Allow non super users to create API keys #40028
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When creating API keys we check for if API key with same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of authenticated user. This caused the request to fail in case of non super user trying to create API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be run with context of XPackSecurityUser. Also fixed the Rest test to avoid using user with `super_user` role.
bizybot
added
>bug
v7.0.0
:Security/Authentication
|
Pinging @elastic/es-security |
tvernum
reviewed
Mar 14, 2019
| name: "admin_role" | ||
| body: > | ||
| { | ||
| "cluster": ["all"], |
There was a problem hiding this comment.
Can we add another set of tests for a user with a minimal set of privileges?
It doesn't need to cover the complete set of tests, just that it's possible to create an API key with a reasonable set of privileges...
But, I think that's going to highlight a problem because the minimal set of privileges is manage_security, which is too much. I'll raise a separate issue for that.
There was a problem hiding this comment.
Thanks, Tim, I will address that as a separate issue.
#40031
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
Show resolved
Hide resolved
|
elasticsearch-ci/1 failed due to #40030 @elasticmachine run elasticsearch-ci/1 |
|
As the release for 6.7.0 is near, will merge this as this seems to be important functionality from API keys usage. I will handle the review comments if any from Tim in the next PRs. Thank you. |
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes elastic#40029
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes elastic#40029
bizybot
added a commit
to bizybot/elasticsearch
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes elastic#40029
bizybot
added a commit
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes #40029
bizybot
added a commit
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes #40029
bizybot
added a commit
that referenced
this pull request
Mar 21, 2019
When creating API keys we check for if API key with the same key name already exists and fail the request if it does. The check should have been performed with XPackSecurityUser instead of the authenticated user. This caused the request to fail in case of the non-super user trying to create an API key. This commit fixes by executing search action with SECURITY_ORIGIN so it can be executed with XPackSecurityUser. Also fixed the Rest test to avoid using a user with `super_user` role. Closes #40029
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When creating API keys we check for if API key with
the same key name already exists and fail the request if it does.
The check should have been performed with XPackSecurityUser
instead of the authenticated user. This caused the request to fail
in case of the non-super user trying to create an API key.
This commit fixes by executing search action with SECURITY_ORIGIN
so it can be executed with XPackSecurityUser.
Also fixed the Rest test to avoid using a user with
super_userrole.Closes #40029