
Commit f5ccf93

[DOCS] Clarifies API key breaking change (elastic#54522)
1 parent 21abc31 commit f5ccf93


2 files changed

+37
-4
lines changed


docs/reference/migration/migrate_7_6.asciidoc

Lines changed: 30 additions & 1 deletion
@@ -13,12 +13,41 @@ See also <<release-highlights>> and <<es-release-notes>>.
1313
//Installation and Upgrade Guide
1414

1515
//tag::notable-breaking-changes[]
16+
[discrete]
17+
[[breaking_76_security_changes]]
18+
=== Security changes
19+
20+
[discrete]
21+
==== {es} API key privileges
22+
23+
If you use an API key to create another API key (sometimes called a
24+
_derived key_), its behavior is impacted by the fix for
25+
https://www.elastic.co/community/security[CVE-2020-7009].
26+
27+
When you make a request to create API keys, you can specify an expiration and
28+
privileges for the API key. Previously, when you created a derived key, it had
29+
no privileges. This behavior disregarded any privileges that you specified in
30+
the {ref}/security-api-create-api-key.html[create API key API].
31+
32+
As of 7.6.2, this behavior changes. To create derived keys with no privileges,
33+
you must explicitly specify an empty role descriptor. For example:
34+
35+
[source,js]
36+
----
37+
...
38+
"role_descriptors": {
39+
"no-privilege": {
40+
}
41+
}
42+
...
43+
----
44+
// NOTCONSOLE
1645

1746
//end::notable-breaking-changes[]
1847

1948
[discrete]
2049
[[breaking_76_search_changes]]
21-
=== Search Changes
50+
=== Search changes
2251

2352
[discrete]
2453
==== Deprecation of sparse vector fields
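Review bot: the 7.6.2 failure mode is left unstated in the new paragraph "When you make a request to create API keys ... you must explicitly specify an empty role descriptor": a reader still cannot tell what the create API key API does when a derived-key request omits `role_descriptors` entirely, or names non-empty privileges in it. The release-notes entry added in this same commit says derived-key creation "now requires explicit 'no privileges' configuration", so state here whether such requests are rejected (and with what error) rather than leaving it to be inferred from the example. It would also help to say whether the descriptor name in the example (`"no-privilege"`) is significant or whether only the empty body `{}` matters, since that is the one line readers will copy.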

docs/reference/release-notes/7.6.asciidoc

Lines changed: 7 additions & 3 deletions
@@ -3,6 +3,13 @@
33

44
Also see <<breaking-changes-7.6,Breaking changes in 7.6>>.
55

6+
[[breaking-7.6.2]]
7+
[float]
8+
=== Breaking changes
9+
10+
Authorization::
11+
* Creation of derived API keys (keys created by existing keys) now requires explicit "no privileges" configuration {pull}53647[#53647], https://www.elastic.co/community/security[CVE-2020-7009]
12+
613
[[bug-7.6.2]]
714
[float]
815
=== Bug fixes
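Review bot: the new `Authorization::` bullet under `[[breaking-7.6.2]]` links only to the PR and the CVE page, not to the migration-guide section this same commit introduces (`[[breaking_76_security_changes]]`, which carries the empty `role_descriptors` example). The only route there is the generic `Also see <<breaking-changes-7.6,Breaking changes in 7.6>>.` line above the hunk. Consider ending the bullet with a direct cross-reference, e.g. `See <<breaking_76_security_changes>>.`, so someone reading the 7.6.2 release notes lands on the worked example instead of having to search the 7.6 migration page.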
@@ -13,9 +20,6 @@ Allocation::
1320
Authentication::
1421
* Fix potential bug in concurrent token refresh support {pull}53668[#53668]
1522

16-
Authorization::
17-
* Explicitly require that delegate API keys have no privileges {pull}53647[#53647]
18-
1923
CCR::
2024
* Handle no such remote cluster exception in ccr {pull}53415[#53415] (issue: {issue}53225[#53225])
2125
