Skip to content

Security: add create api key transport action #34572

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 29 commits into from
Nov 2, 2018
Merged

Security: add create api key transport action #34572

merged 29 commits into from
Nov 2, 2018

Conversation

jaymode
Copy link
Member

@jaymode jaymode commented Oct 17, 2018

In order to support api keys for access to elasticsearch, we need the
ability to generate these api keys. A transport action has been added
along with the request and response objects that allow for the
generation of api keys. The api keys require a name and optionally
allow a role to be specified which defines the amount of access the key
has. Additionally an expiration may also be provided.

This change does not include the restriction that the role needs to be
a subset of the user's permissions, which will be added seperately. As
it exists in this change, the api key is currently not usable which is
another aspect that will come later.

Relates #34383

@jaymode
Security: add create api key transport action
ff5d47d 
In order to support api keys for access to elasticsearch, we need the
ability to generate these api keys. A transport action has been added
along with the request and response objects that allow for the
generation of api keys. The api keys require a name and optionally
allow a role to be specified which defines the amount of access the key
has. Additionally an expiration may also be provided.

This change does not include the restriction that the role needs to be
a subset of the user's permissions, which will be added seperately. As
it exists in this change, the api key is currently not usable which is
another aspect that will come later.

Relates elastic#34383
@jaymode jaymode added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Oct 17, 2018
@jaymode jaymode requested review from bizybot and tvernum October 17, 2018 20:30
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security

@jaymode jaymode changed the base branch from master to security_api_keys October 17, 2018 20:33
tvernum
tvernum reviewed Oct 19, 2018
View reviewed changes
bizybot
bizybot reviewed Oct 22, 2018
View reviewed changes
@jaymode jaymode mentioned this pull request Oct 22, 2018
Merged
@jaymode jaymode requested a review from jkakavas October 24, 2018 15:37
@jaymode
Copy link
Member Author

jaymode commented Oct 31, 2018

@tvernum @jkakavas this is ready for review again

tvernum
tvernum requested changes Nov 1, 2018
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's 1 issue about still indexing the api key.
The other comments are suggestions that you can take or leave as you wish.

...gin/core/src/main/java/org/elasticsearch/xpack/core/security/action/CreateApiKeyRequest.java
validationException = addValidationError("name is required", validationException);
} else if (name.length() > 256) {
validationException = addValidationError("name may not be more than 256 characters long", validationException);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we have any other restrictions on names?
I feel like starting or ending in whitespace is likely to cause confusion, and perhaps we should reserve names start with _ just in case we need them in the future?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added those restrictions

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
.field("principal", authentication.getUser().principal())
.field("metadata", authentication.getUser().metadata())
.field("realm", authentication.getLookedUpBy() == null ?
authentication.getAuthenticatedBy().getName() : authentication.getLookedUpBy().getName())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess it depends on how this gets used in the future, but we may need to think about how we deal with realm names, and their potential to change over time.
In particular, out-of-the-box we have "default_file" and "default_native", but once someone adds another realm (e.g. LDAP), they tend to not use "default_native" as the name of their native realm (because we don't tell them to).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason behind storing the realm is based on the invalidation api and being able to invalidate by realm. It really stinks that we don't have a way to enforce realm name consistency between nodes

jkakavas
jkakavas approved these changes Nov 1, 2018
View reviewed changes
Copy link
Member

@jkakavas jkakavas left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the iterations !

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java Outdated
private static final String TYPE = "doc";
public static final Setting<String> PASSWORD_HASHING_ALGORITHM = new Setting<>(
"xpack.security.authc.api_key.hashing.algorithm", "pbkdf2", Function.identity(), (v, s) -> {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit but maybe xpack.security.authc.api_key_hashing.algorithm makes more sense ( consistent with xpack.security.authc.password_hashing.algorithm ) ? Naming is hard and I don't have strong opinions

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure I'll be consistent

@jaymode
Copy link
Member Author

jaymode commented Nov 1, 2018

We definitely need to think about how we expect administrators to handle existing api-keys when a user's privileges are downgraded.

This is tricky. Maybe we provide an API for an administrator to validate permissions against a set of role names for a given user? We don't keep a record of what a users roles are, so I do not think we can do this automatically unless we have shadow users. Maybe something like:

POST /_xpack/security/api_key/_check_permissions
{
        "username": "tvernum",
        "roles": [ ]
}

tvernum
tvernum approved these changes Nov 2, 2018
View reviewed changes
Copy link
Contributor

@tvernum tvernum left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jaymode jaymode merged commit f087b54 into elastic:security_api_keys Nov 2, 2018
@jaymode jaymode deleted the create_api_key branch November 2, 2018 13:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bizybot bizybot bizybot left review comments

@robgil robgil robgil left review comments

@tvernum tvernum tvernum approved these changes

@jkakavas jkakavas jkakavas approved these changes

Assignees
No one assigned
Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@jaymode @elasticmachine @bizybot @robgil @tvernum @jkakavas