-
Notifications
You must be signed in to change notification settings - Fork 24.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for the type
parameter to the Query API Key API
#103695
Add support for the type
parameter to the Query API Key API
#103695
Conversation
"creator.principal", | ||
"creator.realm" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I slipped in this tiny unrelated change.
It explicitly mentions creator.principal
and creator.realm
as fields allowed to be referred to in queries, rather than the current "anything that starts with creator.
" approach. I think this slightly simplifies the understanding of it all (only metadata.*
is allowed in a wildcard fashion), since only these two fields can be handled by ApiKeyFieldNameTranslators#FIELD_NAME_TRANSLATORS
and anything else errors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, thanks for the clean up!
Hi @albertzaharovits, I've created a changelog YAML for you. |
Pinging @elastic/es-security (Team:Security) |
type
parameter to the Query API Key API
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
One follow up we should keep track of is to see if we need to update the API spec (e.g., see here: elastic/elasticsearch-specification#2371).
.../security/src/main/java/org/elasticsearch/xpack/security/support/ApiKeyBoolQueryBuilder.java
Outdated
Show resolved
Hide resolved
"creator.principal", | ||
"creator.realm" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, thanks for the clean up!
); | ||
final AtomicBoolean accessesApiKeyTypeField = new AtomicBoolean(false); | ||
final ApiKeyBoolQueryBuilder apiKeyBoolQueryBuilder = ApiKeyBoolQueryBuilder.build(request.getQueryBuilder(), fieldName -> { | ||
if (API_KEY_TYPE_RUNTIME_MAPPING_FIELD.equals(fieldName)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wondering if we can skip the boolean ref here and do this directly, in the lambda:
// only add the query-level runtime field to the search request if it's actually referring the "type" field
if (API_KEY_TYPE_RUNTIME_MAPPING_FIELD.equals(fieldName)) {
searchSourceBuilder.runtimeMappings(API_KEY_TYPE_RUNTIME_MAPPING);
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah no that wouldn't work because we need this to happen only once
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well... I don't think it needs to happen once, searchSourceBuilder.runtimeMappings(API_KEY_TYPE_RUNTIME_MAPPING)
can be invoked multiple times, but I would still prefer the current implementation.
apiKeyIdsSubsetDifference.removeAll(apiKeyIdsSubset); | ||
|
||
List<String> apiKeyRestTypeQueries = List.of(""" | ||
{"query": {"term": {"type": "rest" }}}""", """ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Optional, but could also add a NOT cross_cluster
query here since that's probably a query end-users might try.
finalQuery.must(processedQuery); | ||
} | ||
finalQuery.filter(QueryBuilders.termQuery("doc_type", "api_key")); | ||
fieldNameVisitor.accept("doc_type"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels a little off to pass this in like that but I don't have a good alternative suggestion. I had hoped we'd have a generic utility method that allows us to get all field names from a QueryBuilder
but we don't.
We could think about turning the consumer into a dedicated class but not worth it for now IMO.
