Kibana: Watcher UI and redacted passwords

Created on 19 Jul 2018  路  5Comments  路  Source: elastic/kibana

Kibana version: 6.3.1
Elasticsearch version: 6.3.1

As of Elasticsearch 6.3.0, watches that contain passwords for authentication such as HTTP input with basic credentials, are returned by the Watcher API with passwords redacted. For example:

"auth": {
          "basic": {
            "username": "elastic",
            "password": "::es_redacted::"
          }
        }

If the Watcher API receives a simulate request having "password": "::es_redacted::" in the payload, Elasticsearch responds with:

{"statusCode":400,"error":"Bad Request","message":"[parse_exception] found redacted password in field [password]"}

And Kibana displays a big red warning banner about the situation.
screen shot 2018-07-19 at 4 38 05 pm

Is there any way to make the user experience better? Maybe existing watches could be executed by ID instead of relying on the payload. Watches in edit mode would still require entering a valid password as it is required for saving the watch anyway.

Watches with HTTP input credentials worked prior to 6.3

This behavior is coming from a change made for Elasticsearch 6.3.0 where passwords coming back from the Watcher API are redacted. The added security is great. However, this appears to be broken to users coming from versions prior to 6.3.0 as the UI did not work like this previously. Is it a breaking change?

@spinscale

Watcher Elasticsearch UI
Source
picture inqueue

Most helpful comment

Also experienced this on 7.5.1.

Update:

Wouldn't it make sense to use the keystore for this since authentication has occurred? I have to put in the password each time I make a change or want to simulate a rule; this isn't ideal.

I understand the security implications of why this happened in the first place, but the inconvenience factor should hold some weight on this issue as well.

picture JSkier21 on 7 Jan 2020
👍7

All 5 comments

Appears to be a dup of https://github.com/elastic/kibana/issues/18309.

inqueue picture inqueue on 27 Jul 2018

Is this still an issue or can this be closed?

remd picture remd on 23 Aug 2019

@remd this is still valid.

alisonelizabeth picture alisonelizabeth on 4 Sep 2019

Still relevant issue :(

zeleznypa picture zeleznypa on 7 Jan 2020

Also experienced this on 7.5.1.

Update:

Wouldn't it make sense to use the keystore for this since authentication has occurred? I have to put in the password each time I make a change or want to simulate a rule; this isn't ideal.

I understand the security implications of why this happened in the first place, but the inconvenience factor should hold some weight on this issue as well.

JSkier21 picture JSkier21 on 7 Jan 2020
👍7
Was this page helpful?
0 / 5 - 0 ratings

Related issues

timmolter picture timmolter  路  3Comments
ctindel picture ctindel  路  3Comments
bradvido picture bradvido  路  3Comments
stacey-gammon picture stacey-gammon  路  3Comments
Ginja picture Ginja  路  3Comments