[Reporting] Document Network Policy configuration (elastic#80431)
* [Reporting] Document Network Policy configuration
* Apply suggestions from code review
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
* Apply suggestions from code review
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* remove detail about policy acting on responses
* Update docs/user/reporting/network-policy.asciidoc
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
* lowercase network policy
* typo

Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
1 parent e4e59fb, commit ba04d6b
Showing 3 changed files with 77 additions and 0 deletions.
@@ -0,0 +1,71 @@ | ||
[role="xpack"] | ||
[[reporting-network-policy]] | ||
=== Restrict requests with a Reporting network policy | ||
|
||
When Reporting generates PDF reports, it uses the Chromium browser to fully load the {kib} page on the server. This | ||
potentially involves sending requests to external hosts. For example, a request might go to an external image server to show a | ||
field formatted as an image, or to show an image in a Markdown visualization. | ||
|
||
If the Chromium browser is asked to send a request that violates the network policy, Reporting stops processing the page | ||
before the request goes out, and the report is marked as a failure. Additional information about the event is in | ||
the Kibana server logs. | ||
|
||
[NOTE] | ||
============ | ||
{kib} installations are not designed to be publicly accessible over the Internet. The Reporting network policy and other capabilities | ||
of the Elastic Stack security features do not change this condition. | ||
============ | ||
|
||
==== Configure a Reporting network policy | ||
|
||
You configure the network policy by specifying the `xpack.reporting.capture.networkPolicy.rules` setting in `kibana.yml`. A policy is specified as | ||
an array of objects that describe what to allow or deny based on a host or protocol. If a host or protocol | ||
is not specified, the rule matches any host or protocol. | ||
|
||
The rule objects are evaluated sequentially from the beginning to the end of the array, and continue until there is a matching rule. | ||
If no rules allow a request, the request is denied. | ||
|
||
[source,yaml] | ||
------------------------------------------------------- | ||
# Only allow requests to placeholder.com | ||
xpack.reporting.capture.networkPolicy: | ||
rules: [ { allow: true, host: "placeholder.com" } ] | ||
------------------------------------------------------- | ||
|
||
[source,yaml] | ||
------------------------------------------------------- | ||
# Only allow requests to https://placeholder.com | ||
xpack.reporting.capture.networkPolicy: | ||
rules: [ { allow: true, host: "placeholder.com", protocol: "https:" } ] | ||
------------------------------------------------------- | ||
|
||
A final `allow` rule with no host or protocol will allow all requests that are not explicitly denied. | ||
|
||
[source,yaml] | ||
------------------------------------------------------- | ||
# Denies requests from http://placeholder.com, but anything else is allowed. | ||
xpack.reporting.capture.networkPolicy: | ||
rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }]; | ||
------------------------------------------------------- | ||
|
||
A network policy can be composed of multiple rules. | ||
|
||
[source,yaml] | ||
------------------------------------------------------- | ||
# Allow any request to http://placeholder.com but for any other host, https is required | ||
xpack.reporting.capture.networkPolicy | ||
rules: [ | ||
{ allow: true, host: "placeholder.com", protocol: "http:" }, | ||
{ allow: true, protocol: "https:" }, | ||
] | ||
------------------------------------------------------- | ||
|
||
[NOTE] | ||
============ | ||
The `file:` protocol is always denied, even if no network policy is configured. | ||
============ | ||
|
||
==== Disable a Reporting network policy | ||
|
||
You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for | ||
this configuration property is `true`, so it is not necessary to explicitly enable it. |
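Review bot: the third and fourth YAML examples in this hunk will not load as written. In the third, the `rules:` line ends with a stray semicolon (`rules: [{ allow: false, host: "placeholder.com", protocol: "http:" }, { allow: true }];`), which is not valid YAML; in the fourth, the parent key is missing its colon (`xpack.reporting.capture.networkPolicy` should be `xpack.reporting.capture.networkPolicy:`), so `rules:` is not nested under it. Readers are likely to paste these straight into `kibana.yml`, where a parse error keeps Kibana from starting, so both should be corrected before merge. Two smaller points: the comment `# Denies requests from http://placeholder.com` should read "requests to", matching the wording used elsewhere in the file, and the first example would be clearer if it stated that a rule with `host` but no `protocol` allows both `http:` and `https:` requests to that host, which follows from the paragraph above saying an unspecified field matches any host or protocol.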