github-mirrors/elasticsearch
1
0
Fork 0
mirror of https://github.com/elastic/elasticsearch.git synced 2025-04-24 23:27:25 -04:00
Code Issues Projects Releases Packages Wiki Activity

Add manage_own_api_key cluster privilege (#45897)

Browse source 
The existing privilege model for API keys with privileges like
`manage_api_key`, `manage_security` etc. are too permissive and
we would want finer-grained control over the cluster privileges
for API keys. Previously APIs created would also need these
privileges to get its own information.

This commit adds support for `manage_own_api_key` cluster privilege
which only allows api key cluster actions on API keys owned by the
currently authenticated user. Also adds support for retrieval of
the API key self-information when authenticating via API key
without the need for the additional API key privileges.
To support this privilege, we are introducing additional
authentication context along with the request context such that
it can be used to authorize cluster actions based on the current
user authentication.

The API key get and invalidate APIs introduce an `owner` flag
that can be set to true if the API key request (Get or Invalidate)
is for the API keys owned by the currently authenticated user only.
In that case, `realm` and `username` cannot be set as they are
assumed to be the currently authenticated ones.

The changes cover HLRC changes, documentation for the API changes.

Closes #40031
This commit is contained in:
Yogesh Gaikwad 2019-08-27 19:48:21 +10:00 committed by GitHub
parent 6b1507912e
commit 5761b0a79c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
46 changed files with 1769 additions and 740 deletions
Download patch file Download diff file Expand all files Collapse all files

8
docs/java-rest/high-level/security/get-api-key.asciidoc
View file

@ -21,6 +21,8 @@ The +{request}+ supports retrieving API key information for
. All API keys for a specific user in a specific realm
. A specific key or all API keys owned by the current authenticated user
===== Retrieve a specific API key by its id
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
@ -51,6 +53,12 @@ include-tagged::{doc-tests-file}[get-user-api-keys-request]
include-tagged::{doc-tests-file}[get-user-realm-api-keys-request]
--------------------------------------------------
===== Retrieve all API keys for the current authenticated user
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
include-tagged::{doc-tests-file}[get-api-keys-owned-by-authenticated-user-request]
--------------------------------------------------
include::../execution.asciidoc[]
[id="{upid}-{api}-response"]

8
docs/java-rest/high-level/security/invalidate-api-key.asciidoc
View file

@ -21,6 +21,8 @@ The +{request}+ supports invalidating
. All API keys for a specific user in a specific realm
. A specific key or all API keys owned by the current authenticated user
===== Specific API key by API key id
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
@ -51,6 +53,12 @@ include-tagged::{doc-tests-file}[invalidate-user-api-keys-request]
include-tagged::{doc-tests-file}[invalidate-user-realm-api-keys-request]
--------------------------------------------------
===== Retrieve all API keys for the current authenticated user
["source","java",subs="attributes,callouts,macros"]
--------------------------------------------------
include-tagged::{doc-tests-file}[invalidate-api-keys-owned-by-authenticated-user-request]
--------------------------------------------------
include::../execution.asciidoc[]
[id="{upid}-{api}-response"]