From e23292403cd0d75cbd690ebc07a5eefdc850c118 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Wed, 22 Jul 2020 09:55:58 +0300 Subject: [PATCH 1/8] Docs docs docs --- .../en/security/auditing/event-types.asciidoc | 48 +++++++++++++++---- 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index c63f2908c76d5..b36da6e18afe7 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -157,16 +157,35 @@ There are a few events that have some more attributes in addition to those that have been previously described: * `authentication_success`: - `realm` :: The name of the realm that successfully - authenticated the user. + `realm` :: The name of the realm that successfully authenticated the user, + or the special value of `_es_api_key` if authentication is + performed using an API Key. This is a shorthand attribute + for the same information that is described by the `user.realm`, + `user.run_by.realm` and `authentication.type` attributes. `user.name` :: The name of the _effective_ user. This is usually the same as the _authenticated_ user, but if using the <> this instead denotes the name of the _impersonated_ user. + If authentication is performed using an API Key this attribute + designates the name of the owner user of the key. + `user.realm` :: The realm name that the _effective_ user belongs to. If authentication + is performed using an API Key this attribute designates the realm name + that the owner of the key belongs to. `user.run_by.name` :: This attribute is present only if the request is using the <> and denotes the name of the _authenticated_ user, which is also known as the _impersonator_. + `user.run_by.realm` :: This attribute is present only if the request is + using the <> + and denotes the name of the realm that the _authenticated_ + (_impersonator_) user belongs to. + `authentication.type`:: One of `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. + `api_key.id` :: This attribute is present only if authentication is performed using an + API Key, and contains the value for the key id that is returned in response + to the <> call. + `api_key.name` :: This attribute is present only if authentication is performed using an + API Key, and contains the value for the key name given in the request + to <> * `authentication_failed`: `user.name` :: The name of the user that failed authentication. @@ -188,13 +207,19 @@ that have been previously described: action is granted or denied. `user.run_as.realm` :: The realm name of that the _impersonated_ user belongs to. -* `access_granted` or `access_denied`: - `user.roles` :: The role names of the user as an array. - `user.name` :: The name of the _effective_ user that is being - authorized or unauthorized. This is usually the _authenticated_ - user, but if using the <> +* `access_granted` and `access_denied`: + `user.roles` :: The role names of the user as an array. If authentication is + performed using an API Key this attribute designates the + role names of the owner user of the key. + `user.name` :: The name of the _effective_ user. This is usually the + same as the _authenticated_ user, but if using the + <> this instead denotes the name of the _impersonated_ user. - `user.realm` :: The realm name that the _effective_ user belongs to. + If authentication is performed using an API Key this attribute + designates the name of the owner user of the key. + `user.realm` :: The realm name that the _effective_ user belongs to. If authentication + is performed using an API Key this attribute designates the realm name + that the owner of the key belongs to. `user.run_by.name` :: This attribute is present only if the request is using the <> and denoted the name of the _authenticated_ user, @@ -203,6 +228,13 @@ that have been previously described: using the <> and denotes the name of the realm that the _authenticated_ (_impersonator_) user belongs to. + `authentication.type`:: One of `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. + `api_key.id` :: This attribute is present only if authentication is performed using an + API Key, and contains the value for the key id that is returned in response + to the <> call. + `api_key.name` :: This attribute is present only if authentication is performed using an + API Key, and contains the value for the key name given in the request + to <> [float] From 27d7e0e77c3d3495001560f372ac33d86efb25e9 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 07:59:45 +0300 Subject: [PATCH 2/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- x-pack/docs/en/security/auditing/event-types.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index b36da6e18afe7..5a5e98ae806dc 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -157,9 +157,9 @@ There are a few events that have some more attributes in addition to those that have been previously described: * `authentication_success`: - `realm` :: The name of the realm that successfully authenticated the user, - or the special value of `_es_api_key` if authentication is - performed using an API Key. This is a shorthand attribute + `realm` :: The name of the realm that successfully authenticated the user. + If authenticated using an API key, this is the special value of + `_es_api_key`. This is a shorthand attribute for the same information that is described by the `user.realm`, `user.run_by.realm` and `authentication.type` attributes. `user.name` :: The name of the _effective_ user. This is usually the From 2fd6a737bbb0e7e1dd6fc93a15c8c39e5559e4ba Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:01:03 +0300 Subject: [PATCH 3/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- x-pack/docs/en/security/auditing/event-types.asciidoc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 5a5e98ae806dc..6c899483be397 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -166,11 +166,11 @@ that have been previously described: same as the _authenticated_ user, but if using the <> this instead denotes the name of the _impersonated_ user. - If authentication is performed using an API Key this attribute - designates the name of the owner user of the key. - `user.realm` :: The realm name that the _effective_ user belongs to. If authentication - is performed using an API Key this attribute designates the realm name - that the owner of the key belongs to. + If authenticated using an API key, this is + the name of the API key owner. + `user.realm` :: Name of the the realm to which the _effective_ user + belongs. If authenticated using an API key, this is + the name of the realm to which the API key owner belongs. `user.run_by.name` :: This