kibana
Please add missing "xpack.reporting.encryptionKey" setting to "Security settings in Kibana" doc page
Kibana version: 8.2.2
Elasticsearch version: 8.2.2
Server OS version:
Ubuntu 22.04 LTS
Browser version:
Chrome Version 102.0.5005.115 (Official Build) (64-bit)
Firefox 101.0.1 (64-bit)
Browser OS version:
$ head -4 /etc/os-release
PRETTY_NAME="Ubuntu 22.04 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04 LTS (Jammy Jellyfish)"
$ uname -a
Linux ncc-1701-d 5.15.0-39-generic #42-Ubuntu SMP Thu Jun 9 23:42:32 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Original install method (e.g. download page, yum, from source, etc.): Download Linux zip archives. Manual setup and run 2 clusters on Linux desktop with TLS.
Description of the problem including expected versus actual behavior: I am running two clusters of Elasticsearch on localhost for testing, and each cluster has one Kibana instance.
When I log in to both Kibana instances at the same time, the other session is clobbered. To fix that, I searched and found these doc pages which mention I need to configure the xpack.security.cookieName setting:
- https://www.elastic.co/guide/en/kibana/current/using-kibana-with-security.html
- https://www.elastic.co/guide/en/kibana/current/security-settings-kb.html
While reading about that xpack.security.cookieName setting, I noticed other related security settings such as an encryptionKey for the session id cookie contents. I read through the full page and I applied other settings that seemed relevant.
kibana.yml

```yaml
xpack.security.cookieName: "cluster1-session_id"
xpack.security.secureCookies: true
xpack.security.sameSiteCookies: "Strict"
xpack.security.session.idleTimeout: 30m
xpack.security.session.lifespan: 1d
xpack.security.session.cleanupInterval: 6h
xpack.security.audit.enabled: true
```

kibana-keystore

```sh
echo https-server-kibana1 | bin/kibana-keystore add -f server.ssl.keyPassphrase
echo https-client-kibana1 | bin/kibana-keystore add -f elasticsearch.ssl.keyPassphrase
echo cluster1-encryptionKey-for-session-cookies | bin/kibana-keystore add -f xpack.security.encryptionKey
echo cluster1-encryptedSavedObjects-in-elasticsearch | bin/kibana-keystore add -f xpack.encryptedSavedObjects.encryptionKey
```
When I restarted Kibana, I got a warning that I had not set an encryptionKey security setting.
[2022-06-15T14:07:41.500-04:00][WARN ][plugins.reporting.config] Generating a random key for xpack.reporting.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.reporting.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command.
I was confused at first because I thought I read the full contents of the "Security settings in Kibana" doc page.
Upon closer inspection, I realized the warning was about a different setting with a very similar name. So, I double checked the "Security settings in Kibana" doc page, and I found it only mentions xpack.reporting.encryptionKey, not xpack.reporting.encryptionKey.
Please add the missing xpack.reporting.encryptionKey setting to the "Security settings in Kibana" doc page. If a user approaches the docs the same way I did, they will miss out on configuring that setting like I did. I did a search and xpack.reporting.encryptionKey appears in other pages, but I think it would be useful to include it in the "Security settings in Kibana" doc page so the content of that page is more complete.
Errors in browser console (if relevant): n/a
Provide logs and/or server output (if relevant): Provided above
Describe the feature: n/a
Pinging @elastic/kibana-security (Team:Security)
Pinging @elastic/kibana-reporting-services (Team:Reporting Services)
It's a good point and it's always bothered me. There are actually three encryption keys:
- xpack.security.encryptionKey - found in Configure security in Kibana
- xpack.reporting.encryptionKey - found in Reporting settings in Kibana
- xpack.encryptedSavedObjects.encryptionKey - found in Security settings in Kibana, Secure saved objects, Alerting and action settings in Kibana, and Alerting set up
It's a bit of a gray area, because even though they are encryption keys and clearly Security-related, two of these are required to use different features (Reporting and Alerting).
The only page that mentions all three keys is Use Kibana in a production environment.
It would be good to add some cross links here, and mention on the Security page that there are other encryption keys. It's totally reasonable that a user would go straight to the "Configure security in Kibana" page and assume that's all the encryption keys they need to set.
@elastic/kibana-docs any thoughts?
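A practitioner check that follows from the three-key list above, added here as an example and not code from the original issue or from the Kibana project: audit a kibana.yml together with the output of `bin/kibana-keystore list` and report any of the three encryption keys that is set in neither place, so the gap is caught before startup rather than noticed as a WARN line in the server log. It assumes the keystore listing prints one setting name per line, and the two sample files are constructed for this example; the 32-character minimum it checks is the one the Kibana docs state for xpack.security.encryptionKey and xpack.encryptedSavedObjects.encryptionKey.

```shell
#!/bin/sh
# Added example (not Kibana project code). Reports which of the three Kibana
# encryption keys are set in neither kibana.yml nor the keystore listing.
# Assumption: the keystore listing has one setting name per line, as
# `bin/kibana-keystore list` prints it.

REQUIRED_KEYS="xpack.security.encryptionKey xpack.reporting.encryptionKey xpack.encryptedSavedObjects.encryptionKey"

# yml_value FILE KEY: prints the value of a top-level "KEY: value" line in
# FILE with surrounding double or single quotes stripped (empty if unset).
yml_value() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${esc}[[:space:]]*:[[:space:]]*//p" "$1" \
    | sed 's/^"\(.*\)"$/\1/' \
    | sed "s/^'\(.*\)'\$/\1/" \
    | head -n 1
}

# missing_encryption_keys YML KEYSTORE_LIST: prints, one per line, each
# required key that appears in neither file.
missing_encryption_keys() {
  for key in $REQUIRED_KEYS; do
    if [ -n "$(yml_value "$1" "$key")" ]; then continue; fi
    if grep -Fxq "$key" "$2"; then continue; fi
    echo "$key"
  done
}

# short_yml_keys YML: keys set in plain text in kibana.yml whose value is
# shorter than the 32 characters the docs require for these two settings.
short_yml_keys() {
  for key in xpack.security.encryptionKey xpack.encryptedSavedObjects.encryptionKey; do
    v=$(yml_value "$1" "$key")
    if [ -n "$v" ] && [ "${#v}" -lt 32 ]; then echo "$key"; fi
  done
}

# --- constructed sample input (not a real deployment) --------------------
SAMPLE_YML=$(mktemp)
SAMPLE_KS=$(mktemp)
trap 'rm -f "$SAMPLE_YML" "$SAMPLE_KS"' EXIT
cat >"$SAMPLE_YML" <<'EOF'
xpack.security.cookieName: "cluster1-session_id"
xpack.security.secureCookies: true
xpack.encryptedSavedObjects.encryptionKey: "tooshort"
EOF
cat >"$SAMPLE_KS" <<'EOF'
server.ssl.keyPassphrase
elasticsearch.ssl.keyPassphrase
xpack.security.encryptionKey
EOF

missing_encryption_keys "$SAMPLE_YML" "$SAMPLE_KS"   # xpack.reporting.encryptionKey
short_yml_keys "$SAMPLE_YML"                         # xpack.encryptedSavedObjects.encryptionKey
```

On a real host, point the two arguments at the deployment's kibana.yml and at a file captured from `bin/kibana-keystore list`; a key found only in kibana.yml is flagged for length because its value is readable there, while keystore values are not inspected.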
Pinging @elastic/kibana-app-services (Team:AppServicesUx)
Personally, I think we should leave the documentation as it is, and do a better job of surfacing these warning states in the UI. Expecting folks to notice logged warning messages or read every documentation setting is too much. One thing we could do is have a global notifications UI that somehow re-plays any warnings that would get logged at server startup.
If there are no other objections, I can bring this up with the team and see how an enhancement request like this should get routed.
@elastic/kibana-security @elastic/kibana-docs do we still need this issue?
Thanks for the ping @tsullivan
> Personally, I think we should leave the documentation as it is, and do a better job of surfacing these warning states in the UI. Expecting folks to notice logged warning messages or read every documentation setting is too much. One thing we could do is have a global notifications UI that somehow re-plays any warnings that would get logged at server startup.
> If there are no other objections, I can bring this up with the team and see how an enhancement request like this should get routed.
Did we ever perform this UI update? If not, I can add this issue to the docs backlog. If so, I think we're good to close the issue.
> do we still need this issue?
@tsullivan Not sure. @legrego closed a PR back in Sept, but I don't have full context/reason for not moving forward.
Joe had a good suggestion to cross link from the security docs:
> It would be good to add some cross links here, and mention on the Security page that there are other encryption keys. It's totally reasonable that a user would go straight to the "Configure security in Kibana" page and assume that's all the encryption keys they need to set.
Thanks @jeramysoucy. I can work on adding a cross-link based on Joe's suggestion. I'll open a related PR and close this issue once that's merged.
> Did we ever perform this UI update?
Sorry to chime in late, but we haven't put any tasks on the @elastic/appex-sharedux roadmap that would help here. Thanks for taking this on via the docs!