Enhance API Key Querying #103192
Hi @albertzaharovits, I've created a changelog YAML for you.
| ApiKeyAggregationsBuilder.verifyRequested(aggsBuilder, filteringAuthentication); | ||
| searchSourceBuilder.aggregationsBuilder(aggsBuilder); |
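Review bot: `verifyRequested(aggsBuilder, filteringAuthentication)` is named like a read-only check, yet the same `aggsBuilder` instance is handed to `searchSourceBuilder.aggregationsBuilder(...)` on the next line, so any rewriting it performs happens in place on the caller's request object. Consider a name that signals the rewrite, or have it return the processed builder and pass that result on, so the change is visible at the call site and the original request stays untouched.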
The above verifies & modifies the requested aggregation to:
- prohibit scripts that can directly access the API Key docs
- rewrite the field names (because the query & agg use different field names from the document ones, in order to reflect the terminology that we use in the returned API Keys)
- rewrite queries to scope them to API Key docs only (and sometimes to the keys owned by the calling user only)
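The three steps listed in the comment above, as an added sketch that is not part of the PR or of Elasticsearch. It works on the JSON form of an aggregation request; the field map, the `doc_type` marker, the owner field and the set of allowed aggregation and query types are constructed assumptions.

```python
# Added illustration, not Elasticsearch code. The field map, doc_type marker
# and owner field are constructed assumptions.
FIELD_MAP = {"name": "name", "type": "runtime_key_type", "username": "creator.principal"}
OWNER_FIELD = "creator.principal"
LEAF_AGGS = {"terms", "cardinality", "value_count", "missing"}


def translate_field(name):
    """Map an API-level field name to its document field; unknown names are refused."""
    if name not in FIELD_MAP:
        raise ValueError(f"field [{name}] is not allowed")
    return FIELD_MAP[name]


def scope_query(query, owner):
    """Translate a single term query and confine it to API key docs (and one owner)."""
    ((kind, body),) = query.items()
    if kind != "term":
        raise ValueError(f"query type [{kind}] is not allowed in this sketch")
    ((field, value),) = body.items()
    scope = [{"term": {"doc_type": "api_key"}}]
    if owner is not None:
        scope.append({"term": {OWNER_FIELD: owner}})
    return {"bool": {"must": [{"term": {translate_field(field): value}}], "filter": scope}}


def process_aggs(aggs, owner=None):
    """Return a rewritten copy of an aggregation tree, or raise ValueError."""
    out = {}
    for name, spec in aggs.items():
        new = {}
        for kind, body in spec.items():
            if kind in ("aggs", "aggregations"):
                new["aggs"] = process_aggs(body, owner)
            elif kind in LEAF_AGGS:
                if "script" in body:
                    raise ValueError(f"aggregation [{name}] must not use a script")
                new[kind] = {**body, "field": translate_field(body.get("field"))}
            elif kind == "filter":
                new[kind] = scope_query(body, owner)
            elif kind == "filters":
                new[kind] = {"filters": {k: scope_query(q, owner) for k, q in body["filters"].items()}}
            else:
                raise ValueError(f"aggregation type [{kind}] is not allowed")
        out[name] = new
    return out


# Constructed sample request: keys per type, with a named-key filter nested inside.
SAMPLE = {"by_type": {"terms": {"field": "type"},
                      "aggs": {"named": {"filter": {"term": {"name": "ci-key"}}}}}}
```

`process_aggs(SAMPLE, owner="alice")` returns a new tree and leaves the caller's request unchanged; anything outside the allowlists fails closed with `ValueError`.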
| this.format = clone.format; | ||
| this.missing = clone.missing; | ||
| this.timeZone = clone.timeZone; | ||
| this.config = clone.config; |
Removed this unused bit, as it looked like one way to change the value source for the agg, and the point of this PR is to restrict that for API Keys aggs.
|
|
||
| public static class KeyedFilter implements Writeable, ToXContentFragment { | ||
| private final String key; | ||
| private final QueryBuilder filter; |
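Review bot: `KeyedFilter` is a public `Writeable` whose `key` and `filter` fields are `private final` here; if `filter` has to lose `final` so the API Key code can rescope it, every other user of this class gets a mutable value object as well. Keeping the field final and constructing a new `KeyedFilter` with the same `key` and the rewritten query would keep the change local to the security code; if a setter is unavoidable, document that it exists only for that rewrite.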
Unfortunately, I had to make the filter here mutable, because the query for API Key aggs has to be modified to go only over API Key docs, and also optionally of a single user.
| public class FilterAggregationBuilder extends AbstractAggregationBuilder<FilterAggregationBuilder> { | ||
| public static final String NAME = "filter"; | ||
|
|
||
| private final QueryBuilder filter; |
| public static final String API_KEY_TYPE_RUNTIME_MAPPING_FIELD = "runtime_key_type"; | ||
| private static final Map<String, Object> API_KEY_TYPE_RUNTIME_MAPPING = Map.of( | ||
| API_KEY_TYPE_RUNTIME_MAPPING_FIELD, | ||
| Map.of("type", "keyword", "script", Map.of("source", "emit(doc['type'].value ?: \"rest\");")) | ||
| ); |
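Review bot: In the runtime field script, `doc['type'].value` is evaluated before the `?:` fallback can apply, and reading `.value` on a document that has no value for the field raises an error instead of yielding null. Since the `"rest"` default is there for documents without a `type`, guard on `doc['type'].size() == 0` (or use `field('type').get("rest")`) and add a test that queries a key document lacking the field.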
Keys created before 8.9 (#95714) don't have a type field and they effectively work as "rest" types do post 8.9.
Adds support for the following to the Query API Key API:
- `type` as an allowed field to be queried (whose value can be set to either `rest` or `cross_cluster`)

Closes: #101691