Add TLS client authentication support. #43090
Merged
azasypkin merged 3 commits into elastic:master from Aug 14, 2019
Contributor
Pinging @elastic/kibana-platform
Contributor
Pinging @elastic/kibana-security
87b6812 to
b723c06
Contributor
💚 Build Succeeded
azasypkin commented Aug 12, 2019
| ).toThrowErrorMatchingSnapshot(); | ||
| }); | ||
|
|
||
| test('HttpConfig instance should properly interpret `none` client authentication', () => { |
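Review bot: the test title on the last line of this hunk names only the `none` value, and the body is cut off here, so what it asserts is not visible. Since the setting accepts none, optional and required, each value should have its own case asserting the resulting behaviour, plus one case showing that a value outside those three is rejected by config validation.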
Contributor
Author
note: just a bunch of tests to only test functionality I'm introducing...
azasypkin commented Aug 12, 2019
src/legacy/server/config/schema.js
Outdated
| supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')).default(['TLSv1.1', 'TLSv1.2']), | ||
| cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')) | ||
| cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')), | ||
| clientAuthentication: Joi.any().description('This key is handled in the new platform ONLY'), |
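Review bot: on the `clientAuthentication` line, `Joi.any()` lets any value through the legacy schema, so a misspelled mode is caught only if the new platform's schema rejects it. Consider `Joi.string().valid('none', 'optional', 'required')` here as well, or confirm that new-platform validation fails startup on an unknown value, since a silently ignored value for this key could leave client certificates unrequested.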
Contributor
Author
note: this removes a blocker status from #42818 (at least for PKI auth provider)
Contributor
Author
Here is the archive with
mshustov approved these changes Aug 12, 2019
Contributor
mshustov
left a comment
LGTM and tested locally
kobelb approved these changes Aug 14, 2019
Contributor
💚 Build Succeeded
Contributor
Author
7.x/7.4.0: d106a4b
jloleysens added a commit to jloleysens/kibana that referenced this pull request Aug 15, 2019
…p-metrics-selectall * 'master' of github.com:elastic/kibana: (50 commits) [Uptime] update monitor list configs for mobile view (elastic#43218) [APM] Local UI filters (elastic#41588) [Code] Upgrade ctags langserver (elastic#43252) [Code] show multiple definition results in panel (elastic#43249) Adds Metric Type to full screen launch tracking (elastic#42692) [Canvas] Convert Autocomplete to Typescript (elastic#42502) [telemetry] add spacesEnabled config back to xpack_main (elastic#43312) [ML] Adds DF Transform Analytics list to Kibana management (elastic#43151) Add TLS client authentication support. (elastic#43090) [csp] Telemetry for csp configuration (elastic#43223) [SIEM] Run Cypress Tests Against Elastic Cloud & Cypress Command Line / Reporting (elastic#42804) docs: add tip on agent config in a dt (elastic#43301) [ML] Adding bucket span estimator to new wizards (elastic#43288) disable flaky tests (elastic#43017) Fix percy target branch for PRs (elastic#43160) [ML] Adding post create job options (elastic#43205) Restore discover histogram selection triggering fetch (elastic#43097) Per panel time range (elastic#43153) [Infra UI] Add APM to Metadata Endpoint (elastic#42197) Sentence case copy changes (elastic#43215) ...
Recently we introduced server.ssl.requestCert (7.3+) for upcoming Kibana node-to-node TLS authentication, but that setting neither ever worked properly nor ever was mentioned in our docs. That lets us drop server.ssl.requestCert completely in a next minor in favor of server.ssl.clientAuthentication: {none|optional|required} to be on a par with Elasticsearch's xpack.security.http.ssl.client_authentication. This is also a blocker for PKI authentication provider.
How to test
Generate certificates for Kibana and End User or use my test certificate-bundle.zip. Steps below assume that you use certificates from the attached certificate bundle.
Run Kibana with the following config:
certificate-bundle/user/user.pfx and certificate-bundle/kibana/kibana.pfx (to test 2 different users) to the list of your certificates in the browser.
Blocks: #42606
"Release Note: added new server.ssl.clientAuthentication setting that controls the server’s behavior in regard to requesting a certificate from client connections. Valid values are required, optional, and none. The required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none."
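The three modes from the description and release note above, as an added JavaScript example that is not part of the pull request or Kibana's code. It assumes the modes map onto Node's `requestCert` and `rejectUnauthorized` server options as commented; `tlsOptionsFor`, `classifyPeer` and the sample sockets are hypothetical names. It shows why `optional` needs an application-level check of `authorized` before a certificate is trusted.

```javascript
// Added illustration, not Kibana's code; function names are hypothetical.
const MODES = ['none', 'optional', 'required'];

// Options for Node's tls/https createServer(). Assumed mapping: every mode
// except `none` requests a certificate; only `required` fails the handshake
// when the client presents no certificate or an untrusted one.
function tlsOptionsFor(mode) {
  if (!MODES.includes(mode)) {
    throw new Error(`clientAuthentication must be one of: ${MODES.join(', ')}`);
  }
  return { requestCert: mode !== 'none', rejectUnauthorized: mode === 'required' };
}

// Decide whose request this is. `socket` is a tls.TLSSocket, or any object
// with the same `authorized` flag and getPeerCertificate() method.
function classifyPeer(mode, socket) {
  tlsOptionsFor(mode); // reuse the validation
  if (mode === 'none') return { identity: null, reason: 'certificate not requested' };
  const cert = socket.getPeerCertificate();
  // Node returns {} when the peer sent no certificate, null on a destroyed socket.
  if (!cert || Object.keys(cert).length === 0) {
    return { identity: null, reason: 'no certificate presented' };
  }
  // In `optional` mode the handshake also completes for a certificate that does
  // not chain to a configured CA, so `authorized` has to be checked here.
  if (!socket.authorized) {
    return { identity: null, reason: `untrusted certificate: ${socket.authorizationError}` };
  }
  return { identity: cert.subject.CN, reason: 'verified certificate' };
}

// Constructed stand-ins for real connections (not captured data).
const fakeSocket = (authorized, cert, authorizationError) => ({
  authorized,
  authorizationError,
  getPeerCertificate: () => cert,
});
const SAMPLE = {
  anonymous: fakeSocket(false, {}),
  selfSigned: fakeSocket(false, { subject: { CN: 'user' } }, 'DEPTH_ZERO_SELF_SIGNED_CERT'),
  trusted: fakeSocket(true, { subject: { CN: 'user' } }),
};

for (const [name, socket] of Object.entries(SAMPLE)) {
  console.log(name, classifyPeer('optional', socket));
}
```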