
@bizybot (Contributor) commented Aug 12, 2019

Unless the API key has manage_api_key privilege, it cannot get its
own API key information when authenticating using an API key. There can
be a use case wherein we do not wish the user authenticating using an API
key to be able to invalidate or view any other API keys but only view information
about itself. This commit addresses this by allowing the request when
API key id from the GetApiKeyRequest matches the API key id present in the
authentication metadata.

Relates: #40031

Unless the API key has `manage_api_key` privilege, it cannot get its
own API key information when authenticating using an API key. There can
be a use case wherein we do not wish the user authenticating using an API
key to be able to invalidate or view any other API keys. This commit
solves this by allowing the request in case the API key id from
the `GetApiKeyRequest` matches the API key id present in the
`authentication` metadata.

Relates: elastic#40031
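The authorization rule the description sets out, as an added, simplified model that is not Elasticsearch's own code: `manage_api_key` still grants the whole request, and without it a `GetApiKeyRequest` is allowed only when the caller authenticated with an API key and asks for exactly that key's id. The realm type and metadata key constants, the dataclass shapes and the function names are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constant values are assumptions of this model, not taken from the project.
API_KEY_REALM_TYPE = "_es_api_key"          # realm type recorded for API key auth
API_KEY_ID_METADATA = "_security_api_key_id"  # metadata key holding the key's id
MANAGE_API_KEY = "manage_api_key"


@dataclass
class Authentication:
    realm_type: str                           # realm that authenticated the caller
    metadata: dict = field(default_factory=dict)


@dataclass
class GetApiKeyRequest:
    # The request may filter by id, name, realm or user; only the id matters here.
    api_key_id: Optional[str] = None
    api_key_name: Optional[str] = None
    realm_name: Optional[str] = None
    user_name: Optional[str] = None


def own_api_key_id(auth: Authentication) -> Optional[str]:
    """Id of the API key that authenticated this caller, or None if it was
    not an API key authentication (or the metadata is missing the id)."""
    if auth.realm_type != API_KEY_REALM_TYPE:
        return None
    return auth.metadata.get(API_KEY_ID_METADATA)


def is_get_api_key_allowed(auth: Authentication, request: GetApiKeyRequest,
                           privileges: Set[str]) -> bool:
    """Decide whether a GetApiKeyRequest may proceed.

    manage_api_key keeps its full power. Otherwise the request passes only
    when it names the caller's own key id: a request without an id (which
    would list keys by name, realm or user) is still denied, as is an id
    that belongs to some other key.
    """
    if MANAGE_API_KEY in privileges:
        return True
    own_id = own_api_key_id(auth)
    if own_id is None or request.api_key_id is None:
        return False
    return request.api_key_id == own_id
```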
@bizybot bizybot added >bug :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Aug 12, 2019
@elasticmachine (Collaborator)

Pinging @elastic/es-security

@bizybot (Contributor, Author) commented Aug 12, 2019

Build failure due to ForecastIT; the issue has already been raised.
@elasticmachine run elasticsearch-ci/1

@bizybot bizybot requested a review from tvernum August 12, 2019 12:15
@bizybot (Contributor, Author) commented Aug 12, 2019

Hit a failure in MlDistributedFailureIT.testFullClusterRestart; an issue already exists.
@elasticmachine run elasticsearch-ci/1

@albertzaharovits (Contributor) left a comment

One comment, otherwise LGTM.

@tvernum (Contributor) left a comment

LGTM

@bizybot bizybot merged commit 4d1bed0 into elastic:manage-own-api-key-privilege Aug 15, 2019