[console] exclude the x-elastic-product-origin header for requests performed from the dev console

[pgayvallet]

To support system indices (#81536), Kibana is now adding the 'x-elastic-product-origin': 'kibana' header automatically in requests performed against ES: #79218

However, requests executed by the end user using the dev console from the UI should not be able to query system indices.

We need to remove/exclude this header in that scenario.

One option would be to do that from the console proxy

@elastic/kibana-core @elastic/es-ui

[jloleysens]

Hi @pgayvallet ! Has console been tested for querying system indices with this change? I ask because it looks like the x-elastic-product-origin: kibana header should not be included. Headers are included based on a user configured whitelist:

kibana/src/plugins/console/server/routes/api/console/proxy/create_handler.ts

Line 64 in 24bf256

const filteredHeaders = filterHeaders(headers, esConfig.requestHeadersWhitelist);

And some other hardcoded header values:

kibana/src/plugins/console/server/routes/api/console/proxy/create_handler.ts

Lines 91 to 92 in 24bf256

	// see https://git.io/vytQ7
	extendCommaList(headers, 'x-forwarded-for', _req.info.remoteAddress);

Without any special config in elasticsearch. requestHeadersWhitelist or elasticsearch.customHeaders I am seeing the following being passed through from Kibana:

{
  authorization: 'Basic XXXXXX',
  'x-forwarded-for': '127.0.0.1',
  'x-forwarded-port': '49304',
  'x-forwarded-proto': 'http',
  'x-forwarded-host': 'localhost:5601'
}

I might not be testing with the changes you are talking about of course, just wanted to raise this console behaviour.

[joshdover]

A test has been added that verifies the deprecation warning behavior against the Console proxy API. What's remaining is to update this test once Elasticsearch blocks these API requests completely (elastic/elasticsearch#67384). I'm going to close this and open a new issue for that work.