[Fleet] Document behavior of /api/fleet/enrollment_api_keys #155550
Comments
andrewkroh
added
Team:Fleet
|
Pinging @elastic/fleet (Team:Fleet) |
jen-huang
added
documentation
and removed
Question
|
It would be great to document also the behaviour of |
|
I also filed a bug related to this area, it might be useful to take a look at it: #190708 |
|
I've opened #191585 to improve the OpenAPI spec. As detailed in the PR description, I think it would be beneficial to add some clarification to the docs as well. Our OpenAPI spec only gives so much context, so it would probably be a good complement. Regarding what happens to revoked/invalidated tokens, the Security API doc mentions that they are automatically deleted after the retention period, which is an Elasticsearch setting. I've suggested clarifying this in the Fleet docs. Regarding the constraint that enrollment token names must be unique, I agree that it seems strange. I found the original issue that put this constraint in place, but it's still unclear to me why the name itself would have to be unique, given that the UUID is appended (see #85118 (comment)). @nchaulet would you happen to remember this? |
|
Followup issue to update Fleet docs: elastic/ingest-docs#1270 |
Not sure to totally remember I think it's probably was implemented before adding a For the delete operation I think we could probably introduce a new option (could be usefull for agents too) |
|
Thanks for your reply @nchaulet 1. Regarding the existing constraint: the doc has been updated to reflect this. However, it's unnecessary perhaps it could be captured elsewhere. 2. Also good point regarding the delete operation. If I'm not mistaken, the documents are never removed from kibana/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts Lines 162 to 179 in 230d274 So maybe my previous comment was misleading:
Which I assume means the documents are deleted from the security index (see also https://support.elastic.dev/knowledge/view/18faf2df). I've been trying to prove this locally by running ES with cc @kpollich for these two questions. |
## Summary Closes #191719 Attempting to generate a Fleet enrollment token with a name that ends with `!` produces a malformed ES query which causes `POST agents/enrollment_api_keys` to fail with 500. This PR adds a narrow fix by escaping question marks (which is a `query_string` [special character](https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax)). Note: this query probably wouldn't be necessary if we removed the constraint of unique name, as discussed in #155550. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
While using the Fleet enrollment_api_keys API I had some usage observations and questions that I'm hoping can be documented/answered within the openapi spec.
Creating Enrollment API key requires unique name
The limitation that
namemust be unique from all existing enrollment api keys should be documented. IMO that limitation does seem arbitrary given that enrollment token are identified by a UUID generated at creation time. But if this is documented, then callers can be aware of this and build in workarounds like appending random suffixes.Deleting Enrollment API key does not delete, it revokes
This API does not delete the resource (it's more of a revocation). It changes the
activeattribute to false. Can the API documentation be update to explain this behavior?If this operation does not actually delete the enrollment api key, then how can that be accomplished?
GET /api/fleet/enrollment_api_keys/{id}continues to return the resource. Do these age out after some period? Should users be worried about creating too many if these cannot be deleted?I don't really mind the fact that it is not deleted, but it is limiting that users cannot create a new enrollment token using the same
namebecause another one exists. If that limitation were removed this would be less of an issue.The text was updated successfully, but these errors were encountered: