-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose a security header API to plugins #181812
Comments
Pinging @elastic/kibana-security (Team:Security) |
I wonder if we should / want to do for this permission policy header the same thing with did regarding the CSP's header configuration in #102059 : splitting it into per-directive configuration. Note that internally, we will have to do that separation / split anyway given we want to be perform per-directive addition from this new API anyway, so my question is only regarding the way we want to expose this configuration to consumers. |
I opted not to include implementation details in the issue, but I pondered the same thing. I think this is reasonable, and keeps it simple. 👍 |
Sounds good to me. Please tell if you need anything from the Core team to move forward on this. |
Thanks for filing this issue @jeramysoucy, and thanks for the feedback @pgayvallet! I'm wondering if instead of exposing programmatic APIs, we could provide a way to configure this declaratively and statically somehow (e.g., via a "permissions policies" section in the plugin manifest or something along these lines)? As far as I understand, these values are known upfront and not calculated at runtime. This would give us two benefits:
What do you think? |
I certainly appreciate the benefits of a statically defined configuration, but I also worry about the limitations. A static definition will never support user customization, so administrators will have no way to control the resulting CSP. Plugin authors may need to curate the CSP based on something more than just the enabled/disabled state of their plugin. I worry that investing in a static configuration now will lead to a lack of extensibility down the road, causing us to eventually throw this out in favor of a more dynamic system. Perhaps there's a middle ground where we can design a plugin API that allows us to extend it in the future, without giving plugins too much power in the initial design? A similar argument could be made for our feature registration system that powers our authorization model. Our original requirements could have worked with a static system, but we have significantly benefited from the ability to programmatically adapt this over time. |
Thanks for sharing your thoughts, @legrego!
That's a fair point that static registration is much more limiting compared to programmatic APIs, I agree. But the programmatic API on its own doesn't provide Kibana administrators with any customization controls either unless platform or consumer (plugin) build something else on top of this API (e.g., expose additional configuration options from consumer plugins).
It's hard to tell if they need this in practice or not at this point, but if they do, do we want every consumer to model this curation experience differently, or do we want the platform to give consumer "tools" to do that so that Kibana admins have exactly the same curation experience when they configure CSP, irrespective of the solution/plugin/area that needs CSP extensions? I assume we're not talking about decisions that are made at runtime since I don't think it's possible or desirable today: you should know what CSP you need before
It's definitely a valid concern, I agree. Using plugin manifests for something like this might be too extreme in terms of upfront cost and rigidity at this point, even though I'd like us to use more static configuration for things like this. That being said, I'm not so concerned about giving plugins a lot of power. After all, if the need to tweak CSP or Permissions Policies, there is usually a valid business reason for that. I'm more concerned about the lack of visibility when it's done via programmatic APIs. Maybe we can consider exposing core config extensions via config declaration somehow. I'll give it some thought.
These two cases might appear similar, but I'm not sure it's a completely fair comparison: allowing developers to add new features and extend existing ones with as little friction as possible was (likely) a requirement for the feature registration system, as for any other public programmatic APIs that are supposed to be used frequently. But is it the same for deployment-level security controls such as CSP that aren't supposed to evolve and be modified at the same pace? Moreover, this flexibility isn't free either: auditing what every feature registered in Kibana is incredibly hard today. I'm referring to all the diverse abstractions that plugin developers built around the feature registration API over time. I wish we were more prescriptive here. |
Correct. My concern was that a static config would preclude this possibility altogether.
That's a good question. The capabilities that we protect via CSP and Permissions Policy are vast, and I could see us exposing this configuration in different ways. Example 1: an administrator would likely want a checkbox to control whether or not Kibana can be embedded into other domains -- they probably don't want to control the CSP directives and Example 2: Configuring an external source for map layers. Would we want administrators to know to have to adjust I guess I'm leaning more towards domain-specific user experiences. Having said that, I do see benefit in an administrative UX which tells administrators what their effective CSP is, and why it's configured in that way. So I want to have my cake and eat it too 😬.
Hmm. For stateful, I think making this determination during
++ we definitely need visibility and oversight into the final policies, and how plugins are influencing it.
It would be generous to say that we had such a requirement for feature registration, but I take your point. CSP (hopefully) won't need to evolve nearly as much -- but it will still evolve.
That's a good point, and a fair criticism of the feature registration API |
Agreed, we should abstract this away with something that makes more sense. We already do this somewhat with
The issue I see here is that it'd result in domain-specific experiences for deployment-level configuration. If we weren't a single-page application, I could see I agree, it's a tough one to do properly once and for all, but I'm glad we're brainstorming here.
Assuming by
Yeah, if we can solve this somehow, I'd feel much more comfortable giving more control to the consumers/domains.
It wasn't to criticize the feature registration API - it does its job well considering all the constraints we had and still have 🙂 I just wanted to point out that there are a lot of lessons we can learn from it and apply to new functionality. |
++ I understand what you're saying now. That makes sense to me.
I agree. My fear was the static nature of the deployment-level configuration would prevent us from building the domain-specific experiences due to its lack of flexibility at runtime. Ideally, we should eventually be able to apply these domain-specific experiences without requiring a restart of the deployment/project. There might be a way to do this with the static configuration, so I don't want to discourage us from exploring that option. I just want to make sure we consider these use cases when we're designing the solution. |
Related issues: #177777, #179061
Describe the feature:
Our default Content Security Policy (CSP) and Permissions Policy headers are purposefully restrictive. This means that sometimes we encounter plugins that require additional directive values in order to support features (see related issues). Rather than maintaining a cumbersome hardcoded list of trusted sources for each directive that each plugin requires, we should expose an API for plugins to augment our default directive settings.
This feature entails two parts:
kibana/packages/core/http/core-http-server-internal/src/csp/csp_directives.ts
Lines 33 to 40 in 6fc0d97
kibana/packages/core/http/core-http-server-internal/src/csp/csp_directives.ts
Lines 42 to 53 in 6fc0d97
This logic would be applied for both CSP and Permissions Policy directives when custom values are applied (either via this new API or any other means of external configuration, e.g. setting
http.securityHeaders.permissionsPolicy
).Kibana also should log the security header value whenever a non-default value is applied to a directive. This will allow us to better assist customers and troubleshoot systems.
Describe a specific use case for the feature:
Within the Kibana security domain, we will not always be aware of specific trusted sources for content. This feature would allow plugins to augment a default set of security header directive with trusted sources specific to their solution or application. In issue #177777, the Security Solution plugin would use the new API to add the required source to our Permissions Policy's
fullscreen
directive. The result would be a fullscreen directive containing the default 'self' value along with the added value.cc: @semd @pgayvallet
Before proceeding, we should create a 1-pager to align on the proposed implementation
The text was updated successfully, but these errors were encountered: