UI only allows creating Cross Cluster API keys with access.search.names #183682

Closed
jakelandis opened this issue May 16, 2024 · 3 comments · Fixed by #183704
Labels
bug Fixes for quality problems that affect the customer experience Feature:Users/Roles/API Keys Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@jakelandis
Contributor

Cross Cluster API keys allow the following options for search:

```
POST _security/cross_cluster/api_key
{
  "name": "ccx-apikey",
  "expiration": "300d",
  "access": {
    "search": [
      {
        "names": ["logs*"],
        "query": {"bool": { "must_not": { "term" : {"field2" : "value2"}}}},
        "field_security": {"grant": [ "field2" ]},
        "allow_restricted_indices" : true
      }
    ]
  }
}
```

Describe the bug:

The UI prevents creating the API when anything but "names" is present under search.

Steps to reproduce:
Navigate to Stack Management -> API keys -> Create API key -> choose Cross Cluster API key -> fill out a name -> add any one (or more) of the following: query, field_security, allow_restricted_indices -> Create API key

Any additional context:

8.14+ will prevent users from creating a single API key that has access.search.query AND a replication. See elastic/elasticsearch#108600. I don't think there are any changes needed from Kibana since ES will prevent that scenario, just FYI.

@jakelandis jakelandis added the bug Fixes for quality problems that affect the customer experience label May 16, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label May 16, 2024
@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:Users/Roles/API Keys labels May 16, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@botelastic botelastic bot removed the needs-team Issues missing a team label label May 16, 2024
@jeramysoucy
Contributor

jeramysoucy commented May 17, 2024

@jakelandis Does your example contain the full list of possible fields?

```
        "names": ["logs*"],
        "query": {"bool": { "must_not": { "term" : {"field2" : "value2"}}}},
        "field_security": {"grant": [ "field2" ]},
        "allow_restricted_indices" : true
```

Should replication allow the same options?

FYI I noticed that I was able to enter a random string into the query field without any rejection, e.g.

```
"query": {"something": { "must_not": { "term" : {"field2" : "value2"}}}},"
```

The query seems to always get captured as a string:

```
"query": """{"bool":{"must_not":{"term":{"field2":"value2"}}}}""",
```

@jakelandis
Contributor Author

> Does your example contain the full list of possible fields?

yup.

> Should replication allow the same options?

only "names" are allowed for replication.

> FYI I noticed that I was able to enter random string into the query field without any rejection, e.g.

yeah, "query" is a weird one. we support either an object or a string as the value. Typically, I use cURL and define it like `"query": "{\"term\":{\"foo\":{\"value\":\"bar\"}}}"` and get a bit confused by dev tools `"""` behavior. Also, we don't validate the syntax of the query.

jeramysoucy added a commit that referenced this issue May 22, 2024
closes #183682

## Summary

The validation schema in Kibana's API key endpoints for cross cluster
API keys was missing the optional query, field_security, and
allow_restricted_indices fields. These have been added, and the schemas
have been unified between the create and update endpoints.

### Testing
Updated API integration tests to include checking create and update for
cross cluster API keys that contain all search options.
- x-pack/test/api_integration/apis/security/api_keys.ts

## Release note
Fixes an issue in Kibana cross cluster API key endpoints which kept
users from creating cross cluster API keys with all possible search
options.
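
The rules stated in this thread, written as a pre-flight check on a cross cluster API key `access` object. This is an added example, not Kibana's validation schema (which this page does not show); `validateAccess`, `checkEntries` and the error strings are hypothetical, and requiring `names` to be an array of strings is an assumption of the example.

```typescript
// Added example, not Kibana's code. Function names and error strings are hypothetical.
type Json = Record<string, unknown>;

// Options named in the issue for access.search; replication accepts only "names".
const SEARCH_KEYS = ["names", "query", "field_security", "allow_restricted_indices"];
const REPLICATION_KEYS = ["names"];

const isObject = (v: unknown): v is Json =>
  typeof v === "object" && v !== null && !Array.isArray(v);

function checkEntries(section: string, entries: unknown, allowed: string[]): string[] {
  if (!Array.isArray(entries)) return [`access.${section} must be an array`];
  const errors: string[] = [];
  entries.forEach((entry, i) => {
    const at = `access.${section}[${i}]`;
    if (!isObject(entry)) { errors.push(`${at} must be an object`); return; }
    for (const key of Object.keys(entry)) {
      if (allowed.indexOf(key) === -1) errors.push(`${at}.${key} is not allowed`);
    }
    const names = entry.names; // assumption: required array of strings
    if (!Array.isArray(names) || !names.every((n) => typeof n === "string")) {
      errors.push(`${at}.names must be an array of strings`);
    }
    // "query" may be an object or a string. The thread notes query syntax is not
    // validated, so the only check made here is that a string decodes to a JSON object.
    if (typeof entry.query === "string") {
      try {
        if (!isObject(JSON.parse(entry.query))) errors.push(`${at}.query must encode a JSON object`);
      } catch {
        errors.push(`${at}.query is not valid JSON`);
      }
    } else if (entry.query !== undefined && !isObject(entry.query)) {
      errors.push(`${at}.query must be an object or a string`);
    }
  });
  return errors;
}

function validateAccess(access: Json): string[] {
  const errors: string[] = [];
  if (access.search !== undefined) errors.push(...checkEntries("search", access.search, SEARCH_KEYS));
  if (access.replication !== undefined) {
    errors.push(...checkEntries("replication", access.replication, REPLICATION_KEYS));
  }
  // Per the issue: 8.14+ rejects a single key with access.search.query AND replication.
  const hasQuery = Array.isArray(access.search) &&
    access.search.some((e) => isObject(e) && e.query !== undefined);
  if (hasQuery && access.replication !== undefined) {
    errors.push("access.search.query cannot be combined with replication");
  }
  return errors;
}
```

An empty result means the body passes these checks; the query itself can still be semantically wrong, so review the filter a key enforces after creating it.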
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue May 22, 2024
…ic#183704)

closes elastic#183682

(cherry picked from commit 685aadc)
kibanamachine added a commit that referenced this issue May 22, 2024
…#183704) (#183998)

# Backport

This will backport the following commits from `main` to `8.14`:
- [Amends the Kibana validation schema for cross cluster API keys
(#183704)](#183704)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jeramy Soucy <jeramy.soucy@elastic.co>