Alerting Service Phase 1 - Secret Service #25263
Labels
enhancement
Feature:Alerting
Team:Core
Alerting Service meta issue 24214
PRs
Prereq PR 28722
Phase 1 PR 28894
Describe the feature:
Plugins will be able to store encrypted objects in the kibana index using the saved object service.
Describe a specific use case for the feature:
Action connectors such as Slack, SMTP, S3, etc. will need to store user credentials and allow those credentials to be accessed across multiple instances of Kibana. We do not want to force those connectors to be configurable only via a server configuration file. But in order to allow safe storage of and access to those credentials we need an encryption method. So the Secret Service will provide a means of encrypting and securing these objects using the saved object service.
Design details
The secret service will use a private key stored in the keystore. It will create a keystore if none exists, as well as a private key if none exists. It will use a dummy saved object to determine whether the key that was created or retrieved works. This private key will be used to encrypt an arbitrary object using the Elastic node-crypto package. The saved objects that are used in the secret service will be marked as `hidden` to the saved object service, rendering them undefined to the default saved object repository and the REST API endpoints. Changes to the saved object service will be made in the open source version and will simply restrict saved object type access to the types known to the code. This will in effect reduce the risk of exposure of objects with encrypted details.
In the case that a private key is lost the objects will need to be recreated. No migration or key rotation services are planned at this time or in this phase of the service.
Status
- keystore to autogenerate encryption key if not in config
- Middleware for SavedObjectService that filters secret saved objects