Skip to content

Fix isApiKey test and apply it consistently (#84396) #84404

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 28, 2022
Merged

Fix isApiKey test and apply it consistently (#84396) #84404

merged 1 commit into from
Feb 28, 2022

Conversation

@ywangd
Copy link
Member

@ywangd ywangd commented Feb 28, 2022

Creating tokens using API keys is not properly supported till #80926.
Previously the created token always has no previlege. Now the token has
the same privilege as the API key itself (similar to user created
tokens). Authenticating using the token is considered equivalent to the
API key itself. Therefore the "isApiKey" check needs to be updated to
cater for both authentications of API key itself and the token created
by the API key.

This PR updates the isApiKey check and apply it consistently to ensure
the behaviour is consistent between an API key and a token created by
it.

The only exception is for supporting run-as. API key itself can run-as
another user. But a token created by the API key cannot perform run-as
(#84336) similar to how user/token works.

@ywangd
Fix isApiKey test and apply it consistently (elastic#84396)
27a0b3c 
Creating tokens using API keys is not properly supported till elastic#80926.
Previously the created token always has no previlege. Now the token has
the same privilege as the API key itself (similar to user created
tokens). Authenticating using the token is considered equivalent to the
API key itself. Therefore the "isApiKey" check needs to be updated to
cater for both authentications of API key itself and the token created
by the API key.

This PR updates the isApiKey check and apply it consistently to ensure
the behaviour is consistent between an API key and a token created by
it.

The only exception is for supporting run-as. API key itself can run-as
another user. But a token created by the API key cannot perform run-as
(elastic#84336) similar to how user/token works.
@ywangd ywangd added backport v8.1.0 auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) labels Feb 28, 2022
@elasticsearchmachine elasticsearchmachine merged commit d4a22de into elastic:8.1 Feb 28, 2022
@ywangd ywangd deleted the fix-authentication-is-apikey-8.1 branch February 28, 2022 08:04
@tvernum tvernum mentioned this pull request Mar 1, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport v8.1.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ywangd @elasticsearchmachine