Allow kibana_system to create and invalidate API keys on behalf of other users #53824
Conversation
Pinging @elastic/es-security (:Security/Authorization)

Related PR on Kibana side: elastic/kibana#60423
Tested locally to confirm the roles are added and working as expected.
```
$ curl -k -s -u elastic:changeme https://localhost:9200/_security/role/kibana_system | jq .kibana_system.cluster
[
  "monitor",
  "manage_index_templates",
  "cluster:admin/xpack/monitoring/bulk",
  "manage_saml",
  "manage_token",
  "manage_oidc",
  "cluster:admin/xpack/security/api_key/invalidate",   <---- added
  "grant_api_key",                                     <---- added
  "cluster:admin/xpack/security/privilege/builtin/get",
  "delegate_pki",
  "cluster:admin/ilm/get",
  "cluster:admin/ilm/put",
  "cluster:admin/analyze"
]

$ curl -k -s -u elastic:changeme https://localhost:9200/_security/user/kibana | jq -c .kibana.roles
["kibana_system"]

# create key for elastic user
$ curl -k -s -u elastic:changeme -H content-type:application/json -d '{ "name":"my-key" }' https://localhost:9200/_security/api_key | jq .
{
  "id": "IEFY9HABM4_s1PGvY_DW",
  "name": "my-key",
  "api_key": "2VVEhxpRSwqq3PV3clHGZg"
}

# kibana user invalidates key
$ curl -k -s -u kibana:changeme -H content-type:application/json -XDELETE -d '{ "name":"my-key" }' https://localhost:9200/_security/api_key | jq .
{
  "invalidated_api_keys": [
    "IEFY9HABM4_s1PGvY_DW"
  ],
  "previously_invalidated_api_keys": [],
  "error_count": 0
}

# kibana grants key for elastic user
$ curl -k -s -u kibana:changeme -H content-type:application/json -d '{ "grant_type":"password", "username":"elastic", "password":"changeme" }' https://localhost:9200/_security/api_key/grant | jq .
{
  "id": "HEFi9HABM4_s1PGvv_GA",
  "name": null,
  "api_key": "1XI-g2IWRseli9E3G3yazg"
}

# list keys for elastic user
$ curl -k -s -u elastic:changeme https://localhost:9200/_security/api_key?username=elastic | jq .
{
  "api_keys": [
    {
      "id": "HEFi9HABM4_s1PGvv_GA",
      "name": null,
      "creation": 1584648077171,
      "invalidated": false,
      "username": "elastic",
      "realm": "reserved"
    }
  ]
}
```
Thanks Peter! The additional privileges look good to me. Can we also update the existing test to ensure the kibana_system role can perform these actions?

Line 298 in 9074215: `public void testKibanaSystemRole() {`
Thanks @peterschretlen I was off sick at the end of last week, and was just about to pick this up when I saw you had done it.
LGTM
This change adds the following privileges to the `kibana_system` role:

- `grant_api_key` (recently added in "Add "grant_api_key" cluster privilege" #53527)
- `api_key/invalidate`

This is to support alerting on Kibana, which uses API keys to run scheduled background alert checks on a user's behalf as described in #48716 (comment).

Related: elastic/kibana#49398