From f4ff07da75c91e12c0a3eefa42c3bbd2769b2239 Mon Sep 17 00:00:00 2001
From: Yang Wang <yang.wang@elastic.co>
Date: Mon, 29 Mar 2021 16:44:24 +1100
Subject: [PATCH] Add api key metadata version check in ApiKeyService

---
 .../core/security/action/CreateApiKeyRequest.java |  2 +-
 .../xpack/security/authc/ApiKeyService.java       | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java
index 6103981601835..ec3bdee422248 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java
@@ -154,7 +154,7 @@ public void writeTo(StreamOutput out) throws IOException {
         if (metadata != null && false == metadata.isEmpty()) {
             if (out.getVersion().before(Version.V_7_13_0)) {
                 throw new IllegalArgumentException(
-                    "api key metadata requires minimum node version to be [7.13.0], got: [" + out.getVersion() + "]");
+                    "api key metadata requires minimum node version to be [7.13], got: [" + out.getVersion() + "]");
             } else {
                 out.writeMap(metadata);
             }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
index f0a32400f0b9c..a1b9e6f79f837 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -285,7 +285,7 @@ private void createApiKeyAndIndexIt(Authentication authentication, CreateApiKeyR
                         indexResponse -> listener.onResponse(
                             new CreateApiKeyResponse(request.getName(), indexResponse.getId(), apiKey, expiration)),
                         listener::onFailure))));
-        } catch (IOException e) {
+        } catch (Exception e) {
             listener.onFailure(e);
         }
     }
@@ -334,8 +334,17 @@ XContentBuilder newDocument(SecureString apiKey, String name, Authentication aut
         builder.endObject();
 
         builder.field("name", name)
-            .field("version", version.id)
-            .field("metadata_flattened", metadata)
+            .field("version", version.id);
+        final Version masterNodeVersion = clusterService.state().nodes().getMasterNode().getVersion();
+        if (masterNodeVersion.onOrAfter(Version.V_7_13_0)) {
+            builder.field("metadata_flattened", metadata);
+        } else {
+            if (metadata != null && false == metadata.isEmpty()) {
+                throw new IllegalArgumentException(
+                    "api key metadata requires master node to be on version [7.13] or later, got [" + masterNodeVersion + "]");
+            }
+        }
+        builder
             .startObject("creator")
             .field("principal", authentication.getUser().principal())
             .field("full_name", authentication.getUser().fullName())