an error for a field that we believe shouldn't be secret, we can mark it as false and validator will ignore it.
Exactly, thanks Richa for the clarification.
I'm uncertain about the criteria used by the script to detect secret fields. Perhaps it considers fields with the type "password"?
Yes, fields of type password are always considered secrets by the script and the validators.
azure_app_service, the storage_account_key is of type text, but it should be marked as secret
Yes, something seems to be wrong there, I will take a look to the script. This one is also not detected by elastic-package check :thinking:
kafka.ssl.key_passphrase, which should be a secret field but was not identified by the validator
The script has found a kafka/metrics.ssl.key_passphrase, could this be this one?
ritalwar
commented
8 months ago The script has found a
kafka/metrics.ssl.key_passphrase, could this be this one?
Yes, that's the one. Maybe it was missed in the table, but I updated it some time back. Thanks for checking!
ritalwar
commented
8 months ago Yes, something seems to be wrong there, I will take a look to the script. This one is also not detected by
elastic-package check🤔
Also, I've noticed that in the case of azure_functions, the validator identifies 'connection_string' as a secret, whereas it doesn't do so for azure, azure_app_service, and azure_frontdoor(for connection_string). Not sure if there are more cases like this.
jsoriano
commented
8 months ago I've noticed that in the case of azure_functions, the validator identifies 'connection_string' as a secret, whereas it doesn't do so for azure, azure_app_service, and azure_frontdoor(for connection_string).
It looks like connection_string is of type password for azure_functions, but not for other packages.
ritalwar
commented
8 months ago It looks like
connection_stringis of typepasswordforazure_functions, but not for other packages.
But validator works well in some cases where fields are of type text, like session_token and access_key_id for AWS.
jsoriano
commented
8 months ago It looks like
connection_stringis of typepasswordforazure_functions, but not for other packages.But validator works well in some cases where fields are of type text, like session_token and access_key_id for AWS.
Yes. All fields of type password are considered potential secrets, independetly of their names. For all the rest we try to guess by the name.
ebeahan
commented
8 months ago Due to the known issues, it is recommended to use kibana.version: ^8.11.2 when using secrets, but older versions can still be used for packages that work in a broad range of versions.
Can we confirm the recommended version to target? I believe there's at least one issue (https://github.com/elastic/kibana/issues/173718) fixed for 8.12 but not back ported to 8.11.
kpollich
commented
8 months ago Can we confirm the recommended version to target? I believe there's at least one issue (https://github.com/elastic/kibana/issues/173718) fixed for 8.12 but not back ported to 8.11.
8.12 contains fixes for all of the above, so we recommend targeting 8.12 at this point. The adoption doc was updated a few weeks ago to mention the new recommend version constraints of ^8.12.0, but I'll double check backports to see if a patch release target is better.
(Edit) All fixes mentioned in the description are present in 8.12.0, so that recommendation still stands.
tetianakravchenko
commented
8 months ago hey @jsoriano. I've checked the suggestions for the kubernetes package - all the secret candidates are bearer_token_file, but it is not a secret, it is a path to the file (/var/run/secrets/kubernetes.io/serviceaccount/token).
Yes. All fields of type password are considered potential secrets, independetly of their names. For all the rest we try to guess by the name.
validator assumes it from the name in this case, right? Should I just mark those as secret: false or maybe it makes also sense to adjust validation?
jsoriano
commented
8 months ago hey @jsoriano. I've checked the suggestions for the
kubernetespackage - all the secret candidates arebearer_token_file, but it is not a secret, it is a path to the file (/var/run/secrets/kubernetes.io/serviceaccount/token).Yes. All fields of type password are considered potential secrets, independetly of their names. For all the rest we try to guess by the name.
validator assumes it from the name in this case, right? Should I just mark those as
secret: falseor maybe it makes also sense to adjust validation?
In principle mark them with secret: false, yes.
Regarding changing the validation, what would be the proposal, to discard names ending with _file?
jsoriano
commented
8 months ago discard names ending with
_file?
Looking to the candidates this can be a good option, yes.
jsoriano
commented
8 months ago Open PR to discard variables whose name ends with _file (https://github.com/elastic/package-spec/pull/712). Should we do the same with variables ending with _url?
@elastic/security-service-integrations you maintain some packages with fields called like token_url, can we assume that these are not secrets?
taylor-swanson
commented
8 months ago @jsoriano,
@elastic/security-service-integrations you maintain some packages with fields called like
token_url, can we assume that these are not secrets?
For the changes I made for #8725, I marked token_url fields as not a secret (secret: false).
jsoriano
commented
8 months ago Thanks @taylor-swanson for confirming, I will discard also variables ending in _url https://github.com/elastic/package-spec/pull/712
jsoriano
commented
7 months ago Updated list in the description removing files and urls.
ebeahan
commented
7 months ago How are teams handling the SSL configurations as we're migrating?
Integrations specify the SSL config as a yaml field, and it could have a mix of sensitive and non-sensitive date (credit to @andrewkroh for pointing out in https://github.com/elastic/kibana/issues/154715#issuecomment-1708651146). For example, users can potentially embed a private key directly into their config instead of specifying a file.
