Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DOCS] Security domain splitting impacts API keys #88677

Merged
merged 21 commits into from
Jul 28, 2022
Merged

[DOCS] Security domain splitting impacts API keys #88677

Changes from all commits
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
01b6ce1
[DOCS] Domain splitting impacts API keys
n1v0lg Jul 20, 2022
c53653d
Link to update api key docs
n1v0lg Jul 20, 2022
f080b20
Mention updates
n1v0lg Jul 20, 2022
9df3b96
Shorter
n1v0lg Jul 20, 2022
177002b
Nit
n1v0lg Jul 20, 2022
d58e350
Skip username
n1v0lg Jul 20, 2022
79f1f55
Tweak
n1v0lg Jul 20, 2022
98a3d8a
Wording
n1v0lg Jul 20, 2022
22d5f8f
Merge branch 'master' into update-api-keys-domain-splitting
n1v0lg Jul 21, 2022
a15885a
Rephrase
n1v0lg Jul 21, 2022
3cbc64a
Links
n1v0lg Jul 21, 2022
e7857ce
Tweak
n1v0lg Jul 21, 2022
ae20436
Nuke no longer
n1v0lg Jul 21, 2022
9ad75fc
Ditch comma
n1v0lg Jul 21, 2022
b0c42d7
Or updated
n1v0lg Jul 21, 2022
7392567
Include example
n1v0lg Jul 21, 2022
58def71
Merge branch 'master' into update-api-keys-domain-splitting
n1v0lg Jul 22, 2022
f5b5d50
Drop API specifics
n1v0lg Jul 22, 2022
70af42b
Tweak
n1v0lg Jul 22, 2022
7915752
Merge branch 'main' into update-api-keys-domain-splitting
n1v0lg Jul 28, 2022
4f50445
Remove comma
n1v0lg Jul 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions x-pack/docs/en/security/authentication/security-domain.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,8 @@ Some types of resources in {es} are owned by a single user, such as
<<async-search,async search contexts>>, <<security-api-create-api-key,API keys>>,
and <<user-profile,user profiles>>. When a user creates a resource, {es}
captures the user's username and realm information as part of the resource's
metadata.
metadata. Likewise, if a user updates a resource, such as an API key,
Copy link
Contributor Author

@n1v0lg n1v0lg Jul 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not strictly necessary but feels like a worthwhile callout. It makes the transition to the next paragraph slightly more clunky so I can drop the proposed change/push it somewhere else.

{es} automatically re-captures the user's current realm information.

When a user later attempts to access the resource, {es} compares
the captured username and realm information against those from the accessing
Expand Down Expand Up @@ -124,13 +125,15 @@ When adding realms to a security domain, avoid authenticating with a newly-added

Removing realms from a security domain can lead to unexpected behaviors
and is not recommended.
Resources created before the removal can be owned by different users depending on the resource type:
Resources created or updated before the removal can be owned by different users depending on the resource type:

- <<user-profile,User profiles>> are owned by the user for whom the profile was last
<<security-api-activate-user-profile,activated>>.
For users whose realms are no longer in the same domain as the owner user, a new user profile
will be created for them next time the activate user profile API is called.
- Resources such as API keys are owned by the user who originally created them.
- An API key is owned by the user who originally <<security-api-create-api-key,created>> or last <<security-api-update-api-key,updated>> it.
Users, including the original creator of the API key, will lose ownership if their realms are no longer in the same domain as those of the current API key owner.
- Resources such as async search contexts are owned by the user who originally created them.

Instead of removing realms, consider disabling them and keeping them as part of the security domain.
Under all circumstances, resource sharing across realms is only possible between users with the same username.