Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Canvas socket auth #24094

Merged
merged 4 commits into from
Oct 24, 2018
Merged

Fix: Canvas socket auth #24094

merged 4 commits into from
Oct 24, 2018

Conversation

w33ble
Copy link
Contributor

@w33ble w33ble commented Oct 16, 2018
edited by cqliu1
Loading

Summary

Closes #23303 (@cqliu1 can you confirm this too?) confirmed

Fixes the way we capture the request info when configuring the socket and providing it to plugins via callWithRequest. Instead of exposing a route that returns the info, simply use the request object that comes back from server.inject.

Also adds a check in the elasticsearchClient handler exposed to plugins to ensure the session is still valid because using callWithRequest.

screenshot 2018-10-16 10 37 56
Note: the actual error message is a bit different, but this is how the failure is exposed to the user

@w33ble w33ble added v7.0.0 v6.5.0 Team:Presentation Presentation Team for Dashboard, Input Controls, and Canvas labels Oct 16, 2018
@w33ble w33ble added the review label Oct 16, 2018
@elastic elastic deleted a comment from elasticmachine Oct 16, 2018
@elastic elastic deleted a comment from elasticmachine Oct 16, 2018
@elastic elastic deleted a comment from elasticmachine Oct 16, 2018
cqliu1
cqliu1 approved these changes Oct 17, 2018
View reviewed changes
Copy link
Contributor

@cqliu1 cqliu1 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I confirmed that we don't get authorization errors on any of the functions that query elasticsearch while logged into a user, so this does indeed fix #23303.

Proof:
screen shot 2018-10-17 at 3 37 09 pm

kobelb
kobelb approved these changes Oct 22, 2018
View reviewed changes
Copy link
Contributor

@kobelb kobelb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is definitely better than the previous situation. The one side-effect which we'll have to figure out is how this should work with auth providers which use short-lived tokens which need to be refreshed. When we run authenticate directly, or indirectly via server.inject there's potential for us to be using the refresh token to get a new access token, which should be returned to the end-user with the set-cookie header, which we end up ignoring. This currently impacts SAML, but more and more auth providers will be switching to using these tokens, and this will definitely become exacerbated at that point.

@kobelb
Copy link
Contributor

kobelb commented Oct 22, 2018

Also, my LGTM is conditional on CI going green.

@w33ble
Copy link
Contributor Author

w33ble commented Oct 22, 2018

@kobelb would you mind opening a new issue about refreshing tokens? It's certainly something we should figure out for GA.

@kobelb kobelb mentioned this pull request Oct 22, 2018
Closed
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elastic elastic deleted a comment from elasticmachine Oct 23, 2018
@elasticmachine
Copy link
Contributor

💚 Build Succeeded

@w33ble w33ble merged commit 5009efd into elastic:master Oct 24, 2018
@w33ble
Copy link
Contributor Author

w33ble commented Oct 24, 2018

6.x fe7c9ec

w33ble added a commit that referenced this pull request Oct 24, 2018
@w33ble
Fix: Canvas socket auth (#24094)
fe7c9ec 
## Summary

Closes #23303 ~(@cqliu1 can you confirm this too?)~ confirmed

Fixes the way we capture the request info when configuring the socket and providing it to plugins via `callWithRequest`. Instead of exposing a route that returns the info, simply use the request object that comes back from `server.inject`.

Also adds a check in the `elasticsearchClient` handler exposed to plugins to ensure the session is still valid because using `callWithRequest`.

![screenshot 2018-10-16 10 37 56](https://user-images.githubusercontent.com/404731/47036828-32768c00-d132-11e8-81a0-122b5e83c7ef.png)
*Note:* the actual error message is a bit different, but this is how the failure is exposed to the user
@w33ble w33ble deleted the fix/socket-auth branch October 24, 2018 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kobelb kobelb kobelb approved these changes

@cqliu1 cqliu1 cqliu1 approved these changes

@rashidkpc rashidkpc Awaiting requested review from rashidkpc

Assignees
No one assigned
Labels
review Team:Presentation Presentation Team for Dashboard, Input Controls, and Canvas v6.5.0 v7.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@w33ble @kobelb @elasticmachine @cqliu1