-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alert users when authentication features are not enabled #73929
Comments
Pinging @elastic/kibana-security (Team:Security) |
Given the sensitivity, this prominent location feels suitable. Perhaps it doesn't need to be an error style, but rather a caution/info (yellow/blue). With regards to the top header location, we could revisit this positioning (and desired emphasis) once we have a notifications UI up there. |
Dropping in some thoughts and questions around UI/UX . When @arisonl is back we can fine tune the requirements and scope. We don't need to address all of the questions below in the first iteration, but it'll be good to know where we want to go.
|
@arisonl @alexfrancoeur @VijayDoshi @joshbressers @aravindputrevu @elastic/kibana-security: 👋 Hey folks! I was going to make this a meeting, but this is a hard group to schedule, so I think starting this as an async discussion would be easier. We have a sync on Wednesday September 23rd at 8:00am ET that you are all welcome to attend (find it on the Kibana Cal), but I think we can handle most if not all of the feedback directly in this issue. Our goal is to have a version of this alert in the 7.10 release, so I am looking to solicit feedback this week, with a cutoff of Thursday, September 24th so that we have time to finish implementation. The @elastic/kibana-security team has been meeting to discuss the available ux options. I'm going to attempt to distill those conversations down to a few points that we can collaborate on as a larger group. I will not attempt to present all of our ideas, but I rather want to focus on the two "main" concepts that we explored, and our current preference. Option 1: Dismissible BannerThe original idea was to display a banner at the top of the home page (or possibly at the top of all pages) to warn users that their installation was not secure. This is not the final design, but something similar to: This banner would be dismissible by the current user for the duration of their session (via cookies, session storage, etc). Administrators would also be able to configure Kibana (via Pros
Cons
Option 2: Persistent Navigation ControlWhen security is enabled, we display the user's avatar in the top-right corner of Kibana: When security is not enabled, then we don't render anything there. We could use this location to instead show our alert. Here is a rough mockup to illustrate what this could look like: Pros
Cons
Personal preferenceAs of now, my personal preference is Option 2: Persistent Navigation Control. This approach alleviates the question of when to show this warning -- it's unintrusive enough to always be displayed, unless configured via Other thoughtsHere's my thinking on the questions @alexfrancoeur posed:
If we use Option 2, then I think we can show this all of the time.
If we use Option 2, then I don't think the upgrade experience will have an impact. It will always be visible unless disabled via
Since security is not enabled, we don't have the concept of a user, admin, or roles. Therefore, I think we have to show this to everyone.
If we take the banner approach, my thinking is to dismiss locally in cache for the current browser session.
My thinking is somewhere in between warning and info. I couldn't decide, so you'll notice my mockup for option 2 reflects both...
This is my thinking for the initial version. We can expand this behavior in the future.
Yeah I think this would be a good idea.
Yes, I think we need messaging for OSS users too. Instead of telling them to enable security features, we could instead tell them that the default distribution comes with free security features, and link them to the downloads page. |
I agree 100% with everything @legrego wrote above. The only suggestion I have is we should copy the chrome browser behavior as it is known to people Use a scary triangle and the friendly lock. I think there could be value in also showing positive feedback like "You appear to have security properly configured", but we can consider that a different discussion, what's been suggested will make a perfect MVP. |
Option 2 seems noticeable enough and it is reasonable to show it to all users all of the time IMO. My only hesitation is during trial - do we want the first experience to immediately have a warning? This won't be an issue for cloud trials though since those are secure, so perhaps we are okay. Providing an indicator that your cluster is secure seems useful - my only concern is making the UI more complicated. |
I spoke with @snide about the onboarding point specifically, and his response leaned more towards a subtle toast notification that eventually is persisted in the notifications center. If we take this approach, it ends up being a combination of 1 and 2, and almost phased accordingly. For the initial phase and MVP, we provide a concise, subtle and build-specific toast notification for when a cluster is not secure. This could show upon initial onboarding and on upgrade as a reminder. When we eventually add a notification center to the global header / nav (🤞 7.x), that notification will be persisted (and maybe even pinned?) there. I like the idea of a security indicator as well. In addition to Vijay's suggestion, we might also be able to call out under management. Alternatively, we could show disabled security UI's under stack management in all builds. |
Hey @legrego and @arisonl, @VijayDoshi and I spoke earlier this afternoon around the approaches proposed and what would be the best way to implement without significantly impacting the onboarding experience for self-managed builds of Kibana. Please let us know what you think and if it's possible to introduce some or all of these requirements before FF. @snide if you have any additional comments on this approach related to onboarding, please let us know
|
Thanks all for the feedback so far! @alexfrancoeur, @VijayDoshi, @snide -- here are my thoughts on the proposal for a toast notification:
This should be reasonable to address before FF. I'm not opposed to the toast, but I'm interested to know what benefits this option provides that the navigation control does not. Is the nav control too persistent? We were discussing the toast notification this morning, and our concern here was that it'd be really easy to dismiss this, and then promptly forget about it. The suggestions to mentioned below about persisting this in the help menu/notification center mitigate this, although likely not for the MVP.
