Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix security.get_api_key and security.query_api_keys APIs #3146

Merged
merged 4 commits into from
Nov 22, 2024
Merged

Fix security.get_api_key and security.query_api_keys APIs #3146

merged 4 commits into from
Nov 22, 2024

Conversation

pquentin
Copy link
Member

  • Added missing fields invalidation, access and type.
  • Added ApiKeyRead using the OverloadOf behavior as some fields are optional with the Authenticate API but always defined when reading API keys.

@pquentin pquentin requested review from flobernd, l-trotta and a team November 19, 2024 09:44
@github-actions GitHub Actions

This comment was marked as outdated.

Sign in to view
@pquentin pquentin changed the title Fix security.get_api_key API Fix security.get_api_key and security.query_api_keys APIs Nov 19, 2024
@l-trotta l-trotta self-assigned this Nov 19, 2024
l-trotta
l-trotta reviewed Nov 19, 2024
View reviewed changes
specification/security/_types/ApiKey.ts Outdated
* @availability stack since=8.12.0
* @availability serverless
*/
invalidation?: EpochTime<UnitMillis>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

invalidation on the server side is an Instant, like creation and expiration. should we keep them all longs?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

They are serialized using toEpochMillis though: https://github.com/elastic/elasticsearch/blob/ea90fbc10d3371e5e3b9921a81a4936c2e39d5f4/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/action/apikey/ApiKey.java#L281-L288

I'm happy to use long for consistency and not breaking typed clients, but as far as I can tell EpochTime<UnitMillis> is the correct type?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can set them all as EpochTime<UnitMillis> then, for java it's the same. how about @flobernd ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EpochTime<T> all the way! This allows my generator to emit a proper TimeSpan type. @l-trotta @pquentin

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Anaethelion also validated offline that this was fine for the Go client.

@pquentin
Copy link
Member Author

pquentin commented Nov 19, 2024
edited
Loading

I just realized that it's not Read vs. Write: security.authenticate uses ApiKey for responses but only ever writes name and id: https://github.com/elastic/elasticsearch/blob/ea90fbc10d3371e5e3b9921a81a4936c2e39d5f4/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java#L737-L744. I'll create a specific ApiKey class just for that API.

Edit: done in e2894c7 (#3146)

@pquentin
Use specific APIKey type for authenticate API
e2894c7 
This allows remove a number of optional fields from APIKey itself.
@github-actions GitHub Actions

This comment was marked as outdated.

Sign in to view
slobodanadamovic
slobodanadamovic approved these changes Nov 20, 2024
View reviewed changes
Copy link
Contributor

@slobodanadamovic slobodanadamovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pquentin pquentin requested a review from l-trotta November 22, 2024 07:34
@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.activate_user_profile 🟢 9/9 9/9
security.authenticate 🟢 30/30 30/30
security.bulk_delete_role 🟢 1/1 1/1
security.bulk_put_role 🟢 1/1 1/1
security.bulk_update_api_keys 🟠 Missing type Missing type
security.change_password 🟢 9/9 9/9
security.clear_api_key_cache 🟢 13/13 13/13
security.clear_cached_privileges 🟢 3/3 3/3
security.clear_cached_realms 🟢 1/1 1/1
security.clear_cached_roles 🟢 2/2 2/2
security.clear_cached_service_tokens 🟢 4/4 4/4
security.create_api_key 🟢 68/68 59/59
security.create_cross_cluster_api_key 🟢 3/3 3/3
security.create_service_token 🟢 3/3 3/3
security.delete_privileges 🟢 6/6 6/6
security.delete_role_mapping 🟢 9/9 9/9
security.delete_role 🟢 8/8 8/8
security.delete_service_token Missing test Missing test
security.delete_user 🟢 9/9 9/9
security.disable_user_profile 🟢 1/1 1/1
security.disable_user 🟢 3/3 3/3
security.enable_user_profile 🟢 1/1 1/1
security.enable_user 🟢 4/4 4/4
security.enroll_kibana Missing test Missing test
security.enroll_node Missing test Missing test
security.get_api_key 🟢 26/26 26/26
security.get_builtin_privileges 🟢 1/1 1/1
security.get_privileges 🟢 12/12 12/12
security.get_role_mapping 🔴 18/18 10/18
security.get_role 🔴 24/24 22/24
security.get_service_accounts Missing test Missing test
security.get_service_credentials 🟢 1/1 1/1
security.get_settings 🟠 Missing type Missing type
security.get_token 🟢 25/25 24/24
security.get_user_privileges 🔴 8/8 7/8
security.get_user_profile 🟢 8/8 8/8
security.get_user 🟢 25/25 25/25
security.grant_api_key 🟢 7/7 7/7
security.has_privileges_user_profile 🟢 3/3 3/3
security.has_privileges 🟢 24/24 24/24
security.invalidate_api_key 🟢 12/12 12/12
security.invalidate_token 🟢 11/11 11/11
security.oidc_authenticate 🟠 Missing type Missing type
security.oidc_logout 🟠 Missing type Missing type
security.oidc_prepare_authentication 🟠 Missing type Missing type
security.put_privileges 🟢 10/10 10/10
security.put_role_mapping 🔴 2/11 11/11
security.put_role 🟢 39/39 38/38
security.put_user 🟢 48/48 47/47
security.query_api_keys 🟢 14/14 14/14
security.query_role 🟢 2/2 2/2
security.query_user 🟢 4/4 4/4
security.saml_authenticate Missing test Missing test
security.saml_complete_logout Missing test Missing test
security.saml_invalidate Missing test Missing test
security.saml_logout Missing test Missing test
security.saml_prepare_authentication Missing test Missing test
security.saml_service_provider_metadata Missing test Missing test
security.suggest_user_profiles 🟢 1/1 1/1
security.update_api_key 🟢 5/5 5/5
security.update_cross_cluster_api_key 🟢 2/2 2/2
security.update_settings 🟠 Missing type Missing type
security.update_user_profile_data 🟢 1/1 1/1

You can validate these APIs yourself by using the make validate target.

@pquentin pquentin merged commit 986d9db into main Nov 22, 2024
7 checks passed
@pquentin pquentin deleted the fix-security.get_api_key branch November 22, 2024 10:14
github-actions bot pushed a commit that referenced this pull request Nov 22, 2024
@pquentin @github-actions
Fix security.get_api_key and security.query_api_keys APIs (#3146)
3628298 
* Fix security.get_api_key API

* Use specific APIKey type for authenticate API

This allows remove a number of optional fields from APIKey itself.

* Use more EpochTime<UnitMillis>

(cherry picked from commit 986d9db)
@github-actions github-actions bot mentioned this pull request Nov 22, 2024
Merged
@github-actions GitHub Actions
Copy link
Contributor

The backport to 8.16 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-8.16 8.16
# Navigate to the new working tree
cd .worktrees/backport-8.16
# Create a new branch
git switch --create backport-3146-to-8.16
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 986d9dba35768389938eb9801846668682138734
# Push it to GitHub
git push --set-upstream origin backport-3146-to-8.16
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-8.16

Then, create a pull request where the base branch is 8.16 and the compare/head branch is backport-3146-to-8.16.

pquentin added a commit that referenced this pull request Nov 22, 2024
@pquentin
Fix security.get_api_key and security.query_api_keys APIs (#3146)
d478ca0 
* Fix security.get_api_key API

* Use specific APIKey type for authenticate API

This allows remove a number of optional fields from APIKey itself.

* Use more EpochTime<UnitMillis>

(cherry picked from commit 986d9db)
pquentin added a commit that referenced this pull request Nov 22, 2024
@pquentin
[Backport 8.16] Fix security.get_api_key and security.query_api_keys …
7a90dff 
…APIs (#3146) (#3171)
github-actions bot pushed a commit that referenced this pull request Nov 26, 2024
@pquentin @github-actions
Fix security.get_api_key and security.query_api_keys APIs (#3146)
1989413 
* Fix security.get_api_key API

* Use specific APIKey type for authenticate API

This allows remove a number of optional fields from APIKey itself.

* Use more EpochTime<UnitMillis>

(cherry picked from commit 986d9db)
@github-actions github-actions bot mentioned this pull request Nov 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@l-trotta l-trotta l-trotta approved these changes

@flobernd flobernd flobernd approved these changes

@slobodanadamovic slobodanadamovic slobodanadamovic approved these changes

Assignees

@l-trotta l-trotta

Labels
backport 8.x backport 8.16 backport 8.17 specification
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pquentin @slobodanadamovic @flobernd @l-trotta