With our legacy direct proxies to elasticsearch, we pass all headers from the client through to elasticsearch, which means people can pass custom headers to elasticsearch. This allows for, among other scenarios, elasticsearch/shield to be configured with custom realm support, and Kibana to pass along the necessary headers from the client.
However, we're moving to more explicit API routes on Kibana and in plugins, where developers will generally query elasticsearch using call_with_request rather than doing a direct proxy. This mechanism for querying elasticsearch currently only sends the Authorization header from the client, so it isn't possible to rely on any custom headers defined on the client.
It should be possible to configure specific headers that call_with_request will send along when they are provided by the client. This should be a whitelist behavior rather than a blacklist, and the only header that should be sent by default is Authorization.
It might also be worthwhile to apply the same whitelist to our direct proxies for 5.0 to remain consistent.
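One way to implement the whitelist described above, as an added example that is not Kibana's own code: the `pickForwardedHeaders` and `callWithRequest` helpers, the `esClient.request(endpoint, params)` transport and the sample request headers are all assumed or constructed here, not taken from the project.

```javascript
// Added example (not Kibana's own code): a whitelist filter for the headers a
// call_with_request-style helper forwards to Elasticsearch. Default is
// Authorization only; extra names come from configuration.
const DEFAULT_HEADER_WHITELIST = ['authorization'];

// Hop-by-hop headers (RFC 7230 section 6.1) are never forwarded by a proxy,
// even if someone lists them in the whitelist by mistake.
const HOP_BY_HOP = new Set([
  'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
  'te', 'trailer', 'transfer-encoding', 'upgrade',
]);

// Select only the whitelisted headers from an incoming request's headers.
// Header names are case-insensitive, so everything is compared lower-cased
// and emitted lower-cased (which is how Node's http module exposes them).
function pickForwardedHeaders(clientHeaders, whitelist = DEFAULT_HEADER_WHITELIST) {
  const allowed = new Set(
    whitelist.map((name) => String(name).trim().toLowerCase())
      .filter((name) => name && !HOP_BY_HOP.has(name))
  );
  const forwarded = {};
  for (const [name, value] of Object.entries(clientHeaders || {})) {
    const key = name.toLowerCase();
    if (allowed.has(key)) forwarded[key] = value;
  }
  return forwarded;
}

// Minimal call_with_request shape: whitelisted client headers are merged over
// the caller's own headers, then handed to the client call. `esClient` is a
// hypothetical object exposing `request(endpoint, params)`; the real API differs.
function callWithRequest(esClient, whitelist, request, endpoint, params = {}) {
  const headers = Object.assign({},
    params.headers || {},
    pickForwardedHeaders(request.headers, whitelist));
  return esClient.request(endpoint, Object.assign({}, params, { headers }));
}

// Constructed sample: a client request carrying a cookie and a custom-realm
// header next to its Authorization header.
const sampleRequest = {
  headers: {
    Authorization: 'Basic ZXhhbXBsZTpwYXNzd29yZA==',
    Cookie: 'sid=abc123',
    'X-Custom-Realm-Token': 'token-from-client',
    Connection: 'keep-alive',
  },
};
```

With the default whitelist only `authorization` reaches Elasticsearch; adding `x-custom-realm-token` to the whitelist lets a custom Shield realm header through while `Cookie` and `Connection` are still dropped.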