From a3536867aa871dc8590256b6ef01d91518b58f5d Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Thu, 28 Jul 2022 14:24:03 +0200 Subject: [PATCH] [DOCS] Domain splitting impacts API keys (#88677) (#88892) This PR documents the impact of domain splitting on API keys. API key ownership is determined via username and user realm information, including the user's security domain. API key ownership is shared across users with the same username that are part of the same security domain. A user loses ownership over an API key if their realm is removed from the security domain that previously enabled ownership through cross-realm resource sharing. --- .../en/security/authentication/security-domain.asciidoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/authentication/security-domain.asciidoc b/x-pack/docs/en/security/authentication/security-domain.asciidoc index 2d0be7e61c32b..3fa442eed712b 100644 --- a/x-pack/docs/en/security/authentication/security-domain.asciidoc +++ b/x-pack/docs/en/security/authentication/security-domain.asciidoc @@ -22,7 +22,8 @@ Some types of resources in {es} are owned by a single user, such as <>, <>, and <>. When a user creates a resource, {es} captures the user's username and realm information as part of the resource's -metadata. +metadata. Likewise, if a user updates a resource, such as an API key, +{es} automatically re-captures the user's current realm information. When a user later attempts to access the resource, {es} compares the captured username and realm information against those from the accessing 
@@ -124,13 +125,15 @@ When adding realms to a security domain, avoid authenticating with a newly-added Removing realms from a security domain can lead to unexpected behaviors and is not recommended. -Resources created before the removal can be owned by different users depending on the resource type: +Resources created or updated before the removal can be owned by different users depending on the resource type: - <> are owned by the user for whom the profile was last <>. For users whose realms are no longer in the same domain as the owner user, a new user profile will be created for them next time the activate user profile API is called. -- Resources such as API keys are owned by the user who originally created them. +- An API key is owned by the user who originally <> or last <> it. +Users, including the original creator of the API key, will lose ownership if their realms are no longer in the same domain as those of the current API key owner. +- Resources such as async search contexts are owned by the user who originally created them. Instead of removing realms, consider disabling them and keeping them as part of the security domain. Under all circumstances, resource sharing across realms is only possible between users with the same username.
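Review bot: In the first hunk (@@ -22,7), the added sentence "Likewise, if a user updates a resource, such as an API key, {es} automatically re-captures the user's current realm information." is narrower than the sentence it follows, which says {es} captures both the username and the realm information. Since the commit message states that ownership is determined by username and realm together, consider making the update case say the same thing, e.g. "re-captures the user's current username and realm information as the resource's ownership metadata", so a reader does not infer that only the realm is refreshed on update. It would also help to say which resource types this applies to: user profiles are covered separately below by the activate-profile wording, so "such as an API key" reads as if any resource can be updated this way.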
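Review bot: In the second hunk (@@ -124,13), the new bullet "Users, including the original creator of the API key, will lose ownership if their realms are no longer in the same domain as those of the current API key owner." states the consequence abstractly but does not say what "losing ownership" means in practice. Since the section at line 22 already explains that access is decided by comparing the captured username and realm against the accessing user's, consider one sentence tying the bullet back to that check (the affected user can no longer act on the key through any operation that requires ownership), so operators can predict the failure they will see before removing a realm. Also consider adding the converse caveat implied by "last <> it": because an update re-captures the updater's realm, a user who could previously act on the key (same username, same domain) can become unable to after a different owner updates it; spelling this out would make the "originally <> or last <>" wording easier to act on.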