-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
External URL allow list service #69411
Comments
Pinging @elastic/kibana-platform (Team:Platform) |
Pinging @elastic/kibana-security (Team:Security) |
@elastic-jb we will need this implemented by Security or Platform team for URL drilldown to support external URL allow list |
Watcher has a relevant setting too: |
Thanks for opening this @streamich.
++, I think we could default to a permissive allow-list which allows all external URLs.
This makes sense to me as well. I could see a future where this becomes a space-aware advanced setting, but it doesn't strike me as something we necessarily want to expose right now, since we don't have granular access controls over these settings today.
I haven't given this a ton of thought yet, but I think we could ideally support the
I think wildcards for scheme and host are acceptable (see previous answer regarding
Yeah, I think this could be the default experience, which gives the impression of opting out of this service, without having to explicitly disable it.
This might live in both places. I expect we would want to ensure that any redirects that the server attempts to issue comply with the specified rule set. Again, I haven't given this a ton of thought yet, though. |
Just a friendly reminder that Elastic is moving away from loaded terminology like "whitelist" and "blacklist". We have decided to use "allowlist" and "blocklist" instead. |
Thanks Josh, I saw the conversation taking place. I missed the final
guidance. Will use those terms going forward.
|
Discussed with @streamich and we think we can start with a client-side approach to fulfill their needs initially. This will also alleviate the immediate need for #45815, since the client will always know what Kibana's public URL is. @joshdover I'm expecting that this will be a |
Alerting has a similar setting, We're also trying to figure out how to enable all the various ssl/tls configuration options, that kinda go along with this, probably good to have all this stuff in the same place, eventually: #80120 |
I agree @pmuellr, consolidating these various config options over time makes a lot of sense to me. |
We need to create a global allow list of external URLs to which Kibana users will be allowed to navigate away from Kibana. One user of such service will be URL drilldown but I believe there are many more potential users. For example, all Markdown links could be checked against this allow list before navigating to an external URL.
Food for thought:
kibana.yml
.http://google.com/*
?*
?I'm pinging Security and Platform teams as in our discussion these two teams were considered as likely owners of this service.
The text was updated successfully, but these errors were encountered: