Skip to content

Switch to the most recent Kibana configuration format and SAML/OIDC endpoints.#50652

Merged
azasypkin merged 5 commits intoelastic:masterfrom
azasypkin:issue-xxx-rename-kibana-oidc-endpoint
Apr 2, 2020
Merged

Switch to the most recent Kibana configuration format and SAML/OIDC endpoints.#50652
azasypkin merged 5 commits intoelastic:masterfrom
azasypkin:issue-xxx-rename-kibana-oidc-endpoint

Conversation

@azasypkin
Copy link
Contributor

@azasypkin azasypkin commented Jan 6, 2020
edited by lcawl
Loading

Kibana recently did a bunch of changes in configuration format and endpoint names:

  • Kibana is dropping /api/security/v1/oidc and /api/security/v1/oidc/implicit (deprecated since 7.6) routes in favor of /api/security/oidc/callback and /api/security/oidc/implicit respectively
  • Kibana is dropping /api/security/v1/oidc route used for 3rd-party initiated login in favor of /api/security/oidc/initiate_login
  • There is no need in configuring server.xsrf.whitelist now
  • xpack.security.authc.saml|oidc is deprecated and xpack.security.authc.providers changed format that will allow to define ES realm name within provider definition itself.

Preview:

@azasypkin azasypkin added >docs General docs changes :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v8.0.0 labels Jan 6, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jan 6, 2020

Pinging @elastic/es-docs (>docs)

@elasticmachine
Copy link
Collaborator

elasticmachine commented Jan 6, 2020

Pinging @elastic/es-security (:Security/Authentication)

@azasypkin azasypkin mentioned this pull request Jan 6, 2020
Closed
3 tasks
@azasypkin azasypkin force-pushed the issue-xxx-rename-kibana-oidc-endpoint branch from b92b461 to 9dc5765 Compare March 27, 2020 10:45
@azasypkin azasypkin changed the title Remove /v1/ from Kibana OIDC callback URLs. Switch to the most recent Kibana configuration format and SAML/OIDC endpoints. Mar 27, 2020
@azasypkin azasypkin marked this pull request as ready for review March 27, 2020 14:20
@azasypkin azasypkin requested a review from jkakavas March 30, 2020 07:45
@jkakavas
Copy link
Contributor

jkakavas commented Mar 30, 2020

@azasypkin are the new kibana endpoints usable in 7.x ?If so after which minor ? We should

  • add deprecation warnings if the user is using the old format
  • Create an issue for the upgrade assistant to handle these automatically or notify the user at the very least
  • Change the cloud documentation
  • Notify cloud well in advance so that these settings can be migrated on behalf of users at latest when upgrading to 8.0

@azasypkin
Copy link
Contributor Author

azasypkin commented Mar 30, 2020
edited
Loading

@azasypkin are the new kibana endpoints usable in 7.x ?

Yes

If so after which minor ?

It depends on specific endpoint, but we'd like to mention this only starting since 7.7+ when new config is introduced.

add deprecation warnings if the user is using the old format

We do this already in Kibana.

Create an issue for the upgrade assistant to handle these automatically or notify the user at the very least

UA is not capable of doing this yet, elastic/kibana#54702. Once we can do this - we'll definitely do this.

Change the cloud documentation

We filed the appropriate issue some time ago (already linked to this one), but it's up to the Cloud to update it. There is lots of friction for non-Cloud developers to do this (e.g we don't have access to CI if PR is failing etc.) and we agreed that Cloud will do that for us.

Notify cloud well in advance so that these settings can be migrated on behalf of users at latest when upgrading to 8.0

We'll do this separately in the scope of Cloud SSO initiative since Cloud we'll have to use new config format anyway. Regarding URLs - the issue mentioned above should cover that as well.

@jkakavas
Copy link
Contributor

jkakavas commented Mar 30, 2020

We do this already in Kibana.

Nice, I was wondering if we should throw a deprecation in elasticsearch logs too. I think kibana is enough though

We filed the appropriate issue some time ago (already linked to this one)

Yap, sorry, I missed that.

jkakavas
jkakavas approved these changes Mar 30, 2020
View reviewed changes
Copy link
Contributor

@jkakavas jkakavas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @azasypkin

@azasypkin azasypkin requested a review from lcawl March 31, 2020 15:46
lcawl
lcawl reviewed Mar 31, 2020
View reviewed changes
x-pack/docs/en/security/authentication/saml-guide.asciidoc Outdated
{kib}. This login will not use SAML credentials, and will rely on one of the
other security realms within {es}. Only users who have a username and password
for a configured {es} authentication realm will be able to login via this page.
If {kib} is configured in this way, then users will be presented with the choice
Copy link
Contributor

@lcawl lcawl Mar 31, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor edit, removing future tense:

Suggested change
If {kib} is configured in this way, then users will be presented with the choice
If {kib} is configured in this way, users are presented with a choice

lcawl
lcawl reviewed Mar 31, 2020
View reviewed changes
x-pack/docs/en/security/authentication/saml-guide.asciidoc Outdated
other security realms within {es}. Only users who have a username and password
for a configured {es} authentication realm will be able to login via this page.
If {kib} is configured in this way, then users will be presented with the choice
at the Login Selector screen whether to use username and password, and rely on one
Copy link
Contributor

@lcawl lcawl Mar 31, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor edit, splitting long sentence:

Suggested change
at the Login Selector screen whether to use username and password, and rely on one
at the Login Selector screen. They can provide a username and password, rely on one

Copy link
Contributor Author

@azasypkin azasypkin Apr 1, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I kept and before rely on since these "other security realms" are used only when username and password are provided, but let me know if there is a better way to express this (in this sentence we're describing just two options - either SAML or not-SAML).

Copy link
Contributor

@lcawl lcawl Apr 1, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm... maybe that will be more obvious if we change the order. I'll provide a new suggestion.

lcawl
lcawl reviewed Mar 31, 2020
View reviewed changes
x-pack/docs/en/security/authentication/saml-guide.asciidoc Outdated
If {kib} is configured in this way, then users will be presented with the choice
at the Login Selector screen whether to use username and password, and rely on one
of the other security realms within {es}, or log in with SAML. Only users who have
a username and password for a configured {es} authentication realm will be able to
Copy link
Contributor

@lcawl lcawl Mar 31, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor edit, removing future tense:

Suggested change
a username and password for a configured {es} authentication realm will be able to
a username and password for a configured {es} authentication realm can

lcawl
lcawl reviewed Apr 1, 2020
View reviewed changes
lcawl
lcawl reviewed Apr 1, 2020
View reviewed changes
@azasypkin @lcawl
Review#2: include new suggestions.
8a6fc5a 
Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
lcawl
lcawl approved these changes Apr 1, 2020
View reviewed changes
Copy link
Contributor

@lcawl lcawl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@azasypkin
Copy link
Contributor Author

azasypkin commented Apr 1, 2020

@elasticmachine merge upstream

@azasypkin azasypkin merged commit 129031c into elastic:master Apr 2, 2020
@azasypkin azasypkin deleted the issue-xxx-rename-kibana-oidc-endpoint branch April 2, 2020 06:00
This was referenced Apr 2, 2020
Merged
Merged
azasypkin added a commit to azasypkin/elasticsearch that referenced this pull request Apr 2, 2020
@azasypkin
Switch to the most recent Kibana configuration format and SAML/OIDC e…
866bb39 
…ndpoints. (elastic#50652)
@azasypkin
Copy link
Contributor Author

azasypkin commented Apr 2, 2020

7.7/7.7.0: 4bebc5d
7.x/7.8.0: 161eac1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkakavas jkakavas jkakavas approved these changes

@lcawl lcawl lcawl approved these changes

Assignees

No one assigned

Labels

>docs General docs changes :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.7.0 v7.8.0 v8.0.0-alpha1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@azasypkin @elasticmachine @jkakavas @lcawl @jakelandis