Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove references to username/password #29458

Merged
merged 3 commits into from
Dec 23, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions x-pack/elastic-agent/CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
- Default to port 80 and 443 for Kibana and Fleet Server connections. {pull}25723[25723]
- Remove deprecated/undocumented IncludeCreatorMetadata setting from kubernetes metadata config options {pull}28006[28006]
- The `/processes/<subprocess>` endpoint proxies to the subprocess's monitoring endpoint, instead of querying its `/stats` endpoint {pull}28165[28165]
- Remove username/password for fleet-server authentication. {pull}29458[29458]

==== Bugfixes
- Fix rename *ConfigChange to *PolicyChange to align on changes in the UI. {pull}20779[20779]
Expand Down
8 changes: 4 additions & 4 deletions x-pack/elastic-agent/_meta/config/common.p2.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api-key: "example-key"
# username: "elastic"
# password: "changeme"

inputs:
- type: system/metrics
Expand Down Expand Up @@ -74,8 +75,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "example-token"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api-key: "example-key"
# username: "elastic"
# password: "changeme"

inputs:
- type: system/metrics
Expand Down Expand Up @@ -43,8 +44,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "example-token"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
3 changes: 1 addition & 2 deletions x-pack/elastic-agent/_meta/elastic-agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "example-token"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
3 changes: 1 addition & 2 deletions x-pack/elastic-agent/elastic-agent.docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "${FLEET_SERVER_SERVICE_TOKEN}"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
8 changes: 4 additions & 4 deletions x-pack/elastic-agent/elastic-agent.reference.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api-key: "example-key"
# username: "elastic"
# password: "changeme"

inputs:
- type: system/metrics
Expand Down Expand Up @@ -49,8 +50,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "example-token"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
8 changes: 4 additions & 4 deletions x-pack/elastic-agent/elastic-agent.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,9 @@ outputs:
default:
type: elasticsearch
hosts: [127.0.0.1:9200]
username: elastic
password: changeme
api-key: "example-key"
# username: "elastic"
# password: "changeme"

inputs:
- type: system/metrics
Expand Down Expand Up @@ -80,8 +81,7 @@ inputs:

# # optional values
# #protocol: "https"
# #username: "elastic"
# #password: "changeme"
# #service_token: "example-token"
# #path: ""
# #ssl.verification_mode: full
# #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2]
Expand Down
17 changes: 1 addition & 16 deletions x-pack/elastic-agent/pkg/agent/cmd/container.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,6 @@ The following actions are possible and grouped based on the actions.
The following vars are need in the scenario that Elastic Agent should automatically fetch its own token.

KIBANA_FLEET_HOST - kibana host to enable create enrollment token on [$KIBANA_HOST]
KIBANA_FLEET_USERNAME - kibana username to create enrollment token [$KIBANA_USERNAME]
KIBANA_FLEET_PASSWORD - kibana password to create enrollment token [$KIBANA_PASSWORD]
FLEET_TOKEN_NAME - token name to use for fetching token from Kibana. This requires Kibana configs to be set.
FLEET_TOKEN_POLICY_NAME - token policy name to use for fetching token from Kibana. This requires Kibana configs to be set.

Expand All @@ -93,8 +91,6 @@ The following actions are possible and grouped based on the actions.

FLEET_SERVER_ENABLE - set to 1 enables bootstrapping of Fleet Server inside Elastic Agent (forces FLEET_ENROLL enabled)
FLEET_SERVER_ELASTICSEARCH_HOST - elasticsearch host for Fleet Server to communicate with [$ELASTICSEARCH_HOST]
FLEET_SERVER_ELASTICSEARCH_USERNAME - elasticsearch username for Fleet Server [$ELASTICSEARCH_USERNAME]
FLEET_SERVER_ELASTICSEARCH_PASSWORD - elasticsearch password for Fleet Server [$ELASTICSEARCH_PASSWORD]
FLEET_SERVER_ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch [$ELASTICSEARCH_CA]
FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT - The sha-256 fingerprint value of the certificate authority to trust
FLEET_SERVER_ELASTICSEARCH_INSECURE - disables cert validation for communication with Elasticsearch
Expand All @@ -113,8 +109,6 @@ The following actions are possible and grouped based on the actions.

KIBANA_FLEET_SETUP - set to 1 enables the setup of Fleet in Kibana by Elastic Agent. This was previously FLEET_SETUP.
KIBANA_FLEET_HOST - Kibana host accessible from fleet-server. [$KIBANA_HOST]
KIBANA_FLEET_USERNAME - kibana username to enable Fleet [$KIBANA_USERNAME]
KIBANA_FLEET_PASSWORD - kibana password to enable Fleet [$KIBANA_PASSWORD]
KIBANA_FLEET_CA - path to certificate authority to use with communicate with Kibana [$KIBANA_CA]
KIBANA_REQUEST_RETRY_SLEEP - specifies sleep duration taken when agent performs a request to kibana [default 1s]
KIBANA_REQUEST_RETRY_COUNT - specifies number of retries agent performs when executing a request to kibana [default 30]
Expand All @@ -123,12 +117,8 @@ The following environment variables are provided as a convenience to prevent a l
be used when the same credentials will be used across all the possible actions above.

ELASTICSEARCH_HOST - elasticsearch host [http://elasticsearch:9200]
ELASTICSEARCH_USERNAME - elasticsearch username [elastic]
ELASTICSEARCH_PASSWORD - elasticsearch password [changeme]
ELASTICSEARCH_CA - path to certificate authority to use with communicate with elasticsearch
KIBANA_HOST - kibana host [http://kibana:5601]
KIBANA_USERNAME - kibana username [$ELASTICSEARCH_USERNAME]
KIBANA_PASSWORD - kibana password [$ELASTICSEARCH_PASSWORD]
KIBANA_CA - path to certificate authority to use with communicate with Kibana [$ELASTICSEARCH_CA]


Expand Down Expand Up @@ -427,10 +417,7 @@ func buildFleetServerConnStr(cfg fleetServerConfig) (string, error) {
if u.Path != "" {
path += "/" + strings.TrimLeft(u.Path, "/")
}
if cfg.Elasticsearch.ServiceToken != "" {
return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
}
return fmt.Sprintf("%s://%s:%s@%s%s", u.Scheme, cfg.Elasticsearch.Username, cfg.Elasticsearch.Password, u.Host, path), nil
return fmt.Sprintf("%s://%s%s", u.Scheme, u.Host, path), nil
}

func kibanaSetup(cfg setupConfig, client *kibana.Client, streams *cli.IOStreams) error {
Expand Down Expand Up @@ -485,8 +472,6 @@ func kibanaClient(cfg kibanaConfig, headers map[string]string) (*kibana.Client,

return kibana.NewClientWithConfigDefault(&kibana.ClientConfig{
Host: cfg.Fleet.Host,
Username: cfg.Fleet.Username,
Password: cfg.Fleet.Password,
ServiceToken: cfg.Fleet.ServiceToken,
IgnoreVersion: true,
Transport: transport,
Expand Down
6 changes: 0 additions & 6 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -157,8 +157,6 @@ func TestEnroll(t *testing.T) {
require.NoError(t, err)
require.Equal(t, "my-access-api-key", config.AccessAPIKey)
require.Equal(t, host, config.Client.Host)
require.Equal(t, "", config.Client.Username)
require.Equal(t, "", config.Client.Password)
},
))

Expand Down Expand Up @@ -217,8 +215,6 @@ func TestEnroll(t *testing.T) {
require.NoError(t, err)
require.Equal(t, "my-access-api-key", config.AccessAPIKey)
require.Equal(t, host, config.Client.Host)
require.Equal(t, "", config.Client.Username)
require.Equal(t, "", config.Client.Password)
},
))

Expand Down Expand Up @@ -277,8 +273,6 @@ func TestEnroll(t *testing.T) {
require.NoError(t, err)
require.Equal(t, "my-access-api-key", config.AccessAPIKey)
require.Equal(t, host, config.Client.Host)
require.Equal(t, "", config.Client.Username)
require.Equal(t, "", config.Client.Password)
},
))

Expand Down
8 changes: 0 additions & 8 deletions x-pack/elastic-agent/pkg/agent/cmd/setup_config.go
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,6 @@ type elasticsearchConfig struct {
CA string `config:"ca"`
CATrustedFingerprint string `config:"ca_trusted_fingerprint"`
Host string `config:"host"`
Username string `config:"username"`
Password string `config:"password"`
ServiceToken string `config:"service_token"`
Insecure bool `config:"insecure"`
}
Expand All @@ -59,9 +57,7 @@ type kibanaConfig struct {
type kibanaFleetConfig struct {
CA string `config:"ca"`
Host string `config:"host"`
Password string `config:"password"`
Setup bool `config:"setup"`
Username string `config:"username"`
ServiceToken string `config:"service_token"`
}

Expand Down Expand Up @@ -93,8 +89,6 @@ func defaultAccessConfig() (setupConfig, error) {
CertKey: envWithDefault("", "FLEET_SERVER_CERT_KEY"),
Elasticsearch: elasticsearchConfig{
Host: envWithDefault("http://elasticsearch:9200", "FLEET_SERVER_ELASTICSEARCH_HOST", "ELASTICSEARCH_HOST"),
Username: envWithDefault("elastic", "FLEET_SERVER_ELASTICSEARCH_USERNAME", "ELASTICSEARCH_USERNAME"),
Password: envWithDefault("changeme", "FLEET_SERVER_ELASTICSEARCH_PASSWORD", "ELASTICSEARCH_PASSWORD"),
ServiceToken: envWithDefault("", "FLEET_SERVER_SERVICE_TOKEN"),
CA: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA", "ELASTICSEARCH_CA"),
CATrustedFingerprint: envWithDefault("", "FLEET_SERVER_ELASTICSEARCH_CA_TRUSTED_FINGERPRINT"),
Expand All @@ -115,8 +109,6 @@ func defaultAccessConfig() (setupConfig, error) {
// reflect that its setting up Fleet in Kibana versus setting up Fleet Server.
Setup: envBool("KIBANA_FLEET_SETUP", "FLEET_SETUP"),
Host: envWithDefault("http://kibana:5601", "KIBANA_FLEET_HOST", "KIBANA_HOST"),
Username: envWithDefault("elastic", "KIBANA_FLEET_USERNAME", "KIBANA_USERNAME", "ELASTICSEARCH_USERNAME"),
Password: envWithDefault("changeme", "KIBANA_FLEET_PASSWORD", "KIBANA_PASSWORD", "ELASTICSEARCH_PASSWORD"),
ServiceToken: envWithDefault("", "KIBANA_FLEET_SERVICE_TOKEN", "FLEET_SERVER_SERVICE_TOKEN"),
CA: envWithDefault("", "KIBANA_FLEET_CA", "KIBANA_CA", "ELASTICSEARCH_CA"),
},
Expand Down
17 changes: 3 additions & 14 deletions x-pack/elastic-agent/pkg/agent/configuration/fleet_server.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,8 +37,6 @@ type Elasticsearch struct {
Protocol string `config:"protocol" yaml:"protocol"`
Hosts []string `config:"hosts" yaml:"hosts"`
Path string `config:"path" yaml:"path,omitempty"`
Username string `config:"username" yaml:"username,omitempty"`
Password string `config:"password" yaml:"password,omitempty"`
ServiceToken string `config:"service_token" yaml:"service_token,omitempty"`
TLS *tlscommon.Config `config:"ssl" yaml:"ssl,omitempty"`
Headers map[string]string `config:"headers" yaml:"headers,omitempty"`
Expand Down Expand Up @@ -70,18 +68,9 @@ func ElasticsearchFromConnStr(conn string, serviceToken string, insecure bool) (
VerificationMode: tlscommon.VerifyNone,
}
}
if serviceToken != "" {
cfg.ServiceToken = serviceToken
return cfg, nil
if serviceToken == "" {
return Elasticsearch{}, errors.New("invalid connection string: must include a service token")
}
if u.User == nil || u.User.Username() == "" {
return Elasticsearch{}, errors.New("invalid connection string: must include a username unless a service token is provided")
}
password, ok := u.User.Password()
if !ok {
return Elasticsearch{}, errors.New("invalid connection string: must include a password unless a service token is provided")
}
cfg.Username = u.User.Username()
cfg.Password = password
cfg.ServiceToken = serviceToken
return cfg, nil
}
14 changes: 0 additions & 14 deletions x-pack/elastic-agent/pkg/remote/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -60,19 +60,10 @@ func NewConfigFromURL(kURL string) (Config, error) {
return Config{}, errors.Wrap(err, "could not parse url")
}

var username, password string
if u.User != nil {
username = u.User.Username()
// _ is true when password is set.
password, _ = u.User.Password()
}

c := DefaultClientConfig()
c.Protocol = Protocol(u.Scheme)
c.Host = u.Host
c.Path = u.Path
c.Username = username
c.Password = password

return c, nil
}
Expand Down Expand Up @@ -126,11 +117,6 @@ func NewWithConfig(log *logger.Logger, cfg Config, wrapper wrapperFunc) (*Client
return nil, err
}

if cfg.IsBasicAuth() {
// Pass basic auth credentials to all the underlying calls.
transport = NewBasicAuthRoundTripper(transport, cfg.Username, cfg.Password)
}

if wrapper != nil {
transport, err = wrapper(transport)
if err != nil {
Expand Down
65 changes: 0 additions & 65 deletions x-pack/elastic-agent/pkg/remote/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -160,58 +160,6 @@ func TestHTTPClient(t *testing.T) {
},
))

t.Run("Basic auth when credentials are valid", withServer(
func(t *testing.T) *http.ServeMux {
msg := `{ message: "hello" }`
mux := http.NewServeMux()
mux.HandleFunc("/echo-hello", basicAuthHandler(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
fmt.Fprint(w, msg)
}, "hello", "world", "testing"))
return mux
}, func(t *testing.T, host string) {
cfg := config.MustNewConfigFrom(map[string]interface{}{
"username": "hello",
"password": "world",
"host": host,
})

client, err := NewWithRawConfig(nil, cfg, nil)
require.NoError(t, err)
resp, err := client.Send(ctx, "GET", "/echo-hello", nil, nil, nil)
require.NoError(t, err)

body, err := ioutil.ReadAll(resp.Body)
require.NoError(t, err)
defer resp.Body.Close()
assert.Equal(t, `{ message: "hello" }`, string(body))
},
))

t.Run("Basic auth when credentials are invalid", withServer(
func(t *testing.T) *http.ServeMux {
msg := `{ message: "hello" }`
mux := http.NewServeMux()
mux.HandleFunc("/echo-hello", basicAuthHandler(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
fmt.Fprint(w, msg)
}, "hello", "world", "testing"))
return mux
}, func(t *testing.T, host string) {
cfg := config.MustNewConfigFrom(map[string]interface{}{
"username": "bye",
"password": "world",
"host": host,
})

client, err := NewWithRawConfig(nil, cfg, nil)
require.NoError(t, err)
resp, err := client.Send(ctx, "GET", "/echo-hello", nil, nil, nil)
require.NoError(t, err)
assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
},
))

t.Run("Custom user agent", withServer(
func(t *testing.T) *http.ServeMux {
msg := `{ message: "hello" }`
Expand Down Expand Up @@ -400,19 +348,6 @@ func withServer(m func(t *testing.T) *http.ServeMux, test func(t *testing.T, hos
}
}

func basicAuthHandler(handler http.HandlerFunc, username, password, realm string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
u, p, ok := r.BasicAuth()

if !ok || u != username || p != password {
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
handler(w, r)
}
}

type debugStack struct {
sync.Mutex
messages []string
Expand Down
Loading