elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

License expiration for security features #74646

Open legrego opened 4 years ago

legrego commented 4 years ago

Many of our security features are available for free under Elastic's Basic License, but some of the more complex or esoteric features are only available under a paid license.

We have historically been lenient at best, and inconsistent at worst when licenses expire. We should research and remediate any shortcomings we have with respect to license enforcement. Specifically:

1) When a license expires, ensure that all features licensed under our Basic (free) tier continue to function without restrictions.
   a) User Management
   b) Role Management, without sub-feature privileges
   c) Authentication via our basic and token auth providers
2) When a license expires, ensure that all paid features stop working. This includes, but is not limited to the following:
   a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the ~access agreement~ login selector UI. See also https://github.com/elastic/kibana/issues/60337, https://github.com/elastic/kibana/issues/34592
   b) Access Agreement UI: should no longer be part of the login flow
   c) Sub-feature privileges: should no longer be configurable. I believe this is already resolved, just mentioning it for completeness
   d) Role Mappings UI: should no longer be visible under the Stack Management application. I believe this is already resolved, just mentioning it for completeness

elasticmachine commented 4 years ago

Pinging @elastic/kibana-security (Team:Security)

azasypkin commented 4 years ago

> a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the access agreement UI. See also #60337, #34592

That's a good idea (assuming you meant access agreement UI ---> login selector UI)! And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).

legrego commented 4 years ago

> That's a good idea (assuming you meant access agreement UI ---> login selector UI)!

Yup, good catch. I updated the original description 😄

> And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).

Yes that's a great call!