[Reporting] Document Network Policy configuration #80431

Merged (11 commits), Oct 16, 2020

tsullivan (Member) commented Oct 13, 2020

Summary

This PR adds a documentation section for the Reporting Network Policy feature, which was added in this PR #46528 and released in 7.4.1+

Closes #71484

These screenshots show the placements of the changes in this PR (not the final or full content):


@tsullivan tsullivan force-pushed the reporting/docs/network-policy branch 2 times, most recently from efb1a5a to bf8b517 Compare October 14, 2020 00:03
@tsullivan tsullivan force-pushed the reporting/docs/network-policy branch from bf8b517 to baf182f Compare October 14, 2020 00:04
@tsullivan tsullivan requested review from legrego, gchaps and a team October 14, 2020 00:06
@tsullivan tsullivan marked this pull request as ready for review October 14, 2020 00:09
@tsullivan tsullivan added the release_note:skip Skip the PR/issue when compiling release notes label Oct 14, 2020
legrego (Member) left a comment

@tsullivan thanks for writing this up, I think you did a nice job covering the options here. Just a couple of questions/nits for you below

docs/user/reporting/network-policy.asciidoc
Comment on lines 13 to 14
A network policy applies not only to outgoing requests, but also incoming responses. That means if a request goes out to an allowed
host, but is redirected and a response returns from a denied host, the response will be denied, and the report will fail.
Member

nit: Isn't this still technically an outgoing request? The redirect would involve a response from the allowed host, and then the browser would issue a new request to the denied host -- the network policy would then prevent the connection to the denied host.

The way it's currently written, I could misinterpret this to believe that Chromium would connect to the denied host, but simply ignore the response.

Member Author

Yes, I mistook what is going on in the response handler code that I have become slightly familiar with.

I should have realized the point you made, but now I'm less sure about what the code is doing :)

Contributor

Yup, that's correct: we do a best effort prior to the request being sent, but if a DNS hijack or something else occurs, this can redirect to internal-only IPs or worse (the file:// protocol, etc).

This is why we check both the request itself, as well as the response, and if any violate network policies then the session is shut down immediately (the browser is closed, we log the reason, and the reporting job is failed).

Member Author

Cool, glad to understand it better.

I think that level of detail might not be required for the docs. I'm just going to wipe out these sentences.
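
The behaviour discussed in this thread (the request URL and every later response URL are checked, and the first violation ends the session) can be modelled as follows. This is an added example, not Kibana's code and not part of the PR; the rule shape (`allow`, `host`, `protocol`), first-match-wins with default deny, the subdomain matching and the `.test` hostnames are assumptions made for illustration.

```javascript
// Added example, not Kibana's implementation. Rule shape and matching
// semantics below are assumptions; hostnames are constructed.
const RULES = [
  { allow: true, host: 'reports.example.test', protocol: 'https:' },
  { allow: false }, // catch-all: anything not allowed above is denied
];

// A rule matches when every field it specifies matches the URL.
function ruleMatches(rule, url) {
  const hostOk =
    rule.host === undefined ||
    url.hostname === rule.host ||
    url.hostname.endsWith('.' + rule.host); // dot prefix avoids suffix tricks
  const protocolOk = rule.protocol === undefined || url.protocol === rule.protocol;
  return hostOk && protocolOk;
}

// First matching rule decides. Unparseable URLs and no match are denied.
function isAllowed(rawUrl, rules) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  const rule = rules.find((r) => ruleMatches(r, url));
  return rule ? rule.allow : false;
}

// hops: the URL of the initial request followed by the URL of each
// redirect target or response seen during the session, in order.
function evaluateSession(hops, rules) {
  for (let i = 0; i < hops.length; i++) {
    if (!isAllowed(hops[i], rules)) {
      // Model of "browser is closed, reason is logged, job is failed".
      return { ok: false, failedAt: i, url: hops[i] };
    }
  }
  return { ok: true, failedAt: -1, url: null };
}

// Constructed sessions: a clean one, a redirect to another host, and a
// redirect to a non-HTTP scheme.
const clean = evaluateSession(
  ['https://reports.example.test/app', 'https://reports.example.test/login'], RULES);
const redirected = evaluateSession(
  ['https://reports.example.test/app', 'https://internal.example.test/'], RULES);
const fileScheme = evaluateSession(
  ['https://reports.example.test/app', 'file:///tmp/constructed.txt'], RULES);
console.log(clean, redirected, fileScheme);
```

In this model the initial request passes in all three sessions; the second and third fail at hop 1, which is the case a pre-request check alone would miss.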

docs/user/reporting/network-policy.asciidoc
Comment on lines 71 to 74
==== Disabling Reporting Network Policy

You can use the `xpack.reporting.capture.networkPolicy.enabled: false` setting to disable the network policy feature. The default for
this configuration property is `true`, so it is not necessary to explicitly enable it.
Member

Question: is there a functional difference between disabling the network policy, and not defining a network policy at all?

Member Author

The answer is no, and there probably is no use case for disabling the network policy yet still having rules defined.

That should be a schema check on the config, and we can save the user from having an accidental breakage in the config.

@tsullivan tsullivan added the WIP Work in progress label Oct 14, 2020
tsullivan (Member Author)

Ready for final review!

@tsullivan tsullivan merged commit c3b1b17 into elastic:master Oct 16, 2020
@tsullivan tsullivan deleted the reporting/docs/network-policy branch October 16, 2020 17:43
tsullivan added a commit to tsullivan/kibana that referenced this pull request Oct 16, 2020
* [Reporting] Document Network Policy configuration

* Apply suggestions from code review

Co-authored-by: Larry Gregory <[email protected]>

* Apply suggestions from code review

Co-authored-by: gchaps <[email protected]>

* remove detail about policy acting on responses

* Update docs/user/reporting/network-policy.asciidoc

Co-authored-by: gchaps <[email protected]>

* lowercase network policy

* typo

Co-authored-by: Larry Gregory <[email protected]>
Co-authored-by: gchaps <[email protected]>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 19, 2020
* master: (43 commits)
  [ML] Transforms: Fix tab ids for expanded row. (elastic#80666)
  server logs config paths to use for runner (elastic#52980)
  Fix audit logger logging to console even when disabled (elastic#80928)
  skip flaky suite (elastic#80929)
  Added Enterprise Search config to kibana-docker (elastic#80872)
  skip flaky suite (elastic#80914)
  [keystore_cli] parse values as JSON before adding to keystore (elastic#80848)
  [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742)
  ECS audit logging (elastic#74640)
  [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215)
  [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854)
  Move renderHeaderActions back into mount useEffect + update tests (elastic#80861)
  [Reporting] Document Network Policy configuration (elastic#80431)
  [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782)
  Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757)
  [Actions] Back Button on Add Connector Flyout (elastic#80160)
  removing `kibana_datatable` in favor of `datatable`  (elastic#80548)
  [Alerting UI] Updating 'Add new' wording (elastic#80509)
  [Docs] Document Encrypted Saved Objects functionality. (elastic#80183)
  [Discover] fix auto-refresh (elastic#80635)
  ...
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 19, 2020
* master: (23 commits)
  [ML] Transforms: Fix tab ids for expanded row. (elastic#80666)
  server logs config paths to use for runner (elastic#52980)
  Fix audit logger logging to console even when disabled (elastic#80928)
  skip flaky suite (elastic#80929)
  Added Enterprise Search config to kibana-docker (elastic#80872)
  skip flaky suite (elastic#80914)
  [keystore_cli] parse values as JSON before adding to keystore (elastic#80848)
  [Ingest Manager] Fix for comparing versions with -SNAPSHOT suffix (elastic#80742)
  ECS audit logging (elastic#74640)
  [Uptime] Add client-side unit tests for remaining synthetics code (elastic#80215)
  [Security_Solution][Resolver] Promote z-index on node labels (elastic#80854)
  Move renderHeaderActions back into mount useEffect + update tests (elastic#80861)
  [Reporting] Document Network Policy configuration (elastic#80431)
  [Reporting] Add contextual documentation for CSV Max Bytes setting (elastic#80782)
  Add catch for Enterprise Search sending back a 401 response instead of redirect (elastic#80757)
  [Actions] Back Button on Add Connector Flyout (elastic#80160)
  removing `kibana_datatable` in favor of `datatable`  (elastic#80548)
  [Alerting UI] Updating 'Add new' wording (elastic#80509)
  [Docs] Document Encrypted Saved Objects functionality. (elastic#80183)
  [Discover] fix auto-refresh (elastic#80635)
  ...
Successfully merging this pull request may close these issues.

Document reporting network policy