[7.17] Fixes bulk re-encryption for encrypted objects located in all spaces (#217625)#218182

Merged
jeramysoucy merged 3 commits into
elastic:7.17from
jeramysoucy:backport/7.17/pr-217625
Apr 15, 2025
Conversation

@jeramysoucy
Contributor

Backport

This will backport the following commits from main to 7.17:

Questions?

Please refer to the Backport tool documentation

…lastic#217625)

Closes elastic#215534

## Summary

The Encrypted Saved Objects Key Rotation service makes use of the Saved
Objects Bulk Update API to re-encrypt objects. Bulk update supports an
optional 'namespace' parameter, per-object, defining the space to access
a specific object. This allows objects outside of the current space to
be affected in the update operation. The Key Rotation service leverages
this optional parameter for each object to ensure that the re-encryption
operation is not limited to the current space.

However, should a multi-namespace encrypted object reside in all spaces,
the only value in the object's namespaces property is the
`ALL_NAMESPACES_STRING` constant '*'. As this is not a valid single
namespace, the Bulk Update operation will skip updating the object.

PR resolves the issue by only providing an object namespace for objects
that do not reside in all spaces. Objects that reside in all spaces can
be accessed from the current space without the need for an override.

This PR also updates unit tests to account for this case.

### Testing
- [x] Set the encrypted saved objects encryption key to a known value
(either in kibana.yml or kibana.dev.yml). For example:
```
xpack.encryptedSavedObjects:
  encryptionKey: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
```
- [x] Start ES & Kibana
- [x] You will need to set up a Fleet agent policy and create a
synthetics location and monitor. The UI will guide you through this when
you navigate to Observability -> Synthetics
- [x] Create a synthetics parameter, Observability -> Synthetics ->
Settings, Global Parameters tab. Use anything for a value, but be sure
to check the `Share across spaces` option.
- [x] Update the kibana config to change the encryption key, and use the
old key as a decryption-only key
```
xpack.encryptedSavedObjects:
  encryptionKey: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
  keyRotation:
    decryptionOnlyKeys: ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]
```
- [x] Wait for Kibana to restart
- [x] Call the key rotation HTTP API as a privileged user (I just used
the `elastic` superuser account)

`[your_kibana_endpoint]/api/encrypted_saved_objects/_rotate_key?type=synthetics-param`
- [x] Verify that 1 out of 1 objects were processed with 0 failures.
- [x] Repeat these steps from Main and note that 0 of 1 objects
succeeded, and there is 1 failure

### Release Note
Fixes an issue where the Saved Objects Rotate Encryption Key API would
not affect sharable encrypted object types that exist in all spaces.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 1176625)

# Conflicts:
#	x-pack/platform/plugins/shared/encrypted_saved_objects/tsconfig.json
#	x-pack/plugins/encrypted_saved_objects/server/crypto/encryption_key_rotation_service.ts
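The namespace selection the summary describes, written out as an added example that is not part of this PR or of Kibana's own code. Only the `ALL_NAMESPACES_STRING` constant name comes from the PR text; the object shapes, the `namespaceBeforeFix`/`namespaceAfterFix` helpers and the toy `simulateRotation` model of bulk update's skip behaviour are assumptions made for this illustration. The sample objects are constructed to mirror the PR's test case (one `synthetics-param` shared across all spaces) with two ordinary objects for contrast.

```typescript
// Added example, not Kibana's code. Models how a key-rotation pass turns
// encrypted saved objects into Saved Objects Bulk Update requests and why the
// per-object `namespace` override must be omitted for objects in all spaces.
// Names other than ALL_NAMESPACES_STRING are assumptions for this example.

const ALL_NAMESPACES_STRING = '*';

interface EncryptedObject {
  type: string;
  id: string;
  // Spaces the object lives in. A sharable object present in every space
  // carries the single sentinel entry '*'; space-agnostic objects carry none.
  namespaces?: string[];
  attributes: Record<string, unknown>;
}

interface BulkUpdateObject {
  type: string;
  id: string;
  attributes: Record<string, unknown>;
  namespace?: string; // optional per-object override accepted by bulk update
}

// Pre-fix behaviour: forward the first namespace entry, even when it is '*'.
function namespaceBeforeFix(namespaces?: string[]): string | undefined {
  return namespaces?.[0];
}

// Post-fix behaviour: override only for objects NOT in all spaces; an
// all-spaces object is reachable from the current space without an override.
function namespaceAfterFix(namespaces?: string[]): string | undefined {
  if (!namespaces || namespaces.length === 0) return undefined;
  if (namespaces.includes(ALL_NAMESPACES_STRING)) return undefined;
  return namespaces[0];
}

function toBulkUpdateObjects(
  objects: EncryptedObject[],
  pickNamespace: (namespaces?: string[]) => string | undefined
): BulkUpdateObject[] {
  return objects.map(({ type, id, attributes, namespaces }) => {
    const namespace = pickNamespace(namespaces);
    // The real service re-encrypts attributes here; this model passes them through.
    return namespace === undefined
      ? { type, id, attributes }
      : { type, id, attributes, namespace };
  });
}

// Toy model of the bulk update rule the PR describes: a per-object namespace
// must be one concrete space id, so '*' causes the object to be skipped.
function isValidSingleNamespace(ns: string): boolean {
  return ns.length > 0 && ns !== ALL_NAMESPACES_STRING;
}

interface RotationResult {
  total: number;
  successful: number;
  failed: number;
  failedIds: string[];
}

function simulateRotation(
  objects: EncryptedObject[],
  pickNamespace: (namespaces?: string[]) => string | undefined
): RotationResult {
  const requests = toBulkUpdateObjects(objects, pickNamespace);
  const failedIds: string[] = [];
  for (const req of requests) {
    if (req.namespace !== undefined && !isValidSingleNamespace(req.namespace)) {
      failedIds.push(req.id);
    }
  }
  return {
    total: requests.length,
    successful: requests.length - failedIds.length,
    failed: failedIds.length,
    failedIds,
  };
}

// Constructed sample data: one parameter shared to all spaces (the PR's
// failing case) plus two parameters that live in a single space each.
const SAMPLE_OBJECTS: EncryptedObject[] = [
  { type: 'synthetics-param', id: 'param-shared', namespaces: ['*'], attributes: { value: 'enc:...' } },
  { type: 'synthetics-param', id: 'param-marketing', namespaces: ['marketing'], attributes: { value: 'enc:...' } },
  { type: 'synthetics-param', id: 'param-default', namespaces: ['default'], attributes: { value: 'enc:...' } },
];

function rotationBeforeFix(): RotationResult {
  return simulateRotation(SAMPLE_OBJECTS, namespaceBeforeFix);
}

function rotationAfterFix(): RotationResult {
  return simulateRotation(SAMPLE_OBJECTS, namespaceAfterFix);
}

console.log('before fix:', rotationBeforeFix()); // failed: 1 (param-shared)
console.log('after fix:', rotationAfterFix()); // failed: 0
```

Run it with any TypeScript runner (for example `npx tsx example.ts`). The only behavioural difference between the two helpers is the `includes(ALL_NAMESPACES_STRING)` branch: with it, the all-spaces object is sent without a `namespace` key and is updated from the current space, which is exactly the 1-of-1 success the PR's testing steps verify.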
@jeramysoucy jeramysoucy added the backport This PR is a backport of another PR label Apr 14, 2025
@jeramysoucy jeramysoucy enabled auto-merge (squash) April 14, 2025 22:05
@jeramysoucy jeramysoucy requested a review from a team April 14, 2025 22:18
Contributor

@kc13greiner kc13greiner left a comment

Backport LGTM!

@jeramysoucy jeramysoucy merged commit 7493ca9 into elastic:7.17 Apr 15, 2025
87 checks passed
@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged
