elastic · michel-laterman · Dec 23, 2021 · Dec 15, 2021 · Dec 16, 2021 · Dec 22, 2021
@@ -14,6 +14,7 @@
 - Default to port 80 and 443 for Kibana and Fleet Server connections. {pull}25723[25723]
 - Remove deprecated/undocumented IncludeCreatorMetadata setting from kubernetes metadata config options {pull}28006[28006]
 - The `/processes/<subprocess>` endpoint proxies to the subprocess's monitoring endpoint, instead of querying its `/stats` endpoint {pull}28165[28165]
+- Remove username/password for fleet-server authentication. {pull}29458[29458]
 
 ==== Bugfixes
 - Fix rename *ConfigChange to *PolicyChange to align on changes in the UI. {pull}20779[20779]

@@ -5,8 +5,9 @@ outputs:
   default:
     type: elasticsearch
     hosts: [127.0.0.1:9200]
-    username: elastic
-    password: changeme
+    api-key: "example-key"
+    # username: "elastic"
+    # password: "changeme"
 
 inputs:
   - type: system/metrics
@@ -74,8 +75,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "example-token"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -5,8 +5,9 @@ outputs:
   default:
     type: elasticsearch
     hosts: [127.0.0.1:9200]
-    username: elastic
-    password: changeme
+    api-key: "example-key"
+    # username: "elastic"
+    # password: "changeme"
 
 inputs:
   - type: system/metrics
@@ -43,8 +44,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "example-token"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -43,8 +43,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -43,8 +43,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "example-token"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -43,8 +43,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -11,8 +11,9 @@ outputs:
   default:
     type: elasticsearch
     hosts: [127.0.0.1:9200]
-    username: elastic
-    password: changeme
+    api-key: "example-key"
+    # username: "elastic"
+    # password: "changeme"
 
 inputs:
   - type: system/metrics
@@ -49,8 +50,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "example-token"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -11,8 +11,9 @@ outputs:
   default:
     type: elasticsearch
     hosts: [127.0.0.1:9200]
-    username: elastic
-    password: changeme
+    api-key: "example-key"
+    # username: "elastic"
+    # password: "changeme"
 
 inputs:
   - type: system/metrics
@@ -80,8 +81,7 @@ inputs:
 
 #     # optional values
 #     #protocol: "https"
-#     #username: "elastic"
-#     #password: "changeme"
+#     #service_token: "example-token"
 #     #path: ""
 #     #ssl.verification_mode: full
 #     #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]

@@ -79,8 +79,6 @@ The following actions are possible and grouped based on the actions.
   The following vars are need in the scenario that Elastic Agent should automatically fetch its own token.
 
   KIBANA_FLEET_HOST - kibana host to enable create enrollment token on [$KIBANA_HOST]
-  KIBANA_FLEET_USERNAME - kibana username to create enrollment token [$KIBANA_USERNAME]
-  KIBANA_FLEET_PASSWORD - kibana password to create enrollment token [$KIBANA_PASSWORD]
   FLEET_TOKEN_NAME - token name to use for fetching token from Kibana. This requires Kibana configs to be set.
   FLEET_TOKEN_POLICY_NAME - token policy name to use for fetching token from Kibana. This requires Kibana configs to be set.
 
@@ -93,8 +91,6 @@ The following actions are possible and grouped based on the actions.
 
   FLEET_SERVER_ENABLE - set to 1 enables bootstrapping of Fleet Server inside Elastic Agent (forces FLEET_ENROLL enabled)
   FLEET_SERVER_ELASTICSEARCH_HOST - elasticsearch host for Fleet Server to communicate with [$ELASTICSEARCH_HOST]
-  FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
-  FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
   FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
   FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT - The sha-256 fingerprint value of the certificate authority to trust
   FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
@@ -113,8 +109,6 @@ The following actions are possible and grouped based on the actions.
 
   KIBANA_FLEET_SETUP - set to 1 enables the setup of Fleet in Kibana by Elastic Agent. This was previously FLEET_SETUP.
   KIBANA_FLEET_HOST - Kibana host accessible from fleet-server. [$KIBANA_HOST]
-  KIBANA_FLEET_USERNAME - kibana username to enable Fleet [$KIBANA_USERNAME]
-  KIBANA_FLEET_PASSWORD - kibana password to enable Fleet [$KIBANA_PASSWORD]
   KIBANA_FLEET_CA - path to certificate authority to use with communicate with Kibana [$KIBANA_CA]
   KIBANA_REQUEST_RETRY_SLEEP - specifies sleep duration taken when agent performs a request to kibana [default 1s]
   KIBANA_REQUEST_RETRY_COUNT - specifies number of retries agent performs when executing a request to kibana [default 30]
@@ -123,12 +117,8 @@ The following environment variables are provided as a convenience to prevent a l
 be used when the same credentials will be used across all the possible actions above.
 
   ELASTICSEARCH_HOST - elasticsearch host [http://elasticsearch:9200]
-  ELASTICSEARCH_USERNAME - elasticsearch username [elastic]
-  ELASTICSEARCH_PASSWORD - elasticsearch password [changeme]
   ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch
   KIBANA_HOST - kibana host [http://kibana:5601]
-  KIBANA_USERNAME - kibana username [$ELASTICSEARCH_USERNAME]
-  KIBANA_PASSWORD - kibana password [$ELASTICSEARCH_PASSWORD]
   KIBANA_CA - path to certificate authority to use with communicate with Kibana [$ELASTICSEARCH_CA]
 
 
@@ -427,10 +417,7 @@ func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) {
 	if u.Path != "" {
 		path += "/" + strings.TrimLeft(u.Path, "/")
 	}
-	if cfg.Elasticsearch.ServiceToken != "" {
-		return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
-	}
-	return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil
+	return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
 }
 
 func kibanaSetup(cfg setupConfig, client *kibana.Client, streams *cli.IOStreams) error {
@@ -485,8 +472,6 @@ func kibanaClient(cfg kibanaConfig, headers map[string]string) (*kibana.Client,
 
 	return kibana.NewClientWithConfigDefault(&kibana.ClientConfig{
 		Host:          cfg.Fleet.Host,
-		Username:      cfg.Fleet.Username,
-		Password:      cfg.Fleet.Password,
 		ServiceToken:  cfg.Fleet.ServiceToken,
 		IgnoreVersion: true,
 		Transport:     transport,

@@ -157,8 +157,6 @@ func TestEnroll(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, "my-access-api-key", config.AccessAPIKey)
 			require.Equal(t, host, config.Client.Host)
-			require.Equal(t, "", config.Client.Username)
-			require.Equal(t, "", config.Client.Password)
 		},
 	))
 
@@ -217,8 +215,6 @@ func TestEnroll(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, "my-access-api-key", config.AccessAPIKey)
 			require.Equal(t, host, config.Client.Host)
-			require.Equal(t, "", config.Client.Username)
-			require.Equal(t, "", config.Client.Password)
 		},
 	))
 
@@ -277,8 +273,6 @@ func TestEnroll(t *testing.T) {
 			require.NoError(t, err)
 			require.Equal(t, "my-access-api-key", config.AccessAPIKey)
 			require.Equal(t, host, config.Client.Host)
-			require.Equal(t, "", config.Client.Username)
-			require.Equal(t, "", config.Client.Password)
 		},
 	))
 

@@ -43,8 +43,6 @@ type elasticsearchConfig struct {
 	CA                   string `config:"ca"`
 	CATrustedFingerprint string `config:"ca_trusted_fingerprint"`
 	Host                 string `config:"host"`
-	Username             string `config:"username"`
-	Password             string `config:"password"`
 	ServiceToken         string `config:"service_token"`
 	Insecure             bool   `config:"insecure"`
 }
@@ -59,9 +57,7 @@ type kibanaConfig struct {
 type kibanaFleetConfig struct {
 	CA           string `config:"ca"`
 	Host         string `config:"host"`
-	Password     string `config:"password"`
 	Setup        bool   `config:"setup"`
-	Username     string `config:"username"`
 	ServiceToken string `config:"service_token"`
 }
 
@@ -93,8 +89,6 @@ func defaultAccessConfig() (setupConfig, error) {
 			CertKey: envWithDefault("", "FLEET_SERVER_CERT_KEY"),
 			Elasticsearch: elasticsearchConfig{
 				Host:                 envWithDefault("http://elasticsearch:9200", "FLEET_SERVER_ELASTICSEARCH_HOST", "ELASTICSEARCH_HOST"),
-				Username:             envWithDefault("elastic", "FLEET_SERVER_ELASTICSEARCH_USERNAME", "ELASTICSEARCH_USERNAME"),
-				Password:             envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"),
 				ServiceToken:         envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"),
 				CA:                   envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"),
 				CATrustedFingerprint: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT"),
@@ -115,8 +109,6 @@ func defaultAccessConfig() (setupConfig, error) {
 				// reflect that its setting up Fleet in Kibana versus setting up Fleet Server.
 				Setup:        envBool("KIBANA_FLEET_SETUP", "FLEET_SETUP"),
 				Host:         envWithDefault("http://kibana:5601", "KIBANA_FLEET_HOST", "KIBANA_HOST"),
-				Username:     envWithDefault("elastic", "KIBANA_FLEET_USERNAME", "KIBANA_USERNAME", "ELASTICSEARCH_USERNAME"),
-				Password:     envWithDefault("changeme", "KIBANA_FLEET_PASSWORD", "KIBANA_PASSWORD", "ELASTICSEARCH_PASSWORD"),
 				ServiceToken: envWithDefault("", "KIBANA_FLEET_SERVICE_TOKEN", "FLEET_SERVER_SERVICE_TOKEN"),
 				CA:           envWithDefault("", "KIBANA_FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA"),
 			},

@@ -37,8 +37,6 @@ type Elasticsearch struct {
 	Protocol     string            `config:"protocol" yaml:"protocol"`
 	Hosts        []string          `config:"hosts" yaml:"hosts"`
 	Path         string            `config:"path" yaml:"path,omitempty"`
-	Username     string            `config:"username" yaml:"username,omitempty"`
-	Password     string            `config:"password" yaml:"password,omitempty"`
 	ServiceToken string            `config:"service_token" yaml:"service_token,omitempty"`
 	TLS          *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty"`
 	Headers      map[string]string `config:"headers" yaml:"headers,omitempty"`
@@ -70,18 +68,9 @@ func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (
 			VerificationMode: tlscommon.VerifyNone,
 		}
 	}
-	if serviceToken != "" {
-		cfg.ServiceToken = serviceToken
-		return cfg, nil
+	if serviceToken == "" {
+		return Elasticsearch{}, errors.New("invalid connection string: must include a service token")
 	}
-	if u.User == nil || u.User.Username() == "" {
-		return Elasticsearch{}, errors.New("invalid connection string: must include a username unless a service token is provided")
-	}
-	password, ok := u.User.Password()
-	if !ok {
-		return Elasticsearch{}, errors.New("invalid connection string: must include a password unless a service token is provided")
-	}
-	cfg.Username = u.User.Username()
-	cfg.Password = password
+	cfg.ServiceToken = serviceToken
 	return cfg, nil
 }
@@ -60,19 +60,10 @@ func NewConfigFromURL(kURL string) (Config, error) {
 		return Config{}, errors.Wrap(err, "could not parse url")
 	}
 
-	var username, password string
-	if u.User != nil {
-		username = u.User.Username()
-		// _ is true when password is set.
-		password, _ = u.User.Password()
-	}
-
 	c := DefaultClientConfig()
 	c.Protocol = Protocol(u.Scheme)
 	c.Host = u.Host
 	c.Path = u.Path
-	c.Username = username
-	c.Password = password
 
 	return c, nil
 }
@@ -126,11 +117,6 @@ func NewWithConfig(log *logger.Logger, cfg Config, wrapper wrapperFunc) (*Client
 			return nil, err
 		}
 
-		if cfg.IsBasicAuth() {
-			// Pass basic auth credentials to all the underlying calls.
-			transport = NewBasicAuthRoundTripper(transport, cfg.Username, cfg.Password)
-		}
-
 		if wrapper != nil {
 			transport, err = wrapper(transport)
 			if err != nil {

@@ -160,58 +160,6 @@ func TestHTTPClient(t *testing.T) {
 		},
 	))
 
-	t.Run("Basic auth when credentials are valid", withServer(
-		func(t *testing.T) *http.ServeMux {
-			msg := `{ message: "hello" }`
-			mux := http.NewServeMux()
-			mux.HandleFunc("/echo-hello", basicAuthHandler(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusOK)
-				fmt.Fprint(w, msg)
-			}, "hello", "world", "testing"))
-			return mux
-		}, func(t *testing.T, host string) {
-			cfg := config.MustNewConfigFrom(map[string]interface{}{
-				"username": "hello",
-				"password": "world",
-				"host":     host,
-			})
-
-			client, err := NewWithRawConfig(nil, cfg, nil)
-			require.NoError(t, err)
-			resp, err := client.Send(ctx, "GET", "/echo-hello", nil, nil, nil)
-			require.NoError(t, err)
-
-			body, err := ioutil.ReadAll(resp.Body)
-			require.NoError(t, err)
-			defer resp.Body.Close()
-			assert.Equal(t, `{ message: "hello" }`, string(body))
-		},
-	))
-
-	t.Run("Basic auth when credentials are invalid", withServer(
-		func(t *testing.T) *http.ServeMux {
-			msg := `{ message: "hello" }`
-			mux := http.NewServeMux()
-			mux.HandleFunc("/echo-hello", basicAuthHandler(func(w http.ResponseWriter, r *http.Request) {
-				w.WriteHeader(http.StatusOK)
-				fmt.Fprint(w, msg)
-			}, "hello", "world", "testing"))
-			return mux
-		}, func(t *testing.T, host string) {
-			cfg := config.MustNewConfigFrom(map[string]interface{}{
-				"username": "bye",
-				"password": "world",
-				"host":     host,
-			})
-
-			client, err := NewWithRawConfig(nil, cfg, nil)
-			require.NoError(t, err)
-			resp, err := client.Send(ctx, "GET", "/echo-hello", nil, nil, nil)
-			require.NoError(t, err)
-			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
-		},
-	))
-
 	t.Run("Custom user agent", withServer(
 		func(t *testing.T) *http.ServeMux {
 			msg := `{ message: "hello" }`
@@ -400,19 +348,6 @@ func withServer(m func(t *testing.T) *http.ServeMux, test func(t *testing.T, hos
 	}
 }
 
-func basicAuthHandler(handler http.HandlerFunc, username, password, realm string) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		u, p, ok := r.BasicAuth()
-
-		if !ok || u != username || p != password {
-			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-			return
-		}
-		handler(w, r)
-	}
-}
-
 type debugStack struct {
 	sync.Mutex
 	messages []string