
Disallow derived cross-cluster API keys#96401

Merged
elasticsearchmachine merged 6 commits into elastic:main from ywangd:rcs-no-derived-cross-cluster-api-key
May 31, 2023

Conversation

@ywangd
Member

@ywangd ywangd commented May 29, 2023

This PR actively blocks creating cross-cluster API keys with another API key to avoid the issue of derived API key ownership.

Relates: #95714

This PR actively blocks creating cross-cluster API keys with another API
key to avoid the issue of derived API key ownership.
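The guard this PR describes, modelled as an added example rather than Elasticsearch's own code: a request for a new API key is rejected with HTTP 400 before any key material is generated when the caller itself authenticated with an API key and asked for a cross-cluster key. The class names, fields and the `create_api_key` / `check_can_create` functions are assumptions standing in for the real request handler; the error wording is the one n1v0lg proposed in review and the author adopted. The example also assumes, as the title implies, that ordinary (non-cross-cluster) keys may still be derived from another API key, so the two key types are treated differently.

```python
"""Model of the pre-check the PR adds to cross-cluster API key creation.

Added example, not Elasticsearch code: the types and functions below are
assumptions that stand in for the real request handler.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple, Union


class SubjectType(Enum):
    """How the calling subject was authenticated (assumed minimal model)."""
    USER = "user"          # authenticated against a realm (native, file, SAML, ...)
    API_KEY = "api_key"    # authenticated with an existing API key


class ApiKeyType(Enum):
    REST = "rest"                      # ordinary API key
    CROSS_CLUSTER = "cross_cluster"    # key used for remote-cluster access


@dataclass(frozen=True)
class Authentication:
    principal: str                     # user name behind the request
    subject_type: SubjectType
    api_key_id: Optional[str] = None   # set when subject_type is API_KEY


@dataclass(frozen=True)
class ApiKeyDoc:
    """What would be persisted for a new key (assumed fields)."""
    name: str
    key_type: ApiKeyType
    creator: str
    derived_from_api_key_id: Optional[str]


class ApiKeyRequestError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


# Wording from the review thread (suggested by n1v0lg, adopted by the author).
CROSS_CLUSTER_DERIVED_MESSAGE = "An API key cannot be used to create a cross-cluster API key."


def check_can_create(auth: Authentication, key_type: ApiKeyType) -> None:
    """Reject early: a cross-cluster key may only be created by a subject that
    authenticated as a user. Ordinary keys are left alone (assumption: they
    remain derivable, as the PR title implies)."""
    if key_type is ApiKeyType.CROSS_CLUSTER and auth.subject_type is SubjectType.API_KEY:
        raise ApiKeyRequestError(400, CROSS_CLUSTER_DERIVED_MESSAGE)


def create_api_key(auth: Authentication, name: str, key_type: ApiKeyType) -> ApiKeyDoc:
    check_can_create(auth, key_type)
    # A derived key records the key that created it; that ownership question
    # is exactly what the PR avoids having to answer for cross-cluster keys.
    derived_from = auth.api_key_id if auth.subject_type is SubjectType.API_KEY else None
    return ApiKeyDoc(name=name, key_type=key_type, creator=auth.principal,
                     derived_from_api_key_id=derived_from)


def try_create(auth: Authentication, name: str,
               key_type: ApiKeyType) -> Tuple[int, Union[ApiKeyDoc, str]]:
    """Shape the outcome like an HTTP handler: (status, document or error text)."""
    try:
        return 200, create_api_key(auth, name, key_type)
    except ApiKeyRequestError as e:
        return e.status, e.message


if __name__ == "__main__":
    # Constructed sample subjects, not real identities or key ids.
    user = Authentication("alice", SubjectType.USER)
    via_key = Authentication("alice", SubjectType.API_KEY, api_key_id="constructed-key-id")
    print(try_create(user, "ccs-key", ApiKeyType.CROSS_CLUSTER))        # 200, cross-cluster doc
    print(try_create(via_key, "derived", ApiKeyType.REST))              # 200, derived ordinary key
    print(try_create(via_key, "ccs-derived", ApiKeyType.CROSS_CLUSTER)) # 400, rejected
```

Running the block shows the asymmetry in one place: the same API-key-authenticated subject can still derive an ordinary key but gets a 400 for a cross-cluster one, and the returned message is what a client test like the one reviewed in this PR would assert on.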
@ywangd ywangd added the >non-issue, :Security/Security (Security issues without another label) and v8.9.0 labels May 29, 2023
@ywangd ywangd requested a review from n1v0lg May 29, 2023 00:51
@elasticsearchmachine elasticsearchmachine added the Team:Security (Meta label for security team) label May 29, 2023
@elasticsearchmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

Contributor

@n1v0lg n1v0lg left a comment


LGTM

assertThat(e.getResponse().getStatusLine().getStatusCode(), equalTo(400));
assertThat(
    e.getMessage(),
    containsString("authentication via API key not supported: only non-API key users can create a cross-cluster API key")
);
Contributor


Nit: only non-API key users sounds confusing in that it feels like it can mean "not users of API keys" -- would go with "An API key cannot be used to create a cross-cluster API key." or similar.

Member Author


Updated as suggested. Thanks!

@ywangd ywangd added the auto-merge-without-approval (Automatically merge pull request when CI checks pass; NB: doesn't wait for reviews!) label May 30, 2023
@ywangd
Member Author

ywangd commented May 30, 2023

@elasticmachine update branch

@ywangd
Member Author

ywangd commented May 31, 2023

@elasticmachine run elasticsearch-ci/part-1-fips

@elasticsearchmachine elasticsearchmachine merged commit 83bfcc6 into elastic:main May 31, 2023
@ywangd ywangd deleted the rcs-no-derived-cross-cluster-api-key branch May 31, 2023 00:47