Expose API key name to the ingest pipeline #49106
Comments
bytebilly
added
>enhancement
:Security/Authentication
|
Pinging @elastic/es-security (:Security/Authentication) |
|
Authentication with API Keys or tokens is thought to appear as if coming from the user itself, i.e. be transparent. Hence the API key name or id are not exposed in the user metadata. There is a lapse here, because the realm that did the authentication in case of API Key authentication is _es_api_key , but the realm name is not exposed in If we were to expose this information to an ingest processor then I would be inclined to add a new processor. @bytebilly can you please detail a little more the use case for this? |
|
@albertzaharovits ES 7.5 will support required pipelines. This allows an admin to force that documents include information about how they were ingested. Because we have not been able to enforce a pipeline until now, we haven't really kept |
|
Thank you for the context @tvernum . I can now clearly see the need for it. Upon further reflection I think that the API Key id/name should be part of the |
|
It probably makes sense for it to be on the I prefer adding to the existing processor (as new optional fields) because then it becomes possible to have a single object in the ingested doc that contains full information about which user ingested it, and how they authenticated. |
|
I agree on improving the |
The changes add more granularity for identiying the data ingestion user. The ingest pipeline can now be configure to record authentication realm and type. It can also record API key name and ID when one is in use. This improves traceability when data are being ingested from multiple agents and will become more relevant with the incoming support of required pipelines (#46847) Resolves: #49106
The changes add more granularity for identiying the data ingestion user. The ingest pipeline can now be configure to record authentication realm and type. It can also record API key name and ID when one is in use. This improves traceability when data are being ingested from multiple agents and will become more relevant with the incoming support of required pipelines (elastic#46847) Resolves: elastic#49106
The changes add more granularity for identiying the data ingestion user. The ingest pipeline can now be configure to record authentication realm and type. It can also record API key name and ID when one is in use. This improves traceability when data are being ingested from multiple agents and will become more relevant with the incoming support of required pipelines (#46847) Resolves: #49106
Description
We have the Set Security User Processor, that is able to add information about the authenticated user that performs the request.
We could do something similar when an API key is used to authenticate instead of a regular user.
Proposal
We can create a new processor (or extend the
Set Security User Processor) to make API key information available to the ingest pipeline.We should expose the
namefield. We can also expose other fields if they could be relevant.The text was updated successfully, but these errors were encountered: