[Beats Management] Add flag to require verification #19355

Contributor

@ycombinator ycombinator commented May 23, 2018

This PR is currently a WIP and not yet ready for review.

Prior to this PR, for a Beat to use central management, three operations needed to happen in this order:

  1. An administrative user would create a single-use enrollment token.
  2. The Beat would enroll itself with Kibana using the POST /api/beats/agent/{beat UUID} API, passing in the single-use enrollment token (see [Beats Management] APIs: Enroll beat #19056 and [Beats Management] APIs: take auth tokens via headers #19210 for details). At this time the Beat would be enrolled in an "unverified" state.
  3. An administrative user would check the details provided by the Beat during enrollment and, if they look good, mark the Beat as "verified".

However, for ease-of-use, we want to make the verification step (step 3) optional by default. This PR makes this possible by:

  • Introducing a setting in kibana.yml called xpack.beats.requireVerification, which will default to false.
  • If this setting is set to false, the Beat will automatically be marked as "verified" in the enrollment step itself (step 2 above), making step 3 unnecessary.
  • If this setting is set to true, the Beat will be enrolled in an "unverified" state in step 2 and an administrative user will have to perform step 3 to verify the Beat (i.e. same workflow as before).
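
The three-step flow and the `xpack.beats.requireVerification` setting described above, modeled in memory as an added example (not code from this PR or from Kibana; the class, method and field names are hypothetical). With the flag at its default of `false`, a valid single-use enrollment token is the only check a Beat passes before it is marked "verified".

```javascript
// Added illustration, not Kibana code: hypothetical in-memory model of enrollment.
const { randomBytes } = require('crypto');

class EnrollmentService {
  constructor({ requireVerification = false, now = () => Date.now() } = {}) {
    this.requireVerification = requireVerification; // models xpack.beats.requireVerification
    this.now = now;          // injectable clock so token expiry can be exercised
    this.tokens = new Map(); // enrollment token -> expiry time (ms)
    this.beats = new Map();  // beat UUID -> enrolled record
  }

  // Step 1: an administrative user creates a single-use enrollment token.
  createToken(ttlMs) {
    const token = randomBytes(16).toString('hex');
    this.tokens.set(token, this.now() + ttlMs);
    return token;
  }

  // Step 2: the Beat enrolls itself, presenting the enrollment token.
  enroll(beatId, token) {
    const expiresAt = this.tokens.get(token);
    if (expiresAt === undefined) return { ok: false, reason: 'invalid token' };
    if (expiresAt <= this.now()) {
      this.tokens.delete(token);
      return { ok: false, reason: 'expired token' };
    }
    // Create-only semantics: the same beat cannot be enrolled twice.
    if (this.beats.has(beatId)) return { ok: false, reason: 'already enrolled' };
    this.tokens.delete(token); // single use: consumed and not stored with the beat
    const beat = { id: beatId, verified: !this.requireVerification };
    this.beats.set(beatId, beat);
    return { ok: true, beat };
  }

  // Step 3: manual verification, only needed when requireVerification is true.
  verify(beatId) {
    const beat = this.beats.get(beatId);
    if (!beat) return false;
    beat.verified = true;
    return true;
  }
}
```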

* Initial scaffolding for Beats plugin

* Removing bits not (yet) necessary in initial scaffolding
…ic#19072)

* Install Beats index template on plugin init

* Adding missing files
* WIP checkin

* Register API routes

* Fixing typo in index name

* Adding TODOs

* Removing commented out license checking code that isn't yet implemented

* Remove unnecessary async/await

* Don't return until indices have been refreshed

* Add API integration test

* Converting to Jest test

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Adding TODO

* Fixing variable name

* Using a single index

* Adding expiration date field

* Adding test for expiration date field

* Ignore non-existent index

* Fixing logic in test

* Creating constant for default enrollment tokens TTL value

* Updating test
* WIP checkin

* Add API integration test

* Converting to Jest test

* Create API for enrolling a beat

* Handle invalid or expired enrollment tokens

* Use create instead of index to prevent same beat from being enrolled twice

* Adding unit test for duplicate beat enrollment

* Do not persist enrollment token with beat once token has been checked and used

* Fix datatype of host_ip field

* Make Kibana API guess host IP instead of requiring it in payload

* Fixing error introduced in rebase conflict resolution
* WIP checkin

* Add API integration test

* Converting to Jest test

* WIP checkin

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Fixing variable name

* Using a single index

* Implementing GET /api/beats/agents API

* Updating mapping
* WIP checkin

* WIP checkin

* Add API integration test

* Converting to Jest test

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Fixing variable name

* Using a single index

* Implementing GET /api/beats/agents API

* Creating POST /api/beats/agents/verify API

* Refactoring: extracting out helper functions

* Fleshing out remaining tests

* Expanding TODO note so I won't forget :)

* Fixing file name

* Updating mapping

* Moving TODO comment to right file

* Rename determine* helper functions to find*
* WIP checkin

* WIP checkin

* Add API integration test

* Converting to Jest test

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Fixing variable name

* Using a single index

* Implementing GET /api/beats/agents API

* Creating POST /api/beats/agents/verify API

* Refactoring: extracting out helper functions

* Expanding TODO note so I won't forget :)

* Fixing file name

* Updating mapping

* Add API tests

* Update template to allow version field for beat

* Implement PUT /api/beats/agent/{beat ID} API

* Make enroll beat code consistent with update beat code

* Fixing minor typo in TODO comment

* Allow version in request payload

* Make sure beat is not updated in ES in error scenarios

* Adding version as required field in Enroll Beat API payload

* Using destructuring

* Fixing rename that was accidentally reversed in conflict fixing
* WIP checkin

* WIP checkin

* Add API integration test

* Converting to Jest test

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Fixing variable name

* Using a single index

* Implementing GET /api/beats/agents API

* Creating POST /api/beats/agents/verify API

* Refactoring: extracting out helper functions

* Expanding TODO note so I won't forget :)

* Fixing file name

* Updating mapping

* Fixing minor typo in TODO comment

* Make "Enroll Beat" API take enrollment token via header instead of request body

* Make "Update Beat" API take access token via header instead of request body
* WIP checkin

* WIP checkin

* Add API integration test

* Converting to Jest test

* Fixing API for default case + adding test for it

* Fixing copy pasta typos

* Fixing variable name

* Using a single index

* Implementing GET /api/beats/agents API

* Creating POST /api/beats/agents/verify API

* Refactoring: extracting out helper functions

* Expanding TODO note so I won't forget :)

* Fixing file name

* Updating mapping

* Fixing minor typo in TODO comment

* Implementing POST /api/beats/configuration_blocks API

* Removing unnecessary escaping

* Fleshing out types + adding validation for them

* Making output singular (was outputs)

* Removing metricbeat.inputs
This API allowed the user to operate at a level of abstraction that is unnecessarily and dangerously too low. A better API would be at one level higher, where users can create, update, and delete tags (where a tag can contain multiple configuration blocks).
@ycombinator
Contributor Author

@alexbrasetvik Would it be possible for this xpack.beats.requireVerification setting in kibana.yml to be toggled by Cloud users?

@ycombinator
Contributor Author

/cc @monicasarbu @tsg since we discussed this change yesterday.

@ycombinator ycombinator added WIP Work in progress and removed review labels May 23, 2018
@ycombinator ycombinator force-pushed the feature/x-pack/management/beats branch from f4ab093 to 8d1a76c Compare June 22, 2018 22:37
@ycombinator
Contributor Author

@mattapperson @exekias I think we can close this PR without merging, right, given that there is no verification step any more?

@exekias
Contributor

exekias commented Jul 6, 2018

Yes, the verification step is not needed anymore; all enrolled beats must have access to the APIs.

@exekias exekias closed this Jul 6, 2018
@ycombinator ycombinator deleted the x-pack/management/beats/require-verification-flag branch July 6, 2018 15:19
@elasticmachine
Contributor

💔 Build Failed

Labels
Team:Beats WIP Work in progress