attribute is present only if the request is using the <> and denotes the name of the _authenticated_ user, From c25f1468e06e9131087c26b812ea62bd975a5f73 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:02:26 +0300 Subject: [PATCH 4/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- .../en/security/auditing/event-types.asciidoc | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 6c899483be397..ec9d3ee2932e5 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -175,17 +175,16 @@ that have been previously described: using the <> and denotes the name of the _authenticated_ user, which is also known as the _impersonator_. - `user.run_by.realm` :: This attribute is present only if the request is - using the <> - and denotes the name of the realm that the _authenticated_ - (_impersonator_) user belongs to. - `authentication.type`:: One of `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. - `api_key.id` :: This attribute is present only if authentication is performed using an - API Key, and contains the value for the key id that is returned in response - to the <> call. - `api_key.name` :: This attribute is present only if authentication is performed using an - API Key, and contains the value for the key name given in the request - to <> + `user.run_by.realm` :: Name of the realm to which the _authenticated_ + (_impersonator_) user belongs. + This attribute is provided only if the request + uses the <>. + `authentication.type`:: Method used to authenticate the user. + Possible values are `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. + `api_key.id` :: API key ID returned by the <> request. + This attribute is only provided for authentication using an API key. + `api_key.name` :: API key name provided in the <> request. + This attribute is only provided for authentication using an API key. * `authentication_failed`: `user.name` :: The name of the user that failed authentication. From 66aeb49347ff59fc45f4bb76a7fbbcf4471522d4 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:03:17 +0300 Subject: [PATCH 5/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- x-pack/docs/en/security/auditing/event-types.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index ec9d3ee2932e5..ee541e564bfab 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -207,9 +207,9 @@ that have been previously described: `user.run_as.realm` :: The realm name of that the _impersonated_ user belongs to. * `access_granted` and `access_denied`: - `user.roles` :: The role names of the user as an array. If authentication is - performed using an API Key this attribute designates the - role names of the owner user of the key. + `user.roles` :: The role names of the user as an array. If authenticated + using an API key, this contains the + role names of the API key owner. `user.name` :: The name of the _effective_ user. This is usually the same as the _authenticated_ user, but if using the <> From 6405af46d3ca23d72d98f32f21504b3062086eb4 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:03:29 +0300 Subject: [PATCH 6/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- x-pack/docs/en/security/auditing/event-types.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index ee541e564bfab..2235aa5a40e63 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -214,8 +214,8 @@ that have been previously described: same as the _authenticated_ user, but if using the <> this instead denotes the name of the _impersonated_ user. - If authentication is performed using an API Key this attribute - designates the name of the owner user of the key. + If authenticated using an API key, this is + the name of the API key owner. `user.realm` :: The realm name that the _effective_ user belongs to. If authentication is performed using an API Key this attribute designates the realm name that the owner of the key belongs to. From 8f4b4c1660ea30e0ca2ec6815a5df8e9adfe651e Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:03:54 +0300 Subject: [PATCH 7/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- x-pack/docs/en/security/auditing/event-types.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index 2235aa5a40e63..c2c7e7acdeb9a 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -216,9 +216,9 @@ that have been previously described: this instead denotes the name of the _impersonated_ user. If authenticated using an API key, this is the name of the API key owner. - `user.realm` :: The realm name that the _effective_ user belongs to. If authentication - is performed using an API Key this attribute designates the realm name - that the owner of the key belongs to. + `user.realm` :: Name of the the realm to which the _effective_ user + belongs. If authenticated using an API key, this is + the name of the realm to which the API key owner belongs. `user.run_by.name` :: This attribute is present only if the request is using the <> and denoted the name of the _authenticated_ user, From ec5629dbc93f3b004252888e527fe268270b2845 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 23 Jul 2020 08:04:29 +0300 Subject: [PATCH 8/8] Update x-pack/docs/en/security/auditing/event-types.asciidoc Co-authored-by: James Rodewig --- .../docs/en/security/auditing/event-types.asciidoc | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/x-pack/docs/en/security/auditing/event-types.asciidoc b/x-pack/docs/en/security/auditing/event-types.asciidoc index c2c7e7acdeb9a..198ff53ac91a6 100644 --- a/x-pack/docs/en/security/auditing/event-types.asciidoc +++ b/x-pack/docs/en/security/auditing/event-types.asciidoc @@ -227,13 +227,12 @@ that have been previously described: using the <> and denotes the name of the realm that the _authenticated_ (_impersonator_) user belongs to. - `authentication.type`:: One of `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. - `api_key.id` :: This attribute is present only if authentication is performed using an - API Key, and contains the value for the key id that is returned in response - to the <> call. - `api_key.name` :: This attribute is present only if authentication is performed using an - API Key, and contains the value for the key name given in the request - to <> + `authentication.type`:: Method used to authenticate the user. + Possible values are `REALM`, `API_KEY`, `TOKEN`, `ANONYMOUS` or `INTERNAL`. + `api_key.id` :: API key ID returned by the <> request. + This attribute is only provided for authentication using an API key. + `api_key.name` :: API key name provided in the <> request. + This attribute is only provided for authentication using an API key. [float]