Add "network.publish_host" style configuration in Kibana #45815
Comments
mikecote
added
the
Team:Core
|
Pinging @elastic/kibana-platform |
|
I'd guess this is obvious, but such a |
|
I'm not opposed to us adding a centralized I do question the premise that a |
|
I understand this sort of setting is problematic, but it's also a fairly standard setting for apps which need to generate links back to themselves. I like the idea of "self-checking" in the browser, but don't think it should be the mechanism to explicitly set it. To suggest it, to compare against the current setting, yes, nice! I suspect we'll run into problems if we try to set it automagically like this. It also feels like this is bigger than alerting/actions - some other app/solution/plugin will need it eventually. We could also extend the URL shortening API to include the full URL, if we had this. I have been wondering what devs should do if this URL is not set, when we want to create a URL. Was thinking of having a doc page specifically targeted for this case: "you don't have your publish URL set yet, here's how you can set it". |
Agreed. I spent some more time thinking about how this could work, the lessons we can learn from Reporting, and some of the other options we can consider. Apologies for the wall-of-text which follows... If you want to skip to the solution which I've gravitated towards, it's Solution 2. Add ProblemGenerally, most functionality in Kibana works perfectly fine with relative URLs, which exclude the protocol, hostname, and port. However, there are certain situations where an absolute public URL is required. Reporting spawns a headless browser that navigates to a URL to take a screenshot. In some configurations, Reporting can just navigate to Various Actions would like to also use the absolute public URL so that they can include links back to Kibana. These links will appear in mediums like e-mail, so they can't use relative URLs. There are future features that likely require or at least benefit from absolute public URLs also. For example, Slack integration. Based on the architecture of the Slack integration, there might be a way around needing Kibana itself to build the absolute public URL, but this is purely speculation at this point. Reporting as a cautionary taleBefore discussing possible solutions, there's a lot we can learn from Reporting. Reporting utilizes By default, Reporting uses the protocol, hostname and port which Kibana's HTTP server is listening, but allows these values to be overridden by disparate settings:
The most common configuration mistake that I've seen is when the user doesn't realize that Kibana uses the non-standard port of 5601, and sets When this misconfiguration does occur, an opaque error is thrown and the user is not provided any instructions on how to remedy the error. Solutions1. Use information from the "client" to build the URLIn a majority of situations, it's possible to use information from the "client" to determine the missing pieces to build an absolute public URL. For example, when the user creates an Alert using the UI it's possible to use the browser's There are some caveats though. Kibana can't safely use the information provided by the client in all situations because there's potential that this could be abused to perform a server-side request forgery. In the situation of Reporting, Reporting uses a headless browser to visit the absolute URL. If we used the values from This approach can also be quite complicated, as the protocol, host and port have to be available to the consumers which want to build the full URL, and we have to pass these values all the way through from the client to the portion of the code that needs to consume them. For Alerting, these are asynchronous background jobs that are building the full URLs, so they're stored in an Elasticsearch document, and it's possible that the protocol, host and port changed since the last time they were stored. There are also some potential situations where there isn't a "client" initiating the operation which creates the absolute public URL. For example, Alerting would like to have an Alert that comes pre-packaged with Kibana and sends an e-mail using values purely from the Despite all these caveats, the major benefit of this approach is that it "just works" in most situations without any user intervention and simplifies the getting started experience. 2. Add `kibana.yml` settingsI hope it's obvious, but we shouldn't copy exactly what Reporting is doing at the moment and generalize it. Instead of allowing the user to configure the protocol, hostname and port separately, I'd recommend allowing the user to specify them all together. For example: We should also display a warning notification when the user logs into Kibana and we notice a mismatch between When a user first starts using Kibana and they access it at Users generally shouldn't need to configure Since this is configured in the kibana.yml, it's safe to use in all situations where we need an absolute public URL, and there are no server-side request forgery concerns. 3. Add Advanced SettingsThis is relatively similar to the "Add kibana.yml settings" option, but it can't be used in situations where a server-side request forgery is a concern. It is somewhat easier for the user to configure than the kibana.yml option since they don't have to modify a file on the Kibana server or go to Cloud console. However, I don't think that the benefits overcome the drawbacks and we shouldn't pursue this option, so I haven't elaborated upon it. 4. Hybrid approach with fallbackTheoretically, we could use option 2 in combination with option 1 where the |
|
After going through the considerations, I'm in favour of Solution 2, it will work nicely for being able to append a View in Kibana link to all emails sent from alerts. |
|
cc @elastic/kibana-alerting-services |
|
@elastic/kibana-platform any thoughts around this or timeline if we decide to implement something like this at the core level? |
|
TBH I suggested a very similar API during the globalSearch RFC, for the same need of knowing the 'public' url of the server. Adding the property to the configuration file and adding a simple 'string getter api' for it should be rather trivial. However, I would like to take some time to think a little about the implications on existing APIs here. For example, we got a Also,
Not sure displaying that kind of warning to the 'end' user really makes sense, as it's very unlikely he's in charge of configuring the Kibana instance? |
Apologies for shooting down the suggestion then. I was wrong :hiding:
I don't necessarily think it's an issue if an API returns information about the protocol/host/port that the HTTP server is listening on, and another API returns the "public base URL", as long as the difference is clear. This is all based on the assumption that there are valid situations where we want to know the protocol/host/port that the HTTP server is listening on.
I agree that it could be frustrating to see an alert that you can't take any action on. However, there's no way to know whether or not the currently authenticated end-user is has access to modify the |
I guess we gonna need user settings for that 😄
We would need to check on consumers of the @mikecote for when would you ideally need that feature? @kobelb If there is urgency, how acceptable would it be to just add the configuration option / access API in a first step, and then add the check + notification you suggested in a follow-up (the team short term capacity is quite small). |
7.11 would be ideal for the alerting team, we would start work in parallel on our side. |
😬 else-where, we store values like this in local storage because we don't have persistent user-specific storage.
I think that's a good idea. |
|
I haven't exhausted all other possibilities yet, but this is potentially useful for #69411, which I'm also planning for 7.11 in order to support Drilldowns. I'd like to be able to take an arbitrary URL or URL path, and determine if the destination is external to the Kibana instance. Having a canonical public URL would make this a lot easier |
|
I started putting some code together for how alerting would use this solution. There's two use cases (look for |
|
One issue that has been raised is that some customers have multiple addresses at which they access Kibana, one public (with IP filtering) and one private (via a VPN or similar service such as PrivateLink on AWS). If we were to add a warning toast (like in #85344) when a user access the instance from the private address, it would create noise for these customers. I wonder if we should try to be a bit more intelligent here to support this use case, for example, we could:
@mikecote Thoughts? |
|
From alerting side, we are ok with such change. Though, we will always be using the "primary" URL since the executions happen in a task manager task. |
In this situation, are we just concerned with the toast warning being noisy or will features not work if we use the public URL instead of the private URL? If we're only concerned with the toast warning being noisy, I wonder if we should just add a |
There is a requirement in Alerting to create links on the server side that point to Kibana. These links would be used inside emails (and different types of actions) that allow users to click and get redirected to a section within Kibana. We could create our own configuration under
xpack.alertingbut seems better to have as a platform level configuration.The comparable in Elasticsearch would be the
network.publish_hostconfiguration https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html#advanced-network-settings.As suggested by @joshdover, there could also be a
core.http.buildUrl()function to help build URLs that considersnetwork.publish_host,basePathand the path within kibana.The text was updated successfully, but these errors were encountered: