kibana/docs/user/security/api-keys/index.asciidoc
Kurt 9a6985eeef
Allow users to Update API Keys (#146237)
## Summary

API keys can now be updated via the API Keys Management screen

## Release Note

API Keys can now be updated with new Role Descriptors and Metadata via
the API Keys Management screen.

## Testing Instructions

Log in as `elastic`

Navigate to Roles and create a new role with the `read_security` cluster
privilege:


Create a new user and assign that new role, `viewer`, and
`kibana_admin`:


Navigate to Dev Tools and run the following:

```json
POST /_security/api_key/grant
{
  "grant_type": "password",
  "username" : "elastic",  
  "password" : "changeme",  
  "run_as": "elastic",  
  "api_key" : {
    "name": "test-expired-key",
    "expiration": "1ms"
  }
}

POST /_security/api_key/grant
{
  "grant_type": "password",
  "username" : "elastic",  
  "password" : "changeme",  
  "run_as": "test_user",  
  "api_key" : {
    "name": "test-user-key",
    "expiration": "1d"
  }
}
```

The first command will create an API key for the `elastic` user that
expires immediately.

The second command will create an API key for `test_user`.

Navigate to the API Key page, click the name column links to see a
read-only view for the 2 previously created keys, as users cannot update
an API key that belongs to another user or an API key that is expired.

Create a new API key:

Click the name link for the newly created API key to see the Update API
key flyout.

Update the fields and click submit:

If the update was successful:

Now click the name link again for the updated key and click submit
without making changes. You should see a warning:

Log out the `elastic` user and log in as `test_user`

Navigate to API Keys and click the existing API Key to see a read-only
view flyout:


Thanks for reviewing!

Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2022-12-14 07:50:07 -05:00


[role="xpack"]
[[api-keys]]
=== API Keys

API keys enable you to create secondary credentials so that you can send
requests on behalf of a user. Secondary credentials have
the same or lower access rights.

For example, if you extract data from an {es} cluster on a daily
basis, you might create an API key tied to your credentials,
configure it with minimum access,
and then put the API credentials into a cron job.
Or, you might create API keys to automate ingestion of new data from
remote sources, without live user interaction.

To manage API keys, open the main menu, then click *Stack Management > API Keys*.

[role="screenshot"]
image:images/api-keys.png["API Keys UI"]

[float]
[[api-keys-security-privileges]]
=== Security privileges

You must have the `manage_security`, `manage_api_key`, or `manage_own_api_key`
cluster privilege to use API keys in {kib}. Users who have access to the page and the
`read_security` cluster privilege can also see API keys in a read-only view.
To manage roles, open the main menu, then click
*Stack Management > Roles*, or use the <<role-management-api, {kib} Role Management API>>.

[float]
[[create-api-key]]
=== Create an API key

To create an API key, open the main menu, then click *Stack Management > API Keys > Create API key*.

[role="screenshot"]
image:images/create-api-key.png["Create API Key UI"]

Once created, you can copy the API key (Base64 encoded) and use it to send requests to {es} on your behalf. For example:

[source,bash]
--------------------------------------------------------------------------------
# Authenticate with the Base64-encoded API key in the Authorization header
curl --location --request GET 'http://localhost:5601/api/security/role' \
--header 'Content-Type: application/json;charset=UTF-8' \
--header 'kbn-xsrf: true' \
--header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw=='
--------------------------------------------------------------------------------

[IMPORTANT]
============================================================================
API keys are intended for programmatic access to {kib} and {es}. Do not use API keys to authenticate access via a web browser.
============================================================================

[float]
[[udpate-api-key]]
=== Update an API key

To update an API key, open the main menu, click *Stack Management > API Keys*, and then click on the name of the key.

You can only update the `Restrict privileges` and `metadata` fields.

[float]
[[view-api-keys]]
=== View and delete API keys

The *API Keys* feature in Kibana lists your API keys, including the name, date created, and status. If an API key expires, its status changes from `Active` to `Expired`.

If you have `manage_security` or `manage_api_key` permissions,
you can view the API keys of all users, and see which API key was
created by which user in which realm.
If you have only the `manage_own_api_key` permission, you see only a list of your own keys.

You can delete API keys individually or in bulk.
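
The listing described in this section can also be reviewed offline. The following is an added example, not part of the {kib} documentation or code base: a Python function that takes a response shaped like the {es} get API key API (`GET /_security/api_key`), reports each key's status, owner and realm, and flags active keys that have no expiration or no restricting role descriptors. The sample response, its key names and the reference time are constructed.

```python
# Constructed sample shaped like a GET /_security/api_key response (not real data).
SAMPLE = {
    "api_keys": [
        {"id": "k1", "name": "test-expired-key", "username": "elastic",
         "realm": "reserved", "creation": 1669800000000,
         "expiration": 1669800000001, "invalidated": False, "role_descriptors": {}},
        {"id": "k2", "name": "nightly-export", "username": "test_user",
         "realm": "native", "creation": 1669800000000, "invalidated": False,
         "role_descriptors": {"export": {"indices": [
             {"names": ["logs-*"], "privileges": ["read"]}]}}},
        {"id": "k3", "name": "ingest", "username": "test_user",
         "realm": "native", "creation": 1669800000000,
         "expiration": 1702000000000, "invalidated": False, "role_descriptors": {}},
    ]
}
NOW_MS = 1670976000000  # 2022-12-14T00:00:00Z, constructed reference time


def audit_api_keys(response, now_ms):
    """Return one row per key: Active/Expired status, owner@realm, findings."""
    rows = []
    for key in response["api_keys"]:
        if key.get("invalidated"):
            continue  # deleted (invalidated) keys are out of scope for this review
        expiration = key.get("expiration")  # field is absent when the key never expires
        expired = expiration is not None and expiration <= now_ms
        status = "Expired" if expired else "Active"
        findings = []
        if status == "Active":
            if expiration is None:
                findings.append("no expiration set")
            if not key.get("role_descriptors"):
                # No role descriptors: the key holds a snapshot of its owner's privileges.
                findings.append("privileges not restricted")
        rows.append({"name": key["name"], "status": status, "findings": findings,
                     "owner": f'{key["username"]}@{key["realm"]}'})
    return rows


if __name__ == "__main__":
    for row in audit_api_keys(SAMPLE, NOW_MS):
        print(row)
```

Keys flagged as `privileges not restricted` are candidates for the update flow above, which can change only the restricted privileges and the metadata.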