Remove TLS requirement for alerting when security is enabled #115234
@@ -17,8 +17,7 @@ If you are using an *on-premises* Elastic Stack deployment: | |||
|
|||
If you are using an *on-premises* Elastic Stack deployment with <<using-kibana-with-security, *security*>>: | |||
|
|||
* You must enable Transport Layer Security (TLS) for communication <<configuring-tls-kib-es, between {es} and {kib}>>. {kib} alerting uses <<api-keys, API keys>> to secure background rule checks and actions, and API keys require {ref}/configuring-tls.html#tls-http[TLS on the HTTP interface]. A proxy will not suffice. | |||
* If you have enabled TLS and are still unable to access Alerting, ensure that you have not {ref}/security-settings.html#api-key-service-settings[explicitly disabled API keys]. | |||
* If you are unable to access Alerting, ensure that you have not {ref}/security-settings.html#api-key-service-settings[explicitly disabled API keys]. |
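Review bot: the surviving bullet no longer says why API keys matter or how they are protected in transit. The removed bullet was the only place stating that {kib} alerting uses API keys to secure background rule checks and actions, and with the TLS requirement gone those keys travel over whatever transport is configured between {kib} and {es}. Suggest keeping the sentence about what alerting uses API keys for, and adding that TLS between {es} and {kib} is still recommended even though it is no longer required.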
@gchaps to review this change. It was the following before:
If you have enabled TLS and are still unable to access Alerting, ensure that you have not {ref}/security-settings.html#api-key-service-settings[explicitly disabled API keys].
id="xpack.triggersActionsUI.components.healthCheck.tlsErrorTitle" | ||
defaultMessage="You must enable Transport Layer Security and API keys" | ||
id="xpack.triggersActionsUI.components.healthCheck.apiKeysDisabledErrorTitle" | ||
defaultMessage="You must enable API keys" |
@gchaps to review this change. It was the following before:
You must enable Transport Layer Security and API keys
defaultMessage: | ||
'Alerting relies on API keys, which require TLS between Elasticsearch and Kibana. ', | ||
{i18n.translate('xpack.triggersActionsUI.components.healthCheck.apiKeysDisabledError', { | ||
defaultMessage: 'Alerting relies on API keys. ', |
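Review bot: the new defaultMessage 'Alerting relies on API keys. ' ends with a trailing space, which suggests it is joined with the separately translated link text when rendered. Sentence fragments glued together this way are hard to translate and easy to break when either string changes; consider a single message that takes the link as a value, or at least state the concatenation in the message description so translators keep the spacing.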
@gchaps to review this change. It was the following before:
Alerting relies on API keys, which require TLS between Elasticsearch and Kibana.
This text now just repeats the title. Is there something more you can add? Or can it simply be:
You must enable API keys to use Alerting
Learn how
I'm also wondering if we should make the two messages parallel:
Additional setup required
You must enable API keys to use Alerting. Learn how.
{i18n.translate( | ||
'xpack.triggersActionsUI.components.healthCheck.apiKeysDisabledErrorAction', | ||
{ | ||
defaultMessage: 'Learn how to enable API keys.', |
@gchaps to review this change. It was the following before:
Learn how to enable TLS.
{i18n.translate( | ||
'xpack.triggersActionsUI.components.healthCheck.apiKeysAndEncryptionError', | ||
{ | ||
defaultMessage: 'You must enable API keys and configure an encryption key. ', |
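Review bot: the new message 'You must enable API keys and configure an encryption key. ' no longer tells the operator where the encryption key is set; the earlier wording quoted in this thread pointed at the kibana.yml file. Unless the linked documentation is certain to cover both fixes, keep the file name in the message so the error is actionable on its own.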
@gchaps to review this change. It was the following before:
You must enable Transport Layer Security between Kibana and Elasticsearch and configure an encryption key in your kibana.yml file.
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
@elasticmachine merge upstream
LGTM functionally!
Here's the text to make the messages parallel: Additional setup required Additional setup required |
LGTM
UI copy lgtm
💚 Build Succeeded
To update your PR or re-run it, just comment with: cc @mikecote |
💔 Backport failed
To backport manually run: |
#115622) * Initial commit * Fix CI failures * Fix test label * Update messages * Cleanup translations * Fix type check Co-authored-by: Kibana Machine <[email protected]> # Conflicts: # docs/user/alerting/alerting-setup.asciidoc
Resolves #111721
With elastic/elasticsearch#76801 now merged, alerting now works without TLS being enabled. The remaining pieces for us to change are our documentation and UI messages whenever Kibana fails to create API keys.
Note that our logic is still necessary when xpack.security.authc.api_key.enabled: false is set. But this is less likely than TLS not being set up.
The PR does the following:
Follow ups:
Previews:
API keys disabled message
API keys and encryption key message
Encryption key message
Testing steps
Explicitly disabling API keys
yarn es snapshot -E xpack.security.authc.api_key.enabled=false and yarn start
Ephemeral encryption key + disabling API keys
const canEncrypt = false;
yarn es snapshot -E xpack.security.authc.api_key.enabled=false and yarn start