Adding authc.grantAPIKeyAsInternalUser

[kobelb]

I tried to find a way to prevent having to parse KibanaRequest::headers to use Elasticsearch's grant API Key API, but I was unable to find a way without breaking support for clients like cURL. So instead, I've attempted to parse the Authorization header in the "nicest way possible".

The kibana_system role doesn't have the recently added grant_api cluster privilege , so for the time being I've been creating a new role and creating a new user with the kibana_system and the new role:

### Create grant_api_key role
POST {{es}}/_xpack/security/role/grant_api_key
Content-Type: application/json
Authorization: Basic elastic changeme

{
  "cluster": ["cluster:admin/xpack/security/api_key/grant"]
}

### Create kibana_system user
PUT {{es}}/_xpack/security/user/kibana_system
Content-Type: application/json
Authorization: Basic elastic changeme

{
  "password" : "changeme",
  "roles" : [ "kibana_system", "grant_api_key" ],
  "full_name" : "Kibana"
}

And then changing my elasticsearch.username to kibana_system.

[kobelb]

With the old implementation of getHTTPAuthenticationScheme, .toLowerCase() was being called when initially parsing the scheme from the request's headers. This felt inconsistent when I began to use the HTTPAuthorizationHeader class and .toString() to create the Authorization headers themselves. It has the effect of requiring consumers to call .toLowerCase(), or instead use .localeCompare, to treat this as being case insensitive.

@azasypkin I'm interested in how you feel about this.

[azasypkin]

It's fine by me as long as we mention this in the property JS docs. I'm curious if there is any reason we cannot do toLowerCase() for both scheme and credentials in HTTPAuthorizationHeader constructor though?

[kobelb]

We definitely can do this in the constructor. When we were previously building the Authorization header manually within the auth providers, we were using a capitalized version, for example: Bearer ${accessToken}. Changing this behavior for the sake of making matching the scheme easier felt wrong. However, I don't want to be introducing future bugs by being pedantic... I wish there was CaseInsensitiveString in JavaScript which overrode equals, etc. but AFAIK there is no such thing, or no ability to create one ourselves which would work with things like a Map and a Set.

[azasypkin]

Changing this behavior for the sake of making matching the scheme easier felt wrong. However, I don't want to be introducing future bugs by being pedantic...

Yeah, I agree. We use and compare schemes just in a couple of places, I think the risk of accidentally breaking something in this area may be negligible.

[kobelb]

@tvernum I've been able to make the current ES Grant API key endpoint work, but it requires that Kibana parse the Authorization header to determine the grant_type and extract the access_token or username/password. For a majority of the auth provider flows, this approach wouldn't be absolutely necessary. However, we allow users/systems to authenticate using the Authorization header directly against Kibana HTTP endpoints and we don't want to constrain their ability to grant API Keys in these scenarios.

[mikecote]

Tested this locally. I changed some alerting code to make the alerting APIs use this new API and everything worked based on @kobelb temporary workaround. I tested with a user who didn't have any access to API keys and Kibana allowed the creation of alerts. Tested the API key the alert created to ensure it's usable, etc and it worked! LGTMike 👍

[mikecote]

We chatted a bit about the function naming. Did you decide to keep as is or go with something like grantAsInternalUser?

[azasypkin]

ACK: will review today

[kobelb]

@elasticmachine merge upstream

[azasypkin]

Looks great, thanks! Tested locally with both SAML and Basic.

[azasypkin]

note: would you mind also updating https://github.com/elastic/kibana/blob/master/x-pack/plugins/security/server/routes/users/change_password.ts#L46 to use HTTPAuthorizationHeader?

[kobelb]

You got it!

[azasypkin]

optional nit: how do you feel about something like this instead?

Suggested change

	interface GrantAPIKeyParams {
	grant_type: 'password' | 'access_token';
	username?: string;
	password?: string;
	access_token?: string;
	}
	type GrantAPIKeyParams =
	| { grant_type: 'password'; username: string; password: string }
	| { grant_type: 'access_token'; access_token: string };

[azasypkin]

question: hmm I'm surprised that Elasticsearch doesn't allow client to specify Api Key name like it does in create API key API. Do you know why? Just out of curiosity.

[kobelb]

I don't, unfortunately. It also doesn't allow you to specify a role descriptor. It's not blocking Alerting's usage, so I :ostrich_head_in_sand:'ed it.

[azasypkin]

question: I guess we don't need asScoped here (as well as as GrantAPIKeyResult)?

Suggested change

	result = (await this.clusterClient
	.asScoped(request)
	.callAsInternalUser('shield.grantAPIKey', { body: params })) as GrantAPIKeyResult;
	result = await this.clusterClient.callAsInternalUser('shield.grantAPIKey', { body: params });

[kobelb]

The conceptual equivalent to an asScoped "grant" is just createAPIKey. It's safe for us to always allow end-users to use the create API Key API in Elasticsearch and ES will enforce all of the necessary authorization for this to be safe. The ability to grant an API Key in this manner is a new "two credentials API" where the Kibana server should only be able to perform the operation when it has the user's credentials, and the result of the operation should be safe-guarded...

[azasypkin]

Yeah, but I what I meant is that you're using callAsInternalUser and callAsInternalUser on ScopedClusterClient is exactly the same as on non-scoped ClusterClient and doesn't use request headers you scoped client with. So unless I'm missing something clusterClient.asScoped(request).callAsInternalUser is a bit less performant equivalent of just clusterClient.callAsInternalUser.

[kobelb]

I'm with you now, apologies for being dense. Fix forthcoming.

[azasypkin]

note: I'm not super happy that we should do that, but I can't think of a better solution for the time being as well. So +1.

Just for the records: my main concern is that the fact that we have Authorization header within request.headers is just "temporary" backward compatibility escape hatch for the places that still rely on legacy requests. The idea was to store authHeaders returned from auth hook internally in the core so that it can add them automatically whenever authenticated requested is relayed to ES. And nothing else would have access to them.

However we (Security) register and own this hook, provide auth headers and hence should have an exclusive right to access these headers whenever we need them (e.g. via Core "auth headers accessor" returned as part of the auth hook registration). So even if Core decides to no longer populate request.headers with Authorization we'll still have access to them via some API. Migrating to this API will be an implementation detail that won't change public API we expose unless I'm missing something.

[kobelb]

What you've said makes sense. I'm also open to alternatives which require some changes to the authentication providers. I began exploring what it'd look like to allow the auth providers to store the parameters we need to grant an API key in a WeakMap<KibanaRequest, GrantAPIKeyParams> that only the security plugin had access to, but then came on the necessity to parse the Authorization header within the http authentication provider and decided to just do the header parsing logic here.

[azasypkin]

Yeah, I think what you have now is the best option for the time being. Parsing headers because of http is where I ended up as well when we had initial discussion on that requirement.

It feels we're still missing some pieces either in Security plugin or in the Core that would have allowed us to come with a more future-proof approach, but I'm sure we'll get there and reuse the work you've done here anyway.

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 15defd3

History

• 💚 Build #35117 succeeded 161d6cf
• 💚 Build #34982 succeeded dc6c511
• 💔 Build #34896 failed abab5e2
• 💔 Build #34772 failed 7d6a76e
• 💔 Build #34660 failed 8a5f23c

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream