a75436d93e
* change setClientFactory api to setClientFactoryProvider * cleanup and add test for service * change the signatures of SO start/setup * fix registerCoreContext by accessing stored start contract reference * move migration inside `start` * adapt and add service tests * add doc and export new types * adapt plugins code * update generated doc * better core access * address some review comments * remove parametrized type from SavedObjectsClientFactory, use KibanaRequest instead * add logs when starting and ending so migration * fix KibanaRequest imports * NITs and review comments * fix alerting FTR test * review comments |
||
|---|---|---|
| .. | ||
| server | ||
| kibana.json | ||
| README.md | ||
Encrypted Saved Objects
Overview
The purpose of this plugin is to provide a way to encrypt/decrypt attributes on the custom Saved Objects that works with security and spaces filtering as well as performing audit logging.
RFC #2: Encrypted Saved Objects Attributes.
Usage
Follow these steps to use encryptedSavedObjects in your plugin:
- Declare
encryptedSavedObjectsas a dependency inkibana.json:
{
...
"requiredPlugins": ["encryptedSavedObjects"],
...
}
- Add attributes to be encrypted in
mappings.jsonfile for the respective Saved Object type. These attributes should always have abinarytype since they'll contain encrypted content as aBase64encoded string and should never be searchable or analyzed:
{
"my-saved-object-type": {
"properties": {
"name": { "type": "keyword" },
"mySecret": { "type": "binary" }
}
}
}
- Register Saved Object type using the provided API at the
setupstage:
...
public setup(core: CoreSetup, { encryptedSavedObjects }: PluginSetupDependencies) {
encryptedSavedObjects.registerType({
type: 'my-saved-object-type',
attributesToEncrypt: new Set(['mySecret']),
});
}
...
- For any Saved Object operation that does not require retrieval of decrypted content, use standard REST or programmatic Saved Object API, e.g.:
...
router.get(
{ path: '/some-path', validate: false },
async (context, req, res) => {
return res.ok({
body: await context.core.savedObjects.client.create(
'my-saved-object-type',
{ name: 'some name', mySecret: 'non encrypted secret' }
),
});
}
);
...
- To retrieve Saved Object with decrypted content use the dedicated
getDecryptedAsInternalUserAPI method.
Note: As name suggests the method will retrieve the encrypted values and decrypt them on behalf of the internal Kibana
user to make it possible to use this method even when user request context is not available (e.g. in background tasks).
Hence this method should only be used wherever consumers would otherwise feel comfortable using callAsInternalUser
and preferably only as a part of the Kibana server routines that are outside of the lifecycle of a HTTP request that a
user has control over.
const savedObjectWithDecryptedContent = await encryptedSavedObjects.getDecryptedAsInternalUser(
'my-saved-object-type',
'saved-object-id'
);
getDecryptedAsInternalUser also accepts the 3rd optional options argument that has exactly the same type as options
one would pass to SavedObjectsClient.get. These argument allows to specify namespace property that, for example, is
required if Saved Object was created within a non-default space.
Testing
Unit tests
From kibana-root-folder/x-pack, run:
$ node scripts/jest.js
API Integration tests
In one shell, from kibana-root-folder/x-pack:
$ node scripts/functional_tests_server.js --config test/plugin_api_integration/config.js
In another shell, from kibana-root-folder/x-pack:
$ node ../scripts/functional_test_runner.js --config test/plugin_api_integration/config.js --grep="{TEST_NAME}"