A proposed solution was splitting the ssl YAML field into distinct vars (https://github.com/elastic/kibana/issues/154715#issuecomment-1709850062). Are folks taking that approach as part of these migrations?
paulb-elastic
commented
6 months ago For Synthetics, we already encrypt sensitive fields in the Kibana saved objects as defined here, so should align these to those we mark as secure in the agent policy (cc @smith).
lalit-satapathy
commented
6 months ago A brief update on the secrets migration for o11y integration:
While we have migrated the large number of integrations to enable secrets, there are handful packages where password is embedded as part of the host URI.
For such cases, it would require changes, to ensure that the password field is passed independently and then marked as secret. This may not be a small change (We also need to ensure we do these changes in a non-breaking way), we are working it on case-by-case basis here.
justinkambic
commented
5 months ago Regarding Synthetics, here is a list of all the secret fields we have, if they should correspond to the integration.
kpollich
commented
5 months ago Hey folks FYI we have merged some UX improvements to smooth the onboarding experience with secrets on long-lived clusters that have been upgraded across stack versions: https://github.com/elastic/kibana/pull/178045. This will land in 8.14, but but changes don't necessitate changing our target version for secrets.
jlind23
commented
5 months ago @bturquet can we get an update on aws, azure and synthetics? @pierrehilbert the windows integration is flagged as owned by us but I do believe this is rather owned by @norrietaylor and his team right?
paulb-elastic
commented
5 months ago @bturquet can we get an update on aws, azure and synthetics?
@jlind23 for synthetics, this will need to be done by the Infra&Services team, so pinging @smith (rather than @bturquet) for this one
pierrehilbert
commented
5 months ago @jlind23 yes this is part of @nfritts's scope.
smith
commented
5 months ago Added this issue for synthetics changes: https://github.com/elastic/synthetics-dev/issues/355
andrewkroh
commented
5 months ago Problem statement
Nearly every package that supports TLS includes a YAML textarea to specify arbitrary settings, some of which are sensitive. Fleet added the ability to mark variables as secrets, and after saving this makes it impossible to read the values back for editing. This is a bad user experience.
Solutions
ssl.key would be merged into the existing user defined ssl map). Existing deployments would have to be manually updated to take advantage of secrets but would not be required to. There would not be any means to force into using the secrets versus putting them into the YAML.Solution 1 would be best for users but is there some team that would want to add a new UI component for the TLS config options?
Solution 3 could be implemented immediately by package developers and would not cause any breaking changes for users. But the UX and DX are inferior compared to solution 1. For this packages would add new secret manifest variables for:
The handlebar templates would keep the existing ssl: YAML key but add new ones.
{{if ssl_certificate_key}}
ssl.key: {{escape_string ssl_certificate_key}}
{{end}}
{{if ssl_key_password}}
ssl.key_password: {{escape_string ssl_key_password}}
{{end}}
{{if ssl}}
ssl:
{{ssl}}
{{end}}Fleet could provide a UI component tailored to the TLS config options that all Beats share. This would provide the best user experience because editing YAML is error prone and lacks validation. Fleet UI would be able to migrate existing config, treat sensitive data as secret, and render the config appropriately in the YAML handlebar template.
I think this is the best option from UX perspective to be sure. We can create a new tls type variable that maps to an opinionated UI component for setting these TLS settings. This would require another rollout/adoption process across integrations, but would overall feel like the right solution to me.
I would definitely be curious to see if there are teams who don't want this, and who value the existing UX around TLS settings. Or, if there are packages that have slight variations on the TLS fields that wouldn't be able to migrate to the new workflow.
We are driving an effort to encourage the declaration of secret variables in packages configurations. The use of secret variables highly decreases the risk of leaking secrets in log and configuration files.
Find below a list of variables that we consider secret candidates, sorted by owner.
For these variables, we ask the teams to evaluate if they are actually secrets. If they are, mark them with
secret: true, if they aren't, mark them withsecret: false.For packages reviewed, we recommend to update to
format_version: "3.0.2"to avoid regressions on these fields. Starting on this version the use ofsecretis required for variables that look like secrets.Secrets are supported since Kibana 8.10.0, but there are known issues till 8.11.2. Packages using
secret: truewill also work in older versions, but secrets won't be used. Due to the known issues, it is recommended to usekibana.version: ^8.11.2when using secrets, but older versions can still be used for packages that work in a broad range of versions.As a reminder, these are the consequences of enabling secrets:
We will use this issue to keep track of the progress on this migration.
Issues uncovered during migration efforts
We'll track notable issues uncovered as part of the migration efforts here.
Version target recommendation
All fixes for the above known issues are present in Kibana version 8.12.0. So, the recommended target version constraint for integrations using secrets is
^8.12.0.Codeowner: @elastic/cloud-security-posture
Secret candidates:
Codeowner: @elastic/security-service-integrations
Secret candidates:
Codeowner: @elastic/obs-ds-hosted-services
Secret candidates:
Codeowner: @elastic/obs-ds-intake-services
Secret candidates:
Codeowner: @elastic/obs-infraobs-integrations
Secret candidates:
Codeowner: @elastic/obs-ux-infra_services-team
https://github.com/elastic/synthetics-dev/issues/355
Secret candidates:
Codeowner: @elastic/sec-deployment-and-devices
Secret candidates:
Codeowner: @elastic/security-service-integrations
Secret candidates:
Codeowner: @elastic/stack-monitoring
Secret candidates:
Codeowner: @elastic/profiling
Secret candidates:
cc @elastic/ecosystem @kpollich @jillguyonnet