Kibana app security #365

Open
in-1911 opened this issue Dec 11, 2024 · 2 comments
Assignees
Labels
enhancement New feature or request internal-synced

Comments

@in-1911

in-1911 commented Dec 11, 2024

Description

When the user enables the deployment of Kibana app on Code Engine, several security issues should be addressed:

  • Restrictions on private endpoint - see "Kibana app in DA should have private endpoint" (#333). If the endpoint is not limited to specific source IPs (e.g. a VPC), it does not offer much protection, as any other IBM Cloud account with a VPC can connect to it.
  • Kibana credentials for Elastic instance - ideally different service credentials should be used, not the super admin. Probably a dedicated set of credentials should be set up, so that it can be rotated or disabled if necessary without affecting other credentials. It's not clear what Elastic permissions are required for Kibana; we may need some sort of option to reduce the permissions - e.g. so that access from Kibana is read-only.
  • UI authentication in Kibana app. It seems that the user is supposed to authenticate to Kibana with Elastic credentials, but it's not clear if that can be restricted to only specific Elastic roles. Ideally, a separate authentication mechanism may need to be implemented (e.g. AppID), but that may not be supported in the Kibana app image.

New or affected modules


@in-1911 in-1911 added the enhancement New feature or request label Dec 11, 2024
@Ak-sky Ak-sky self-assigned this Jan 22, 2025
@Ak-sky
Member

Ak-sky commented Jan 24, 2025

@in-1911,

1st point: addressed in this PR.
2nd point: a users list is passed in the users variable like below; this can be used to log in to the Kibana dashboard.

[
  {
    "name": "es_reader",
    "password": "readpassword123",
    "type": "database"
  }
]

3rd point: for now the authentication is based on username/password; for other authentication types, SSO can be used with SAML, which I believe has to be set up separately.

cc: @ocofaigh @vburckhardt

@in-1911
Author

in-1911 commented Jan 24, 2025

  • Private endpoint: the fix ("updated Kibana app endpoint to private", #346) enables the private endpoint, but is there a way to actually limit network access? Can a CBR be applied to a Code Engine project? Or is there some other way to restrict the origin of the connection?
  • User credentials for Kibana - I was referring to the Elastic credentials used to set up the Kibana instance and its access to Elastic. The users input can configure multiple user accounts, but I believe the Kibana deployment uses the super-admin for the initial setup - that's what I am concerned with. I think the credentials passed to the Kibana image should be one of the lesser accounts specified in the users input.
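The second point in both comments above (use a lesser account from the users list for Kibana, and make its Elastic access read-only) can be expressed as Elasticsearch security API request bodies plus a privilege audit. This is an added example, not code from the module or from either commenter; it assumes the Elasticsearch role/user API body format and the users list shape shown in the thread, and the role name kibana_readonly and admin user name are constructed placeholders.

```python
import json

# Constructed sample in the shape of the "users" variable shown above.
USERS = [
    {"name": "admin", "password": "<redacted>", "type": "database"},
    {"name": "es_reader", "password": "readpassword123", "type": "database"},
]

# Index/cluster privileges that exceed read-only access (Elasticsearch names).
WRITE_PRIVS = {"all", "manage", "write", "create_index", "delete_index"}


def kibana_readonly_role(index_patterns):
    """Body for PUT /_security/role/kibana_readonly: read-only on the given
    indices and read-only on Kibana saved objects (application privilege)."""
    return {
        "cluster": [],
        "indices": [{"names": list(index_patterns),
                     "privileges": ["read", "view_index_metadata"]}],
        "applications": [{"application": "kibana-.kibana",
                          "privileges": ["read"], "resources": ["*"]}],
    }


def pick_kibana_credentials(users, admin_name):
    """Return the first non-admin entry from the users list; refuse to fall
    back to the super-admin account the thread warns about."""
    for user in users:
        if user["name"] != admin_name:
            return user
    raise ValueError("no non-admin user available for the Kibana login")


def kibana_login_user(user, role_name="kibana_readonly"):
    """Body for PUT /_security/user/<name> binding only the reduced role."""
    return {"password": user["password"], "roles": [role_name]}


def audit_role(role):
    """List over-privilege findings; an empty list means read-only."""
    findings = []
    if WRITE_PRIVS & set(role.get("cluster", [])):
        findings.append("cluster: management privilege granted")
    for idx in role.get("indices", []):
        bad = sorted(WRITE_PRIVS & set(idx.get("privileges", [])))
        if bad:
            findings.append(f"indices {idx['names']}: {bad}")
    for app in role.get("applications", []):
        if "all" in app.get("privileges", []):
            findings.append(f"application {app['application']}: all")
    return findings


if __name__ == "__main__":
    login = pick_kibana_credentials(USERS, "admin")
    print(json.dumps(kibana_readonly_role(["logs-*"]), indent=2))
    print(json.dumps(kibana_login_user(login), indent=2))
```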
