Page MenuHomePhabricator

Enable SSO for Kibana
Open, Stalled, MediumPublic

Description

A separate Apache vhost cas-logstash.wikimedia.org has been added which uses mod_auth_cas (along with the necessary cert changes) and registered as a service in CAS. The login logic on the Apache level works fine, but there are a number of issues running the Kibana web app with mod_cas.

Kibana 7 (which is being enabled with cas-logstash.wikimedia.org) added various built-in CSP features which don't work with an auth workflow which redirects to the IDP.

Elastic added a new config knob to configure the CSP policy and I created a setting which is based on the default policy shipped in the deb along with allowing wikimedia.org sub domains:

csp.rules:
  - "script-src 'unsafe-eval' 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"
  - "worker-src blob:"
  - "child-src blob:"
  - "style-src 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"

But even with that modified CSP applied, there's various CSS and Javascript blobs blocked by security policies, falling in two categories:

The latter is probably solvable by changes to the vhost, not sure about the former, needs more debugging, whether and how we can integrate this with mod_cas or whether we'll need to wait for some native SAML authentication in Kibana)

Event Timeline

It looks like most of the issues stems from CSP blocking mixed-content. idp.wikimedia.org is redirecting to http per this changeset.

Can the idp redirect to https? What happens when this is configured?

I'll revert 576921 (that was a leftover of testing), but with the service ID pointing to 443 (and CASRootProxiedAs set to https://cas-logstash.wikimedia.org (as Envoy only goes one way and other it would report the http URI as the service ID), it still fails within the bundled Bootstrap copy:

TypeError: document.querySelector(...) is null
failure https://cas-logstash.wikimedia.org/bundles/app/kibana/bootstrap.js:31

Change 579954 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Revert service ID for Logstash

https://gerrit.wikimedia.org/r/579954

Change 579954 merged by Muehlenhoff:
[operations/puppet@production] Revert service ID for Logstash

https://gerrit.wikimedia.org/r/579954

Can the idp redirect to https? What happens when this is configured?

The server-side IDP and Apache config has been adapted, if anyone wants to poke further; a kibana.yml with the adapted CSP policy is in /home/jmm on logstash1023-1025.

That CSP works well. I think cas needs to respond with an appropriate Access-Control-Allow-Origin. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests

Observation from testing: cas is pretty slow validating some requests, taking up to 10 seconds to validate and redirect back to cas-logstash.

That CSP works well. I think cas needs to respond with an appropriate Access-Control-Allow-Origin. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests

I have added the following to the idp server

cas.httpWebRequest.cors.enabled: true
cas.httpWebRequest.cors.allowCredentials=false
cas.httpWebRequest.cors.allowOrigins[0]=*
cas.httpWebRequest.cors.allowMethods[0]=*
cas.httpWebRequest.cors.allowHeaders[0]=*

however looking at the network console it seems that logstash and the idp keep on redirecting to each other before things give up and the following message is shown

JSON.parse: unexpected character at line 1 column 1 of the JSON data

Version: 7.4.2
Build: 26506

I have left puppet disabled and the config in place on idp2001 so others can test

Observation from testing: cas is pretty slow validating some requests, taking up to 10 seconds to validate and redirect back to cas-logstash.

Yes this si something we are currently investigating in the following ticket https://phabricator.wikimedia.org/T246010

MoritzMuehlenhoff changed the task status from Open to Stalled.May 28 2020, 3:20 PM
MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.

Setting this as stalled until we can use a version of Kibana with integrated SAML/SSO support.

Dzahn triaged this task as Medium priority.Jun 4 2020, 9:24 AM

Change 607508 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Remove cas-logstash from caches

https://gerrit.wikimedia.org/r/607508

Change 607509 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Remove IDP defintions for logstash vhosts

https://gerrit.wikimedia.org/r/607509

Change 607508 merged by Muehlenhoff:
[operations/puppet@production] Remove cas-logstash from caches

https://gerrit.wikimedia.org/r/c/operations/puppet/ /607508

Change 607509 merged by Muehlenhoff:
[operations/puppet@production] Remove IDP defintions for logstash vhosts

https://gerrit.wikimedia.org/r/607509