-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security/APIKey Service] Internal API endpoint do determine if user has API keys #172884
[Security/APIKey Service] Internal API endpoint do determine if user has API keys #172884
Conversation
ad2335c
to
12f4747
Compare
cb840c9
to
d6ebe83
Compare
d6ebe83
to
89a92fd
Compare
|
||
const apiResponse = await esClient.asCurrentUser.security.getApiKey({ | ||
owner: true, | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure the owner
field needs any conditions, but perhaps I'm not aware.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'm not aware of any conditions either.
ACK: will review today |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! Just left a few comments.
|
||
const apiResponse = await esClient.asCurrentUser.security.getApiKey({ | ||
owner: true, | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, I'm not aware of any conditions either.
owner: true, | ||
}); | ||
|
||
const validKeys = apiResponse.api_keys.filter(({ invalidated }) => !invalidated); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: you filter out invalidated keys, but not expired ones - is it intentional? If not, can we use active_only
request parameter to avoid this additional filtering?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@azasypkin I see your point, but I don't see the active_only
parameter supported in the SecurityGetApiKeyRequest
typings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm, it should be available since 8.10.0 - elastic/elasticsearch#98259 - let me figure this out. In the worst case I'd prefer to do something like this to filter keys on ES side instead:
const apiResponse = await esClient.asCurrentUser.security.getApiKey({
owner: true,
// @ts-expect-error @elastic/elasticsearch SecurityGetApiKeyRequest.active_only: boolean | undefined
active_only: true,
});
return response.ok<HasAPIKeysResult>({
body: {
hasApiKeys: apiResponse.api_keys.length > 0,
},
});
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, we'll get this definition in the client soon (elastic/elasticsearch#103621), let's move forward with active_only
and @ts-expect-error
(if needed) for now (Client will include the parameter regardless wrong type definition).
x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Aleh Zasypkin <[email protected]>
…sullivan/kibana into security/api-keys-service-has-api-keys
ACK: will review today |
Pinging @elastic/kibana-security (Team:Security) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Left a few final notes, but LGTM otherwise! Let's move forward with active_only
even if it requires temporary @ts-expect-error
.
owner: true, | ||
}); | ||
|
||
const validKeys = apiResponse.api_keys.filter(({ invalidated }) => !invalidated); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, we'll get this definition in the client soon (elastic/elasticsearch#103621), let's move forward with active_only
and @ts-expect-error
(if needed) for now (Client will include the parameter regardless wrong type definition).
x-pack/test/security_api_integration/tests/api_keys/has_active_key.ts
Outdated
Show resolved
Hide resolved
} catch (error) { | ||
return response.customError(wrapIntoCustomErrorResponse(error)); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: just realized, we don't really need a try/catch
here, let's let Core to handle and log this error properly (without exposing too much raw error details).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This feedback makes sense. After removing the try/catch I also had to delete a unit test, should forward error from Elasticsearch GET API keys endpoint
Co-authored-by: Aleh Zasypkin <[email protected]>
…_key.ts Co-authored-by: Aleh Zasypkin <[email protected]>
…sullivan/kibana into security/api-keys-service-has-api-keys
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
## Summary This PR offers customizations to the "Getting Started" experience for users of Serverless Elasticsearch projects. The changes involve checking Elasticsearch if the currently-logged-in user has created API Keys, and to use that information to customize the getting started messaging (destination of the call-to-action of the "no data" prompt) in the UI. ### Screenshots | | Before | After | |-|-|-| | Data Views Mgmt | <img width="1646" alt="before - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/b5c28dda-9ff8-40de-af89-71587bdbbe54"> | <img width="1646" alt="after - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/13aae073-9fef-407a-bdb1-e09d6ea1d168"> | | Analytics | <img width="1646" alt="before - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/ac0e70e5-9a73-4de3-8182-51350099ae87"> | <img width="1646" alt="after - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/6f9231e0-d2fb-480b-a5a2-79cc9f853a9b"> | Elasticsearch documentation on API Key listing: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html Depends on: #172884 Closes: elastic/search-team#5974 Closes: elastic/search-team#5975 ### Other changes * Created a React hook to send and track a request to the Kibana server to ask whether the user has access to API Keys * Added unit test for this * See discussion, this hook may be [re-organized eventually](#172225 (comment)) * Enable lazy loading for the "Analytics No Data" page within analytics apps. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
## Summary This PR offers customizations to the "Getting Started" experience for users of Serverless Elasticsearch projects. The changes involve checking Elasticsearch if the currently-logged-in user has created API Keys, and to use that information to customize the getting started messaging (destination of the call-to-action of the "no data" prompt) in the UI. ### Screenshots | | Before | After | |-|-|-| | Data Views Mgmt | <img width="1646" alt="before - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/b5c28dda-9ff8-40de-af89-71587bdbbe54"> | <img width="1646" alt="after - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/13aae073-9fef-407a-bdb1-e09d6ea1d168"> | | Analytics | <img width="1646" alt="before - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/ac0e70e5-9a73-4de3-8182-51350099ae87"> | <img width="1646" alt="after - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/6f9231e0-d2fb-480b-a5a2-79cc9f853a9b"> | Elasticsearch documentation on API Key listing: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html Depends on: elastic#172884 Closes: elastic/search-team#5974 Closes: elastic/search-team#5975 ### Other changes * Created a React hook to send and track a request to the Kibana server to ask whether the user has access to API Keys * Added unit test for this * See discussion, this hook may be [re-organized eventually](elastic#172225 (comment)) * Enable lazy loading for the "Analytics No Data" page within analytics apps. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
Summary
This PR enhances the Security server plugin APIKey service with a new method to determine if the user has API keys. The service is integrated into the "No Data Page" server plugin as a new HTTP route. This route is called when needed to direct users effectively through their getting started experience.
Pulled from #172225
Context
Checklist
Delete any items that are not applicable to this PR.