Allow users to Update API Keys

[kc13greiner]

Summary

API keys can now be updated via the API Keys Management screen

Release Note

API Keys can now be updated with new Role Descriptors and Metadata via the API Keys Management screen.

Testing Instructions

Login as elastic

Navigate to Roles and create a new role with the read_security cluster privilege:

Create a new user and assign that new role, viewer, and kibana_admin:

Navigate to Dev Tools and run the following:

POST /_security/api_key/grant
{
  "grant_type": "password",
  "username" : "elastic",  
  "password" : "changeme",  
  "run_as": "elastic",  
  "api_key" : {
    "name": "test-expired-key",
    "expiration": "1ms"
  }
}

POST /_security/api_key/grant
{
  "grant_type": "password",
  "username" : "elastic",  
  "password" : "changeme",  
  "run_as": "test_user",  
  "api_key" : {
    "name": "test-user-key",
    "expiration": "1d"
  }
}

The first command will create an API key for the elastic user that expires immediately.

The second command will create an API key for test_user.

Navigate to the API Key page, click the name column links to see a readonly view for the 2 previously created keys as users cannot update an API key that belongs to another user nor an API key that is expired.

Create a new API key:

Click the name link for the newly created API key to see the Update API key flyout.

Update the fields and click submit:

If the update was successful:

Now click the name link again for the updated key and click submit without making changes. You should see a warning:

Logout the elastic user and login as test_user

Navigate to API Keys and click the existing API Key to see a readonly view flyout:

Thanks for reviewing!

[kc13greiner]

Question to reviewer: Do you think this is an appropriate expiration value to display?

[jeramysoucy]

The expiration summary on the table page is certainly more natural to interpret (i.e. number of hours or mins). I noticed we're limited to days in the flyout (reason?), but I could see this being a more free-form input like we see in other duration/time-based controls (like in discover for example).

If we don't want to change the control to more than just days (e.g. weeks or months), I would suggest displaying either the originally configured lifetime OR the remaining number of whole days (if possible a special case of "<1" for less than 1 day but more than 0). And then always show the "expires in"/"expired" summary text underneath the control (same as what's in the table).

Right now it will also display negative days after a key has expired, which I am not sure was intended. Is it useful to know how long ago a key expired? If so, I would just leave the lifetime at zero and add a text summary (e.g. "expired 3 hours ago"). I think this would be more intuitive than negative floating-point days.

[kc13greiner]

Thank you for the suggestion on this - it looks so much cleaner now with the Status

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jeramysoucy]

Looks good! As discussed, let's ping Thom to get his thoughts on a couple of things.

[jeramysoucy]

This seems to also be true if you have the 'read_sec' permission and access to the API key's screen (via kibana admin or viewer role)?

[kc13greiner]

Great catch! I've added a line in the docs to reference the readonly view. @gchaps Would you mind reviewing the new sentence I added?

[jeramysoucy]

Just for my own knowledge, is it pretty typical (on other platforms/apis) that expiration dates are locked once an API key is created?

[kc13greiner]

The original ticket said only those fields could be updated (that appears to be all ES allows). I think the process if a key is expired is to invalidate it and re- create

[thomheymann]

If Elasticsearch allows updating expiration time then we should support it in the UI as well

[kc13greiner]

Elasticsearch only allows those fields in the request body

[jeramysoucy]

Complete nit, but the rest of the tests use 'queries the correct endpoint' language.

[kc13greiner]

Fixed!

[jeramysoucy]

Consistency nit

Suggested change

	createdApiKeyResponse: CreateApiKeyResponse | undefined,
	createApiKeyResponse: CreateApiKeyResponse | undefined,

[kc13greiner]

Fixed!

[jeramysoucy]

The expiration summary on the table page is certainly more natural to interpret (i.e. number of hours or mins). I noticed we're limited to days in the flyout (reason?), but I could see this being a more free-form input like we see in other duration/time-based controls (like in discover for example).

If we don't want to change the control to more than just days (e.g. weeks or months), I would suggest displaying either the originally configured lifetime OR the remaining number of whole days (if possible a special case of "<1" for less than 1 day but more than 0). And then always show the "expires in"/"expired" summary text underneath the control (same as what's in the table).

