New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Personal Access Tokens #80440
Comments
Pinging @elastic/es-security (Team:Security) |
I feel that we are mixing multiple topics here, so I'll try to clarify a few details about our existing plans for API keys and PAT. API keys can still be used to directly access Elasticsearch API in the case of SSO realms. However, API keys are not PAT and don't "follow the user". This means that their use may have unexpected behaviors in some cases. They also require a specific privilege to be created. For Cloud SSO, we agreed that API keys are enough to guarantee access to Elasticsearch API at this stage, since SSO users are always superusers, their permissions don't change, and they can create API keys. The problem for Kibana API is that API keys work in most of the cases, but not for tasks requiring the creation of other API keys (e.g. Alerting) because an API key cannot create another API key. This is a technical constraint that affects users in any realm. If there is an urgency to allow programmatic access to all Kibana API, this could be addressed independently and PAT may or may not be the right answer. |
Thank you for the detailed response, @bytebilly. Do you mind checking my understanding? We will continue to recommend that users create API keys to access both ES and Kibana HTTP APIs, for example in Cloud. These API Keys will not work for programmatic access to Kibana HTTP APIs that should only be used by people because we should be using personal access tokens for this. Additionally, these API Keys will not work for programmatic access to Kibana HTTP APIs that internally create API Keys because API Keys can't create API Keys. This is potentially a separate problem from what would be solved by personal access tokens. |
👍
I'm not sure that they will not work. But there will be limitations in some cases.
👍 |
Thank you for correcting my prior thinking, @bytebilly, I'll update the issue description accordingly as the situation is not as dire as I feared. |
The last part of that description might be a bit of over-editorialisation. Given the range of ways in which ES API Keys are used today, it is definitely not safe to treat an API Key as being the user that owns it. For example
Whether API keys are designed to be used as "personal access tokens" probably depends on what definition we want to use for a PAT. Our view is that it's perfectly fine for them to be used as PATs if their behaviour fits the needs of the people who want to use them. |
To be honest, this is what concerns me. API Keys don't currently work well for Kibana HTTP APIs. We already have the issue that API Keys can't be used to create alerting rules because API Keys can't create API Keys. @bytebilly has brought up that the solution to this problem potentially isn't personal access tokens, so I'm happy to discuss this complication elsewhere. And while I totally get that it's not fine for Elastic products to assume that an API Key owned by |
In a recent RFC regarding how Kibana handles Authentication headers provided by proxies, the following statement was made
While API keys have not been designed to be used as "personal access tokens", we have seen them used in this manner. For example, when a user authenticates to Kibana using an SSO realm, we've commonly recommended that they create an API key if they want to use a tool like
curl
to communicate with either Elasticsearch or Kibana HTTP APIs.This will likely only get more common over time in situations like Elastic Cloud (ESS) as we continue to support additional different types of users who can authenticate using the preconfigured Elastic Cloud SSO realm.
As we begin adding Kibana features that are "per user" and the API Keys that a user has created are seen as a different user, we will introduce some interesting behaviors for the situations where we have historically been using API keys like "personal access tokens" and will eventually need personal access tokens.
/cc @elastic/kibana-security
The text was updated successfully, but these errors were encountered: