[Breaking change] forbid elasticsearch.username: elastic in production #51101

Closed
kobelb opened this issue Nov 19, 2019 · 2 comments · Fixed by #122722
Labels
Breaking Change; chore; Feature:Upgrade Assistant; impact:low (Addressing this issue will have a low level of impact on the quality/strength of our product.); loe:small (Small Level of Effort); Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

kobelb commented Nov 19, 2019

Change description

Which release will ship the breaking change?

This is deprecated but we are not sure when we will actually stop supporting it.

Edit Jan 2022: elastic/elasticsearch#81400 will change the superuser role to remove write access to system indices. That will implicitly prevent Kibana from using the elastic superuser to authenticate to Elasticsearch, since Kibana needs to be able to write to system indices. This means Kibana will stop supporting authenticating to ES with the elastic superuser (and other superusers) starting in 8.0.
See also: #122704

Describe the change. How will it manifest to users?

We should not allow Kibana to be configured with elasticsearch.username: elastic; that is a superuser and Kibana should run with minimal privileges.

Starting in 7.6, we started logging a deprecation warning when Kibana is configured with the elastic user in production (#48247).

Starting in 7.16, we should ensure that this is also surfaced in the upgrade assistant.

In a later version (TBD) we will actually prevent Kibana from starting when this is used in production.

How many users will be affected?

TBD

What can users do to address the change manually?

Use Kibana's user management to set the password for the kibana_system user, and update all kibana.yml's to use this username and password for the elasticsearch.username and elasticsearch.password.

How could we make migration easier with the Upgrade Assistant?

There isn't a good way to use the Upgrade Assistant to do so. We don't want the Kibana server to be able to write values to the kibana.yml, nor do we have a way of doing so across every instance of Kibana.

Are there any edge cases?

No

Test Data

Example kibana.yml:

elasticsearch.username: elastic
elasticsearch.password: changeme

(note: need to run Kibana in production mode, it will not start in dev mode with this configuration)

Cross links

This is related to #81680.
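
A pre-upgrade check for the setting this issue deprecates, as an added example that is not part of the issue or of Kibana's code base: it reads a kibana.yml written with flat dotted keys or nested mappings and reports whether `elasticsearch.username` is the `elastic` superuser. The function names, the sample files and the `${ES_USER}` variable are assumptions made for illustration; the `unresolved` case assumes Kibana's `${VAR}` environment-variable substitution in kibana.yml.

```javascript
// Added example, not Kibana's implementation. Parses the subset of YAML that
// kibana.yml normally uses (scalar settings as flat dotted keys or nested
// mappings) and reports the account Kibana authenticates to Elasticsearch with.
function flattenKibanaYml(text) {
  const settings = {};
  const parents = []; // nested mappings currently open: { indent, key }
  for (const raw of text.split(/\r?\n/)) {
    const m = /^(\s*)([A-Za-z0-9_.-]+)\s*:(?:\s+(.*))?$/.exec(raw);
    if (!m) continue; // blank line, comment, list item or unsupported syntax
    const indent = m[1].length;
    const rest = (m[3] || '').trim();
    const quoted = /^(["'])(.*?)\1/.exec(rest);
    // Unquoted values lose a trailing "# comment"; quoted values keep any "#".
    const value = quoted ? quoted[2] : rest.replace(/(^|\s)#.*$/, '').trim();
    while (parents.length && parents[parents.length - 1].indent >= indent) parents.pop();
    if (!quoted && value === '') { parents.push({ indent, key: m[2] }); continue; }
    settings[[...parents.map((p) => p.key), m[2]].join('.')] = value;
  }
  return settings;
}

// status: 'forbidden'  -> the built-in `elastic` superuser is configured
//         'unresolved' -> value is a ${VAR} reference; check the environment
//         'ok'         -> some other account, e.g. kibana_system
//         'unset'      -> no elasticsearch.username in this file
function checkElasticsearchUser(text) {
  const username = flattenKibanaYml(text)['elasticsearch.username'];
  if (username === undefined) return { status: 'unset', username: null };
  if (/\$\{[^}]+\}/.test(username)) return { status: 'unresolved', username };
  return { status: username === 'elastic' ? 'forbidden' : 'ok', username };
}

// Constructed sample files (the first mirrors the issue's test data).
const SAMPLES = {
  flat: 'elasticsearch.username: elastic\nelasticsearch.password: changeme\n',
  nested: 'elasticsearch:\n  hosts: ["http://localhost:9200"]\n  username: "elastic"  # superuser\n',
  commented: '# elasticsearch.username: elastic\nelasticsearch.username: kibana_system\n',
  fromEnv: 'elasticsearch.username: ${ES_USER}\n',
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, checkElasticsearchUser(text));
}
```

The check only sees the username in the file; whether a differently named account also holds the superuser role has to be verified against Elasticsearch itself.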

@kobelb kobelb added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 19, 2019
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@kobelb kobelb added the chore label Nov 19, 2019
@legrego legrego changed the title Forbid elasticsearch.username: elastic in production Warn when kibana uses an overprivileged account Jun 16, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 4, 2021
@jportner jportner changed the title Warn when kibana uses an overprivileged account [Breaking change] forbid elasticsearch:username: elastic in production Sep 29, 2021
@jportner jportner changed the title [Breaking change] forbid elasticsearch:username: elastic in production [Breaking change] forbid elasticsearch.username: elastic in production Sep 29, 2021
@jportner

I changed this issue title and description --
We still plan to make this breaking change eventually, just not in 8.0.

However, we will add a deprecation message in the Upgrade Assistant starting in 7.16.
