Skip to content

Expose API key name to the ingest pipeline #49106

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bytebilly opened this issue Nov 14, 2019 · 6 comments · Fixed by #51305
Closed

Expose API key name to the ingest pipeline #49106

bytebilly opened this issue Nov 14, 2019 · 6 comments · Fixed by #51305
Assignees
@ywangd
Labels
>enhancement release highlight :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.7.0

Comments

@bytebilly
Copy link
Contributor

bytebilly commented Nov 14, 2019
edited
Loading

Description

We have the Set Security User Processor, that is able to add information about the authenticated user that performs the request.

We could do something similar when an API key is used to authenticate instead of a regular user.

Proposal

We can create a new processor (or extend the Set Security User Processor) to make API key information available to the ingest pipeline.

We should expose the name field. We can also expose other fields if they could be relevant.
@bytebilly bytebilly added >enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Nov 14, 2019
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@albertzaharovits
Copy link
Contributor

Authentication with API Keys or tokens is thought to appear as if coming from the user itself, i.e. be transparent. Hence the API key name or id are not exposed in the user metadata. There is a lapse here, because the realm that did the authentication in case of API Key authentication is _es_api_key , but the realm name is not exposed in Set Security User Processor.

If we were to expose this information to an ingest processor then I would be inclined to add a new processor.

@bytebilly can you please detail a little more the use case for this?

@tvernum
Copy link
Contributor

tvernum commented Nov 18, 2019

@albertzaharovits ES 7.5 will support required pipelines. This allows an admin to force that documents include information about how they were ingested.
For models where ingest tools (e.g. beats) are authenticating with API keys, knowing which API key performed the ingestion is necessary in order to know which client ingested the document.

Because we have not been able to enforce a pipeline until now, we haven't really kept Set Security User Processor up to date because it was so easy to by-pass.
Since that has changed, we ought to expand that processor with additional fields (e.g. authentication type, realm name, and API key id/name).

@albertzaharovits
Copy link
Contributor

Thank you for the context @tvernum . I can now clearly see the need for it. Upon further reflection I think that the API Key id/name should be part of the User object we attach to the ThreadContext during authentication, and afterwards it should be simple for the Set Security User Processor to pull that into a doc field. Please let me know if this doesn't jibe with your idea for it.

@tvernum
Copy link
Contributor

tvernum commented Nov 19, 2019

It probably makes sense for it to be on the User object for other reasons, but some of that information (original realm, key-id) is already in the Authentication object's metadata (and the name would be easy to add), so I think it's already fairly simple to add support in the Set Security User Processor.

I prefer adding to the existing processor (as new optional fields) because then it becomes possible to have a single object in the ingested doc that contains full information about which user ingested it, and how they authenticated.

@bytebilly
Copy link
Contributor Author

I agree on improving the Set Security User Processor, this will make easier for users to build their pipelines since they don't have to know in advance it authentication comes from users or keys.

@ywangd ywangd mentioned this issue Jan 22, 2020
Merged
@ywangd ywangd mentioned this issue Feb 5, 2020
Open
ywangd added a commit that referenced this issue Feb 10, 2020
@ywangd
Expose more authentication info to ingest pipeline (#51305)
5c9f795 
The changes add more granularity for identiying the data ingestion user.
The ingest pipeline can now be configure to record authentication realm and
type. It can also record API key name and ID when one is in use. 
This improves traceability when data are being ingested from multiple agents
and will become more relevant with the incoming support of required
pipelines (#46847)

Resolves: #49106
ywangd added a commit to ywangd/elasticsearch that referenced this issue Feb 10, 2020
@ywangd
Expose more authentication info to ingest pipeline (elastic#51305)
5cc8242 
The changes add more granularity for identiying the data ingestion user.
The ingest pipeline can now be configure to record authentication realm and
type. It can also record API key name and ID when one is in use. 
This improves traceability when data are being ingested from multiple agents
and will become more relevant with the incoming support of required
pipelines (elastic#46847)

Resolves: elastic#49106
@ywangd ywangd mentioned this issue Feb 10, 2020
Merged
ywangd added a commit that referenced this issue Feb 11, 2020
@ywangd
Expose more authentication info to ingest pipeline (#51305) (#52119)
16ba59e 
The changes add more granularity for identiying the data ingestion user.
The ingest pipeline can now be configure to record authentication realm and
type. It can also record API key name and ID when one is in use. 
This improves traceability when data are being ingested from multiple agents
and will become more relevant with the incoming support of required
pipelines (#46847)

Resolves: #49106
@albertzaharovits albertzaharovits mentioned this issue Mar 26, 2020
Closed
@codebrain codebrain mentioned this issue Apr 1, 2020
Closed
@tvernum tvernum mentioned this issue Sep 21, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywangd ywangd

Labels
>enhancement release highlight :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v7.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Expose API key name to the ingest pipeline ywangd/elasticsearch
5 participants
@tvernum @ywangd @albertzaharovits @elasticmachine @bytebilly