A new search API for API keys - core search function #75335

Merged
merged 199 commits into from
Aug 3, 2021
Changes from 10 commits
aaa8324
WIP: working version
ywangd Jul 6, 2021
6cf8bf2
Rename search to query
ywangd Jul 7, 2021
db31169
show that manage_own_api_key is tested last
ywangd Jul 11, 2021
697d25e
Merge remote-tracking branch 'origin/master' into es-71023-new-search…
ywangd Jul 14, 2021
21aa8e6
add more tests
ywangd Jul 14, 2021
bf95613
Prefer consistent request/response format for now
ywangd Jul 14, 2021
d7a6d72
Add comment for explanation
ywangd Jul 14, 2021
fb053ad
working on tests
ywangd Jul 14, 2021
67a14cb
checkstyle
ywangd Jul 14, 2021
3133622
Merge branch 'master' into es-71023-new-search-for-api-keys
elasticmachine Jul 15, 2021
e9fd594
Apply suggestions from code review
ywangd Jul 30, 2021
704cd54
Mute SimpleFeatureFactoryTests test points (#75359)
iverase Jul 15, 2021
fd7c2db
Move some constants from SearchableSnapshotsConstants to server (#75308)
tlrx Jul 15, 2021
42d3daa
[Rest Api Compatibility] Allow transforming warnings per test (#75187)
pgomulka Jul 15, 2021
2893098
Update "ssl-config" to support X-Pack features (#74887)
tvernum Jul 15, 2021
c84ec00
Introduce searchable snapshots index setting for cascade deletion of …
tlrx Jul 15, 2021
dee3b89
[ML] Rename JobNodeLoadDetectorTests to match tested class (#75370)
dimitris-athanasiou Jul 15, 2021
e8007e5
Resolve date math expressions before looking up index metadata (#75314)
danhermann Jul 15, 2021
07676e0
Add a tool for creating enrollment tokens (#74890)
jkakavas Jul 15, 2021
7bdf43e
[DOCS] Clarify usage of the enroll Kibana API (#75348)
Jul 15, 2021
c4e84e3
Remove SET aliases from disk usage and field usage YML tests (#75381)
stevejgordon Jul 15, 2021
84d4709
Add null check for shard stats to data tier telemetry (#75185)
dakrone Jul 15, 2021
65116fa
[DOCS] Fix broken doc url values in JSON API spec (#75385)
jrodewig Jul 15, 2021
b2a317f
[DOCS] Update doc URLs for trained model deployment APIs (#75388)
lcawl Jul 15, 2021
e435073
Increase client timeout on CCS tests (#75346)
bpintea Jul 15, 2021
ec509e0
Increment Iron Bank base image to 8.4
pugnascotia Jul 15, 2021
30e0bd0
Ensure system index upgrade mechanism can handle integer _meta.verion…
gwbrown Jul 15, 2021
a9356f1
Mute GeoIpDownloaderIT#testInvalidTimestamp (#75398)
probakowski Jul 15, 2021
57aa649
Fix broken test for dimension keywords (#75408)
csoulios Jul 16, 2021
4f0b4e9
Add missing X-Pack repositories REST specs (#65548)
stevejgordon Jul 16, 2021
a5d2317
[Rest Api Compatibility] Allow to use size -1 (#75342)
pgomulka Jul 16, 2021
c420119
Remove obsolete BWC in OS stats (#75376)
danhermann Jul 16, 2021
e0bc584
Fix Snapshot Out of Order Finalization Repo Corruption (#75362)
original-brownbear Jul 16, 2021
974884d
Weaken assertions in SearchWhileRelocatingIT (#75345)
ywelsch Jul 16, 2021
fe079d4
[DOCS] Adds peak_model_bytes and assignment_memory_basis to GET model…
szabosteve Jul 16, 2021
c91f08a
Remove support for configurable PKCS#11 keystores (#75404)
tvernum Jul 19, 2021
6a6cd14
Make NestedObjectMapper its own class (#74410)
romseygeek Jul 19, 2021
284dd74
ILM: execute cached steps even if policy is updated (#75296)
andreidan Jul 19, 2021
38f6db9
[Rest Api Compatibility] Do not return _doc for empty mappings in tem…
pgomulka Jul 19, 2021
f2ad596
Fix failure on attempt to overwrite multi fields (#75454)
Jul 19, 2021
20b14c6
[DOCS] Correct docs for deprecation logging (#75361)
robin13 Jul 19, 2021
023b2b6
[DOCS] Document time series dimension mapping parameters (#75414)
jrodewig Jul 19, 2021
69e3e77
Allow ILM move-to-step without `action` or `name` (#75435)
dakrone Jul 19, 2021
a54dee0
Correct XCombinedFieldQuery equals and hashCode (#75402)
jtibshirani Jul 19, 2021
41a0dc7
[DOCS] Remove leading slashes
jrodewig Jul 19, 2021
89818e3
Fix TOC order
jrodewig Jul 19, 2021
33433ac
[DOCS] Add object subfield example for update API (#75460)
jrodewig Jul 19, 2021
3a1c1e7
Disable BWC tests for ILM move-to-step backport (#75481)
dakrone Jul 19, 2021
132f333
Re-enable BWC for ILM move-to-step backport (#75498)
dakrone Jul 19, 2021
fdb8a97
Fix toXContent of PointInTimeBuilder (#75476)
dnhatn Jul 19, 2021
324330c
Make FeatureFactory tests more resilient (#75405)
iverase Jul 20, 2021
ed9699f
[Transform] Optimize composite agg execution using ordered groupings …
Jul 20, 2021
f6a339e
Add filter support to data stream aliases (#74784)
martijnvg Jul 20, 2021
5bb47e1
Reset elastic password cli tool (#74892)
jkakavas Jul 20, 2021
63894ca
[ML] Memory based trained model task allocation (#75378)
dimitris-athanasiou Jul 20, 2021
a5acac6
Enable javac warnings in x-pack identity-provider (#75450)
pugnascotia Jul 20, 2021
3612581
Enable compiler warnings for watcher (#75516)
pugnascotia Jul 20, 2021
64930e3
Fix RestSnapshotsStatusCancellationIT (#75524)
original-brownbear Jul 20, 2021
d956307
Bump version after 7.13.4 release
joegallo Jul 20, 2021
3634f42
Align XCombinedFieldQuery with latest changes (#75483)
jtibshirani Jul 20, 2021
3f7be4d
Remove deprecated date histo interval (#75000)
not-napoleon Jul 20, 2021
a68a960
Advise away from a ping schedule on remote connxns (#75513)
DaveCTurner Jul 20, 2021
1e2c933
[DOCS] Fixes nesting of datafeed config in APIs (#75502)
lcawl Jul 20, 2021
05a486e
Simplify building the default log4j2.properties (#75535)
pugnascotia Jul 20, 2021
3b1efd1
Remove MavenFilteringHack (#73637)
jakelandis Jul 20, 2021
6475bf2
Configure security for the initial node cli (#74868)
albertzaharovits Jul 21, 2021
6181a6d
Make some vector tile body parameters as query parameters (#75522)
iverase Jul 21, 2021
1e459fd
Fix the use of wildcard expressions for data streams in update aliase…
martijnvg Jul 21, 2021
4ef5157
[Rest Api Compatibility] Enable parent_join inner_hits test (#75560)
pgomulka Jul 21, 2021
a378d41
Wait for ES to finish startup during password tests (#75420)
pugnascotia Jul 21, 2021
d4b8c30
Disable bwc tests for #74784 (#75567)
martijnvg Jul 21, 2021
5a26aea
`indices.query.bool.max_clause_count` now limits all query clauses (#…
jpountz Jul 21, 2021
aa427ab
Fix RoutingTable Lookup by Index (#75530)
original-brownbear Jul 21, 2021
8449ebb
Enable bwc tests for #74784 (#75568)
martijnvg Jul 21, 2021
22609fc
Adjust graph explore api to also support data streams. (#75541)
martijnvg Jul 21, 2021
8f3e4c0
[DOCS] SQL: Add formal API docs (#75506)
jrodewig Jul 21, 2021
d6fb1c1
Significant terms test refactor for extendability (#75452)
benwtrent Jul 21, 2021
1213572
Re-enable compiler warnings in :test:framework (#75449)
pugnascotia Jul 21, 2021
3a2e081
Fix failing HTTP client stats test (#75527)
danhermann Jul 21, 2021
28765d0
Adjust skip version for data stream alias tests (#75585)
martijnvg Jul 21, 2021
06d227a
[DOCS] Retitle 'SQL access' page to 'SQL'
jrodewig Jul 21, 2021
f95d7f4
Fix Tripped Assertion on Failed Snapshot Clone Cleanup (#75582)
original-brownbear Jul 21, 2021
2076cb6
[ML] adding new p_value scoring heuristic to significant terms aggreg…
benwtrent Jul 21, 2021
572cfb7
Print suggestion to view log on fatal error (#75418)
pugnascotia Jul 21, 2021
7c97e70
SQL: Improve verifier errors on nested aggregations (#75517)
Jul 21, 2021
468a7e4
Increase docker compose timeout on ARM CI jobs
mark-vieira Jul 21, 2021
5718d49
Enable compiler warnings in x-pack security (#75473)
pugnascotia Jul 21, 2021
5979731
Mute PValueScoreTests.testLowPValueScore
mark-vieira Jul 21, 2021
249dd02
[DOCS] Fix typos
jrodewig Jul 21, 2021
b5bb1db
Fix reported branch in build scans for pull request CI jobs (#75600)
mark-vieira Jul 21, 2021
1d96037
Mute CandidateQueryTests.testPercolateSmallAndLargeDocument
mark-vieira Jul 21, 2021
f18bdb0
Add Sha256 header in elasticsearch RPMs (#75569)
breskeby Jul 22, 2021
3ccc8e3
[doc] Document workaround for slow log levels (#75438)
pgomulka Jul 22, 2021
4e44793
[Transform] fix listener for search context missing exception (#75615)
Jul 22, 2021
76a4eb3
Address recent percolator failures. (#75620)
jpountz Jul 22, 2021
10526ad
Add the ability to fetch the latest successful shard snapshot (#75080)
fcofdez Jul 22, 2021
eeb1e16
Handle runtime subfields when shadowing dynamic mappings (#75595)
romseygeek Jul 22, 2021
b67eded
Fix ConfigInitialNode certificate SAN generation (#75622)
jkakavas Jul 22, 2021
8940f97
[DOCS] Update Kibana dev console screenshots for new EUI theme (#75626)
jrodewig Jul 22, 2021
86f3f55
Mute PValueScoreTests.testHighPValueScore (#75636)
mayya-sharipova Jul 22, 2021
f5e7c51
[DOCS] Fix Watcher chapter title (#75220)
spinscale Jul 22, 2021
c707eed
[ML] make p_value scoring tests more robust (#75629)
benwtrent Jul 22, 2021
4ca2113
Create data stream aliases from template (#73867)
danhermann Jul 22, 2021
4d868f5
Fix wrong error upper bound when performing incremental reductions (#…
Hohol Jul 22, 2021
ea5e7da
[ML] Integrating ML with the node shutdown API (#75188)
droberts195 Jul 22, 2021
c9fe937
[DOC] Add ingest error metadata (#75653)
danhermann Jul 23, 2021
b3034c1
[DOCS] Reword for clarity
jrodewig Jul 23, 2021
760edcd
[DOCS] Fix typo
jrodewig Jul 23, 2021
82c0a51
Mute org.elasticsearch.search.aggregations.bucket.TermsDocCountErrorI…
original-brownbear Jul 25, 2021
4f82c21
Fix contents of license tools zip file (#75610)
tvernum Jul 26, 2021
96cd1c8
Fix Potential Memory Leak in SecurityServerTransportInterceptor (#75669)
original-brownbear Jul 26, 2021
585ddf4
[ML] Parse time_ms field from inference result (#75570)
davidkyle Jul 26, 2021
4daa6fc
Distinguish timeouts/failures in follower checker (#75519)
DaveCTurner Jul 26, 2021
fb6e850
Drop ReceiveTimeoutTransportException stack trace (#75671)
DaveCTurner Jul 26, 2021
24b95c7
[ML] fixing datafeed preview after allowing datafeed_config in job_co…
benwtrent Jul 26, 2021
3d8a80c
Add warning header after 25 days after last db update (#75311)
probakowski Jul 26, 2021
f756bc4
Update licenses and attributions for GeoIP module (#75178)
probakowski Jul 26, 2021
1c93138
[DOCS] Updates for data stream aliases (#75654)
danhermann Jul 26, 2021
5e5666f
[DOCS] Comments out link that points to outlier detection example (#7…
szabosteve Jul 26, 2021
965f80b
[Rest Api Compatibility] Voting config exclusion exception message (#…
pgomulka Jul 26, 2021
b87d8ea
unsigned longs should be compatible with index sorting (#75599)
jimczi Jul 26, 2021
7c544e5
[ML] Mute PyTorchModelIT.testEvaluate on Aarch64 (#75690)
davidkyle Jul 26, 2021
ed1f47f
[DOCS] Drafts trained model deployment APIs (#75497)
lcawl Jul 26, 2021
868ce3e
[DOCS] Update index template API docs for data stream aliases (#75688)
jrodewig Jul 26, 2021
8621a18
[DOCS] Adds ml-cpp PRs to release notes (#75703)
lcawl Jul 26, 2021
fb7f209
[DOCS] Fix formatting for 8.0 breaking changes (#75709)
jrodewig Jul 26, 2021
cdd2183
[DOCS] Fixes link in EQL breaking changes (#75710)
lcawl Jul 26, 2021
1fa2b30
[DOCS] Fix tags and xrefs for 8.0 breaking changes (#75712)
jrodewig Jul 26, 2021
be14569
[DOCS] Add tip for Kibana Fleet APIs (#75711)
EricDavisX Jul 26, 2021
6337ed2
[DOCS] Fix typo (#75635) (#75705)
jrodewig Jul 26, 2021
d6727cb
[DOCS] Relocate tip for Fleet APIs
jrodewig Jul 26, 2021
edc293a
[DOCS] Fix formatting for several 8.0 breaking changes (#75715)
jrodewig Jul 26, 2021
f9c8e70
[DOCS] Removes ml-cpp PR from release notes (#75717)
lcawl Jul 26, 2021
f972d71
Fix license check failures on Windows
mark-vieira Jul 27, 2021
8a024fe
Vector tiles: Add support for Geometry collections (#75697)
iverase Jul 27, 2021
93cfe87
[DOCS] Adds p-value heuristic to significant terms aggregation (#75369)
szabosteve Jul 27, 2021
d1d92b6
ILM ClusterStateWaitThresholdBreachTests cycles due to `shrunk-shards…
andreidan Jul 27, 2021
8f255a0
[Transform] Fix transform fails when getting field mappings (#75694)
Jul 27, 2021
656b7af
Fix testConcurrentRestoreDeleteAndClone Timing Issue (#75523)
original-brownbear Jul 27, 2021
d3a9d7d
Include reason in cancellation exceptions (#75332)
DaveCTurner Jul 27, 2021
4b818e5
[Rest Api Compatibility] Licence accept_enterprise and response chang…
pgomulka Jul 27, 2021
43e691e
Use reader wrapper in ReadOnlyEngine (#75724)
ywelsch Jul 27, 2021
793e4ae
Fix testConcurrentRestoreDeleteAndClone Corner Case (#75728)
original-brownbear Jul 27, 2021
95d344d
[ML] notify inference listeners of pytorch process crash (#75679)
benwtrent Jul 27, 2021
f59c50b
Allow specifying index in pinned queries (#74873)
Jul 27, 2021
57f786f
Fix Concurrent Snapshot Repository Corruption from Operations Queued …
original-brownbear Jul 27, 2021
88440e1
Remove usage of deprecated JavaPluginConvention (#75106)
breskeby Jul 27, 2021
b803b8f
Update rpm build to add sha256 payload and file digest (#75731)
breskeby Jul 27, 2021
5592757
Adding shard count to node stats api (#75433)
masseyke Jul 27, 2021
1d15402
Adjust version checks after pinned query backport
jtibshirani Jul 27, 2021
0e8ae9e
Enhance Shard Level Metdata check in BlobStoreTestUtil (#75737)
original-brownbear Jul 27, 2021
839ed48
Make PublishPlugin gradle configuration cache compliant (#74828)
breskeby Jul 27, 2021
bccca8b
Vector tiles: order hits by geometry size by default (#75621)
iverase Jul 27, 2021
db5af7d
Fix dependency report link to JDK sources (#75742)
mark-vieira Jul 27, 2021
026a7ef
[DOCS] Update ingest pipeline screenshots for new EUI theme (#75744)
jrodewig Jul 27, 2021
5be6f6d
Set netty available processors system property for tests globally (#7…
mark-vieira Jul 27, 2021
2c98ba0
Fix compiler warnings in :server - part 1 (#75708)
pugnascotia Jul 27, 2021
328f5c6
[DOCS] Update index management screenshots for new EUI theme (#75754)
jrodewig Jul 27, 2021
8d9d552
[DOCS] Remove unneeded screenshot from 'Size your shards' docs
jrodewig Jul 27, 2021
f95e171
Fix the usage of CacheIteratorHelper for service account (#75510)
ywangd Jul 28, 2021
d1e107e
Add 'mvt' field type format to geo fields (#75367)
iverase Jul 28, 2021
f082ebc
Remove incorrect assertion in CollapsingTopDocsCollectorSearchAfterTests
jtibshirani Jul 27, 2021
bb163a4
Refactor SSL setup in X-Pack (#75410)
tvernum Jul 28, 2021
19c801d
New release notes generator tasks (#71125)
pugnascotia Jul 28, 2021
657d476
Refactor plugin CLI commands (#75259)
pugnascotia Jul 28, 2021
f018dc1
[Rest Api Compatibility] Deprecate the use of synced flush (#75372)
pgomulka Jul 28, 2021
61acc54
Disabling BWC tests for _nodes/stats shard count backport (#75787)
masseyke Jul 28, 2021
5499267
[Transform][Rollup] remove unnecessary list indirection (#75459)
Jul 28, 2021
0c43ff9
Re-enabling BWC tests, and updating supported versions for shard coun…
masseyke Jul 28, 2021
ae9bd01
Avoid running all EQL BWC tasks when running check (#75743)
mark-vieira Jul 28, 2021
76897cd
Removing local abort availability checks (#75785)
droberts195 Jul 28, 2021
8a014da
[ML] Mute PyTorchModelIT in advance of input format changes (#75800)
davidkyle Jul 28, 2021
968233f
[ML] fixing potential network thread lockup on Pytorch model load (#7…
benwtrent Jul 28, 2021
1d68b8f
[DOCS] Fixes bulleted list in ML aggregations (#75806)
lcawl Jul 28, 2021
6bac600
[DOCS] Steps for updating TLS certificates (#73781)
Jul 28, 2021
4c37c47
Ensure we still test older operating systems where supported
mark-vieira Jul 28, 2021
f4e2b1f
Fix Jenkins job configuration syntax
mark-vieira Jul 28, 2021
681ead0
Remove Jenkins matrix job combination filter
mark-vieira Jul 28, 2021
0e08be9
Fix privileges for GetRollupIndexCapabilities API (#75614)
ywangd Jul 29, 2021
f3ae991
Remove usage of RAM accounting of segments (#75674)
jpountz Jul 29, 2021
81ad470
Docs: ILM document behaviour for changing lifecycle setting (#75790)
andreidan Jul 29, 2021
1776cec
[ML] Don't try to respond to shutdown API when disabled (#75828)
droberts195 Jul 29, 2021
10d361e
Make Authentication/Authorization Stacks Shallower/Simpler (#75662)
original-brownbear Jul 29, 2021
9fedd01
[ML] fix count ks test aggregator test consistency (#75793)
benwtrent Jul 29, 2021
dead681
[ML] throttle job audit msgs if delayed data occurs for consecutive b…
benwtrent Jul 29, 2021
ed7b27b
[ML] Delete expired annotations (#75617)
przemekwitek Jul 29, 2021
d036ed0
[DOCS] 8.0.0-alpha1 release notes
jakelandis Jul 29, 2021
bbf4c94
[ML] disable bwc for backporting new Job setting (system_annotations_…
przemekwitek Jul 29, 2021
8dd1deb
[ML] Adapt wire serialization code and re-enable BWC tests after back…
przemekwitek Jul 29, 2021
43229bf
Properly apply `system` flag on data streams when restoring a snapsho…
gwbrown Jul 29, 2021
a8d63ad
Add SLES 15 SP3 to docker exclusion list
mark-vieira Jul 29, 2021
4af8008
fix imports
ywangd Jul 30, 2021
cab9797
Merge remote-tracking branch 'origin/master' into es-71023-new-search…
ywangd Jul 30, 2021
810d8ef
Merge remote-tracking branch 'origin/master' into es-71023-new-search…
ywangd Jul 30, 2021
598d4f8
address feedback
ywangd Jul 30, 2021
786daad
Address feedback for checking query API key action.
ywangd Jul 30, 2021
8be55cb
fix test
ywangd Jul 30, 2021
6bf40fa
Address feedback to add javadoc
ywangd Aug 3, 2021
072e02e
Merge branch 'master' into es-71023-new-search-for-api-keys
elasticmachine Aug 3, 2021
Expand Up @@ -106,6 +106,7 @@ public class SearchExecutionContext extends QueryRewriteContext {
private NestedScope nestedScope;
private final ValuesSourceRegistry valuesSourceRegistry;
private final Map<String, MappedFieldType> runtimeMappings;
private Predicate<String> allowedFields;

/**
* Build a {@linkplain SearchExecutionContext}.
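
Review bot: The new `allowedFields` member is declared without `final` and without a comment, next to `final` neighbours, and the later hunks show that `null` is a valid value meaning no restriction. Since this field decides which fields a query may resolve, mark it `@Nullable` and document that `null` means every field is allowed, so a reader does not mistake an unset predicate for an empty allow-list.
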
Expand Down Expand Up @@ -153,7 +154,8 @@ public SearchExecutionContext(
),
allowExpensiveQueries,
valuesSourceRegistry,
parseRuntimeMappings(runtimeMappings, mapperService)
parseRuntimeMappings(runtimeMappings, mapperService),
null
);
}

Expand All @@ -176,7 +178,8 @@ public SearchExecutionContext(SearchExecutionContext source) {
source.fullyQualifiedIndex,
source.allowExpensiveQueries,
source.valuesSourceRegistry,
source.runtimeMappings
source.runtimeMappings,
source.allowedFields
);
}

Expand All @@ -198,7 +201,8 @@ private SearchExecutionContext(int shardId,
Index fullyQualifiedIndex,
BooleanSupplier allowExpensiveQueries,
ValuesSourceRegistry valuesSourceRegistry,
Map<String, MappedFieldType> runtimeMappings) {
Map<String, MappedFieldType> runtimeMappings,
Predicate<String> allowedFields) {
super(xContentRegistry, namedWriteableRegistry, client, nowInMillis);
this.shardId = shardId;
this.shardRequestIndex = shardRequestIndex;
Expand All @@ -217,6 +221,7 @@ private SearchExecutionContext(int shardId,
this.allowExpensiveQueries = allowExpensiveQueries;
this.valuesSourceRegistry = valuesSourceRegistry;
this.runtimeMappings = runtimeMappings;
this.allowedFields = allowedFields;
}

private void reset() {
Expand Down Expand Up @@ -351,6 +356,10 @@ public boolean isFieldMapped(String name) {
}

private MappedFieldType fieldType(String name) {
// If the field is not allowed, behave as if it is not mapped
if (allowedFields != null && false == allowedFields.test(name)) {
return null;
}
MappedFieldType fieldType = runtimeMappings.get(name);
return fieldType == null ? mappingLookup.getFieldType(name) : fieldType;
}
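
Review bot: In `fieldType(String)` a disallowed name returns `null`, the same value as an unmapped field, so the outcome is then decided by the unmapped-field handling: `failIfFieldMappingNotFound` returns the mapping unchanged when `allowUnmappedFields` is set, which means a query on a disallowed field can be accepted and silently match nothing instead of failing. If that is the intended behaviour, say so in the comment and cover both settings of `allowUnmappedFields` in a test. Placing the check before `runtimeMappings.get(name)` is right, since a runtime field defined under a disallowed name is hidden as well.
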
Expand Down Expand Up @@ -418,6 +427,10 @@ public void setMapUnmappedFieldAsString(boolean mapUnmappedFieldAsString) {
this.mapUnmappedFieldAsString = mapUnmappedFieldAsString;
}

public void setAllowedFields(Predicate<String> allowedFields) {
this.allowedFields = allowedFields;
}

MappedFieldType failIfFieldMappingNotFound(String name, MappedFieldType fieldMapping) {
if (fieldMapping != null || allowUnmappedFields) {
return fieldMapping;
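
Review bot: `setAllowedFields` is a public setter that replaces the predicate outright, so any caller holding the context can widen the restriction, including by passing `null`, and the copy constructor carries over whatever was set last. Add javadoc saying who is expected to call it and what `null` means, and consider allowing it to be set only once, or only narrowed by combining with the existing predicate, so the restriction cannot be lifted after it has been applied.
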
@@ -0,0 +1,21 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.action.ActionType;

public final class QueryApiKeyAction extends ActionType<QueryApiKeyResponse> {

public static final String NAME = "cluster:admin/xpack/security/api_key/query";
public static final QueryApiKeyAction INSTANCE = new QueryApiKeyAction();

private QueryApiKeyAction() {
super(NAME, QueryApiKeyResponse::new);
}

}
@@ -0,0 +1,60 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.ActionRequestValidationException;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.core.Nullable;
import org.elasticsearch.index.query.QueryBuilder;

import java.io.IOException;

public final class QueryApiKeyRequest extends ActionRequest {

@Nullable
private final QueryBuilder queryBuilder;
private boolean filterForCurrentUser;

public QueryApiKeyRequest() {
this((QueryBuilder) null);
}

public QueryApiKeyRequest(QueryBuilder queryBuilder) {
this.queryBuilder = queryBuilder;
}

public QueryApiKeyRequest(StreamInput in) throws IOException {
super(in);
queryBuilder = in.readOptionalNamedWriteable(QueryBuilder.class);
}

public QueryBuilder getQueryBuilder() {
return queryBuilder;
}

public boolean isFilterForCurrentUser() {
return filterForCurrentUser;
}

public void setFilterForCurrentUser() {
filterForCurrentUser = true;
}

@Override
public ActionRequestValidationException validate() {
return null;
}

@Override
public void writeTo(StreamOutput out) throws IOException {
super.writeTo(out);
out.writeOptionalNamedWriteable(queryBuilder);
}
}
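
Review bot: `filterForCurrentUser` is not part of the wire format: `writeTo` writes only `queryBuilder` and the `StreamInput` constructor reads only `queryBuilder`, so a request that is serialized after `setFilterForCurrentUser()` was called arrives with the flag back at `false` and the owner restriction is dropped. Either serialize the flag, or document on the field that it is node-local and is only ever set after deserialization. The class and the flag also have no javadoc explaining who sets it and when.
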
@@ -0,0 +1,102 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.action.ActionResponse;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.io.stream.StreamOutput;
import org.elasticsearch.common.io.stream.Writeable;
import org.elasticsearch.common.xcontent.ConstructingObjectParser;
import org.elasticsearch.common.xcontent.ParseField;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;
import org.elasticsearch.common.xcontent.XContentParser;
import org.elasticsearch.xpack.core.security.action.ApiKey;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;

import static org.elasticsearch.common.xcontent.ConstructingObjectParser.optionalConstructorArg;

/**
* Response for search API keys.<br>
* The result contains information about the API keys that were found.
*/
public final class QueryApiKeyResponse extends ActionResponse implements ToXContentObject, Writeable {

private final ApiKey[] foundApiKeysInfo;

public QueryApiKeyResponse(StreamInput in) throws IOException {
super(in);
this.foundApiKeysInfo = in.readArray(ApiKey::new, ApiKey[]::new);
}

public QueryApiKeyResponse(Collection<ApiKey> foundApiKeysInfo) {
Objects.requireNonNull(foundApiKeysInfo, "found_api_keys_info must be provided");
this.foundApiKeysInfo = foundApiKeysInfo.toArray(new ApiKey[0]);
}

public static QueryApiKeyResponse emptyResponse() {
return new QueryApiKeyResponse(Collections.emptyList());
}

public ApiKey[] getApiKeyInfos() {
return foundApiKeysInfo;
}

@Override
public XContentBuilder toXContent(XContentBuilder builder, Params params) throws IOException {
builder.startObject()
.array("api_keys", (Object[]) foundApiKeysInfo);
return builder.endObject();
}

@Override
public void writeTo(StreamOutput out) throws IOException {
out.writeArray(foundApiKeysInfo);
}

@SuppressWarnings("unchecked")
static final ConstructingObjectParser<QueryApiKeyResponse, Void> PARSER =
new ConstructingObjectParser<>("query_api_key_response", args -> {
return (args[0] == null) ? QueryApiKeyResponse.emptyResponse() : new QueryApiKeyResponse((List<ApiKey>) args[0]);
});

static {
PARSER.declareObjectArray(optionalConstructorArg(), (p, c) -> ApiKey.fromXContent(p), new ParseField("api_keys"));
}

public static QueryApiKeyResponse fromXContent(XContentParser parser) throws IOException {
return PARSER.parse(parser, null);
}

@Override
public boolean equals(Object o) {
if (this == o)
return true;
if (o == null || getClass() != o.getClass())
return false;
QueryApiKeyResponse that = (QueryApiKeyResponse) o;
return Arrays.equals(foundApiKeysInfo, that.foundApiKeysInfo);
}

@Override
public int hashCode() {
return Arrays.hashCode(foundApiKeysInfo);
}

@Override
public String toString() {
return "QueryApiKeyResponse [foundApiKeysInfo=" + foundApiKeysInfo + "]";
}

}
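
Review bot: `toString()` concatenates the `ApiKey[]` directly, which prints the array's type and identity hash rather than its contents; use `Arrays.toString(foundApiKeysInfo)`, since `java.util.Arrays` is already imported. Two smaller points: the class javadoc still says "search API keys" although the class is named `QueryApiKeyResponse`, and `getApiKeyInfos()` hands out the internal array, so a caller can modify the response after construction.
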
Expand Up @@ -216,7 +216,6 @@ private Builder(RoleDescriptor rd, @Nullable FieldPermissionsCache fieldPermissi

public Builder cluster(Set<String> privilegeNames, Iterable<ConfigurableClusterPrivilege> configurableClusterPrivileges) {
ClusterPermission.Builder builder = ClusterPermission.builder();
List<ClusterPermission> clusterPermissions = new ArrayList<>();
if (privilegeNames.isEmpty() == false) {
for (String name : privilegeNames) {
builder = ClusterPrivilegeResolver.resolve(name).buildPermission(builder);
Expand Up @@ -12,6 +12,7 @@
import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.InvalidateApiKeyRequest;
import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest;
import org.elasticsearch.xpack.core.security.authc.Authentication;
import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType;
import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
Expand Down Expand Up @@ -75,6 +76,10 @@ protected boolean extendedCheck(String action, TransportRequest request, Authent
invalidateApiKeyRequest.getUserName(), invalidateApiKeyRequest.getRealmName(),
invalidateApiKeyRequest.ownedByAuthenticatedUser()));
}
} else if (request instanceof QueryApiKeyRequest) {
final QueryApiKeyRequest queryApiKeyRequest = (QueryApiKeyRequest) request;
queryApiKeyRequest.setFilterForCurrentUser();
return true;
Member Author

As discussed, this is the simple way of applying the calling user's security context. It works but is probably not a long-term solution. I am open to alternatives.

Contributor

My preference would be to do this in an interceptor, but I don't think that's very easy to do.

Logically, it would be a case of checking whether the Role has unconditional access to some action, but that's not actually easy to do with an arbitrary Authz Engine, and what action would you use?

We could take an approach like we do with the create_doc index privilege and have different logical action names for the unrestricted query vs the restricted query.

That is,

public final class QueryApiKeyAction extends ActionType<QueryApiKeyResponse> {

    public static final String QUERY_ALL = NAME + "/all";
}

And then have special case code somewhere like:

if( role.grantsAction(QueryApiKeyAction.QUERY_ALL ) ) {
   request.setFilterForCurrentUser(false);
} else {
   request.setFilterForCurrentUser(true);
}

I don't have a great suggestion, but this approach really bothers me and I don't want to set a precedent that gets reused for other actions. This is definitely not how we want to make this work in general.

Member Author

I assume your example is about the interceptor approach. We don't have such an interceptor for cluster actions, but I assume it would work similarly to the interceptors for index requests. The interface is

void intercept(
  RequestInfo requestInfo, 
  AuthorizationEngine authorizationEngine, 
  AuthorizationInfo authorizationInfo,
  ActionListener<Void> listener);

Are you concerned that, inside this method, we need to rely only on the fact that both AuthorizationEngine and AuthorizationInfo are interfaces, and that we need to do it in a way that does not make RBACEngine and our Role special, at least in this method? It's challenging even with the "separate action name" approach. None of the existing methods fit this purpose really well. We can sorta fit it into AuthorizationEngine#authorizeClusterAction. But it would be better if we can add a new method to AuthorizationEngine. I think we'll need a high-bandwidth conversation on this.

Member Author

I came up with a new approach inspired by your comment. The idea is to authorize the action a second time if it fails the first time and it is the QueryApiKey action. I think this approach is promising because:

  • It is simple. A few lines change in AuthorizationService
  • In theory works with arbitrary AuthorizationEngine and AuthorizationInfo
  • Does not need a separate action name and works kinda smoothly with the manage_own_api_key privilege.

It has the overhead of a second authorization for the QueryApiKey action. But I think it is acceptable because authorizing on name is pretty fast and it does not affect any other actions.

}
throw new IllegalArgumentException(
"manage own api key privilege only supports API key requests (not " + request.getClass().getName() + ")");
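
Review bot: In the `QueryApiKeyRequest` branch of `extendedCheck`, a method that answers a yes/no authorization question now also mutates the request through `setFilterForCurrentUser()`. The owner restriction then exists only if this particular check is the one that runs and grants the action, which ties correctness to the order in which privileges are evaluated and is invisible to anyone reading the code that later executes the query. At minimum add a comment here explaining that dependency and a test where a role holds both a broader API key privilege and `manage_own_api_key`; the inline thread on this hunk already lists alternatives that move the decision out of the privilege check.
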
@@ -0,0 +1,61 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

package org.elasticsearch.xpack.core.security.action.apikey;

import org.elasticsearch.common.io.stream.BytesStreamOutput;
import org.elasticsearch.common.io.stream.InputStreamStreamInput;
import org.elasticsearch.common.io.stream.NamedWriteableAwareStreamInput;
import org.elasticsearch.common.io.stream.NamedWriteableRegistry;
import org.elasticsearch.common.io.stream.StreamInput;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchModule;
import org.elasticsearch.test.ESTestCase;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.List;

import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.nullValue;

public class QueryApiKeyRequestTests extends ESTestCase {

@Override
protected NamedWriteableRegistry writableRegistry() {
final SearchModule searchModule = new SearchModule(Settings.EMPTY, List.of());
return new NamedWriteableRegistry(searchModule.getNamedWriteables());
}

public void testReadWrite() throws IOException {
final QueryApiKeyRequest request1 = new QueryApiKeyRequest();
try (BytesStreamOutput out = new BytesStreamOutput()) {
request1.writeTo(out);
try (StreamInput in = new InputStreamStreamInput(new ByteArrayInputStream(out.bytes().array()))) {
assertThat(new QueryApiKeyRequest(in).getQueryBuilder(), nullValue());
}
}

final BoolQueryBuilder boolQueryBuilder2 = QueryBuilders.boolQuery()
.filter(QueryBuilders.termQuery("foo", "bar"))
.should(QueryBuilders.idsQuery().addIds("id1", "id2"))
.must(QueryBuilders.wildcardQuery("a.b", "t*y"))
.mustNot(QueryBuilders.prefixQuery("value", "prod"));
final QueryApiKeyRequest request2 = new QueryApiKeyRequest(boolQueryBuilder2);
try (BytesStreamOutput out = new BytesStreamOutput()) {
request2.writeTo(out);
try (StreamInput in = new NamedWriteableAwareStreamInput(out.bytes().streamInput(), writableRegistry())) {
final QueryApiKeyRequest deserialized = new QueryApiKeyRequest(in);
assertThat(deserialized.getQueryBuilder().getClass(), is(BoolQueryBuilder.class));
assertThat((BoolQueryBuilder) deserialized.getQueryBuilder(), equalTo(boolQueryBuilder2));
}
}
}
}
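
Review bot: `testReadWrite` never touches `filterForCurrentUser`, so nothing pins down what happens to the flag across `writeTo` and the `StreamInput` constructor; add a case for a request on which `setFilterForCurrentUser()` was called and assert the expected value after the round trip. The two cases also read the bytes back differently (`InputStreamStreamInput` over `out.bytes().array()` versus `NamedWriteableAwareStreamInput` over `out.bytes().streamInput()`); using the second form for both keeps the test independent of the backing array's layout.
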