[DOCS] Clarifies API key breaking change #54522

Merged (5 commits), Apr 1, 2020
31 changes: 30 additions & 1 deletion docs/reference/migration/migrate_7_6.asciidoc
Expand Up @@ -14,12 +14,41 @@ See also <<release-highlights>> and <<es-release-notes>>.
//Installation and Upgrade Guide

//tag::notable-breaking-changes[]
[discrete]
[[breaking_76_security_changes]]
=== Security changes

[discrete]
==== {es} API key privileges

If you use an API key to create another API key (sometimes called a
_derived key_), its behavior is impacted by the fix for
https://www.elastic.co/community/security[CVE-2020-7009].

When you make a request to create API keys, you can specify an expiration and
Member:

Is it possible or necessary to emphasize at the beginning that the change only impacts derived keys? Since most users are probably not using them, they can skip the details.

Contributor Author:

Good point, done!

privileges for the API key. Previously, when you created a derived key, it had
no privileges. This behavior disregarded any privileges that you specified in
the {ref}/security-api-create-api-key.html[create API key API].

As of 7.6.2, this behavior changes. To create derived keys with no privileges,
you must explicitly specify an empty role descriptor. For example:

[source,js]
----
...
"role_descriptors": {
"no-privilege": {
}
}
...
----
// NOTCONSOLE

//end::notable-breaking-changes[]

[discrete]
[[breaking_76_search_changes]]
=== Search Changes
=== Search changes

[discrete]
==== Deprecation of sparse vector fields
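Review bot: the paragraph starting "As of 7.6.2, this behavior changes" tells the reader how to obtain a derived key with no privileges, but not what a derived key now receives when `role_descriptors` is omitted or carries real privileges, which is exactly the case whose outcome changed (previously it silently produced a key with no privileges). Suggest adding one sentence stating the new outcome for such requests, since anyone auditing existing derived-key creation code needs it to judge whether those keys gain privileges after upgrading. Minor: the `[source,js]` example is elided with `...`; a short lead-in such as "in the body of the create API key request" would make clear where the `role_descriptors` fragment belongs.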
10 changes: 7 additions & 3 deletions docs/reference/release-notes/7.6.asciidoc
Expand Up @@ -3,6 +3,13 @@

Also see <<breaking-changes-7.6,Breaking changes in 7.6>>.

[[breaking-7.6.2]]
[float]
=== Breaking changes

Authorization::
* Creation of derived API keys (keys created by existing keys) now requires explicit "no privileges" configuration {pull}53647[#53647], https://www.elastic.co/community/security[CVE-2020-7009]

[[bug-7.6.2]]
[float]
=== Bug fixes
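Review bot: the new Authorization bullet links the pull request and the CVE but not the migration-guide section that shows the required empty role descriptor; the "Also see <<breaking-changes-7.6,Breaking changes in 7.6>>" line above points at the whole page, so consider linking the bullet directly to <<breaking_76_security_changes>> (the anchor this PR adds in migrate_7_6.asciidoc) so release-note readers land on the example. The phrase 'explicit "no privileges" configuration' could also say what that is, namely an empty role descriptor.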
Expand All @@ -13,9 +20,6 @@ Allocation::
Authentication::
* Fix potential bug in concurrent token refresh support {pull}53668[#53668]

Authorization::
* Explicitly require that delegate API keys have no privileges {pull}53647[#53647]

CCR::
* Handle no such remote cluster exception in ccr {pull}53415[#53415] (issue: {issue}53225[#53225])

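Review bot: dropping this Authorization entry from Bug fixes is consistent with its move to the new Breaking changes section, and the wording there ("derived API keys") replaces "delegate API keys" here, which matches the migration guide's terminology; nothing further to change in this hunk.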