
RUM advanced security by CAS

Open amoscatelli opened this issue 7 years ago • 1 comment

I understand that secret_token for the RUM agent is not applicable since it would become public in the client-side JS (https://www.elastic.co/guide/en/apm/server/current/securing-apm-server.html).

However, I would suggest/prefer an (optional?) advanced security mechanism based on some sort of external authentication system (why not CAS?), in particular JSON Web Token: https://apereo.github.io/cas/5.2.x/installation/Configure-ServiceTicket-JWT.html

I'd like the APM server to discard and refuse every RUM request without a Bearer token containing a valid JWT produced by CAS. Of course, the APM server will require configuration for deciphering JWT tokens.

Yeah, I know this means the APM server will receive and send to ES only transactions regarding logged-in users, but this will prevent attacking the APM server in so many ways.

JS RUM agents need some method to set the Bearer, and would not contact the APM server if no such bearer is configured.

I stress that all of this should/could be optional.

Also, I should specify that we are actually using Elastic Cloud on AWS to run our services.

amoscatelli avatar Dec 27 '18 11:12 amoscatelli

Thanks for reaching out!

As you mentioned, this is currently not possible in APM Server. I have created an issue to keep track of this feature request (please feel free to comment on it).

However, at the moment, my suggestion is to use a reverse proxy to check the token and discard any request without a valid one.

hmdhk avatar Jan 02 '19 15:01 hmdhk
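The reverse-proxy approach suggested in the reply, as an added example in Go that is not part of this thread, the RUM agent or APM Server: a middleware that rejects any request lacking a valid Bearer JWT before it is forwarded to the APM server. It assumes CAS is configured to sign JWTs with HS256 and a shared secret (the secret, the handler names and the listen/upstream addresses are placeholders); with RS256 the HMAC check would be replaced by a public-key signature check, and the rest stays the same.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

// verifyHS256 checks a compact JWT (header.payload.signature): the header must name
// the algorithm we configured, the HMAC-SHA256 signature must match the shared secret,
// and the "exp" claim must be present and still in the future.
func verifyHS256(token string, secret []byte, now time.Time) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	var hdr struct{ Alg string } // encoding/json matches the "alg" key case-insensitively
	if h, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return false // rejects alg "none" and any algorithm we did not configure
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return false // constant-time comparison of the signature
	}
	var claims struct{ Exp int64 }
	if p, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &claims) != nil || claims.Exp == 0 {
		return false // an expiry is mandatory so a leaked token is time-bounded
	}
	return now.Unix() < claims.Exp
}

// jwtGuard answers 401 unless the request carries "Authorization: Bearer <valid JWT>";
// only then is it handed to next, e.g. httputil.NewSingleHostReverseProxy(apmServerURL).
func jwtGuard(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || !verifyHS256(tok, secret, time.Now()) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wire it up with `http.ListenAndServe(":8080", jwtGuard(secret, httputil.NewSingleHostReverseProxy(apmURL)))` and point the RUM agent's serverUrl at the proxy instead of the APM server; the upstream port should then only accept connections from the proxy.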