Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cross cluster security APIs #3070

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Add cross cluster security APIs #3070

wants to merge 13 commits into from

Conversation

lcawl
Copy link
Contributor

@lcawl lcawl commented Oct 23, 2024

The create and update cross cluster key APIs were not appearing in the OpenAPI output, so I've created an initial pass at the necessary files per https://github.com/elastic/elasticsearch-specification/blob/main/docs/add-new-api.md

The descriptions are copied from https://www.elastic.co/guide/en/elasticsearch/reference/master/security-api-update-cross-cluster-api-key.html and

@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.update_cross_cluster_api_key 🔴 1/2 2/2

You can validate these APIs yourself by using the make validate target.

@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.create_cross_cluster_api_key 🔴 0/3 3/3
security.update_cross_cluster_api_key 🔴 1/2 2/2

You can validate these APIs yourself by using the make validate target.

@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.create_cross_cluster_api_key 🔴 0/3 3/3
security.update_cross_cluster_api_key 🔴 1/2 2/2

You can validate these APIs yourself by using the make validate target.

@lcawl lcawl marked this pull request as ready for review October 23, 2024 20:56
@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.activate_user_profile 🟢 9/9 9/9
security.authenticate 🟢 30/30 30/30
security.bulk_delete_role 🟢 1/1 1/1
security.bulk_put_role 🔴 0/1 1/1
security.bulk_update_api_keys 🟠 Missing type Missing type
security.change_password 🟢 9/9 9/9
security.clear_api_key_cache 🟢 13/13 13/13
security.clear_cached_privileges 🟢 3/3 3/3
security.clear_cached_realms 🟢 1/1 1/1
security.clear_cached_roles 🟢 2/2 2/2
security.clear_cached_service_tokens 🟢 4/4 4/4
security.create_api_key 🔴 66/68 59/59
security.create_cross_cluster_api_key 🔴 0/3 3/3
security.create_service_token 🟢 3/3 3/3
security.delete_privileges 🟢 6/6 6/6
security.delete_role_mapping 🟢 9/9 9/9
security.delete_role 🟢 8/8 8/8
security.delete_service_token Missing test Missing test
security.delete_user 🟢 9/9 9/9
security.disable_user_profile 🟢 1/1 1/1
security.disable_user 🟢 3/3 3/3
security.enable_user_profile 🟢 1/1 1/1
security.enable_user 🟢 4/4 4/4
security.enroll_kibana Missing test Missing test
security.enroll_node Missing test Missing test
security.get_api_key 🔴 38/38 15/38
security.get_builtin_privileges 🔴 2/2 1/2
security.get_privileges 🟢 12/12 12/12
security.get_role_mapping 🔴 18/18 10/18
security.get_role 🔴 24/24 21/24
security.get_service_accounts Missing test Missing test
security.get_service_credentials 🟢 1/1 1/1
security.get_settings 🟠 Missing type Missing type
security.get_token 🟢 25/25 24/24
security.get_user_privileges 🔴 8/8 7/8
security.get_user_profile 🟢 8/8 8/8
security.get_user 🟢 25/25 25/25
security.grant_api_key 🟢 7/7 7/7
security.has_privileges_user_profile 🟢 3/3 3/3
security.has_privileges 🟢 24/24 24/24
security.invalidate_api_key 🟢 12/12 12/12
security.invalidate_token 🟢 11/11 11/11
security.oidc_authenticate 🟠 Missing type Missing type
security.oidc_logout 🟠 Missing type Missing type
security.oidc_prepare_authentication 🟠 Missing type Missing type
security.put_privileges 🟢 10/10 10/10
security.put_role_mapping 🔴 2/11 11/11
security.put_role 🔴 31/39 38/38
security.put_user 🟢 48/48 47/47
security.query_api_keys 🔴 14/14 1/14
security.query_role 🟢 2/2 2/2
security.query_user 🟢 4/4 4/4
security.saml_authenticate Missing test Missing test
security.saml_complete_logout Missing test Missing test
security.saml_invalidate Missing test Missing test
security.saml_logout Missing test Missing test
security.saml_prepare_authentication Missing test Missing test
security.saml_service_provider_metadata Missing test Missing test
security.suggest_user_profiles 🟢 1/1 1/1
security.update_api_key 🟢 5/5 5/5
security.update_cross_cluster_api_key 🟢 2/2 2/2
security.update_settings 🟠 Missing type Missing type
security.update_user_profile_data 🟢 1/1 1/1

You can validate these APIs yourself by using the make validate target.

1 similar comment
@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.activate_user_profile 🟢 9/9 9/9
security.authenticate 🟢 30/30 30/30
security.bulk_delete_role 🟢 1/1 1/1
security.bulk_put_role 🔴 0/1 1/1
security.bulk_update_api_keys 🟠 Missing type Missing type
security.change_password 🟢 9/9 9/9
security.clear_api_key_cache 🟢 13/13 13/13
security.clear_cached_privileges 🟢 3/3 3/3
security.clear_cached_realms 🟢 1/1 1/1
security.clear_cached_roles 🟢 2/2 2/2
security.clear_cached_service_tokens 🟢 4/4 4/4
security.create_api_key 🔴 66/68 59/59
security.create_cross_cluster_api_key 🔴 0/3 3/3
security.create_service_token 🟢 3/3 3/3
security.delete_privileges 🟢 6/6 6/6
security.delete_role_mapping 🟢 9/9 9/9
security.delete_role 🟢 8/8 8/8
security.delete_service_token Missing test Missing test
security.delete_user 🟢 9/9 9/9
security.disable_user_profile 🟢 1/1 1/1
security.disable_user 🟢 3/3 3/3
security.enable_user_profile 🟢 1/1 1/1
security.enable_user 🟢 4/4 4/4
security.enroll_kibana Missing test Missing test
security.enroll_node Missing test Missing test
security.get_api_key 🔴 38/38 15/38
security.get_builtin_privileges 🔴 2/2 1/2
security.get_privileges 🟢 12/12 12/12
security.get_role_mapping 🔴 18/18 10/18
security.get_role 🔴 24/24 21/24
security.get_service_accounts Missing test Missing test
security.get_service_credentials 🟢 1/1 1/1
security.get_settings 🟠 Missing type Missing type
security.get_token 🟢 25/25 24/24
security.get_user_privileges 🔴 8/8 7/8
security.get_user_profile 🟢 8/8 8/8
security.get_user 🟢 25/25 25/25
security.grant_api_key 🟢 7/7 7/7
security.has_privileges_user_profile 🟢 3/3 3/3
security.has_privileges 🟢 24/24 24/24
security.invalidate_api_key 🟢 12/12 12/12
security.invalidate_token 🟢 11/11 11/11
security.oidc_authenticate 🟠 Missing type Missing type
security.oidc_logout 🟠 Missing type Missing type
security.oidc_prepare_authentication 🟠 Missing type Missing type
security.put_privileges 🟢 10/10 10/10
security.put_role_mapping 🔴 2/11 11/11
security.put_role 🔴 31/39 38/38
security.put_user 🟢 48/48 47/47
security.query_api_keys 🔴 14/14 1/14
security.query_role 🟢 2/2 2/2
security.query_user 🟢 4/4 4/4
security.saml_authenticate Missing test Missing test
security.saml_complete_logout Missing test Missing test
security.saml_invalidate Missing test Missing test
security.saml_logout Missing test Missing test
security.saml_prepare_authentication Missing test Missing test
security.saml_service_provider_metadata Missing test Missing test
security.suggest_user_profiles 🟢 1/1 1/1
security.update_api_key 🟢 5/5 5/5
security.update_cross_cluster_api_key 🟢 2/2 2/2
security.update_settings 🟠 Missing type Missing type
security.update_user_profile_data 🟢 1/1 1/1

You can validate these APIs yourself by using the make validate target.

@mattc58 mattc58 requested a review from n1v0lg October 24, 2024 12:57
@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.activate_user_profile 🟢 9/9 9/9
security.authenticate 🟢 30/30 30/30
security.bulk_delete_role 🟢 1/1 1/1
security.bulk_put_role 🔴 0/1 1/1
security.bulk_update_api_keys 🟠 Missing type Missing type
security.change_password 🟢 9/9 9/9
security.clear_api_key_cache 🟢 13/13 13/13
security.clear_cached_privileges 🟢 3/3 3/3
security.clear_cached_realms 🟢 1/1 1/1
security.clear_cached_roles 🟢 2/2 2/2
security.clear_cached_service_tokens 🟢 4/4 4/4
security.create_api_key 🔴 66/68 59/59
security.create_cross_cluster_api_key 🔴 0/3 3/3
security.create_service_token 🟢 3/3 3/3
security.delete_privileges 🟢 6/6 6/6
security.delete_role_mapping 🟢 9/9 9/9
security.delete_role 🟢 8/8 8/8
security.delete_service_token Missing test Missing test
security.delete_user 🟢 9/9 9/9
security.disable_user_profile 🟢 1/1 1/1
security.disable_user 🟢 3/3 3/3
security.enable_user_profile 🟢 1/1 1/1
security.enable_user 🟢 4/4 4/4
security.enroll_kibana Missing test Missing test
security.enroll_node Missing test Missing test
security.get_api_key 🔴 38/38 15/38
security.get_builtin_privileges 🔴 2/2 1/2
security.get_privileges 🟢 12/12 12/12
security.get_role_mapping 🔴 18/18 10/18
security.get_role 🔴 24/24 21/24
security.get_service_accounts Missing test Missing test
security.get_service_credentials 🟢 1/1 1/1
security.get_settings 🟠 Missing type Missing type
security.get_token 🟢 25/25 24/24
security.get_user_privileges 🔴 8/8 7/8
security.get_user_profile 🟢 8/8 8/8
security.get_user 🟢 25/25 25/25
security.grant_api_key 🟢 7/7 7/7
security.has_privileges_user_profile 🟢 3/3 3/3
security.has_privileges 🟢 24/24 24/24
security.invalidate_api_key 🟢 12/12 12/12
security.invalidate_token 🟢 11/11 11/11
security.oidc_authenticate 🟠 Missing type Missing type
security.oidc_logout 🟠 Missing type Missing type
security.oidc_prepare_authentication 🟠 Missing type Missing type
security.put_privileges 🟢 10/10 10/10
security.put_role_mapping 🔴 2/11 11/11
security.put_role 🔴 31/39 38/38
security.put_user 🟢 48/48 47/47
security.query_api_keys 🔴 14/14 1/14
security.query_role 🟢 2/2 2/2
security.query_user 🟢 4/4 4/4
security.saml_authenticate Missing test Missing test
security.saml_complete_logout Missing test Missing test
security.saml_invalidate Missing test Missing test
security.saml_logout Missing test Missing test
security.saml_prepare_authentication Missing test Missing test
security.saml_service_provider_metadata Missing test Missing test
security.suggest_user_profiles 🟢 1/1 1/1
security.update_api_key 🟢 5/5 5/5
security.update_cross_cluster_api_key 🟢 2/2 2/2
security.update_settings 🟠 Missing type Missing type
security.update_user_profile_data 🟢 1/1 1/1

You can validate these APIs yourself by using the make validate target.

n1v0lg
n1v0lg reviewed Oct 29, 2024
View reviewed changes
Copy link
Contributor

@n1v0lg n1v0lg left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for picking this up! I have a high-level comment on the Access model -- we want a new SearchAccess model there, instead of re-using RemoteIndicesPrivileges since those are subtly different (see my inline comment).

specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts Outdated Show resolved Hide resolved
n1v0lg
n1v0lg reviewed Oct 29, 2024
View reviewed changes
specification/security/_types/Access.ts Outdated
/**
* A list of indices permission entries for cross-cluster search.
*/
search?: RemoteIndicesPrivileges[]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a separate model (SearchAccess) instead of RemoteIndicesPrivileges since there are subtle differences:

  • SearchAccess does not take a list of privileges
  • SearchAccess does not take a list of remote clusters

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay! I've added a separate definition in ef524c3

@github-actions GitHub Actions
Copy link
Contributor

Following you can find the validation results for the APIs you have changed.

