Invalidating cross cluster API keys requires manage_security
#107411
String apiKeyName = request.getName(); | ||
String username = request.getUserName(); | ||
String[] realms = Strings.hasText(request.getRealmName()) ? new String[] { request.getRealmName() } : null; | ||
|
||
final Authentication authentication = securityContext.getAuthentication(); | ||
if (authentication == null) { | ||
listener.onFailure(new IllegalStateException("authentication is required")); |
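Review bot: the `authentication == null` branch that ends at `listener.onFailure(new IllegalStateException("authentication is required"))` needs a `return;` directly after the call, plus a unit test asserting the listener is completed exactly once on this path. The visible lines stop at the `onFailure` call, so the early return is not shown here; without it, execution would continue past the guard with a null `authentication`.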
This was a bug -- we need to return, if we call `onFailure`.
Hi @n1v0lg, I've created a changelog YAML for you.
for (String apiKeyId : apiKeyIds) { | ||
UpdateRequest request = client.prepareUpdate(SECURITY_MAIN_ALIAS, apiKeyId) | ||
.setDoc(Map.of("api_key_invalidated", true, "invalidation_time", invalidationTime)) | ||
.request(); |
Drive-by clean up: skipping `request()` since the `add` method on the bulk request builder is deprecated for request instances, and we should pass a builder instead.
Pinging @elastic/es-security (Team:Security)
LGTM, thanks for handling this!
@elasticmachine update branch
@elasticmachine run elasticsearch-ci/part-1-fips
@elasticmachine update branch
@elasticmachine update branch
This PR documents privilege requirements for cross-cluster API key invalidation, which were updated in #107411.
This PR updates the privilege model to require `manage_security` cluster privilege to invalidate cross cluster API keys, to better match the access requirements of the creation and update APIs. Requests made with lower privileges will receive descriptive errors in the response payload indicating failure to invalidate, for each cross cluster API key. There are no changes to invalidating REST API keys, nor to the Query or Get APIs.
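Because failures are reported per key in the response payload, automation that revokes keys has to reconcile the response against the ids it asked for. The following is an added example, not code from this PR or from Elasticsearch: it assumes the invalidate API's response fields `invalidated_api_keys`, `previously_invalidated_api_keys`, `error_count` and `error_details`, and the key ids and error text are constructed.

```python
import json

# Constructed sample: response to an invalidate request for three key ids,
# one of which is a cross cluster key the caller lacked manage_security for.
SAMPLE_RESPONSE = json.loads("""
{
  "invalidated_api_keys": ["rest-key-1"],
  "previously_invalidated_api_keys": ["rest-key-0"],
  "error_count": 1,
  "error_details": [
    {"type": "exception",
     "reason": "constructed placeholder: cross cluster key cc-key-9 not invalidated"}
  ]
}
""")


def unrevoked_keys(requested_ids, response):
    """Return (still_active_ids, reasons) for an invalidate response.

    A key counts as revoked only if the response lists it as invalidated
    now or previously. Every other requested id is treated as still
    usable, whether or not an error entry names it.
    """
    done = set(response.get("invalidated_api_keys", []))
    done |= set(response.get("previously_invalidated_api_keys", []))
    # Preserve request order so the result lines up with the caller's list.
    still_active = [key_id for key_id in requested_ids if key_id not in done]
    reasons = [err.get("reason", "") for err in response.get("error_details", [])]
    return still_active, reasons


def revocation_complete(requested_ids, response):
    """True only when no errors were reported and every id is accounted for."""
    still_active, _ = unrevoked_keys(requested_ids, response)
    return response.get("error_count", 0) == 0 and not still_active


if __name__ == "__main__":
    requested = ["rest-key-0", "rest-key-1", "cc-key-9"]
    active, why = unrevoked_keys(requested, SAMPLE_RESPONSE)
    print("still active:", active)
    for reason in why:
        print("error:", reason)
```
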