Right now it will also display negative days after a key has expired, which I am not sure was intended. Is it useful to know how long ago a key expired? If so, I would just leave the lifetime at zero and add a text summary (e.g. "expired 3 hours ago"). I think this would be more intuitive than negative floating-point days.

[jeramysoucy]

Should we include cases to check for manage-own vs. manage all view? Test callouts?

[kc13greiner]

Since we are mocking the data from ES it will show whatever we put in the mock. Looking at the routes/api-keys/get.ts it passes an isAdmin value which I believe is the flag that determines if the user gets all the keys or just theirs.

[jeramysoucy]

There's no api_key_flyout.test.tsx file. Should we add one that tests the flyout in readonly vs. create vs. edit mode?

EDIT: Looks like this is all tested by the functional tests in x-pack/test/functional/apps/api_keys/home_page.ts

[azasypkin]

Tagging @gchaps for the docs changes.

[gchaps]

LGTM with a few minor comments

[gchaps]

Can we remove (days) here as the word "days" is included in the field?

[kc13greiner]

@gchaps Just the days in the label? or on the input box as well?

[gchaps]

Just the days in the label.

[kc13greiner]

(days) removed in latest commit!

[thomheymann]

All working well, a few comments below.

The "View API key" button doesn't make any sense (what would it do if it was enabled?) - I would change it to "Close":

I appreciate that you tried to be consistent with the Create API key flow here but that flow is an exception since we need to show the token of the generated API key. Normal updates and errors should be shown using toast notifications so the behaviour is consistent with the rest of Kibana:

The "no update has been made" warning is an unnecessary detail. I would either disable the submit button until a change has been made (similar to user profile form) or show a success toast irregardless of whether the API key actually changed or not:

[thomheymann]

Forgot to mention, can we move the "Status" field before or after the two checkboxes so the UI looks a bit neater?

[gchaps]

Some comments on copy.

Can we eliminate the back-to-back "API keys" text in the intro? Maybe something like

Manage your API keys, which send requests on behalf of the user.

Open to suggestions for the second half of the sentence.

Also, instead of "View API key" for the title of the flyout, how about "API key details"?

[kc13greiner]

All working well, a few comments below.

The "View API key" button doesn't make any sense (what would it do if it was enabled?) - I would change it to "Close":

I appreciate that you tried to be consistent with the Create API key flow here but that flow is an exception since we need to show the token of the generated API key. Normal updates and errors should be shown using toast notifications so the behaviour is consistent with the rest of Kibana:

The "no update has been made" warning is an unnecessary detail. I would either disable the submit button until a change has been made (similar to user profile form) or show a success toast irregardless of whether the API key actually changed or not:

All fixed in latest commit! I chose to leave the 'Update' button clickable and have it return 'Success' even when no updates were made; the Users and Roles screens appear to follow that pattern.

[kc13greiner]

Forgot to mention, can we move the "Status" field before or after the two checkboxes so the UI looks a bit neater?

Fixed in latest commit!

[kc13greiner]

Some comments on copy.

Can we eliminate the back-to-back "API keys" text in the intro? Maybe something like

Manage your API keys, which send requests on behalf of the user.

Open to suggestions for the second half of the sentence.

Also, instead of "View API key" for the title of the flyout, how about "API key details"?

Fixed in latest commit!

[kc13greiner]

@elasticmachine merge upstream

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: cb5cc5a

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
security	90	91	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
security	549.6KB	553.1KB	+3.5KB

Unknown metric groups

API count

id	before	after	diff
security	250	251	+1

ESLint disabled in files

id	before	after	diff
osquery	1	2	+1

ESLint disabled line counts

id	before	after	diff
enterpriseSearch	19	21	+2
fleet	60	66	+6
osquery	109	115	+6
securitySolution	445	451	+6
total			+20

Total ESLint disabled count

id	before	after	diff
enterpriseSearch	20	22	+2
fleet	69	75	+6
osquery	110	117	+7
securitySolution	521	527	+6
total			+21

History

• 💔 Build #94445 failed 5eacf4a
• 💔 Build #94411 failed 9ecb176
• 💔 Build #94390 failed 92079c8
• 💔 Build #94384 failed 1a10fc8
• 💔 Build #94346 failed 200e57e
• 💚 Build #93507 succeeded f23230a

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

[thomheymann]

All looking good! 🎉