Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security in Core] Exposes apiKeys from core.security.authc #186910

Merged

Conversation

SiddharthMantri
Copy link
Contributor

@SiddharthMantri SiddharthMantri commented Jun 25, 2024

Summary

Expose apiKeys as a service under core.security.authc.apiKeys.

Closes #184764

Details

PR introduces a new API Keys Service which is accessible under the authc namespace in core.security. The service exposes the public API that was already available on the server-side in the security plugin.

The service is initialized and registered with core using the delegate_api - allowing access to the service within the core plugin without the need for the security plugin.

Note: I had to move quite a few types/functions around to prevent cyclical dependencies.

Plugins and the APIs that use the current apiKeys function from the security plugin

Expand for table with details
Plugin File API used Can be migrated
alerting x-pack/plugins/alerting/plugin/server.ts areApiKeysEnabled()
x-pack/plugins/alerting/server/rules_client_factory.ts grantAsInternalUser()
x-pack/plugins/alerting/server/task.ts invalidatedAsInternalUser()
enterprise_search x-pack/plugins/enterprise_search/server/routes/enterprise_search/api_keys create()
x-pack/plugins/enterprise_search/server/lib/indices/create_api_key.ts create()
fleet x-pack/plugins/fleet/server/routes/setup/handlers.ts areApiKeysEnabled()
x-pack/plugins/fleet/server/services/api_keys/security invalidateAsInternalUser()
x-pack/plugins/fleet/server/services/api_keys/transform_api_keys.ts grantAsInternalUser()
x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts areApiKeysEnabled()
x-pack/plugins/fleet/server/services/setup/fleet_server_policies_enrollment_keys.ts areAPIKeysEnabled()
x-pack/plugins/observability_solution/apm/server/routes/agent_keys/get_agent_keys_privileges.ts areAPIKeysEnabled()
observability_solution x-pack/plugins/observability_solution/entity_manager/server/lib/auth/api_key/api_key.ts areAPIKeysEnabled
validate
grantAsInternalUser
x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/disable.ts invalidateAsInternalUser
x-pack/plugins/observability_solution/entity_manager/server/routes/enablement/enable.ts invalidateAsInternalUser
x-pack/plugins/observability_solution/observability_onboarding/server/routes/flow/route.ts create
x-pack/plugins/observability_solution/synthetics/server/routes/synthetics_service/enablement.ts invalidateAsInternalUser
x-pack/plugins/observability_solution/synthetics/server/synthetics_service/get_api_key.ts validate
areAPIKeysEnabled
grantAsInternalUser
create
serverless_search x-pack/plugins/serverless_search/server/routes/api_key_routes.ts create
x-pack/plugins/transform/server/routes/api/reauthorize_transforms/route_handler_factory.ts grantAsInternalUser
x-pack/plugins/upgrade_assistant/server/lib/reindexing/credential_store.ts grantAsInternalUser
invalidateAsInternalUser
areAPIKeysEnabled()

@SiddharthMantri
Copy link
Contributor Author

/ci

@SiddharthMantri
Copy link
Contributor Author

/ci

@SiddharthMantri
Copy link
Contributor Author

/ci

@SiddharthMantri
Copy link
Contributor Author

/ci

@SiddharthMantri SiddharthMantri changed the title [Security in Core] Exposes apiKeys from core [Security in Core] Exposes apiKeys from core.security.authc Jun 26, 2024
@SiddharthMantri
Copy link
Contributor Author

/ci

@SiddharthMantri SiddharthMantri marked this pull request as ready for review June 26, 2024 13:29
@SiddharthMantri SiddharthMantri requested review from a team as code owners June 26, 2024 13:29
@SiddharthMantri SiddharthMantri added Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Users/Roles/API Keys labels Jun 26, 2024
@SiddharthMantri
Copy link
Contributor Author

@elasticmachine merge upstream

@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner June 29, 2024 11:45
@elena-shostak elena-shostak self-assigned this Jul 1, 2024
Copy link
Contributor

@elena-shostak elena-shostak left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@@ -26,6 +26,26 @@ export class CoreSecurityRouteHandlerContext implements SecurityRequestHandlerCo
if (this.#authc == null) {
this.#authc = {
getCurrentUser: () => this.securityStart.authc.getCurrentUser(this.request),
apiKeys: {
areAPIKeysEnabled: this.securityStart.authc.apiKeys.areAPIKeysEnabled.bind(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can use arrow function instead of bind, like getCurrentUser

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea! Addressed in 1faeaa4

@kibana-ci
Copy link
Collaborator

💛 Build succeeded, but was flaky

Failed CI Steps

The CI Stats report is too large to be displayed here, check out the CI build annotation for this information.

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @elena-shostak

@SiddharthMantri
Copy link
Contributor Author

@elasticmachine merge upstream

@SiddharthMantri SiddharthMantri removed the request for review from a team July 9, 2024 12:05
@SiddharthMantri SiddharthMantri enabled auto-merge (squash) July 9, 2024 12:05
@SiddharthMantri SiddharthMantri merged commit ff9a48e into elastic:main Jul 9, 2024
20 checks passed
@elasticmachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
@kbn/core-security-server 16 63 +47
@kbn/core-security-server-mocks 13 15 +2
@kbn/security-plugin-types-server 121 154 +33
security 206 222 +16
total +98

Any counts in public APIs

Total count of every any typed public API. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats any for more detailed information.

id before after diff
@kbn/core-security-server 0 1 +1
@kbn/security-plugin-types-server 0 1 +1
total +2
Unknown metric groups

API count

id before after diff
@kbn/core-security-server 52 146 +94
@kbn/core-security-server-mocks 13 15 +2
@kbn/security-plugin-types-server 216 275 +59
security 415 438 +23
total +178

History

cc @elena-shostak

SiddharthMantri added a commit that referenced this pull request Aug 30, 2024
…gin to core security service (#189713)

## Summary

Part of #186574
Closes #189714

Background: This PR is an example of a plugin migrating away from
depending on the Security plugin, which is a high-priority effort for
the last release before 9.0. The Enterprise search plugin uses
authc.apiKeys.create from the security plugin's start contract on the
server side.

For more context, the PR which exposes the API keys service from core is
here: #186910

This PR migrates the usage from the security plugin start contract to
the core security service.

---------

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: kibanamachine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport:skip This commit does not require backporting Feature:Users/Roles/API Keys release_note:skip Skip the PR/issue when compiling release notes Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! v8.15.0 v8.16.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security-in-core] Expose API Key service under core.security.authc
6 participants