-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Only allow admins (and Read-Only Admins) to fetch unencrypted telemetry #96538
Comments
Pinging @elastic/kibana-core (Team:Core) |
Pinging @elastic/kibana-telemetry (Team:KibanaTelemetry) |
@afharo what is your timeline for this? The work required to expose the authorization service into OSS is non-trivial for us, so this is an initiative that we'd have to plan for in our roadmap against our other priorities |
@legrego there's no clear timeline for this yet. I'll need some help from @joshdover to set the right priorities. We already have an X-Pack extension of the I'm not entirely sure about how we'd do that for |
@afharo Reopening the discussion, as this was put into our current sprint. As of today, do we have any way to perform such check from an OSS endpoint? If not, the only option I see is to perform IOC by having an xpack plugin register a |
@pgayvallet I think you got it right! The Security team (aka, @legrego) added the permission |
That said, I just tried to add kibana/src/plugins/home/public/application/components/welcome.tsx Lines 77 to 119 in 9d662b7
We might need to change the way router.post(
{
path: '/api/telemetry/v2/clusters/_stats',
validate: {
body: schema.object({
unencrypted: schema.boolean({ defaultValue: false }),
refreshCache: schema.boolean({ defaultValue: false }),
}),
},
},
async (context, req, res) => {
const { unencrypted, refreshCache } = req.body;
+ const security = getSecurity();
+ if (security) {
+ const { hasAllRequested } = await security.authz
+ .checkPrivilegesWithRequest(req)
+ .globally({ kibana: 'decryptedTelemetry' });
+ if (!hasAllRequested) {
+ return res.forbidden();
+ }
+ }
... |
As agreed in #95143, once #96536 is completed, we'll need to change the Telemetry Fetch APIs (
POST /api/telemetry/v2/clusters/_stats
andGET /api/stats?extended
) to only allow Admins and Read-Only Admins (#96536) to fetch the unencrypted version of the usage.This will allow us to remove the scoped clients from the Usage Collection APIs and to always fetch the usage as
kibana_system
.Need to be sure to test the reported telemetry before and after the change for consistency
The text was updated successfully, but these errors were encountered: