-
Notifications
You must be signed in to change notification settings - Fork 24.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create API Key on behalf of other user (#52886)
This change adds a "grant API key action" POST /_security/api_key/grant that creates a new API key using the privileges of one user ("the system user") to execute the action, but creates the API key with the roles of the second user ("the end user"). This allows a system (such as Kibana) to create API keys representing the identity and access of an authenticated user without requiring that user to have permission to create API keys on their own. This also creates a new QA project for security on trial licenses and runs the API key tests there
- Loading branch information
Showing
22 changed files
with
1,216 additions
and
51 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
24 changes: 24 additions & 0 deletions
24
...in/core/src/main/java/org/elasticsearch/xpack/core/security/action/GrantApiKeyAction.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.core.security.action; | ||
|
||
import org.elasticsearch.action.ActionType; | ||
|
||
/** | ||
* ActionType for the creation of an API key on behalf of another user | ||
* This returns the {@link CreateApiKeyResponse} because the REST output is intended to be identical to the {@link CreateApiKeyAction}. | ||
*/ | ||
public final class GrantApiKeyAction extends ActionType<CreateApiKeyResponse> { | ||
|
||
public static final String NAME = "cluster:admin/xpack/security/api_key/grant"; | ||
public static final GrantApiKeyAction INSTANCE = new GrantApiKeyAction(); | ||
|
||
private GrantApiKeyAction() { | ||
super(NAME, CreateApiKeyResponse::new); | ||
} | ||
|
||
} |
166 changes: 166 additions & 0 deletions
166
...n/core/src/main/java/org/elasticsearch/xpack/core/security/action/GrantApiKeyRequest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,166 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.core.security.action; | ||
|
||
import org.elasticsearch.action.ActionRequest; | ||
import org.elasticsearch.action.ActionRequestValidationException; | ||
import org.elasticsearch.action.support.WriteRequest; | ||
import org.elasticsearch.common.io.stream.StreamInput; | ||
import org.elasticsearch.common.io.stream.StreamOutput; | ||
import org.elasticsearch.common.io.stream.Writeable; | ||
import org.elasticsearch.common.settings.SecureString; | ||
|
||
import java.io.IOException; | ||
import java.util.Objects; | ||
|
||
import static org.elasticsearch.action.ValidateActions.addValidationError; | ||
|
||
/** | ||
* Request class used for the creation of an API key on behalf of another user. | ||
* Logically this is similar to {@link CreateApiKeyRequest}, but is for cases when the user that has permission to call this action | ||
* is different to the user for whom the API key should be created | ||
*/ | ||
public final class GrantApiKeyRequest extends ActionRequest { | ||
|
||
public static final String PASSWORD_GRANT_TYPE = "password"; | ||
public static final String ACCESS_TOKEN_GRANT_TYPE = "access_token"; | ||
|
||
/** | ||
* Fields related to the end user authentication | ||
*/ | ||
public static class Grant implements Writeable { | ||
private String type; | ||
private String username; | ||
private SecureString password; | ||
private SecureString accessToken; | ||
|
||
public Grant() { | ||
} | ||
|
||
public Grant(StreamInput in) throws IOException { | ||
this.type = in.readString(); | ||
this.username = in.readOptionalString(); | ||
this.password = in.readOptionalSecureString(); | ||
this.accessToken = in.readOptionalSecureString(); | ||
} | ||
|
||
public void writeTo(StreamOutput out) throws IOException { | ||
out.writeString(type); | ||
out.writeOptionalString(username); | ||
out.writeOptionalSecureString(password); | ||
out.writeOptionalSecureString(accessToken); | ||
} | ||
|
||
public String getType() { | ||
return type; | ||
} | ||
|
||
public String getUsername() { | ||
return username; | ||
} | ||
|
||
public SecureString getPassword() { | ||
return password; | ||
} | ||
|
||
public SecureString getAccessToken() { | ||
return accessToken; | ||
} | ||
|
||
public void setType(String type) { | ||
this.type = type; | ||
} | ||
|
||
public void setUsername(String username) { | ||
this.username = username; | ||
} | ||
|
||
public void setPassword(SecureString password) { | ||
this.password = password; | ||
} | ||
|
||
public void setAccessToken(SecureString accessToken) { | ||
this.accessToken = accessToken; | ||
} | ||
} | ||
|
||
private final Grant grant; | ||
private CreateApiKeyRequest apiKey; | ||
|
||
public GrantApiKeyRequest() { | ||
this.grant = new Grant(); | ||
this.apiKey = new CreateApiKeyRequest(); | ||
} | ||
|
||
public GrantApiKeyRequest(StreamInput in) throws IOException { | ||
super(in); | ||
this.grant = new Grant(in); | ||
this.apiKey = new CreateApiKeyRequest(in); | ||
} | ||
|
||
@Override | ||
public void writeTo(StreamOutput out) throws IOException { | ||
super.writeTo(out); | ||
grant.writeTo(out); | ||
apiKey.writeTo(out); | ||
} | ||
|
||
public WriteRequest.RefreshPolicy getRefreshPolicy() { | ||
return apiKey.getRefreshPolicy(); | ||
} | ||
|
||
public void setRefreshPolicy(WriteRequest.RefreshPolicy refreshPolicy) { | ||
apiKey.setRefreshPolicy(refreshPolicy); | ||
} | ||
|
||
public Grant getGrant() { | ||
return grant; | ||
} | ||
|
||
public CreateApiKeyRequest getApiKeyRequest() { | ||
return apiKey; | ||
} | ||
|
||
public void setApiKeyRequest(CreateApiKeyRequest apiKeyRequest) { | ||
this.apiKey = Objects.requireNonNull(apiKeyRequest, "Cannot set a null api_key"); | ||
} | ||
|
||
@Override | ||
public ActionRequestValidationException validate() { | ||
ActionRequestValidationException validationException = apiKey.validate(); | ||
if (grant.type == null) { | ||
validationException = addValidationError("[grant_type] is required", validationException); | ||
} else if (grant.type.equals(PASSWORD_GRANT_TYPE)) { | ||
validationException = validateRequiredField("username", grant.username, validationException); | ||
validationException = validateRequiredField("password", grant.password, validationException); | ||
validationException = validateUnsupportedField("access_token", grant.accessToken, validationException); | ||
} else if (grant.type.equals(ACCESS_TOKEN_GRANT_TYPE)) { | ||
validationException = validateRequiredField("access_token", grant.accessToken, validationException); | ||
validationException = validateUnsupportedField("username", grant.username, validationException); | ||
validationException = validateUnsupportedField("password", grant.password, validationException); | ||
} else { | ||
validationException = addValidationError("grant_type [" + grant.type + "] is not supported", validationException); | ||
} | ||
return validationException; | ||
} | ||
|
||
private ActionRequestValidationException validateRequiredField(String fieldName, CharSequence fieldValue, | ||
ActionRequestValidationException validationException) { | ||
if (fieldValue == null || fieldValue.length() == 0) { | ||
return addValidationError("[" + fieldName + "] is required for grant_type [" + grant.type + "]", validationException); | ||
} | ||
return validationException; | ||
} | ||
|
||
private ActionRequestValidationException validateUnsupportedField(String fieldName, CharSequence fieldValue, | ||
ActionRequestValidationException validationException) { | ||
if (fieldValue != null && fieldValue.length() > 0) { | ||
return addValidationError("[" + fieldName + "] is not supported for grant_type [" + grant.type + "]", validationException); | ||
} | ||
return validationException; | ||
} | ||
} |
49 changes: 49 additions & 0 deletions
49
...ity-basic/src/test/java/org/elasticsearch/xpack/security/SecurityInBasicRestTestCase.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License; | ||
* you may not use this file except in compliance with the Elastic License. | ||
*/ | ||
|
||
package org.elasticsearch.xpack.security; | ||
|
||
import org.elasticsearch.client.RestHighLevelClient; | ||
import org.elasticsearch.common.settings.SecureString; | ||
import org.elasticsearch.common.settings.Settings; | ||
import org.elasticsearch.common.util.concurrent.ThreadContext; | ||
import org.elasticsearch.test.rest.ESRestTestCase; | ||
|
||
import java.util.List; | ||
|
||
import static org.elasticsearch.xpack.core.security.authc.support.UsernamePasswordToken.basicAuthHeaderValue; | ||
|
||
public abstract class SecurityInBasicRestTestCase extends ESRestTestCase { | ||
private RestHighLevelClient highLevelAdminClient; | ||
|
||
@Override | ||
protected Settings restAdminSettings() { | ||
String token = basicAuthHeaderValue("admin_user", new SecureString("admin-password".toCharArray())); | ||
return Settings.builder() | ||
.put(ThreadContext.PREFIX + ".Authorization", token) | ||
.build(); | ||
} | ||
|
||
@Override | ||
protected Settings restClientSettings() { | ||
String token = basicAuthHeaderValue("security_test_user", new SecureString("security-test-password".toCharArray())); | ||
return Settings.builder() | ||
.put(ThreadContext.PREFIX + ".Authorization", token) | ||
.build(); | ||
} | ||
|
||
private RestHighLevelClient getHighLevelAdminClient() { | ||
if (highLevelAdminClient == null) { | ||
highLevelAdminClient = new RestHighLevelClient( | ||
adminClient(), | ||
ignore -> { | ||
}, | ||
List.of()) { | ||
}; | ||
} | ||
return highLevelAdminClient; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
apply plugin: 'elasticsearch.testclusters' | ||
apply plugin: 'elasticsearch.standalone-rest-test' | ||
apply plugin: 'elasticsearch.rest-test' | ||
|
||
dependencies { | ||
testCompile project(path: xpackModule('core'), configuration: 'default') | ||
testCompile project(path: xpackModule('security'), configuration: 'testArtifacts') | ||
testCompile project(path: xpackModule('core'), configuration: 'testArtifacts') | ||
} | ||
|
||
testClusters.integTest { | ||
testDistribution = 'DEFAULT' | ||
numberOfNodes = 2 | ||
|
||
setting 'xpack.ilm.enabled', 'false' | ||
setting 'xpack.ml.enabled', 'false' | ||
setting 'xpack.license.self_generated.type', 'trial' | ||
setting 'xpack.security.enabled', 'true' | ||
setting 'xpack.security.ssl.diagnose.trust', 'true' | ||
setting 'xpack.security.http.ssl.enabled', 'false' | ||
setting 'xpack.security.transport.ssl.enabled', 'false' | ||
setting 'xpack.security.authc.token.enabled', 'true' | ||
setting 'xpack.security.authc.api_key.enabled', 'true' | ||
|
||
extraConfigFile 'roles.yml', file('src/test/resources/roles.yml') | ||
user username: "admin_user", password: "admin-password" | ||
user username: "security_test_user", password: "security-test-password", role: "security_test_role" | ||
} |
Oops, something went wrong.