Add granular privileges for API keys

client/rest-high-level/src/main/java/org/elasticsearch/client/security/user/privileges/Role.java

@@ -313,14 +313,16 @@ public static class ClusterPrivilegeName {
         public static final String MANAGE_SAML = "manage_saml";
         public static final String MANAGE_OIDC = "manage_oidc";
         public static final String MANAGE_TOKEN = "manage_token";
+        public static final String MANAGE_API_KEY = "manage_api_key";
         public static final String MANAGE_PIPELINE = "manage_pipeline";
         public static final String MANAGE_CCR = "manage_ccr";
         public static final String READ_CCR = "read_ccr";
         public static final String MANAGE_ILM = "manage_ilm";
         public static final String READ_ILM = "read_ilm";
         public static final String[] ALL_ARRAY = new String[] { NONE, ALL, MONITOR, MONITOR_ML, MONITOR_WATCHER, MONITOR_ROLLUP, MANAGE,
                 MANAGE_ML, MANAGE_WATCHER, MANAGE_ROLLUP, MANAGE_INDEX_TEMPLATES, MANAGE_INGEST_PIPELINES, TRANSPORT_CLIENT,
-            MANAGE_SECURITY, MANAGE_SAML, MANAGE_OIDC, MANAGE_TOKEN, MANAGE_PIPELINE, MANAGE_CCR, READ_CCR, MANAGE_ILM, READ_ILM};
+                MANAGE_SECURITY, MANAGE_SAML, MANAGE_OIDC, MANAGE_TOKEN, MANAGE_API_KEY, MANAGE_PIPELINE, MANAGE_CCR, READ_CCR, MANAGE_ILM,
+                READ_ILM };
     }
 
     /**

plugins/examples/security-authorization-engine/src/main/java/org/elasticsearch/example/CustomAuthorizationEngine.java

@@ -36,7 +36,7 @@
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissions;
 import org.elasticsearch.xpack.core.security.authz.permission.ResourcePrivileges;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilegeDescriptor;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivilege;
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.util.ArrayList;
@@ -199,7 +199,7 @@ private HasPrivilegesResponse getHasPrivilegesResponse(Authentication authentica
 
     private GetUserPrivilegesResponse getUserPrivilegesResponse(boolean isSuperuser) {
         final Set<String> cluster = isSuperuser ? Collections.singleton("ALL") : Collections.emptySet();
-        final Set<ConditionalClusterPrivilege> conditionalCluster = Collections.emptySet();
+        final Set<GlobalClusterPrivilege> conditionalCluster = Collections.emptySet();
         final Set<GetUserPrivilegesResponse.Indices> indices = isSuperuser ? Collections.singleton(new Indices(Collections.singleton("*"),
             Collections.singleton("*"), Collections.emptySet(), Collections.emptySet(), true)) : Collections.emptySet();
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackClientPlugin.java

@@ -168,8 +168,8 @@
 import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.ExceptExpression;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.FieldExpression;
 import org.elasticsearch.xpack.core.security.authc.support.mapper.expressiondsl.RoleMapperExpression;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.ManageApplicationPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivilege;
 import org.elasticsearch.xpack.core.sql.SqlFeatureSetUsage;
 import org.elasticsearch.xpack.core.ssl.action.GetCertificateInfoAction;
 import org.elasticsearch.xpack.core.upgrade.actions.IndexUpgradeAction;
@@ -386,9 +386,9 @@ public List<NamedWriteableRegistry.Entry> getNamedWriteables() {
                 new NamedWriteableRegistry.Entry(NamedDiff.class, TokenMetaData.TYPE, TokenMetaData::readDiffFrom),
                 new NamedWriteableRegistry.Entry(XPackFeatureSet.Usage.class, XPackField.SECURITY, SecurityFeatureSetUsage::new),
                 // security : conditional privileges
-                new NamedWriteableRegistry.Entry(ConditionalClusterPrivilege.class,
-                    ConditionalClusterPrivileges.ManageApplicationPrivileges.WRITEABLE_NAME,
-                    ConditionalClusterPrivileges.ManageApplicationPrivileges::createFrom),
+                new NamedWriteableRegistry.Entry(GlobalClusterPrivilege.class,
+                        ManageApplicationPrivileges.WRITEABLE_NAME,
+                        ManageApplicationPrivileges::createFrom),
                 // security : role-mappings
                 new NamedWriteableRegistry.Entry(RoleMapperExpression.class, AllExpression.NAME, AllExpression::new),
                 new NamedWriteableRegistry.Entry(RoleMapperExpression.class, AnyExpression.NAME, AnyExpression::new),

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/GetApiKeyRequest.java

@@ -117,16 +117,6 @@ public ActionRequestValidationException validate() {
             validationException = addValidationError("One of [api key id, api key name, username, realm name] must be specified",
                     validationException);
         }
-        if (Strings.hasText(apiKeyId) || Strings.hasText(apiKeyName)) {
-            if (Strings.hasText(realmName) || Strings.hasText(userName)) {
-                validationException = addValidationError(
-                        "username or realm name must not be specified when the api key id or api key name is specified",
-                        validationException);
-            }
-        }
-        if (Strings.hasText(apiKeyId) && Strings.hasText(apiKeyName)) {
-            validationException = addValidationError("only one of [api key id, api key name] can be specified", validationException);
-        }
         return validationException;
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/InvalidateApiKeyRequest.java

@@ -117,16 +117,6 @@ public ActionRequestValidationException validate() {
             validationException = addValidationError("One of [api key id, api key name, username, realm name] must be specified",
                     validationException);
         }
-        if (Strings.hasText(id) || Strings.hasText(name)) {
-            if (Strings.hasText(realmName) || Strings.hasText(userName)) {
-                validationException = addValidationError(
-                        "username or realm name must not be specified when the api key id or api key name is specified",
-                        validationException);
-            }
-        }
-        if (Strings.hasText(id) && Strings.hasText(name)) {
-            validationException = addValidationError("only one of [api key id, api key name] can be specified", validationException);
-        }
         return validationException;
     }
 

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/role/PutRoleRequest.java

@@ -15,8 +15,8 @@
 import org.elasticsearch.common.io.stream.StreamOutput;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivileges;
 import org.elasticsearch.xpack.core.security.support.MetadataUtils;
 
 import java.io.IOException;
@@ -35,7 +35,7 @@ public class PutRoleRequest extends ActionRequest implements WriteRequest<PutRol
 
     private String name;
     private String[] clusterPrivileges = Strings.EMPTY_ARRAY;
-    private ConditionalClusterPrivilege[] conditionalClusterPrivileges = ConditionalClusterPrivileges.EMPTY_ARRAY;
+    private GlobalClusterPrivilege[] conditionalClusterPrivileges = GlobalClusterPrivileges.EMPTY_ARRAY;
     private List<RoleDescriptor.IndicesPrivileges> indicesPrivileges = new ArrayList<>();
     private List<RoleDescriptor.ApplicationResourcePrivileges> applicationPrivileges = new ArrayList<>();
     private String[] runAs = Strings.EMPTY_ARRAY;
@@ -82,7 +82,7 @@ public void cluster(String... clusterPrivileges) {
         this.clusterPrivileges = clusterPrivileges;
     }
 
-    void conditionalCluster(ConditionalClusterPrivilege... conditionalClusterPrivileges) {
+    void conditionalCluster(GlobalClusterPrivilege... conditionalClusterPrivileges) {
         this.conditionalClusterPrivileges = conditionalClusterPrivileges;
     }
 
@@ -145,7 +145,7 @@ public List<RoleDescriptor.ApplicationResourcePrivileges> applicationPrivileges(
         return Collections.unmodifiableList(applicationPrivileges);
     }
 
-    public ConditionalClusterPrivilege[] conditionalClusterPrivileges() {
+    public GlobalClusterPrivilege[] conditionalClusterPrivileges() {
         return conditionalClusterPrivileges;
     }
 
@@ -168,7 +168,7 @@ public void readFrom(StreamInput in) throws IOException {
             indicesPrivileges.add(new RoleDescriptor.IndicesPrivileges(in));
         }
         applicationPrivileges = in.readList(RoleDescriptor.ApplicationResourcePrivileges::new);
-        conditionalClusterPrivileges = ConditionalClusterPrivileges.readArray(in);
+        conditionalClusterPrivileges = GlobalClusterPrivileges.readArray(in);
         runAs = in.readStringArray();
         refreshPolicy = RefreshPolicy.readFrom(in);
         metadata = in.readMap();
@@ -184,7 +184,7 @@ public void writeTo(StreamOutput out) throws IOException {
             index.writeTo(out);
         }
         out.writeList(applicationPrivileges);
-        ConditionalClusterPrivileges.writeArray(out, this.conditionalClusterPrivileges);
+        GlobalClusterPrivileges.writeArray(out, this.conditionalClusterPrivileges);
         out.writeStringArray(runAs);
         refreshPolicy.writeTo(out);
         out.writeMap(metadata);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/user/GetUserPrivilegesResponse.java

@@ -15,8 +15,8 @@
 import org.elasticsearch.common.xcontent.XContentBuilder;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsDefinition;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivileges;
 
 import java.io.IOException;
 import java.util.Collection;
@@ -32,7 +32,7 @@
 public final class GetUserPrivilegesResponse extends ActionResponse {
 
     private Set<String> cluster;
-    private Set<ConditionalClusterPrivilege> conditionalCluster;
+    private Set<GlobalClusterPrivilege> conditionalCluster;
     private Set<Indices> index;
     private Set<RoleDescriptor.ApplicationResourcePrivileges> application;
     private Set<String> runAs;
@@ -41,7 +41,7 @@ public GetUserPrivilegesResponse() {
         this(Collections.emptySet(), Collections.emptySet(), Collections.emptySet(), Collections.emptySet(), Collections.emptySet());
     }
 
