Invalidating cross cluster API keys requires manage_security
#107411
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
n1v0lg
added
>non-issue
:Security/Security
n1v0lg
changed the title
manage_security
n1v0lg
commented
Apr 15, 2024
| String apiKeyName = request.getName(); | ||
| String username = request.getUserName(); | ||
| String[] realms = Strings.hasText(request.getRealmName()) ? new String[] { request.getRealmName() } : null; | ||
|
|
||
| final Authentication authentication = securityContext.getAuthentication(); | ||
| if (authentication == null) { | ||
| listener.onFailure(new IllegalStateException("authentication is required")); |
There was a problem hiding this comment.
This was a bug -- we need to return, if we call onFailure.
|
Hi @n1v0lg, I've created a changelog YAML for you. |
n1v0lg
commented
Apr 15, 2024
| for (String apiKeyId : apiKeyIds) { | ||
| UpdateRequest request = client.prepareUpdate(SECURITY_MAIN_ALIAS, apiKeyId) | ||
| .setDoc(Map.of("api_key_invalidated", true, "invalidation_time", invalidationTime)) | ||
| .request(); |
There was a problem hiding this comment.
Drive-by clean up: skipping request() since the add method on the bulk request builder is deprecated for request instances, and we should pass a builder instead.
|
Pinging @elastic/es-security (Team:Security) |
n1v0lg
added
:Security/Authorization
jakelandis
approved these changes
Apr 15, 2024
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Outdated
Show resolved
Hide resolved
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Show resolved
Hide resolved
|
@elasticmachine update branch |
n1v0lg
added
the
auto-merge
|
@elasticmachine run elasticsearch-ci/part-1-fips |
|
@elasticmachine update branch |
n1v0lg
removed
the
auto-merge
|
@elasticmachine update branch |
n1v0lg
added
the
auto-merge
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 6, 2024
This PR documents privilege requirements for cross-cluster API key invalidation, which were updated in #107411.
n1v0lg
added a commit
to n1v0lg/elasticsearch
that referenced
this pull request
May 6, 2024
This PR documents privilege requirements for cross-cluster API key invalidation, which were updated in elastic#107411.
elasticsearchmachine
pushed a commit
that referenced
this pull request
May 6, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates the privilege model to require
manage_securitycluster privilege to invalidate cross cluster API keys, to better match the access requirements of the creation and update APIs. Requests made with lower privileges will receive descriptive errors in the response payload indicating failure to invalidate, for each cross cluster API key. There are no changes to invalidating REST API keys, nor to the Query or Get APIs.