github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-28 03:01:21 -04:00
Code Issues Projects Releases Packages Wiki Activity

Check where SES is running before passing along service token (#165411)

Browse source 
## Summary

If a user is running serverless ES in the cloud and serverless KBN
locally, passing the token can trigger an invalid configuration error:

`serviceAccountToken cannot be specified when "username" is also
defined`

Additionally, the token is likely invalid anyways because the SES
instance was not seeded with it. This PR checks the
`elasticsearch.hosts` configuration for non-localhost values before
passing along the token.

## Testing
Add something like the following to `config/kibana.dev.yml` and run
`yarn serverless`. Should not get a configuration error.

```yml
elasticsearch.hosts: https://xxxxxxxxxx.es.us-west2.gcp.elastic-cloud.com:443
elasticsearch.username: kibana_system_user
elasticsearch.password: xxxxxxxxxxxxxx
```

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
Brad White 2023-08-31 20:03:23 -06:00 committed by GitHub
parent eaee02f913
commit 6bbd3c67e1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

28
src/cli/serve/serve.js
View file

@ -44,8 +44,30 @@ const getBootstrapScript = (isDev) => {
} }
}; };
const setServerlessKibanaDevServiceAccountIfPossible = (set, opts) => { const setServerlessKibanaDevServiceAccountIfPossible = (get, set, opts) => {
if (!opts.dev || !opts.serverless || process.env.isDevCliChild === 'true') { const esHosts = [].concat(
get('elasticsearch.hosts', []),
opts.elasticsearch ? opts.elasticsearch.split(',') : []
);
/*
* We only handle the service token if serverless ES is running locally.
* Example would be if the user is running SES in the cloud and KBN serverless
* locally, they would be expected to handle auth on their own and this token
* is likely invalid anyways.
*/
const isESlocalhost = esHosts.length
? esHosts.some((hostUrl) => {
const parsedUrl = url.parse(hostUrl);
return (
parsedUrl.hostname === 'localhost' ||
parsedUrl.hostname === '127.0.0.1' ||
parsedUrl.hostname === 'host.docker.internal'
);
})
: true; // default is localhost:9200
if (!opts.dev || !opts.serverless || !isESlocalhost) {
return; return;
} }
@ -86,7 +108,7 @@ export function applyConfigOverrides(rawConfig, opts, extraCliOptions) {
if (opts.dev) { if (opts.dev) {
if (opts.serverless) { if (opts.serverless) {
setServerlessKibanaDevServiceAccountIfPossible(set, opts); setServerlessKibanaDevServiceAccountIfPossible(get, set, opts);
} }
if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) { if (!has('elasticsearch.serviceAccountToken') && opts.devCredentials !== false) {