Skip to content

Commit

Permalink
Merge branch 'master' into ingest/fix/ds-no-pkg
Browse files Browse the repository at this point in the history
  • Loading branch information
elasticmachine authored May 14, 2020
2 parents b253a73 + 5333a04 commit 23f4de7
Show file tree
Hide file tree
Showing 5 changed files with 68 additions and 53 deletions.
81 changes: 49 additions & 32 deletions docs/user/security/api-keys/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,18 @@
=== API Keys


API keys enable you to create secondary credentials so that you can send
requests on behalf of the user. Secondary credentials have
the same or lower access rights.
API keys enable you to create secondary credentials so that you can send
requests on behalf of the user. Secondary credentials have
the same or lower access rights.

For example, if you extract data from an {es} cluster on a daily
basis, you might create an API key tied to your credentials,
configure it with minimum access,
basis, you might create an API key tied to your credentials,
configure it with minimum access,
and then put the API credentials into a cron job.
Or, you might create API keys to automate ingestion of new data from
remote sources, without a live user interaction.
Or, you might create API keys to automate ingestion of new data from
remote sources, without a live user interaction.

You can create API keys from the {kib} Console. To view and invalidate
You can create API keys from the {kib} Console. To view and invalidate
API keys, use *Management > Security > API Keys*.

[role="screenshot"]
Expand All @@ -24,63 +24,80 @@ image:user/security/api-keys/images/api-keys.png["API Keys UI"]
[[api-keys-service]]
=== {es} API key service

The {es} API key service is automatically enabled when you configure
{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface].
The {es} API key service is automatically enabled when you configure
{ref}/configuring-tls.html#tls-http[TLS on the HTTP interface].
This ensures that clients are unable to send API keys in clear-text.

When HTTPS connections are not enabled between {kib} and {es},
When HTTPS connections are not enabled between {kib} and {es},
you cannot create or manage API keys, and you get an error message.
For more information, see the
{ref}/security-api-create-api-key.html[{es} API key documentation],
For more information, see the
{ref}/security-api-create-api-key.html[{es} API key documentation],
or contact your system administrator.

[float]
[[api-keys-security-privileges]]
=== Security privileges

You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key`
cluster privileges to use API keys in {kib}. You can manage roles in
*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>.
You must have the `manage_security`, `manage_api_key`, or the `manage_own_api_key`
cluster privileges to use API keys in {kib}. You can manage roles in
*Management > Security > Roles*, or use the <<role-management-api, {kib} Role Management API>>.


[float]
[[create-api-key]]
=== Create an API key
You can {ref}/security-api-create-api-key.html[create an API key] from
the Kibana Console. For example:
You can {ref}/security-api-create-api-key.html[create an API key] from
the {kib} Console. This example shows how to create an API key
to authenticate to a <<api, Kibana API>>.

[source,js]
POST /_security/api_key
{
"name": "my_api_key",
"expiration": "1d"
"name": "kibana_api_key",
}

This creates an API key with the name `my_api_key` that
expires after one day. API key names must be globally unique.
An expiration date is optional and follows {ref}/common-options.html#time-units[{es} time unit format].
This creates an API key with the
name `kibana_api_key`. API key
names must be globally unique.
An expiration date is optional and follows
{ref}/common-options.html#time-units[{es} time unit format].
When an expiration is not provided, the API key does not expire.

The response should look something like this:

[source,js]
{
"id" : "XFcbCnIBnbwqt2o79G4q",
"name" : "kibana_api_key",
"api_key" : "FD6P5UA4QCWlZZQhYF3YGw"
}

Now, you can use the API key to request {kib} roles. You will need
to base64-encode the `id` and `api_key` provided in the response
and add it to your request as an authorization header. For example:

[source,js]
curl --location --request GET 'http://localhost:5601/api/security/role' \
--header 'Content-Type: application/json;charset=UTF-8' \
--header 'kbn-xsrf: true' \
--header 'Authorization: ApiKey aVZlLUMzSUJuYndxdDJvN0k1bU46aGxlYUpNS2lTa2FKeVZua1FnY1VEdw==' \

[float]
[[view-api-keys]]
=== View and invalidate API keys
The *API Keys* UI lists your API keys, including the name, date created,
The *API Keys* feature in Kibana lists your API keys, including the name, date created,
and expiration date. If an API key expires, its status changes from `Active` to `Expired`.