So I'm ++ on this approach as is.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took inspiration from the field visitor that lucene queries implement:
Line 67 in 4b21499
weight.getQuery().visit(new QueryVisitor() { |
I haven't considered it, but I don't think we need to do anything, the spec mentions the parameters of the API, but this PR extends the language of one of the parameters (the |
944541d
to
20727d1
Compare
…ecurity/support/ApiKeyBoolQueryBuilder.java Co-authored-by: Nikolaj Volgushev <[email protected]>
* Change release version lookup to an instance method (#104902) * Upgrade to Lucene 9.9.2 (#104753) This commit upgrades to Lucene 9.9.2. * Improve `CANNOT_REBALANCE_CAN_ALLOCATE` explanation (#104904) Clarify that in this situation there is a rebalancing move that would improve the cluster balance, but there's some reason why rebalancing is not happening. Also points at the `can_rebalance_cluster_decisions` as well as the node-by-node decisions since the action needed could be described in either place. * Get from translog fails with large dense_vector (#104700) This change fixes the engine to apply the current codec when retrieving documents from the translog. We need to use the same codec than the main index in order to ensure that all the source data is indexable. The internal codec treats some fields differently than the default one, for instance dense_vectors are limited to 1024 dimensions. This PR ensures that these customizations are applied when indexing document for translog retrieval. Closes #104639 Co-authored-by: Elastic Machine <[email protected]> * [Connector Secrets] Add delete API endpoint (#104815) * Add DELETE endpoint for /_connector/_secret/{id} * Add endpoint to write_connector_secrets cluster privilege * Merge Aggregations into InternalAggregations (#104896) This commit merges Aggregations into InternalAggregations in order to remove the unnecessary hierarchy. * [Profiling] Simplify cost calculation (#104816) * [Profiling] Add the number of cores to HostMetadata * Update AWS pricelist (remove cost_factor, add usd_per_hour) * Switch cost calculations from 'cost_factor' to 'usd_per_hour' * Remove superfluous CostEntry.toXContent() * Check for Number type in CostEntry.fromSource() * Add comment * Retry get_from_translog during relocations (#104579) During a promotable relocation, a `get_from_translog` sent by the unpromotable shard to handle a real-time get might encounter `ShardNotFoundException` or `IndexNotFoundException`. In these cases, we should retry. This is just for `GET`. I'll open a second PR for `mGET`. The relevant IT is in the Stateless PR. Relates ES-5727 * indicating fix for 8.12.1 for int8_hnsw (#104912) * Removing the assumption from some tests that the request builder's request() method always returns the same object (#104881) * [DOCS] Adds get setting and update settings asciidoc files to security API index (#104916) * [DOCS] Adds get setting and update settings asciidoc files to security API index. * [DOCS] Fixes references in docs. * Reuse APMMeterService of APMTelemetryProvider (#104906) * Mute more tests that tend to leak searchhits (#104922) * ESQL: Fix SearchStats#count(String) to count values not rows (#104891) SearchStats#count incorrectly counts the number of documents (or rows) in which a document appears instead of the actual number of values. This PR fixes this by looking at the term frequency instead of the doc count. Fix #104795 * Adding request source for cohere (#104926) * Fixing a broken javadoc comment in ReindexDocumentationIT (#104930) This fixes a javadoc comment that was broken by #104881 * Fix enabling / disabling of APM agent "recording" in APMAgentSettings (#104324) * Add `type` parameter support, for sorting, to the Query API Key API (#104625) This adds support for the `type` parameter, for sorting, to the Query API key API. The type for an API Key can currently be either `rest` or `cross_cluster`. This was overlooked in #103695 when support for the `type` parameter was first introduced only for querying. * Apply publish plugin to es-opensaml-security-api project (#104933) * Support `match` for the Query API Key API (#104594) This adds support for the `match` query type to the Query API key Information API. Note that since string values associated to API Keys are mapped as `keywords`, a `match` query with no analyzer parameter is effectively equivalent to a `term` query for such fields (e.g. `name`, `username`, `realm_name`). Relates: #101691 * [Connectors API] Relax strict response parsing for get/list operations (#104909) * Limit concurrent shards per node for ESQL (#104832) Today, we allow ESQL to execute against an unlimited number of shards concurrently on each node. This can lead to cases where we open and hold too many shards, equivalent to opening too many file descriptors or using too much memory for FieldInfos in ValuesSourceReaderOperator. This change limits the number of concurrent shards to 10 per node. This number was chosen based on the _search API, which limits it to 5. Besides the primary reason stated above, this change has other implications: We might execute fewer shards for queries with LIMIT only, leading to scenarios where we execute only some high-priority shards then stop. For now, we don't have a partial reduce at the node level, but if we introduce one in the future, it might not be as efficient as executing all shards at the same time. There are pauses between batches because batches are executed sequentially one by one. However, I believe the performance of queries executing against many shards (after can_match) is less important than resiliency. Closes #103666 * [DOCS] Support for nested functions in ES|QL STATS...BY (#104788) * Document nested expressions for stats * More docs * Apply suggestions from review - count-distinct.asciidoc - Content restructured, moving the section about approximate counts to end of doc. - count.asciidoc - Clarified that omitting the `expression` parameter in `COUNT` is equivalent to `COUNT(*)`, which counts the number of rows. - percentile.asciidoc - Moved the note about `PERCENTILE` being approximate and non-deterministic to end of doc. - stats.asciidoc - Clarified the `STATS` command - Added a note indicating that individual `null` values are skipped during aggregation * Comment out mentioning a buggy behavior * Update sum with inline function example, update test file * Fix typo * Delete line * Simplify wording * Fix conflict fix typo --------- Co-authored-by: Liam Thompson <[email protected]> Co-authored-by: Liam Thompson <[email protected]> * [ML] Passing input type through to cohere request (#104781) * Pushing input type through to cohere request * switching logic to allow request to always override * Fixing failure * Removing getModelId calls * Addressing feedback * Switching to enumset * [Transform] Unmute 2 remaining continuous tests: HistogramGroupByIT and TermsGroupByIT (#104898) * Adding ActionRequestLazyBuilder implementation of RequestBuilder (#104927) This introduces a second implementation of RequestBuilder (#104778). As opposed to ActionRequestBuilder, ActionRequestLazyBuilder does not create its request until the request() method is called, and does not hold onto that request (so each call to request() gets a new request instance). This PR also updates BulkRequestBuilder to inherit from ActionRequestLazyBuilder as an example of its use. * Update versions to skip after backport to 8.12 (#104953) * Update/Cleanup references to old tracing.apm.* legacy settings in favor of the telemetry.* settings (#104917) * Exclude tests that do not work in a mixed cluster scenario (#104935) * ES|QL: Improve type validation in aggs for UNSIGNED_LONG and better support for VERSION (#104911) * [Connector API] Make update configuration action non-additive (#104615) * Save allocating enum values array in two hot spots (#104952) Our readEnum code instantiates/clones enum value arrays on read. Normally, this doesn't matter much but the two spots adjusted here are visibly hot during bulk indexing, causing GBs of allocations during e.g. the http_logs indexing run. * ESQL: Correct out-of-range filter pushdowns (#99961) Fix pushed down filters for binary comparisons that compare a byte/short/int/long with an out of range value, like WHERE some_int_field < 1E300. * [DOCS] Dense vector element type should be float for OpenAI (#104966) * Fix test assertions (#104963) * Move functions that generate lucene geometries under a utility class (#104928) We have functions that generate lucene geometries scattered in different places of the code. This commit moves everything under a utility class. * fixing index versions --------- Co-authored-by: Simon Cooper <[email protected]> Co-authored-by: Chris Hegarty <[email protected]> Co-authored-by: David Turner <[email protected]> Co-authored-by: Jim Ferenczi <[email protected]> Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Navarone Feekery <[email protected]> Co-authored-by: Ignacio Vera <[email protected]> Co-authored-by: Tim Rühsen <[email protected]> Co-authored-by: Pooya Salehi <[email protected]> Co-authored-by: Keith Massey <[email protected]> Co-authored-by: István Zoltán Szabó <[email protected]> Co-authored-by: Moritz Mack <[email protected]> Co-authored-by: Costin Leau <[email protected]> Co-authored-by: Jonathan Buttner <[email protected]> Co-authored-by: Albert Zaharovits <[email protected]> Co-authored-by: Mark Vieira <[email protected]> Co-authored-by: Jedr Blaszyk <[email protected]> Co-authored-by: Nhat Nguyen <[email protected]> Co-authored-by: Abdon Pijpelink <[email protected]> Co-authored-by: Liam Thompson <[email protected]> Co-authored-by: Liam Thompson <[email protected]> Co-authored-by: Przemysław Witek <[email protected]> Co-authored-by: Joe Gallo <[email protected]> Co-authored-by: Lorenzo Dematté <[email protected]> Co-authored-by: Luigi Dell'Aquila <[email protected]> Co-authored-by: Armin Braun <[email protected]> Co-authored-by: Alexander Spies <[email protected]> Co-authored-by: David Kyle <[email protected]>
This adds support for the
type
parameter to the Query API key API.The
type
for an API Key can currently be eitherrest
orcross_cluster
.Relates: #101691