-    public GetUserPrivilegesResponse(Set<String> cluster, Set<ConditionalClusterPrivilege> conditionalCluster,
+    public GetUserPrivilegesResponse(Set<String> cluster, Set<GlobalClusterPrivilege> conditionalCluster,
                                      Set<Indices> index,
                                      Set<RoleDescriptor.ApplicationResourcePrivileges> application,
                                      Set<String> runAs) {
@@ -56,7 +56,7 @@ public Set<String> getClusterPrivileges() {
         return cluster;
     }
 
-    public Set<ConditionalClusterPrivilege> getConditionalClusterPrivileges() {
+    public Set<GlobalClusterPrivilege> getConditionalClusterPrivileges() {
         return conditionalCluster;
     }
 
@@ -75,7 +75,7 @@ public Set<String> getRunAs() {
     public void readFrom(StreamInput in) throws IOException {
         super.readFrom(in);
         cluster = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
-        conditionalCluster = Collections.unmodifiableSet(in.readSet(ConditionalClusterPrivileges.READER));
+        conditionalCluster = Collections.unmodifiableSet(in.readSet(GlobalClusterPrivileges.READER));
         index = Collections.unmodifiableSet(in.readSet(Indices::new));
         application = Collections.unmodifiableSet(in.readSet(RoleDescriptor.ApplicationResourcePrivileges::new));
         runAs = Collections.unmodifiableSet(in.readSet(StreamInput::readString));
@@ -85,7 +85,7 @@ public void readFrom(StreamInput in) throws IOException {
     public void writeTo(StreamOutput out) throws IOException {
         super.writeTo(out);
         out.writeCollection(cluster, StreamOutput::writeString);
-        out.writeCollection(conditionalCluster, ConditionalClusterPrivileges.WRITER);
+        out.writeCollection(conditionalCluster, GlobalClusterPrivileges.WRITER);
         out.writeCollection(index);
         out.writeCollection(application);
         out.writeCollection(runAs, StreamOutput::writeString);

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/RoleDescriptor.java

@@ -23,8 +23,8 @@
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
 import org.elasticsearch.common.xcontent.json.JsonXContent;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivilege;
-import org.elasticsearch.xpack.core.security.authz.privilege.ConditionalClusterPrivileges;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivilege;
+import org.elasticsearch.xpack.core.security.authz.privilege.GlobalClusterPrivileges;
 import org.elasticsearch.xpack.core.security.support.Validation;
 import org.elasticsearch.xpack.core.security.xcontent.XContentUtils;
 
@@ -48,7 +48,7 @@ public class RoleDescriptor implements ToXContentObject, Writeable {
 
     private final String name;
     private final String[] clusterPrivileges;
-    private final ConditionalClusterPrivilege[] conditionalClusterPrivileges;
+    private final GlobalClusterPrivilege[] conditionalClusterPrivileges;
     private final IndicesPrivileges[] indicesPrivileges;
     private final ApplicationResourcePrivileges[] applicationPrivileges;
     private final String[] runAs;
@@ -64,7 +64,7 @@ public RoleDescriptor(String name,
 
     /**
      * @deprecated Use {@link #RoleDescriptor(String, String[], IndicesPrivileges[], ApplicationResourcePrivileges[],
-     * ConditionalClusterPrivilege[], String[], Map, Map)}
+     * GlobalClusterPrivilege[], String[], Map, Map)}
      */
     @Deprecated
     public RoleDescriptor(String name,
@@ -77,7 +77,7 @@ public RoleDescriptor(String name,
 
     /**
      * @deprecated Use {@link #RoleDescriptor(String, String[], IndicesPrivileges[], ApplicationResourcePrivileges[],
-     * ConditionalClusterPrivilege[], String[], Map, Map)}
+     * GlobalClusterPrivilege[], String[], Map, Map)}
      */
     @Deprecated
     public RoleDescriptor(String name,
@@ -93,14 +93,14 @@ public RoleDescriptor(String name,
                           @Nullable String[] clusterPrivileges,
                           @Nullable IndicesPrivileges[] indicesPrivileges,
                           @Nullable ApplicationResourcePrivileges[] applicationPrivileges,
-                          @Nullable ConditionalClusterPrivilege[] conditionalClusterPrivileges,
+                          @Nullable GlobalClusterPrivilege[] conditionalClusterPrivileges,
                           @Nullable String[] runAs,
                           @Nullable Map<String, Object> metadata,
                           @Nullable Map<String, Object> transientMetadata) {
         this.name = name;
         this.clusterPrivileges = clusterPrivileges != null ? clusterPrivileges : Strings.EMPTY_ARRAY;
         this.conditionalClusterPrivileges = conditionalClusterPrivileges != null
-            ? conditionalClusterPrivileges : ConditionalClusterPrivileges.EMPTY_ARRAY;
+            ? conditionalClusterPrivileges : GlobalClusterPrivileges.EMPTY_ARRAY;
         this.indicesPrivileges = indicesPrivileges != null ? indicesPrivileges : IndicesPrivileges.NONE;
         this.applicationPrivileges = applicationPrivileges != null ? applicationPrivileges : ApplicationResourcePrivileges.NONE;
         this.runAs = runAs != null ? runAs : Strings.EMPTY_ARRAY;
@@ -122,7 +122,7 @@ public RoleDescriptor(StreamInput in) throws IOException {
         this.transientMetadata = in.readMap();
 
         this.applicationPrivileges = in.readArray(ApplicationResourcePrivileges::new, ApplicationResourcePrivileges[]::new);
-        this.conditionalClusterPrivileges = ConditionalClusterPrivileges.readArray(in);
+        this.conditionalClusterPrivileges = GlobalClusterPrivileges.readArray(in);
     }
 
     public String getName() {
@@ -133,7 +133,7 @@ public String[] getClusterPrivileges() {
         return this.clusterPrivileges;
     }
 
-    public ConditionalClusterPrivilege[] getConditionalClusterPrivileges() {
+    public GlobalClusterPrivilege[] getConditionalClusterPrivileges() {
         return this.conditionalClusterPrivileges;
     }
 
@@ -231,7 +231,7 @@ public XContentBuilder toXContent(XContentBuilder builder, Params params, boolea
         builder.array(Fields.CLUSTER.getPreferredName(), clusterPrivileges);
         if (conditionalClusterPrivileges.length != 0) {
             builder.field(Fields.GLOBAL.getPreferredName());
-            ConditionalClusterPrivileges.toXContent(builder, params, Arrays.asList(conditionalClusterPrivileges));
+            GlobalClusterPrivileges.toXContent(builder, params, Arrays.asList(conditionalClusterPrivileges));
         }
         builder.array(Fields.INDICES.getPreferredName(), (Object[]) indicesPrivileges);
         builder.array(Fields.APPLICATIONS.getPreferredName(), (Object[]) applicationPrivileges);
@@ -259,7 +259,7 @@ public void writeTo(StreamOutput out) throws IOException {
         out.writeMap(metadata);
         out.writeMap(transientMetadata);
         out.writeArray(ApplicationResourcePrivileges::write, applicationPrivileges);
-        ConditionalClusterPrivileges.writeArray(out, getConditionalClusterPrivileges());
+        GlobalClusterPrivileges.writeArray(out, getConditionalClusterPrivileges());
     }
 
     public static RoleDescriptor parse(String name, BytesReference source, boolean allow2xFormat, XContentType xContentType)
@@ -290,7 +290,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
         String currentFieldName = null;
         IndicesPrivileges[] indicesPrivileges = null;
         String[] clusterPrivileges = null;
-        List<ConditionalClusterPrivilege> conditionalClusterPrivileges = Collections.emptyList();
+        List<GlobalClusterPrivilege> conditionalClusterPrivileges = Collections.emptyList();
         ApplicationResourcePrivileges[] applicationPrivileges = null;
         String[] runAsUsers = null;
         Map<String, Object> metadata = null;
@@ -308,7 +308,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
                     || Fields.APPLICATION.match(currentFieldName, parser.getDeprecationHandler())) {
                 applicationPrivileges = parseApplicationPrivileges(name, parser);
             } else if (Fields.GLOBAL.match(currentFieldName, parser.getDeprecationHandler())) {
-                conditionalClusterPrivileges = ConditionalClusterPrivileges.parse(parser);
+                conditionalClusterPrivileges = GlobalClusterPrivileges.parse(parser);
             } else if (Fields.METADATA.match(currentFieldName, parser.getDeprecationHandler())) {
                 if (token != XContentParser.Token.START_OBJECT) {
                     throw new ElasticsearchParseException(
@@ -329,7 +329,7 @@ public static RoleDescriptor parse(String name, XContentParser parser, boolean a
             }
         }
         return new RoleDescriptor(name, clusterPrivileges, indicesPrivileges, applicationPrivileges,
-            conditionalClusterPrivileges.toArray(new ConditionalClusterPrivilege[conditionalClusterPrivileges.size()]), runAsUsers,
+            conditionalClusterPrivileges.toArray(new GlobalClusterPrivilege[conditionalClusterPrivileges.size()]), runAsUsers,
             metadata, null);
     }