Add support for API keys to access Elasticsearch (#38291) #38399

Merged
merged 5 commits into from
Feb 6, 2019

Commits on Feb 5, 2019

  1. Add support for API keys to access Elasticsearch (elastic#38291)

    X-Pack security supports built-in authentication service
    `token-service` that allows access tokens to be used to
    access Elasticsearch without using Basic authentication.
    The tokens are generated by `token-service` based on
    OAuth2 spec. The access token is a short-lived token
    (defaults to 20m) and refresh token with a lifetime of 24 hours,
    making them unsuitable for long-lived or recurring tasks where
    the system might go offline thereby failing refresh of tokens.
    
    This commit introduces a built-in authentication service
    `api-key-service` that adds support for long-lived tokens aka API
    keys to access Elasticsearch. The `api-key-service` is consulted
    after `token-service` in the authentication chain. By default,
    if TLS is enabled then `api-key-service` is also enabled.
    The service can be disabled using the configuration setting.
    
    The API keys:-
    - by default do not have an expiration but expiration can be
      configured where the API keys need to be expired after a
      certain amount of time.
    - when generated will keep authentication information of the user that
       generated them.
    - can be defined with a role describing the privileges for accessing
       Elasticsearch and will be limited by the role of the user that
       generated them
    - can be invalidated via invalidation API
    - information can be retrieved via a get API
    - that have been expired or invalidated will be retained for 1 week
      before being deleted. The expired API keys remover task handles this.
    
    Following are the API key management APIs:-
    1. Create API Key - `PUT/POST /_security/api_key`
    2. Get API key(s) - `GET /_security/api_key`
    3. Invalidate API Key(s) - `DELETE /_security/api_key`
    
    The API keys can be used to access Elasticsearch using the `Authorization`
    header, where the auth scheme is `ApiKey` and the credentials are the
    base64 encoding of API key Id and API key separated by a colon.
    Example:-
    ```
    curl -H "Authorization: ApiKey YXBpLWtleS1pZDphcGkta2V5" http://localhost:9200/_cluster/health
    ```
    
    Closes elastic#34383
    bizybot authored and Yogesh Gaikwad committed Feb 5, 2019
    3554850
  2. 29a98c4
  3. 124569b
  4. 953dd8c
  5. fb3fa6d
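
The `Authorization: ApiKey` credential format described in the first commit message, as an added Python example that is not part of the pull request or the Elasticsearch code base. The function names are hypothetical, and the sample value is the one from the commit's curl line.

```python
import base64

SCHEME = "ApiKey"  # auth scheme named in the commit message


def encode_api_key_header(key_id: str, api_key: str) -> str:
    """Build the Authorization header value: 'ApiKey ' + base64(id ':' key)."""
    if not key_id or not api_key:
        raise ValueError("id and key must be non-empty")
    if ":" in key_id:
        # The colon is the separator, so an id containing one would be ambiguous.
        raise ValueError("id must not contain ':'")
    raw = f"{key_id}:{api_key}".encode("utf-8")
    return f"{SCHEME} {base64.b64encode(raw).decode('ascii')}"


def parse_api_key_header(value: str) -> tuple[str, str]:
    """Return (key_id, api_key); raise ValueError on any malformed input."""
    scheme, _, creds = value.strip().partition(" ")
    # HTTP auth scheme names are case-insensitive (RFC 7235).
    if scheme.lower() != SCHEME.lower() or not creds:
        raise ValueError("not an ApiKey credential")
    # validate=True rejects characters outside the base64 alphabet;
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(creds.strip(), validate=True).decode("utf-8")
    key_id, sep, api_key = decoded.partition(":")  # split on the FIRST colon only
    if not sep or not key_id or not api_key:
        raise ValueError("expected '<id>:<key>' inside the base64 payload")
    return key_id, api_key


def safe_log_fields(value: str) -> dict:
    """Fields fit for an access log: base64 is encoding, not encryption, so the
    header is a bearer secret and only the key id is kept."""
    key_id, _ = parse_api_key_header(value)
    return {"scheme": SCHEME, "api_key_id": key_id}


if __name__ == "__main__":
    sample = "ApiKey YXBpLWtleS1pZDphcGkta2V5"  # value from the commit's curl example
    print(parse_api_key_header(sample))
    print(safe_log_fields(sample))
```
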