Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use kibana_system user to create API keys on behalf of other users. #49398

Closed
mikecote opened this issue Oct 25, 2019 · 5 comments · Fixed by #60967
Closed

Use kibana_system user to create API keys on behalf of other users. #49398

mikecote opened this issue Oct 25, 2019 · 5 comments · Fixed by #60967
Assignees
@mikecote
Labels
Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@mikecote
Copy link
Contributor

mikecote commented Oct 25, 2019
edited by peterschretlen
Loading

This needs to wait until elastic/elasticsearch#48716 is finished. Currently users require manage_api_key privilege when using alerting with security enabled.
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-stack-services (Team:Stack Services)

@bmcconaghy bmcconaghy added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) and removed Team:Stack Services labels Dec 12, 2019
@mikecote mikecote self-assigned this Jan 15, 2020
@mikecote mikecote removed their assignment Feb 18, 2020
@mikecote
Copy link
Contributor Author

The kibana_system user should also be the user invalidating API keys. Currently we use the new API key owner's credentials to invalidate an API key (that could belong to someone else).

@legrego legrego added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Feb 28, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-security (Team:Security)

@kobelb kobelb mentioned this issue Feb 28, 2020
Closed
@mikecote
Copy link
Contributor Author

mikecote commented Mar 9, 2020

According to elastic/elasticsearch#52886 and elastic/elasticsearch#48716, the security plugin will need to extract the user's credentials (password or access_token) for the the security.authc.createAPIKey function to create API keys on behalf of the user.

@mikecote
Copy link
Contributor Author

It looks like there's some work we can get a head start on now that elastic/elasticsearch#52886 is merged and more PRs coming (ex: elastic/elasticsearch#53527).

I think the last piece missing will be the kibana_system user getting the cluster:admin/xpack/security/api_key/grant and cluster:admin/xpack/security/api_key/invalidate privilege but we can get a head start by testing this with a user who has manage_api_key or grant_api_key privilege.

Removing blocked label now.

@mikecote mikecote removed the blocked label Mar 13, 2020
@legrego legrego self-assigned this Mar 13, 2020
@mikecote mikecote self-assigned this Mar 13, 2020
@legrego legrego removed their assignment Mar 18, 2020
@peterschretlen peterschretlen mentioned this issue Mar 19, 2020
Merged
This was referenced Mar 20, 2020
Merged
Merged
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mikecote mikecote

Labels
Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Projects
None yet
Milestone
No milestone
5 participants
@kobelb @bmcconaghy @legrego @mikecote @elasticmachine