Kibana: Watcher UI and redacted passwords

Created on 19 Jul 2018 · 5 Comments · Source: elastic/kibana

Kibana version: 6.3.1
Elasticsearch version: 6.3.1

As of Elasticsearch 6.3.0, watches that contain passwords for authentication, such as an HTTP input with basic credentials, are returned by the Watcher API with passwords redacted. For example:

"auth": {
  "basic": {
    "username": "elastic",
    "password": "::es_redacted::"
  }
}

If the Watcher API receives a simulate request having "password": "::es_redacted::" in the payload, Elasticsearch responds with:

{"statusCode":400,"error":"Bad Request","message":"[parse_exception] found redacted password in field [password]"}

And Kibana displays a big red warning banner about the situation.

Is there any way to make the user experience better? Maybe existing watches could be executed by ID instead of relying on the payload. Watches in edit mode would still require entering a valid password as it is required for saving the watch anyway.

Watches with HTTP input credentials worked prior to 6.3

This behavior is coming from a change made for Elasticsearch 6.3.0 where passwords coming back from the Watcher API are redacted. The added security is great. However, this appears to be broken to users coming from versions prior to 6.3.0 as the UI did not work like this previously. Is it a breaking change?

@spinscale

Watcher Elasticsearch UI
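The client-side handling the issue asks for, as an added example that is not code from Kibana or from the issue author: it locates the `::es_redacted::` sentinel in a watch fetched from the Watcher API and, for a stored watch, simulates it by ID so the placeholder is never sent back (the 400 above), while an edited watch must have real credentials substituted first. It assumes the 6.x `_xpack/watcher/watch/.../_execute` endpoint paths and a constructed sample watch.

```python
import copy

REDACTED = "::es_redacted::"  # sentinel Elasticsearch 6.3+ returns in place of secrets

# Constructed sample mirroring the redacted HTTP-input shape shown in the issue.
SAMPLE_WATCH = {
    "trigger": {"schedule": {"interval": "10m"}},
    "input": {"http": {"request": {
        "host": "example.invalid", "port": 443, "path": "/health",
        "auth": {"basic": {"username": "elastic", "password": REDACTED}}}}},
    "condition": {"always": {}},
    "actions": {"log": {"logging": {"text": "checked"}}},
}


def find_redacted_fields(node, path=()):
    """Return dotted JSON paths of every value equal to the redaction sentinel."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_redacted_fields(value, path + (key,)))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            hits.extend(find_redacted_fields(value, path + (idx,)))
    elif node == REDACTED:
        hits.append(".".join(str(p) for p in path))
    return hits


def _set_path(node, dotted, value):
    """Assign value at a dotted path inside nested dicts/lists (in place)."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node[int(part)] if isinstance(node, list) else node[part]
    node[int(parts[-1]) if isinstance(node, list) else parts[-1]] = value


def plan_simulation(watch_id, watch_body, credentials=None):
    """Return (method, path, body) for a Watcher execute request.

    credentials maps a redacted field path to the real secret the user typed.
    With no credentials the stored watch runs by ID (Elasticsearch already
    holds the secret); an edited watch needs every redacted field supplied,
    otherwise Elasticsearch answers 400 "found redacted password".
    """
    redacted = find_redacted_fields(watch_body)
    if not redacted:
        return ("POST", "/_xpack/watcher/watch/_execute", {"watch": watch_body})
    if credentials is None:
        return ("POST", f"/_xpack/watcher/watch/{watch_id}/_execute", {})
    missing = [p for p in redacted if p not in credentials]
    if missing:
        raise ValueError(f"credentials required for redacted fields: {missing}")
    body = copy.deepcopy(watch_body)  # never mutate the fetched copy
    for dotted in redacted:
        _set_path(body, dotted, credentials[dotted])
    return ("POST", "/_xpack/watcher/watch/_execute", {"watch": body})
```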

All 5 comments

Is this still an issue or can this be closed?

@remd this is still valid.

Still relevant issue :(

Also experienced this on 7.5.1.

Update:

Wouldn't it make sense to use the keystore for this since authentication has occurred? I have to put in the password each time I make a change or want to simulate a rule; this isn't ideal.

I understand the security implications of why this happened in the first place, but the inconvenience factor should hold some weight on this issue as well.
