Add manage_own_api_key cluster privilege #45696
Changes from 28 commits
Should this logic be a function that is used in ManageOwnApiKeyClusterPrivilege?

Here we are intercepting the request and passing default values to the ApiKeyService#getApiKeys when you specify owner flag as true.
ManageOwnApiKeyClusterPrivilege only performs the authz checks and should not modify the request while doing so.

Sorry, the question I am raising is that you have here a way of extracting the realm name which is different than the way of extracting the realm name in ManageOwnApiKeyClusterPrivilege. I believe they should be the same.
It works as is, but it's brittle.

It never needs to extract the realm, user details when owner flag is true we return immediately in ManageOwnApiKeyClusterPrivilege#checkIfUserIsOwnerOfApiKeys.
This is a code change after Tim's comment so you may want to look at the method in ManageOwnApiKeyClusterPrivilege that does that.
Here we need to do so we can populate the realm and username before invoking ApiKeyService in case owner flag is true.

The same logic is in 2 transport actions. That seems like a strong enough argument to move it to a static method on the service.

The ManageOwnApiKeyClusterPrivilege is in core whereas the ApiKeyService is in security, but I have made changes to share between transport actions. Thank you.
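
An added example of the design this thread converges on, not code from this pull request: one shared helper resolves the owner's realm, the authorization check only reads the request, and the action passes the resolved realm and username to the lookup when owner is true. All type and method names here (Realm, Authentication, sourceRealm, mayManageOwnKeys, getApiKeys) and the two-realm model are hypothetical stand-ins, not Elasticsearch's API.

```java
import java.util.List;

// Hypothetical stand-ins for illustration; none of these are Elasticsearch classes.
public class OwnApiKeyExample {
    record Realm(String name) {}
    // Assumption: lookedUpBy is non-null only when a second realm resolved the user.
    record Authentication(String username, Realm authenticatedBy, Realm lookedUpBy) {}
    record GetApiKeyRequest(String realmName, String username, boolean owner) {}
    record ApiKey(String id, String realmName, String username) {}

    // The single place that decides which realm owns the user's keys.
    // Both the authorization check and the action call this, so they cannot drift apart.
    static String sourceRealm(Authentication auth) {
        Realm r = auth.lookedUpBy() != null ? auth.lookedUpBy() : auth.authenticatedBy();
        return r.name();
    }

    // Authorization check: reads the request and never modifies it.
    static boolean mayManageOwnKeys(GetApiKeyRequest req, Authentication auth) {
        if (req.owner()) {
            return true; // the action scopes the lookup to the caller below
        }
        return sourceRealm(auth).equals(req.realmName())
            && auth.username().equals(req.username());
    }

    // Action side: derives the effective filter and hands it to the lookup.
    static List<ApiKey> getApiKeys(GetApiKeyRequest req, Authentication auth, List<ApiKey> store) {
        if (!mayManageOwnKeys(req, auth)) {
            throw new SecurityException("not the owner of the requested API keys");
        }
        String realm = req.owner() ? sourceRealm(auth) : req.realmName();
        String user = req.owner() ? auth.username() : req.username();
        return store.stream()
            .filter(k -> k.realmName().equals(realm) && k.username().equals(user))
            .toList();
    }

    public static void main(String[] args) {
        List<ApiKey> store = List.of( // constructed sample data
            new ApiKey("k1", "ldap1", "alice"), new ApiKey("k2", "native1", "alice"));
        // Constructed case: authenticated by native1, user resolved by ldap1.
        Authentication alice = new Authentication("alice", new Realm("native1"), new Realm("ldap1"));
        // owner=true returns only k1, the key under the resolved realm.
        System.out.println(getApiKeys(new GetApiKeyRequest(null, null, true), alice, store));
        // Naming the authenticating realm explicitly is refused: prints false.
        System.out.println(mayManageOwnKeys(new GetApiKeyRequest("native1", "alice", false), alice));
    }
}
```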