mirror of
https://github.com/elastic/kibana.git
synced 2025-06-27 18:51:07 -04:00
## Summary API keys can now be updated via the API Keys Management screen ## Release Note API Keys can now be updated with new Role Descriptors and Metadata via the API Keys Management screen. ## Testing Instructions Login as `elastic` Navigate to Roles and create a new role with the `read_security` cluster privilege: <img width="962" alt="Screen Shot 2022-11-30 at 9 42 31 AM" src="https://user-images.githubusercontent.com/21210601/204826868-a8f6bf03-acf8-404c-90c8-e2b9ab62dc11.png"> Create a new user and assign that new role, `viewer`, and `kibana_admin`: <img width="936" alt="Screen Shot 2022-11-30 at 9 43 10 AM" src="https://user-images.githubusercontent.com/21210601/204827030-e5f97f8e-6676-4c18-8a46-f6afee87ba12.png"> Navigate to Dev Tools and run the following: ```json POST /_security/api_key/grant { "grant_type": "password", "username" : "elastic", "password" : "changeme", "run_as": "elastic", "api_key" : { "name": "test-expired-key", "expiration": "1ms" } } POST /_security/api_key/grant { "grant_type": "password", "username" : "elastic", "password" : "changeme", "run_as": "test_user", "api_key" : { "name": "test-user-key", "expiration": "1d" } } ``` The first command will create an API key for the `elastic` user that expires immediately. The second command will create an API key for `test_user`. Navigate to the API Key page, click the name column links to see a readonly view for the 2 previously created keys as users cannot update an API key that belongs to another user nor an API key that is expired. Create a new API key: <img width="632" alt="Screen Shot 2022-11-30 at 9 44 52 AM" src="https://user-images.githubusercontent.com/21210601/204829114-672c6583-8801-4af0-bfa8-64ae1072ef46.png"> Click the name link for the newly created API key to see the Update API key flyout. Update the fields and click submit: <img width="642" alt="Screen Shot 2022-11-30 at 9 45 59 AM" src="https://user-images.githubusercontent.com/21210601/204829914-9fb1f8e6-8b3f-4acc-b63f-d7e4a0906727.png"> If the update was successful: <img width="904" alt="Screen Shot 2022-11-30 at 9 46 42 AM" src="https://user-images.githubusercontent.com/21210601/204830133-1dcb083b-f945-4980-9e91-19081c224b55.png"> Now click the name link again for the updated key and click submit without making changes. You should see a warning: <img width="895" alt="Screen Shot 2022-11-30 at 9 46 52 AM" src="https://user-images.githubusercontent.com/21210601/204830570-2ca5e2e0-19b6-43ce-b7e4-ae594be6a86b.png"> Logout the `elastic` user and login as `test_user` Navigate to API Keys and click the existing API Key to see a readonly view flyout: <img width="639" alt="Screen Shot 2022-11-30 at 9 58 25 AM" src="https://user-images.githubusercontent.com/21210601/204832019-640ecd2e-4bcb-402b-a164-e8b8eb9f8848.png"> Thanks for reviewing! Co-authored-by: gchaps <33642766+gchaps@users.noreply.github.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
141 lines
4.3 KiB
TypeScript
141 lines
4.3 KiB
TypeScript
/*
|
|
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
|
|
* or more contributor license agreements. Licensed under the Elastic License
|
|
* 2.0; you may not use this file except in compliance with the Elastic License
|
|
* 2.0.
|
|
*/
|
|
|
|
import expect from '@kbn/expect';
|
|
import { ALL_SPACES_ID } from '@kbn/security-plugin/common/constants';
|
|
import { serviceApiKeyPrivileges } from '@kbn/synthetics-plugin/server/synthetics_service/get_api_key';
|
|
import { FtrProviderContext } from '../../ftr_provider_context';
|
|
|
|
export default function ({ getService }: FtrProviderContext) {
|
|
const supertest = getService('supertest');
|
|
|
|
describe('API Keys', () => {
|
|
describe('GET /internal/security/api_key/_enabled', () => {
|
|
it('should indicate that API Keys are enabled', async () => {
|
|
await supertest
|
|
.get('/internal/security/api_key/_enabled')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send()
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
const payload = response.body;
|
|
expect(payload).to.eql({ apiKeysEnabled: true });
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('POST /internal/security/api_key', () => {
|
|
it('should allow an API Key to be created', async () => {
|
|
await supertest
|
|
.post('/internal/security/api_key')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send({
|
|
name: 'test_api_key',
|
|
expiration: '12d',
|
|
role_descriptors: {
|
|
role_1: {
|
|
cluster: ['monitor'],
|
|
},
|
|
},
|
|
})
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
const { name } = response.body;
|
|
expect(name).to.eql('test_api_key');
|
|
});
|
|
});
|
|
|
|
it('should allow an API Key to be created with metadata', async () => {
|
|
await supertest
|
|
.post('/internal/security/api_key')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send({
|
|
name: 'test_api_key_with_metadata',
|
|
metadata: {
|
|
foo: 'bar',
|
|
},
|
|
})
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
const { name } = response.body;
|
|
expect(name).to.eql('test_api_key_with_metadata');
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('PUT /internal/security/api_key', () => {
|
|
it('should allow an API Key to be updated', async () => {
|
|
let id = '';
|
|
|
|
await supertest
|
|
.post('/internal/security/api_key')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send({
|
|
name: 'test_api_key',
|
|
expiration: '12d',
|
|
})
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
id = response.body.id;
|
|
});
|
|
|
|
await supertest
|
|
.put('/internal/security/api_key')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send({
|
|
id,
|
|
metadata: {
|
|
foo: 'bar',
|
|
},
|
|
role_descriptors: {
|
|
role_1: {
|
|
cluster: ['monitor'],
|
|
},
|
|
},
|
|
})
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
const { updated } = response.body;
|
|
expect(updated).to.eql(true);
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('with kibana privileges', () => {
|
|
describe('POST /internal/security/api_key', () => {
|
|
it('should allow an API Key to be created', async () => {
|
|
await supertest
|
|
.post('/internal/security/api_key')
|
|
.set('kbn-xsrf', 'xxx')
|
|
.send({
|
|
name: 'test_api_key',
|
|
expiration: '12d',
|
|
kibana_role_descriptors: {
|
|
uptime_save: {
|
|
elasticsearch: serviceApiKeyPrivileges,
|
|
kibana: [
|
|
{
|
|
base: [],
|
|
spaces: [ALL_SPACES_ID],
|
|
feature: {
|
|
uptime: ['all'],
|
|
},
|
|
},
|
|
],
|
|
},
|
|
},
|
|
})
|
|
.expect(200)
|
|
.then((response: Record<string, any>) => {
|
|
const { name } = response.body;
|
|
expect(name).to.eql('test_api_key');
|
|
});
|
|
});
|
|
});
|
|
});
|
|
});
|
|
}
|