-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GET API Key API filter out expired and/or invalidated API keys #97995
Comments
Pinging @elastic/es-security (Team:Security) |
Overall in favor of this -- I think it's a very natural extension to the API. qq @shasts @lloydmeta for your concrete use case: do you care about distinguishing between expired vs. invalidated API keys? To me a good abstraction here would be to filter out "inactive" API keys, i.e., add a flag like |
We discussed it and the team is broadly in favor of it. Other questions of the same type, that can help us decide the interface change to the API:
The |
Good question; I don't think we really care about distinguishing between expired vs invalidated, so something like For the most part, we've switched over to the Query API keys API, and IMO can rely on that if we find really need to make a distinction. |
Thanks @lloydmeta -- that was my thinking as well: the Query API is suited for more granular queries -- the Get API gives you more basic, abstracted functionality. FWIW, even if we decide to later add individual filter flags, we could add validation to ensure that I don't think we will need this though -- to me the important bit is giving users the ability to fetch active API keys; for further drilling down on the data they can leverage the Query API. There would be some complexity in adding support for |
|
This PR adds a flag `active_only` to the [Get API key API](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html) to optionally retrieve active-only (i.e., neither expired nor invalidated) API keys. The flag defaults to false, i.e., by default, expired and invalidate API keys **are** included in the response (therefore we keep BWC). An example API call is: ``` GET /_security/api_key?active_only=true ``` The `active_only` flag can be used with realm and username based flags (e.g., `active_only=true&username=X`) as well as `name` and `id`. In the case it's used with `id` for an existing but non-active key the response code is 404. This is consistent with the `owner` flag behavior. Closes #97995
Description
The Get API key information API can currently filter the returned keys by:
realm_name
andusername
Irrespective of the filtering used, both invalidated and expired (but not yet deleted) keys will be included in the response.
In the response, keys have the
invalidated
boolean property, as well as theexpiration
property that contains the UNIX timestamp past of which the key is no longer valid for authentication.I propose we introduce a way for the API to support retrieving:
The text was updated successfully, but these errors were encountered: