Support viewing API key privileges #89058

Closed
5 tasks done
ywangd opened this issue Aug 3, 2022 · 1 comment
Labels
>enhancement :Security/Security Security issues without another label Team:Security Meta label for security team

ywangd commented Aug 3, 2022

Today the privileges of an API key cannot be viewed after its creation[1]. The alternative is to check its privileges with the HasPrivileges API. This is useful for authorization purposes but not helpful in terms of management and audit etc. API keys are now updatable (since #88186). Since each update can potentially alter both the key's assigned descriptors (role_descriptors) and the captured owner user's permissions (limited_by_role_descriptors), it has become even harder to accurately know about an API key's privileges at any point in time. Hence the recommendation is to add support for viewing API key privileges with relevant APIs. The proposed work items are as follows:

  • Return role_descriptors by default in GetApiKey API. (no change to the privilege model around it)
  • Optionally return limited_by_role_descriptors in GetApiKey API when (1) a limited_by query parameter is specified and (2) the authenticating subject is the owner of the API or has manage_api_key (or higher) privilege.
  • Update GetUserPrivileges API to return error 400 (instead of the current 500) when called with API keys and advise users to use the GetApiKey API
  • Update QueryApiKey API to have similar support for role_descriptors and limited_by_role_descriptors.
  • REST specs, YAML tests, Docs

Footnotes

  1. It is possible to retrieve the backing document of an API key by directly reading the security index. But directly accessing the security index is generally discouraged.

@ywangd ywangd added >enhancement :Security/Security Security issues without another label labels Aug 3, 2022
@ywangd ywangd self-assigned this Aug 3, 2022
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Aug 3, 2022
@elasticsearchmachine

Pinging @elastic/es-security (Team:Security)

elasticsearchmachine pushed a commit that referenced this issue Aug 9, 2022
This PR adds a new `role_descriptors` field in the API key entity
returned by both GetApiKey and QueryApiKey APIs. The field value is the
map of the role descriptors that are assigned to an API key when
creating or updating the key. If the key has no assigned role
descriptors, i.e. it inherits the owner user's privileges, an empty
object is returned in place.

Relates: #89058

elasticsearchmachine pushed a commit that referenced this issue Aug 12, 2022
An API key's effective permission is an intersection between its
assigned role descriptors and a snapshot of its owner user's role
descriptors (limited-by role descriptors). In #89166, the assigned role
descriptors are now returned by default in Get/Query API key responses.

This PR further adds support to optionally return limited-by role
descriptors in the responses. Unlike assigned role descriptors, an API key
cannot view any limited-by role descriptors unless it has manage_api_key
or higher privileges.

Relates: #89058

elasticsearchmachine pushed a commit that referenced this issue Aug 17, 2022
This PR expands existing YAML tests and docs for the new
role_descriptors field returned in both Get and Query API key calls.

Relates: #89166, #89058

elasticsearchmachine pushed a commit that referenced this issue Aug 18, 2022
The GetUserPrivileges API returns a 500 error when it is called with an
API key that has assigned role descriptors. This is because the
underlying LimitedRole class that represents the API key's effective
privileges does not support building a simple view of the privileges.

This PR changes the code to return 400 error instead of 500 along with a
better error message that suggests the GetApiKey API as an alternative.

Relates: #89058

ywangd added a commit that referenced this issue Aug 23, 2022
This PR updates relevant docs and yaml tests to cover the new feature
of viewing API key's limited-by role descriptors introduced in #89273

Relates: #89058

@ywangd ywangd closed this as completed Sep 5, 2022
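
An audit sketch for the responses described in this thread, added here as an example and not taken from the Elasticsearch code base: it separates keys with assigned role descriptors from keys that inherit the owner's snapshot, and records whether the limited-by bound was visible to the caller. The sample response is constructed, and the `limited_by` response field with its list-of-maps shape is an assumption about the response format, which the thread does not show.

```python
import json

# Constructed sample shaped like a Get API key response; all ids, names and roles are made up.
SAMPLE_RESPONSE = json.loads("""
{"api_keys": [
  {"id": "key-1", "name": "ingest",
   "role_descriptors": {"writer": {"cluster": [], "indices": [
       {"names": ["logs-*"], "privileges": ["create_doc"]}]}},
   "limited_by": [{"power_user": {"cluster": ["monitor"], "indices": [
       {"names": ["*"], "privileges": ["all"]}]}}]},
  {"id": "key-2", "name": "legacy",
   "role_descriptors": {},
   "limited_by": [{"superuser": {"cluster": ["all"], "indices": [
       {"names": ["*"], "privileges": ["all"]}]}}]},
  {"id": "key-3", "name": "no-view",
   "role_descriptors": {"reader": {"cluster": [], "indices": [
       {"names": ["metrics-*"], "privileges": ["read"]}]}}}
]}
""")

def summarize(descriptors):
    """Flatten a {role_name: descriptor} map into sorted privilege strings."""
    out = set()
    for rd in descriptors.values():
        out.update(f"cluster:{p}" for p in rd.get("cluster", []))
        for idx in rd.get("indices", []):
            for name in idx.get("names", []):
                out.update(f"index:{name}:{p}" for p in idx.get("privileges", []))
    return sorted(out)

def audit(response):
    """Report, per key, which descriptor sets bound it and whether the owner bound is visible."""
    findings = []
    for key in response["api_keys"]:
        assigned = key.get("role_descriptors") or {}
        limited = key.get("limited_by")  # absent unless requested and permitted
        owner = {}
        for entry in limited or []:      # assumed shape: list of {role_name: descriptor}
            owner.update(entry)
        findings.append({
            "id": key["id"],
            # Empty assigned descriptors: the key inherits the owner's privileges.
            "scope": "assigned and owner snapshot" if assigned else "owner snapshot only",
            "assigned": summarize(assigned),
            "owner_snapshot": summarize(owner) if limited is not None else None,
        })
    return findings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

A key reported as "owner snapshot only" carries whatever the owner held when the key was created or last updated, so those entries are the ones to review first.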