elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.6k stars 8.22k forks source link

[Fleet] Fleet enrollment token management improvements #192469

Open jillguyonnet opened 1 month ago

jillguyonnet commented 1 month ago

The aim of this issue is to capture the open discussion raised during the implementation of https://github.com/elastic/kibana/issues/155550.

1. Consider lifting the existing constraint that the token name must be unique.

This constraint was put in place in https://github.com/elastic/kibana/issues/85118. Considering the UUID of the token is appended to the name, it is not clear whether the uniqueness of the name itself needs to be enforced. https://github.com/elastic/kibana/issues/155550 suggests that this could be a small improvement for some users.

2. Review token deletion flow

Related to https://github.com/elastic/kibana/issues/190708.

We should clarify the expected flow of enrollement token deletion (DELETE kbn:/api/fleet/enrollment_api_keys/{id}). Revoking a Fleet token marks the document in .fleet-enrollment-api-keys as inactive: https://github.com/elastic/kibana/blob/230d2748e6968fa74078408ae90b3c94ec9ddd9b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts#L162-L179

According to the Security docs, API keys are deleted after the retention period, which is an Elasticsearch setting. Based on that, we should confirm the following after deletion:

elasticmachine commented 1 month ago

Pinging @elastic/fleet (Team:Fleet)