[alerts] http 500 response when creating an alert using an API key has the http authorization #96683
Comments
Pinging @elastic/kibana-alerting-services (Team:Alerting Services)
Beyond fixing the code to throw some kind of a 40x response with a nice message, we'll need to doc this somewhere in the alerting docs. I'm not sure if actions are affected. Any other HTTP endpoints that use alerting could also hit this and probably need doc (and perhaps try/catch wrappers). Other alerting APIs are also probably affected, like update.
👍 to documenting this as a known issue. However, we'll want to ensure that we fix the code to allow API Keys to create Alerts. With Cloud SSO, it's going to be extremely common for users to no longer have a username/password to authenticate with. @elastic/kibana-security - are there changes we can make to
There are two (similar?) Elasticsearch issues I recall requesting this: elastic/elasticsearch#59304 and elastic/elasticsearch#52244.
@kobelb this requires work on the ES side -- API Keys are not able to self-replicate today. The issues that Mike linked directly above have more detail
A user tried to create an alert via curl, using an ES API key as the authorization. They had previously used other alerting HTTP endpoints successfully with the API key, but the create failed.
The logs looked like this:
I think this is the code:
kibana/x-pack/plugins/alerts/server/alerts_client_factory.ts
Lines 115 to 133 in bdba929
Looks like the call
await securityPluginStart.authc.apiKeys.grantAsInternalUser()
will need to be wrapped in a try/catch. Or whatever code calls this.

Looking into the security code, this looks like a known restriction, and it rings a bell with me.
kibana/x-pack/plugins/security/server/authentication/api_keys/api_keys.ts
Lines 289 to 315 in bdba929
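
An added example, not code from the issue or from Kibana: one way to wrap the grant call so the known restriction comes back as a 400 with a clear message instead of a 500. `GrantFn` is a hypothetical stand-in for `grantAsInternalUser()`, whose real signature is not shown here, and the header value and failure are constructed.

```typescript
// Added example; every name here is hypothetical, not Kibana's source.
type Headers = Record<string, string | undefined>;
interface ClientError { statusCode: number; message: string }
interface GrantedKey { id: string; api_key: string }
// Stand-in for securityPluginStart.authc.apiKeys.grantAsInternalUser();
// its real signature is not shown on the page.
type GrantFn = (headers: Headers) => Promise<GrantedKey | null>;

// Authorization scheme of the request, lower-cased ("apikey", "basic"), or null.
function authScheme(headers: Headers): string | null {
  const name = Object.keys(headers).find((k) => k.toLowerCase() === 'authorization');
  const value = name ? headers[name] : undefined;
  const scheme = value ? value.trim().split(/\s+/)[0] : undefined;
  return scheme ? scheme.toLowerCase() : null;
}

// A 400 for the known restriction, or null when the failure is something else.
function explainGrantFailure(headers: Headers): ClientError | null {
  if (authScheme(headers) !== 'apikey') return null;
  return {
    statusCode: 400,
    message: 'Cannot create an alert while authenticated with an API key: ' +
      'an API key cannot be used to grant another API key.',
  };
}

type GrantResult = { ok: true; key: GrantedKey | null } | { ok: false; error: ClientError };

async function grantOrClientError(headers: Headers, grant: GrantFn): Promise<GrantResult> {
  try {
    return { ok: true, key: await grant(headers) };
  } catch (err) {
    const clientError = explainGrantFailure(headers);
    if (!clientError) throw err; // unrelated failure: keep the original error
    return { ok: false, error: clientError };
  }
}

// Constructed sample request and a grant function that always fails.
const sampleHeaders: Headers = { Authorization: 'ApiKey constructed-sample-value' };
const failingGrant: GrantFn = async () => { throw new Error('constructed grant failure'); };
grantOrClientError(sampleHeaders, failingGrant).then((r) => console.log(r));
```

The client-facing message deliberately omits the underlying error text; log that server-side rather than returning it.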