API Status Request Response
security.activate_user_profile 🟢 9/9 9/9
security.authenticate 🟢 30/30 30/30
security.bulk_delete_role 🟢 1/1 1/1
security.bulk_put_role 🔴 0/1 1/1
security.bulk_update_api_keys 🟠 Missing type Missing type
security.change_password 🟢 9/9 9/9
security.clear_api_key_cache 🟢 13/13 13/13
security.clear_cached_privileges 🟢 3/3 3/3
security.clear_cached_realms 🟢 1/1 1/1
security.clear_cached_roles 🟢 2/2 2/2
security.clear_cached_service_tokens 🟢 4/4 4/4
security.create_api_key 🔴 66/68 59/59
security.create_cross_cluster_api_key 🔴 2/3 3/3
security.create_service_token 🟢 3/3 3/3
security.delete_privileges 🟢 6/6 6/6
security.delete_role_mapping 🟢 9/9 9/9
security.delete_role 🟢 8/8 8/8
security.delete_service_token Missing test Missing test
security.delete_user 🟢 9/9 9/9
security.disable_user_profile 🟢 1/1 1/1
security.disable_user 🟢 3/3 3/3
security.enable_user_profile 🟢 1/1 1/1
security.enable_user 🟢 4/4 4/4
security.enroll_kibana Missing test Missing test
security.enroll_node Missing test Missing test
security.get_api_key 🔴 38/38 15/38
security.get_builtin_privileges 🔴 2/2 1/2
security.get_privileges 🟢 12/12 12/12
security.get_role_mapping 🔴 18/18 10/18
security.get_role 🔴 24/24 21/24
security.get_service_accounts Missing test Missing test
security.get_service_credentials 🟢 1/1 1/1
security.get_settings 🟠 Missing type Missing type
security.get_token 🟢 25/25 24/24
security.get_user_privileges 🔴 8/8 7/8
security.get_user_profile 🟢 8/8 8/8
security.get_user 🟢 25/25 25/25
security.grant_api_key 🟢 7/7 7/7
security.has_privileges_user_profile 🟢 3/3 3/3
security.has_privileges 🟢 24/24 24/24
security.invalidate_api_key 🟢 12/12 12/12
security.invalidate_token 🟢 11/11 11/11
security.oidc_authenticate 🟠 Missing type Missing type
security.oidc_logout 🟠 Missing type Missing type
security.oidc_prepare_authentication 🟠 Missing type Missing type
security.put_privileges 🟢 10/10 10/10
security.put_role_mapping 🔴 2/11 11/11
security.put_role 🔴 31/39 38/38
security.put_user 🟢 48/48 47/47
security.query_api_keys 🔴 14/14 1/14
security.query_role 🟢 2/2 2/2
security.query_user 🟢 4/4 4/4
security.saml_authenticate Missing test Missing test
security.saml_complete_logout Missing test Missing test
security.saml_invalidate Missing test Missing test
security.saml_logout Missing test Missing test
security.saml_prepare_authentication Missing test Missing test
security.saml_service_provider_metadata Missing test Missing test
security.suggest_user_profiles 🟢 1/1 1/1
security.update_api_key 🟢 5/5 5/5
security.update_cross_cluster_api_key 🟢 2/2 2/2
security.update_settings 🟠 Missing type Missing type
security.update_user_profile_data 🟢 1/1 1/1

You can validate these APIs yourself by using the make validate target.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flobernd flobernd flobernd left review comments

@n1v0lg n1v0lg n1v0lg left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
backport 8.x backport 8.16 specification
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lcawl @flobernd @n1v0lg