Return file-backed service tokens from all nodes #75200
Conversation
ywangd
added
>enhancement
:Security/Security
|
Pinging @elastic/es-security (Team:Security) |
ywangd
force-pushed
the
es-74530-all-file-tokens
branch
from
19dbeae to
c56332e
Compare
...el/src/main/java/org/elasticsearch/client/security/GetServiceAccountCredentialsResponse.java
Outdated
Show resolved
Hide resolved
| return serviceTokenInfos; | ||
| public List<ServiceTokenInfo> getTokenInfos() { | ||
| return Stream.concat(fileTokensResponse.getTokenInfos().stream(), indexTokenInfos.stream()) | ||
| .collect(Collectors.toUnmodifiableList()); |
There was a problem hiding this comment.
I don't object, but it feels like you're trying too hard to restructure the response into the API you would like it to be, rather than represent the JSON API as it is.
We don't have to merge the file and index tokens into 1 list.
There was a problem hiding this comment.
I merged them because it felt easier to explain in the HLRC doc page. Now I think it's better to have consistency with the server side response. Updated to keep them separate.
x-pack/docs/en/rest-api/security/get-service-credentials.asciidoc
Outdated
Show resolved
Hide resolved
...g/elasticsearch/xpack/core/security/action/service/GetServiceAccountCredentialsResponse.java
Outdated
Show resolved
Hide resolved
|
|
||
| import java.io.IOException; | ||
| import java.util.Collection; | ||
| import java.util.Map; | ||
| import java.util.Objects; | ||
|
|
||
| public class TokenInfo implements Writeable, ToXContentObject, Comparable<TokenInfo> { | ||
|
|
||
| private final String name; | ||
| private final TokenSource source; |
There was a problem hiding this comment.
The source seems weird now - file and index are handled so separately in the response objects, that it feels unnecessary to have this field.
There was a problem hiding this comment.
The source can be computed based on the new nodeNames field, which has value null for index-based tokens. So I removed this field, but kept the getter to compute it on the fly.
…security/GetServiceAccountCredentialsResponse.java Co-authored-by: Tim Vernum <[email protected]>
Co-authored-by: Tim Vernum <[email protected]>
ywangd
force-pushed
the
es-74530-all-file-tokens
branch
from
e789bb5 to
94b7b90
Compare
|
@tvernum I updated the PR based on the discussion with the following small change to response field names: The intention is to accomodate possible future expansion for node-local credentials other than file-backed tokens. |
...vileges-tests/src/javaRestTest/java/org/elasticsearch/xpack/security/operator/Constants.java
Outdated
Show resolved
Hide resolved
…stTest/java/org/elasticsearch/xpack/security/operator/Constants.java
...lasticsearch/xpack/core/security/action/service/GetServiceAccountNodesCredentialsAction.java
Outdated
Show resolved
Hide resolved
...sticsearch/xpack/core/security/action/service/GetServiceAccountCredentialsResponseTests.java
Outdated
Show resolved
Hide resolved
| listener.onFailure(new IllegalStateException("authentication is required")); | ||
| } else { | ||
| serviceAccountService.createIndexToken(authentication, request, listener); | ||
| } |
There was a problem hiding this comment.
I don't follow why this change is here (to move things from the actions to the service).
I don't have any opinion on it - I'm just confused about where it came from.
I assume it's a consequence of having the Nodes action that needs to query for index & file tokens separately, but I can't quite piece all the bits together.
There was a problem hiding this comment.
You understanding is correct. Please let me fill in some more details.
The logic is not really moved from the "action" to the service, but rather moved from IndexServiceAccountTokenStore to the service. Because of the separation between index-token and file-token fetching, the service becomes more aware of the difference. Previously I tried to make the service not aware of the underlying difference between different stores by having just a single CompositeServiceAccountTokenStore. But this is no long suitable because we have to handle token fetching separately.
Now the service knows explicitly about both stores and can hence become a facade for both of them. So I think it is better have the abstraction layer here since it is already aware of it. That's why I decided to let the actions call into service instead of using the underlying store directly. I think in general I prefer this layer separation, but we are (I am) not consistent about it.
Since this action now uses the service and the service already handles HTTP TLS check, it is also moved into the service. One benefit is that I was able to test it in one place and delete a few tests for the actions.
Co-authored-by: Tim Vernum <[email protected]>
The Get service account credentials API now returns file-backed tokens from all nodes instead of only the local node. For each file-backed service token, we list names of the nodes where this token is found. The response for node-local credentials (currently only file-backed tokens) is place inside the "nodes_credentials.file_tokens" field. There is also a nodes_credentials._nodes field containing information about the overall request execution (it works the same way as the _nodes field of Nodes info API, etc.) Detailed response sample can be found in elastic#74530 This PR also removes the beta label from the API's documentation page. Resolves: elastic#74530
The Get service account credentials API now returns file-backed tokens from all nodes instead of only the local node. For each file-backed service token, we list names of the nodes where this token is found. The response for node-local credentials (currently only file-backed tokens) is place inside the "nodes_credentials.file_tokens" field. There is also a nodes_credentials._nodes field containing information about the overall request execution (it works the same way as the _nodes field of Nodes info API, etc.) Detailed response sample can be found in #74530 This PR also removes the beta label from the API's documentation page. Resolves: #74530
The Get service account credentials API now returns file-backed tokens from all nodes instead of only the local node. For each file-backed service token, we list names of the nodes where this token is found. The response for node-local credentials (currently only file-backed tokens) is place inside the "nodes_credentials.file_tokens" field. There is also a nodes_credentials._nodes field containing information about the overall request execution (it works the same way as the _nodes field of Nodes info API, etc.) Detailed response sample can be found in elastic#74530 This PR also removes the beta label from the API's documentation page. Resolves: elastic#74530
The Get service account credentials API now returns file-backed tokens from all nodes instead of only the local node. For each file-backed service token, we list names of the nodes where this token is found. The response also has a
file_tokens._nodesfield containing information about the overall request execution (it works the same way as the_nodesfield of Nodes info API, etc.) Detailed response sample can be found in #74530 (comment)This PR also removes the
betalabel from the API's documentation page.Resolves: #74530