Add "grant_api_key" cluster privilege (#54042)

tvernum · web-flow · commit 4bd853a6f225 · 2020-03-24T13:17:45.000+11:00
This change adds a new cluster privilege "grant_api_key" that allows the use of the new /_security/api_key/grant endpoint Backport of: #53527
diff --git a/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc b/x-pack/docs/en/rest-api/security/get-builtin-privileges.asciidoc
@@ -64,6 +64,7 @@ A successful call returns an object with "cluster" and "index" fields.
     "all",
     "create_snapshot",
     "delegate_pki",
+    "grant_api_key",
     "manage",
     "manage_api_key",
     "manage_autoscaling",
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -22,6 +22,7 @@
 import org.elasticsearch.xpack.core.ilm.action.StartILMAction;
 import org.elasticsearch.xpack.core.ilm.action.StopILMAction;
 import org.elasticsearch.xpack.core.security.action.DelegatePkiAuthenticationAction;
+import org.elasticsearch.xpack.core.security.action.GrantApiKeyAction;
 import org.elasticsearch.xpack.core.security.action.token.InvalidateTokenAction;
 import org.elasticsearch.xpack.core.security.action.token.RefreshTokenAction;
 import org.elasticsearch.xpack.core.security.action.user.HasPrivilegesAction;
@@ -49,6 +50,7 @@ public class ClusterPrivilegeResolver {
     private static final Set<String> MANAGE_OIDC_PATTERN = Collections.singleton("cluster:admin/xpack/security/oidc/*");
     private static final Set<String> MANAGE_TOKEN_PATTERN = Collections.singleton("cluster:admin/xpack/security/token/*");
     private static final Set<String> MANAGE_API_KEY_PATTERN = Collections.singleton("cluster:admin/xpack/security/api_key/*");
+    private static final Set<String> GRANT_API_KEY_PATTERN = Collections.singleton(GrantApiKeyAction.NAME + "*");
     private static final Set<String> MONITOR_PATTERN = Collections.singleton("cluster:monitor/*");
     private static final Set<String> MONITOR_TRANSFORM_PATTERN = Collections.unmodifiableSet(
         Sets.newHashSet("cluster:monitor/data_frame/*", "cluster:monitor/transform/*"));
@@ -118,6 +120,7 @@ public class ClusterPrivilegeResolver {
     public static final NamedClusterPrivilege MANAGE_SAML = new ActionClusterPrivilege("manage_saml", MANAGE_SAML_PATTERN);
     public static final NamedClusterPrivilege MANAGE_OIDC = new ActionClusterPrivilege("manage_oidc", MANAGE_OIDC_PATTERN);
     public static final NamedClusterPrivilege MANAGE_API_KEY = new ActionClusterPrivilege("manage_api_key", MANAGE_API_KEY_PATTERN);
+    public static final NamedClusterPrivilege GRANT_API_KEY = new ActionClusterPrivilege("grant_api_key", GRANT_API_KEY_PATTERN);
     public static final NamedClusterPrivilege MANAGE_PIPELINE = new ActionClusterPrivilege("manage_pipeline",
         Collections.singleton("cluster:admin/ingest/pipeline/*"));
     public static final NamedClusterPrivilege MANAGE_AUTOSCALING = new ActionClusterPrivilege(
@@ -160,6 +163,7 @@ public class ClusterPrivilegeResolver {
         MANAGE_SAML,
         MANAGE_OIDC,
         MANAGE_API_KEY,
+        GRANT_API_KEY,
         MANAGE_PIPELINE,
         MANAGE_ROLLUP,
         MANAGE_AUTOSCALING,
diff --git a/x-pack/plugin/security/qa/security-trial/src/test/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java b/x-pack/plugin/security/qa/security-trial/src/test/java/org/elasticsearch/xpack/security/apikey/ApiKeyRestIT.java
@@ -47,7 +47,7 @@ public class ApiKeyRestIT extends SecurityOnTrialLicenseRestTestCase {
     @Before
     public void createUsers() throws IOException {
         createUser(SYSTEM_USER, SYSTEM_USER_PASSWORD, Collections.singletonList("system_role"));
-        createRole("system_role", Collections.singleton("manage_api_key"));
+        createRole("system_role", Collections.singleton("grant_api_key"));
         createUser(END_USER, END_USER_PASSWORD, Collections.singletonList("user_role"));
         createRole("user_role", Collections.singleton("monitor"));
     }
diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/privileges/11_builtin.yml
@@ -15,5 +15,5 @@ setup:
   # This is fragile - it needs to be updated every time we add a new cluster/index privilege
   # I would much prefer we could just check that specific entries are in the array, but we don't have
   # an assertion for that
-  - length: { "cluster" : 35 }
+  - length: { "cluster" : 36 }
   - length: { "index" : 18 }

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ public class ApiKeyRestIT extends SecurityOnTrialLicenseRestTestCase {`
`47`	`47`	`@Before`
`48`	`48`	`public void createUsers() throws IOException {`
`49`	`49`	`createUser(SYSTEM_USER, SYSTEM_USER_PASSWORD, Collections.singletonList("system_role"));`
`50`		`- createRole("system_role", Collections.singleton("manage_api_key"));`
	`50`	`+ createRole("system_role", Collections.singleton("grant_api_key"));`
`51`	`51`	`createUser(END_USER, END_USER_PASSWORD, Collections.singletonList("user_role"));`
`52`	`52`	`createRole("user_role", Collections.singleton("monitor"));`
`53`	`53`	`}`