
Enable SSO for Kibana
Closed, ResolvedPublic

Description

A separate Apache vhost cas-logstash.wikimedia.org has been added which uses mod_auth_cas (along with the necessary cert changes) and registered as a service in CAS. The login logic on the Apache level works fine, but there are a number of issues running the Kibana web app with mod_cas.

Kibana 7 (which is being enabled with cas-logstash.wikimedia.org) added various built-in CSP features which don't work with an auth workflow which redirects to the IDP.

Elastic added a new config knob to configure the CSP policy and I created a setting which is based on the default policy shipped in the deb along with allowing wikimedia.org sub domains:

csp.rules:
  - "script-src 'unsafe-eval' 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"
  - "worker-src blob:"
  - "child-src blob:"
  - "style-src 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"

But even with that modified CSP applied, there are various CSS and JavaScript blobs blocked by security policies, falling into two categories:

The latter is probably solvable by changes to the vhost, not sure about the former, needs more debugging (whether and how we can integrate this with mod_cas or whether we'll need to wait for some native SAML authentication in Kibana).
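To make the effect of the csp.rules above concrete, here is an added example (not part of the task and not Kibana code): a simplified CSP source-list matcher that evaluates a few constructed fetch URLs against the policy. It ignores paths, nonces and hashes in source expressions, and it models the browser's mixed-content rule separately, because an http:// load into an https:// page is blocked before CSP is consulted, so the http://*.wikimedia.org entry does not rescue such loads. The URLs in the demo are constructed from the hosts named in the task.

```python
"""Evaluate resource fetches against the csp.rules above (added example)."""
from urllib.parse import urlparse

# The rules from the task description, verbatim
CSP_RULES = [
    "script-src 'unsafe-eval' 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org",
    "worker-src blob:",
    "child-src blob:",
    "style-src 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org",
]

# Origin of the vhost serving Kibana in the task
PAGE_ORIGIN = "https://cas-logstash.wikimedia.org"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_rules(rules):
    """Turn csp.rules lines into {directive: [source expressions]}."""
    policy = {}
    for rule in rules:
        directive, *sources = rule.split()
        policy[directive] = sources
    return policy


def _scheme_matches(src_scheme, url_scheme):
    # An explicit http source also matches https URLs (CSP3 upgrade rule); not the reverse.
    return src_scheme == url_scheme or (src_scheme == "http" and url_scheme == "https")


def _host_matches(pattern, host):
    # "*.wikimedia.org" matches any subdomain, but not the apex "wikimedia.org"
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def _port_matches(src, url):
    if src.port is not None:
        return url.port == src.port
    return url.port in (None, DEFAULT_PORTS.get(url.scheme))


def source_allows(source, url, page_origin=PAGE_ORIGIN):
    """Does one CSP source expression permit fetching `url`?"""
    u = urlparse(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == page_origin
    if source.startswith("'"):
        # 'unsafe-inline', 'unsafe-eval', nonces and hashes never match a URL fetch
        return False
    if source.endswith(":"):
        # scheme source such as blob: or data:
        return u.scheme == source[:-1]
    if not u.hostname:
        return False
    s = urlparse(source if "://" in source else "//" + source)
    src_scheme = s.scheme or urlparse(page_origin).scheme  # scheme-less source inherits the page scheme
    if not _scheme_matches(src_scheme, u.scheme):
        return False
    return _host_matches(s.hostname, u.hostname) and _port_matches(s, u)


def mixed_content_blocked(url, page_origin=PAGE_ORIGIN):
    """Active content served over http into an https page is blocked by the browser
    before CSP is consulted, whatever the source list says."""
    return urlparse(page_origin).scheme == "https" and urlparse(url).scheme == "http"


def evaluate(directive, url, rules=CSP_RULES, page_origin=PAGE_ORIGIN):
    """Return 'allowed', 'blocked-by-csp' or 'blocked-mixed-content' for one fetch."""
    if mixed_content_blocked(url, page_origin):
        return "blocked-mixed-content"
    policy = parse_rules(rules)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        # neither the directive nor default-src is set: this policy does not restrict the fetch
        return "allowed"
    if any(source_allows(s, url, page_origin) for s in sources):
        return "allowed"
    return "blocked-by-csp"


if __name__ == "__main__":
    # Constructed URLs modelled on the hosts named in the task
    for directive, url in [
        ("script-src", "https://cas-logstash.wikimedia.org/bundles/app/kibana/bootstrap.js"),
        ("script-src", "https://idp.wikimedia.org/cas/login"),
        ("script-src", "http://idp.wikimedia.org/cas/login"),
        ("script-src", "https://wikimedia.org/x.js"),
        ("worker-src", "blob:https://cas-logstash.wikimedia.org/1234"),
        ("script-src", "https://cdn.example.net/vendor.js"),
    ]:
        print(f"{directive:11} {url:70} {evaluate(directive, url)}")
```

The two results worth noticing are the http:// IdP URL, which comes back as blocked mixed content despite the http://*.wikimedia.org entry, and the apex wikimedia.org URL, which the wildcard does not cover.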

Event Timeline

It looks like most of the issues stem from CSP blocking mixed content. idp.wikimedia.org is redirecting to http per this changeset.

Can the idp redirect to https? What happens when this is configured?

I'll revert 576921 (that was a leftover of testing), but with the service ID pointing to 443 (and CASRootProxiedAs set to https://cas-logstash.wikimedia.org, as Envoy only goes one way and otherwise it would report the http URI as the service ID), it still fails within the bundled Bootstrap copy:

TypeError: document.querySelector(...) is null
failure https://cas-logstash.wikimedia.org/bundles/app/kibana/bootstrap.js:31

Change 579954 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Revert service ID for Logstash

https://gerrit.wikimedia.org/r/579954

Change 579954 merged by Muehlenhoff:
[operations/puppet@production] Revert service ID for Logstash

https://gerrit.wikimedia.org/r/579954

Can the idp redirect to https? What happens when this is configured?

The server-side IDP and Apache config has been adapted, if anyone wants to poke further; a kibana.yml with the adapted CSP policy is in /home/jmm on logstash1023-1025.

That CSP works well. I think cas needs to respond with an appropriate Access-Control-Allow-Origin. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests

Observation from testing: cas is pretty slow validating some requests, taking up to 10 seconds to validate and redirect back to cas-logstash.

That CSP works well. I think cas needs to respond with an appropriate Access-Control-Allow-Origin. https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#http-web-requests

I have added the following to the idp server

cas.httpWebRequest.cors.enabled=true
cas.httpWebRequest.cors.allowCredentials=false
cas.httpWebRequest.cors.allowOrigins[0]=*
cas.httpWebRequest.cors.allowMethods[0]=*
cas.httpWebRequest.cors.allowHeaders[0]=*

However, looking at the network console it seems that logstash and the idp keep on redirecting to each other before things give up and the following message is shown:

JSON.parse: unexpected character at line 1 column 1 of the JSON data

Version: 7.4.2
Build: 26506

I have left puppet disabled and the config in place on idp2001 so others can test
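As an added example (not CAS code and not from this task), here is a small model of what the cas.httpWebRequest.cors.* settings above mean on the wire and in the browser: the response headers a server configured that way emits, and the CORS check the browser then applies to them per the Fetch standard. The one thing it shows that the properties alone do not is the interaction of allowCredentials=false with allowOrigins=*: an anonymous cross-origin request passes, but a request that carries cookies (credentials mode 'include') is rejected by the browser even though its origin is allowed, because a credentialed response may not use a literal "*". The second, credentialed configuration and the origin strings are assumptions for comparison; whether Kibana's requests to the IdP need cookies is not something this thread establishes.

```python
"""Browser-side effect of the cas.httpWebRequest.cors.* settings above (added example)."""

# Constructed from the properties in the comment above
CAS_CORS = {
    "enabled": True,
    "allowCredentials": False,
    "allowOrigins": ["*"],
    "allowMethods": ["*"],
    "allowHeaders": ["*"],
}

# Hypothetical alternative with credentials enabled and the Kibana origin listed
# explicitly; assumed here for comparison, not taken from the task
CAS_CORS_CREDENTIALED = {
    "enabled": True,
    "allowCredentials": True,
    "allowOrigins": ["https://cas-logstash.wikimedia.org"],
    "allowMethods": ["GET", "POST"],
    "allowHeaders": ["*"],
}


def cors_response_headers(config, origin, method):
    """Headers a server with `config` adds to a response for a request from `origin`."""
    if not config["enabled"] or origin is None:
        return {}
    origins = config["allowOrigins"]
    if "*" not in origins and origin not in origins:
        return {}
    methods = config["allowMethods"]
    if "*" not in methods and method not in methods:
        return {}
    if config["allowCredentials"]:
        # A credentialed response must echo the exact origin; a literal "*" is invalid here
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Access-Control-Allow-Origin": "*" if "*" in origins else origin}


def browser_accepts(headers, origin, with_credentials):
    """The check a browser applies to a cross-origin response (Fetch 'CORS check')."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if not with_credentials:
        return acao == "*" or acao == origin
    # credentials mode 'include': "*" is not accepted and Allow-Credentials must be "true"
    return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"


def xhr_outcome(config, origin, method="GET", with_credentials=False):
    """End-to-end result for one cross-origin request from `origin`: True if the browser exposes the response."""
    headers = cors_response_headers(config, origin, method)
    return browser_accepts(headers, origin, with_credentials)


if __name__ == "__main__":
    kibana = "https://cas-logstash.wikimedia.org"
    print(xhr_outcome(CAS_CORS, kibana))                                            # True
    print(xhr_outcome(CAS_CORS, kibana, with_credentials=True))                     # False
    print(xhr_outcome(CAS_CORS_CREDENTIALED, kibana, with_credentials=True))        # True
    print(xhr_outcome(CAS_CORS_CREDENTIALED, "https://evil.example", with_credentials=True))  # False
```

The Vary: Origin header in the credentialed branch is there so that a cache in front of the IdP never serves one origin's echoed Access-Control-Allow-Origin to another.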

Observation from testing: cas is pretty slow validating some requests, taking up to 10 seconds to validate and redirect back to cas-logstash.

Yes, this is something we are currently investigating in the following ticket: https://phabricator.wikimedia.org/T246010

MoritzMuehlenhoff changed the task status from Open to Stalled.May 28 2020, 3:20 PM
MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.

Setting this as stalled until we can use a version of Kibana with integrated SAML/SSO support.

Dzahn triaged this task as Medium priority.Jun 4 2020, 9:24 AM

Change 607508 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Remove cas-logstash from caches

https://gerrit.wikimedia.org/r/607508

Change 607509 had a related patch set uploaded (by Muehlenhoff; owner: Muehlenhoff):
[operations/puppet@production] Remove IDP definitions for logstash vhosts

https://gerrit.wikimedia.org/r/607509

Change 607508 merged by Muehlenhoff:
[operations/puppet@production] Remove cas-logstash from caches

https://gerrit.wikimedia.org/r/c/operations/puppet/+/607508

Change 607509 merged by Muehlenhoff:
[operations/puppet@production] Remove IDP definitions for logstash vhosts

https://gerrit.wikimedia.org/r/607509

Since we've replaced Kibana with Opensearch Dashboards, we now actually can use OIDC or SAML it seems:

Indeed! We have asked Legal to clarify if the security plugin is an option for us given its history.

Change #1018872 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] opensearch: switch dashboards to sso auth

https://gerrit.wikimedia.org/r/1018872

Change #1018872 merged by Filippo Giunchedi:

[operations/puppet@production] opensearch: switch dashboards to sso auth

https://gerrit.wikimedia.org/r/1018872

Change #1019684 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] opensearch: skip auth for healthcheck endpoints

https://gerrit.wikimedia.org/r/1019684

Change #1019684 merged by Filippo Giunchedi:

[operations/puppet@production] opensearch: skip auth for healthcheck endpoints

https://gerrit.wikimedia.org/r/1019684

Change #1019692 had a related patch set uploaded (by Filippo Giunchedi; author: Filippo Giunchedi):

[operations/puppet@production] oauth2_proxy: default to all email domains

https://gerrit.wikimedia.org/r/1019692

Change #1019692 merged by Filippo Giunchedi:

[operations/puppet@production] oauth2_proxy: default to all email domains

https://gerrit.wikimedia.org/r/1019692

fgiunchedi claimed this task.
fgiunchedi subscribed.

I'm optimistically resolving this since logstash.w.o (nowadays opensearch dashboards) is working as expected