[DOCS] Clarifies API key breaking change #54522
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -14,12 +14,44 @@ See also <<release-highlights>> and <<es-release-notes>>. | |
| //Installation and Upgrade Guide | ||
|
|
||
| //tag::notable-breaking-changes[] | ||
| [discrete] | ||
| [[breaking_76_security_changes]] | ||
| === Security changes | ||
|
|
||
| [discrete] | ||
| ==== {es} authentication API key privileges | ||
|
|
||
| If you use the {es} API key service to generate API keys, the behavior of new | ||
| API keys is impacted by the fix for | ||
| https://www.elastic.co/community/security[CVE-2020-7009]. | ||
|
|
||
| When you make a request to create API keys, you can specify an expiration and | ||
|
There was a problem hiding this comment. Is it possible or necessary to emphasize in the beginning that the change only impact derived keys? Since most users are probably not using them and they can skip the details. |
||
| permissions for the API key. Previously, if you used an API key to create | ||
| another API key (sometimes called a _derived key_), by default it had no | ||
|
There was a problem hiding this comment. Should we be more explicity about the previous behaviour? that is the derived key had no privilege regardless of the role descriptors specified at creation time |
||
| privileges. It could nonetheless perform some operations such as running | ||
|
There was a problem hiding this comment.
The documentation for the create API key API (https://www.elastic.co/guide/en/elasticsearch/reference/master/security-api-create-api-key.html) says "When [role_descriptors] is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys...". Is that still correct? Or does it need a clarification that this behaviour differs when you're creating a derived key? There was a problem hiding this comment. This is still correct for "non-derived" keys. For any derived keys, the role descriptors must be specified and its member must be an empty descriptor. There was a problem hiding this comment.
Sorry, but I don't understand this qualifier. Could you please clarify? There was a problem hiding this comment. The basically means the example you put into the breaking change section: "role_descriptors": {
"no_privileges": {}
}The internal There was a problem hiding this comment. Thanks, I'll create a separate PR to augment the description in the create API key API reference There was a problem hiding this comment. @ywangd what is the point of having a derived key with no privilege? I mean is there any way to have a admin-key that can be used to create other derived keys with limited but non-empty privileges. Currently I can create only empty privilege derived key and could not found a way to associate roles with it? There was a problem hiding this comment. @baturozgur Previously we had a bug that derived keys are always created with no privileges regardless of what you specify in the role descriptors at creation time. We'd like to support derived keys properly and have an issue #52244 to track it. But we are still working out details on how we should approach the implementation. In the mean time, we decided to fix the bug temporarily by explicitly require no privilege should be specified at creation time for derived keys. This avoids the confusion that our users used to have. In summary, currently there is no way to create derived keys with non-empty privileges. This has been the case since day 1 of the API key feature. The fix did not change this behaviour. It only tightens what you can specify in the input to avoid the false impression that you could create derived keys with non-empty privileges. Derived keys can still be used for the authentication API, i.e. |
||
| the {ref}/security-api-authenticate.html[authenticate API]. This is no longer | ||
| the default behavior. | ||
|
|
||
| To create derived keys with no privileges, specify an empty object in the | ||
| `role_descriptors` array when you run the | ||
| {ref}/security-api-create-api-key.html[create API key API]. For example: | ||
|
|
||
| [source,js] | ||
| ---- | ||
| ... | ||
| "role_descriptors": { | ||
| "no-privilege": { | ||
| } | ||
| } | ||
| ... | ||
| ---- | ||
| // NOTCONSOLE | ||
|
|
||
| //end::notable-breaking-changes[] | ||
|
|
||
| [discrete] | ||
| [[breaking_76_search_changes]] | ||
| === Search changes | ||
|
|
||
| [discrete] | ||
| ==== Deprecation of sparse vector fields | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The word "authentication" does not seem to be necessary here. Also privileges are in the scope of authorization.