@SpencerLN
Contributor

Proposed commit message

feat(filebeat): add file auth support for CEL and HTTP JSON inputs

  • Add auth.file configuration for CEL and HTTP JSON inputs to load header values from disk with optional prefix and refresh interval.
  • Wrap client transports to inject the refreshed file-based credential on each request and guard against invalid configs.

Note

The code is mostly duplicated between httpjson and CEL inputs. I considered putting it in a shared location that each could reference, but I didn't see a clear pattern on how to do that. As it isn't much code I've implemented it in each input at the moment.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

None. Existing configurations continue to work; the new file auth mechanism is opt-in.

Author's Checklist

  • [ ]

How to test this PR locally

  • Create a file (i.e. /etc/elastic/gh_token_test) containing an invalid secret
  • Start a Filebeat instance with a configuration that tries to retrieve data from a server requiring authentication:
```yaml
filebeat.inputs:
  - type: httpjson
    interval: 5s
    auth.file:
      path: "/etc/elastic/gh_token_test"
      prefix: "token "
      refresh_interval: 10s
    request:
      url: https://api.github.com/repos/{org}/{repo}/issues
      method: GET
      transforms:
        - set:
            target: url.params.per_page
            value: "1"
        - set:
            target: url.params.state
            value: open
        - set:
            target: header.Accept
            value: application/vnd.github+json
```
  • Confirm that Filebeat logs show a 401 error
  • Update the secret file to contain a valid secret, wait 10-15 seconds, confirm the input now outputs the expected data

Related issues

Use cases

Filebeat reads short-lived (JWT, OAuth, etc.) tokens projected to disk by an external secret manager and refreshes them without restarting the input.

Note

GitHub Copilot was used to generate some code for this PR.

@SpencerLN SpencerLN requested review from a team as code owners November 6, 2025 23:37
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 6, 2025
@github-actions
Contributor

github-actions bot commented Nov 6, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify
Contributor

mergify bot commented Nov 6, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @SpencerLN? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@github-actions
Contributor

github-actions bot commented Nov 6, 2025

@SpencerLN SpencerLN changed the title Add file-based authentication support for CEL and httpjson inputs Add file-based authentication support for CEL and HTTP JSON inputs Nov 6, 2025
@SpencerLN SpencerLN added enhancement Team:Security-Service Integrations Security Service Integrations Team and removed needs_team Indicates that the issue/PR needs a Team:* label labels Nov 6, 2025
@elasticmachine
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@colleenmcginnis colleenmcginnis left a comment

Starting with v9.0, there is no longer a new documentation set published with every minor release. Instead, the same page stays valid over time and shows version-related evolutions. You can read more in Write cumulative documentation.

Based on the lack of backport labels, I'm assuming you're targeting 9.3.0 for this change, but feel free to adjust my suggestion if my assumption is incorrect!


* Basic
* Digest
* File

Suggested change
* File
* {applies_to}`stack: ga 9.3.0` File
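Review bot: the suggested line "* {applies_to}`stack: ga 9.3.0` File" puts the applies_to role before the list label, while the existing "* Digest Authentication {applies_to}`stack: ga 8.12.0`" entry and the "* file-based headers {applies_to}`stack: ga 9.3.0`" suggestion in this same review put it after the label. Suggest "* File {applies_to}`stack: ga 9.3.0`" so the two input docs use one placement.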

* Basic Authentication
* Digest Authentication {applies_to}`stack: ga 8.12.0`
* OAuth2
* file-based headers

Suggested change
* file-based headers
* file-based headers {applies_to}`stack: ga 9.3.0`

When set to `true`, Digest Authentication challenges are not reused.


### `auth.file.enabled` [_auth_file_enabled]

Suggested change
### `auth.file.enabled` [_auth_file_enabled]
### `auth.file.enabled` [_auth_file_enabled]
```{applies_to}
stack: ga 9.3.0
```

::::


### `auth.file.path` [_auth_file_path]

Suggested change
### `auth.file.path` [_auth_file_path]
### `auth.file.path` [_auth_file_path]
```{applies_to}
stack: ga 9.3.0
```

The path to the file containing the authentication value. The file contents are trimmed before use. This field is required when file auth is enabled.


### `auth.file.header` [_auth_file_header]

Suggested change
### `auth.file.header` [_auth_file_header]
### `auth.file.header` [_auth_file_header]
```{applies_to}
stack: ga 9.3.0
```

The password to use.


### `auth.file.enabled` [_auth_file_enabled_2]

Suggested change
### `auth.file.enabled` [_auth_file_enabled_2]
### `auth.file.enabled` [_auth_file_enabled_2]
```{applies_to}
stack: ga 9.3.0
```

::::


### `auth.file.path` [_auth_file_path_2]

Suggested change
### `auth.file.path` [_auth_file_path_2]
### `auth.file.path` [_auth_file_path_2]
```{applies_to}
stack: ga 9.3.0
```

The path to the file that contains the authentication value. The file contents are trimmed before use. This field is required when file auth is enabled.


### `auth.file.header` [_auth_file_header_2]

Suggested change
### `auth.file.header` [_auth_file_header_2]
### `auth.file.header` [_auth_file_header_2]
```{applies_to}
stack: ga 9.3.0
```

The request header that receives the value loaded from `path`. Defaults to `Authorization` when omitted or empty.


### `auth.file.prefix` [_auth_file_prefix_2]

Suggested change
### `auth.file.prefix` [_auth_file_prefix_2]
### `auth.file.prefix` [_auth_file_prefix_2]
```{applies_to}
stack: ga 9.3.0
```

An optional prefix that is prepended to the trimmed value from `path` before it is sent on the request header. This is commonly used for tokens that require a leading value such as `Bearer `.


### `auth.file.refresh_interval` [_auth_file_refresh_interval_2]

Suggested change
### `auth.file.refresh_interval` [_auth_file_refresh_interval_2]
### `auth.file.refresh_interval` [_auth_file_refresh_interval_2]
```{applies_to}
stack: ga 9.3.0
```

@SpencerLN
Contributor Author

> Based on the lack of backport labels, I'm assuming you're targeting 9.3.0 for this change, but feel free to adjust my suggestion if my assumption is incorrect!

I'll defer to the maintainers on which release this should go into, as I'm not sure what the policy is on adding minor new functionality. From my perspective, I'd like it as soon as possible and 9.3.0 still looks to be quite far out 😁.


I've submitted 21356c6 to fix the linting errors that were newly introduced by this code, the rest of the errors appear to be pre-existing issues.

@andrewkroh andrewkroh added the Filebeat Filebeat label Nov 7, 2025

Development

Successfully merging this pull request may close these issues.

[Filebeat] [httpjson/cel] Support setting authentication headers based on file content
