Add validations to check if current license supports Kibana running in FIPS mode #169738
Labels
- Feature:FIPS (FIPS mode for Kibana)
- needs-product-input
- Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)
Comments
kc13greiner added the Team:Security and Feature:FIPS labels on Oct 25, 2023
Pinging @elastic/kibana-security (Team:Security)
@arisonl assigning this to you for assistance with product requirements
Blocked on product requirements
Tasks
Estimate ~3 days
kc13greiner added a commit that referenced this issue on Jul 2, 2024
## Updates

### Latest updates

- Expose whether KB is configured to run in FIPS mode from Core -> Security

<img width="653" alt="Screenshot 2024-06-20 at 9 55 17 PM" src="https://github.com/elastic/kibana/assets/21210601/56a9f50f-0a05-41ca-9292-ed225b3d8062">

Consolidating all FIPS PRs into this PR

*Previous PRs were Approved

### Changes

- Config option is now experimental: `xpack.security.experimental.fipsMode.enabled`
- Documentation has been revised
- Listed as an experimental feature
- Added keystore references for adding a password

## Summary

Closes #169738
Closes #169739
Closes #169740
Closes #185948

FIPS is a platinum license feature.

Kibana instances must have a platinum or better license to start up in FIPS mode, a lesser license will result in Kibana failing to start up.

If the license is degraded, Kibana will still run, but an error will be logged letting the user know that Kibana will not be able to restart.

## Config changes

This PR required the changes that were approved from [a previous PR](#174558), since that PR couldn't be merged into main, I merged it here.

## Testing

### Locally

In your `kibana.dev.yml` add:

`xpack.security.experimental.fipsMode.enabled: true`

To allow Kibana to start without actually providing a compliant OpenSSL provider, in `x-pack/plugins/security/server/config.ts` change L328 from `if (isFipsEnabled !== isNodeRunningWithFipsEnabled)` to `if (false)`

You are now configured to run in FIPS-spoof mode!

Run: `yarn es snapshot` and `yarn start`

> You should see Kibana fail to start with an error about using a basic license.

Run: `yarn es snapshot --license trial` and `yarn start`

> Kibana should start.

Login as `elastic` and navigate to Stack Management > License Management

Switch your license to `basic` and accept.

In your logs, you will see an error letting users know that you no longer have an appropriate license and Kibana will not restart.

### For FIPS enthusiasts

Start an ES instance in a method of your choosing, but not using `yarn es snapshot`. I like to use an 8.15.0-snapshot from the `.es/cache` directory by running `tar -xzvf elasticsearch-8.15.0-SNAPSHOT-darwin-aarch64.tar.gz` and cd into the new directory's `bin` folder to run `./elasticsearch`

Ensure you have Docker running locally.

From any command line, run:

`docker run --rm -it -e XPACK_SECURITY_FIPSMODE_ENABLED='true' -p 5601:5601/tcp docker.elastic.co/kibana-ci/kibana-ubi-fips:8.15.0-SNAPSHOT-bc3150316ed317c08d57c6bd785ba39586072e1d`

This will start Kibana into Interactive Setup mode, copy and paste the token from the ES startup logs.

Kibana should fail to start and you should see Kibana fail to start with an error about using a basic license.

Repeat the above process except before you paste the token from ES, do the following to enable a trial license on your ES instance:

In a new terminal window, navigate to the top level of your elasticsearch folder and run

`curl -X POST --cacert config/certs/http_ca.crt -u elastic:YOUR_PASSWORD_HERE "https://localhost:9200/_license/start_trial?acknowledge=true&pretty"`

You should receive a successful response.

Now paste the token from the ES startup logs into the Kibana Interactive Setup window and Kibana should start.

Login as `elastic` and navigate to Stack Management > License Management

Switch your license to `basic` and accept.

In your logs, you will see an error letting users know that you no longer have an appropriate license and Kibana will not restart.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: lcawl <[email protected]>
Describe the feature:
Running Kibana in FIPS mode has been determined to be a premium (TBD, but most likely platinum and up) feature and will require a proper license to run.
When running in FIPS mode, Kibana will need to have a check that is run both on startup and periodically to ensure the license has not changed.
To avoid outages Kibana will fail to start if the license is incorrect, but if the license changes while Kibana is running, it should continue to run until it is restarted, at which point it should not start.
A distinction should be made between an improper license and a license having an unknown status.
If an improper license is detected, users should be warned that Kibana will not be able to restart unless a proper license is detected.
**The exact experience is being discussed by Product, some functionality described above is subject to change**
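The startup-versus-runtime behaviour requested above, sketched as a decision function. This is an added example, not Kibana's code: the type and function names are hypothetical, and deferring on an unknown license is an assumption, since the issue only says unknown must be distinguished from improper. The accepted license set follows the commit message (platinum or better, with trial accepted in its test steps).

```typescript
// Added illustration, not Kibana source; every name below is hypothetical.
type LicenseType = 'basic' | 'standard' | 'gold' | 'platinum' | 'enterprise' | 'trial';
type LicenseState = LicenseType | 'unknown'; // 'unknown': no license information yet
type Phase = 'startup' | 'running';
type Decision =
  | { action: 'proceed' }
  | { action: 'refuse-start'; message: string }
  | { action: 'keep-running'; message: string } // logged at error level
  | { action: 'recheck-later'; message: string };

// Platinum or better per the commit message; trial is accepted in its test steps.
const FIPS_CAPABLE = new Set<LicenseType>(['platinum', 'enterprise', 'trial']);

function evaluateFipsLicense(fipsEnabled: boolean, phase: Phase, license: LicenseState): Decision {
  if (!fipsEnabled) return { action: 'proceed' };
  // Unknown is not improper: reach no verdict and look again on the next check.
  // (Assumption: the issue only asks that the two cases be distinguished.)
  if (license === 'unknown') {
    return { action: 'recheck-later', message: 'License status unknown; FIPS license check deferred' };
  }
  if (FIPS_CAPABLE.has(license)) return { action: 'proceed' };
  const reason = `Current license "${license}" does not support FIPS mode`;
  if (phase === 'startup') {
    return { action: 'refuse-start', message: `${reason}; Kibana will not start` };
  }
  // A running instance stays up to avoid an outage, but operators are warned.
  return { action: 'keep-running', message: `${reason}; Kibana will not be able to restart` };
}

// Replays a sequence of license observations: the first known license settles
// startup, later ones are the periodic checks made while running.
function replay(fipsEnabled: boolean, observations: LicenseState[]): Array<Decision['action']> {
  let phase: Phase = 'startup';
  const actions: Array<Decision['action']> = [];
  for (const license of observations) {
    const decision = evaluateFipsLicense(fipsEnabled, phase, license);
    actions.push(decision.action);
    if (decision.action === 'refuse-start') break; // process would exit here
    if (decision.action === 'proceed') phase = 'running';
  }
  return actions;
}

// Constructed sample: trial at startup, downgraded to basic while running.
console.log(replay(true, ['trial', 'basic']).join(' -> '));
```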