This is probably doable, using the following heuristic:
My concern here is having to enumerate all indices in the cluster. Large clusters could produce large payloads that the Kibana server would have to parse and process. We can cache this calculation, but we've seen instances where larger payloads end up crashing the Kibana server. This might not be a problem in practice, but I wanted to raise it.
The current help menu doesn't have extension points (yet) to allow plugins to inject content for all screens. The current model allows individual applications to inject their own custom support links, but we don't have a way yet to inject custom support for all applications. This is certainly something we can address, but likely not in scope for FF.
Agree with both of the above -- not in scope for MVP, but worthwhile for us to do. |
Actually you instincts are correct @legrego. It's more an issue of timing in design with other, similar initiatives. We have the concept of a "navigation center" coming in design within the next minor or two. Rather than do a custom implementation here that is just for this problem and adds another interface, I'd prefer we go with a less ideal, but generic (we deal with the IE security issue the same way, with a toast) solution till we get there. Hopefully that makes sense, but we're agreed this needs to be persistent. Again just to consolidate the threads here:
|
Thanks @snide, I appreciate the context. Unless there any objections, our goal will be to implement the following for FF:
Dismissing the notification:
For the option to Enable Security, where would you like to send users? Is there an existing docs page that you all feel would make sense? I was thinking this page, but I'm interested to hear y'alls thoughts too. |
@snide given the additional work that would need to be done to check for non-internal and non-sample data indices, what are your thoughts on the impact of presenting this toast as one of the first things a new self managed user sees when opening Kibana? I ask because while it's not a Cloud flow, it does impact onboarding. Larry mentioned that it should be possible (potentially with some risk). It also raises the question around upgrade. If we build this logic in, we wouldn't be able to remind users that their cluster is not secure with each new release or would have to introduce more complex logic. We take a similar approach with telemetry opt-in right now.
We'll probably need to huddle up with @gchaps and @arisonl on the language and endpoint to land on. I feel like we may want to take them to our website that show cases the features, presents Elastic the brand / company and links out to the documentation. This page looks like it might be the appropriate one: https://www.elastic.co/what-is/elastic-stack-security |
It's either important or it isn't. It sounds like we're saying it's important, so I think it's OK to let them know. Language is important. "Please add security" vs. "You stuff is broken" makes a big difference on perception of the default experience. |
We could use wording similar to what's on the web page that Alex pointed out: Protect your data Or something more similar to the screenshot above: Please secure your installation |
To summarise (and add my two cents): Short-term:
Post-MVP short-term:
Mid term:
How does this sound? |
I have the data check implemented at this point, but I'm happy to remove it if others share my unfounded fear about payload sizes.
Do you want the same message for both the OSS and Default distributions? |
Some minor edits to the message:
If Protect your data is used as a title, then it doesn't require an ending period. |
Kibana should alert users when it isn't configured to use stack authentication features.
Kibana should also inform users of the OSS distribution that free authentication features are available with the default distribution.
This alert should be prominently displayed, but dismissible by the current user for the duration of their session.
We should also allow this alert to be disabled altogether via configuration setting in
kibana.yml
for administrators who wish to intentionally run an unsecure cluster.Background
There are clusters that don't have security enabled, even if they are in production mode and so reachable by other hosts. These clusters are potentially giving access to anyone, with high risk of data leaks.
We want raise awareness to users, and minimize the scenarios where unsecured clusters are not intentionally exposed.
TL;DR
Summary of this conversation is here: #73929 (comment)
The text was updated successfully, but these errors were encountered: