Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ignore security disabled HTTP response header #115632

Closed
kobelb opened this issue Oct 19, 2021 · 4 comments
Closed

Ignore security disabled HTTP response header #115632

kobelb opened this issue Oct 19, 2021 · 4 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:medium Medium Level of Effort

Comments

@kobelb
Copy link
Contributor

kobelb commented Oct 19, 2021

Starting in 7.15, we began showing a toast warning whenever Elasticsearch responds with a Warning HTTP response header. This was added to explicitly support exposing CCS warnings to users.

This had the unintentional side effect of causing the following warning toast to be displayed many times when the user has not explicitly disabled/enabled security in the elasticsearch.yml:

Screen Shot 2021-10-19 at 11 56 22 AM

The @elastic/kibana-security team has already implemented their own warning when security is not enabled that does so without endlessly nagging the user. As a result, we don't ever want the security disabled Warning HTTP response header from ever triggering a warning toast.

At the moment, the only way that we have to identify the security disabled Warning HTTP response header is using a regex. The @elastic/es-security team has suggested using the following: ^Elasticsearch built-in security features are not enabled.*. Using a regex is rather brittle. However, Elasticsearch will only be responding with the HTTP response header for 7.x because starting in 8.0 they will enable security by default and users will be required to explicitly disable security and the warning response header won't be sent in this situation.

FAQ

Can't ES just stop sending the HTTP response warning to Kibana?

It could; however, it would conceptually require Elasticsearch to know Kibana's implementation details and this is architecturally awkward.

How dare you suggest a hacky regex!

😬 It's not a maintainable solution, I fully admit that. However, the 7.16 branch will not be prone to change, so while the solution is brittle in theory, in actuality it shouldn't be. If it does end up being brittle, we have the opportunity to change the approach in the future.

Are we comfortable hard-coding the regex in the data.search service? It's security-related, shouldn't it be in the security plugin?

I mean, not really. However, making this pluggable to allow the security plugin to suppress this warning will be additional work for very little benefit since this code will only exist for 7.16.

Can we only create the PR against the 7.16 branch?

Sure. We don't need this code in 8.0. However, I defer to the implementing team whether this makes things easier or not.

@kobelb kobelb added bug Fixes for quality problems that affect the customer experience Team:AppServicesSv labels Oct 19, 2021
@kobelb
Copy link
Contributor Author

kobelb commented Oct 20, 2021

@petrklapka is this something we could have prioritized to have fixed in 7.16?

@petrklapka petrklapka assigned petrklapka and Dosant and unassigned petrklapka Oct 20, 2021
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Oct 20, 2021
@Dosant
Copy link
Contributor

Dosant commented Oct 21, 2021

@kobelb, do we need to also backport to the 7.15 branch?

@kobelb
Copy link
Contributor Author

kobelb commented Oct 21, 2021

@Dosant sure, it'd be great if this could go out in a 7.15.patch as well.

@exalate-issue-sync exalate-issue-sync bot added loe:medium Medium Level of Effort and removed loe:small Small Level of Effort labels Oct 25, 2021
@Dosant
Copy link
Contributor

Dosant commented Oct 27, 2021

Closed by #115945 and also backported to 7.15

@Dosant Dosant closed this as completed Oct 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:medium Medium Level of Effort
Projects
None yet
Development

No branches or pull requests

3 participants