If you have `manage_security` or `manage_api_key` permissions,
you can view the API keys of all users, and see which API key was
If you have `manage_security` or `manage_api_key` permissions,
you can view the API keys of all users, and see which API key was
created by which user in which realm.
If you have only the `manage_own_api_key` permission, you see only a list of your own keys.

You can invalidate API keys individually or in bulk.
You can invalidate API keys individually or in bulk.
Invalidated keys are deleted in batch after seven days.

[role="screenshot"]
image:user/security/api-keys/images/api-key-invalidate.png["API Keys invalidate"]

You cannot modify an API key. If you need additional privileges,
You cannot modify an API key. If you need additional privileges,
you must create a new key with the desired configuration and invalidate the old key.




29 changes: 13 additions & 16 deletions packages/kbn-es/src/utils/native_realm.js
Original file line number Diff line number Diff line change
Expand Up @@ -76,10 +76,6 @@ exports.NativeRealm = class NativeRealm {
}

const reservedUsers = await this.getReservedUsers();
if (!reservedUsers || reservedUsers.length < 1) {
throw new Error('no reserved users found, unable to set native realm passwords');
}

await Promise.all(
reservedUsers.map(async user => {
await this.setPassword(user, options[`password.${user}`]);
Expand All @@ -88,16 +84,18 @@ exports.NativeRealm = class NativeRealm {
}

async getReservedUsers() {
const users = await this._autoRetry(async () => {
return await this._client.security.getUser();
});
return await this._autoRetry(async () => {
const resp = await this._client.security.getUser();
const usernames = Object.keys(resp.body).filter(
user => resp.body[user].metadata._reserved === true
);

return Object.keys(users.body).reduce((acc, user) => {
if (users.body[user].metadata._reserved === true) {
acc.push(user);
if (!usernames?.length) {
throw new Error('no reserved users found, unable to set native realm passwords');
}
return acc;
}, []);

return usernames;
});
}

async isSecurityEnabled() {
Expand Down Expand Up @@ -125,10 +123,9 @@ exports.NativeRealm = class NativeRealm {
throw error;
}

this._log.warning(
'assuming [elastic] user not available yet, waiting 1.5 seconds and trying again'
);
await new Promise(resolve => setTimeout(resolve, 1500));
const sec = 1.5 * attempt;
this._log.warning(`assuming ES isn't initialized completely, trying again in ${sec} seconds`);
await new Promise(resolve => setTimeout(resolve, sec * 1000));
return await this._autoRetry(fn, attempt + 1);
}
}
Expand Down
3 changes: 2 additions & 1 deletion test/functional/apps/visualize/_tsvb_chart.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,8 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
const security = getService('security');
const PageObjects = getPageObjects(['visualize', 'visualBuilder', 'timePicker', 'visChart']);

describe('visual builder', function describeIndexTests() {
// FLAKY: https://github.com/elastic/kibana/issues/43150
describe.skip('visual builder', function describeIndexTests() {
this.tags('includeFirefox');
beforeEach(async () => {
await security.testUser.setRoles(['kibana_admin', 'test_logstash_reader']);
Expand Down
3 changes: 1 addition & 2 deletions x-pack/test/functional/apps/dashboard/_async_dashboard.ts
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,7 @@ export default function({ getService, getPageObjects }: FtrProviderContext) {
'timePicker',
]);

// FLAKY: https://github.com/elastic/kibana/issues/65949
describe.skip('sample data dashboard', function describeIndexTests() {
describe('sample data dashboard', function describeIndexTests() {
before(async () => {
await PageObjects.common.sleep(5000);
await PageObjects.common.navigateToUrl('home', '/tutorial_directory/sampleData', {
Expand Down
5 changes: 3 additions & 2 deletions x-pack/test/functional_endpoint/apps/endpoint/policy_list.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@ export default function({ getPageObjects, getService }: FtrProviderContext) {
const testSubjects = getService('testSubjects');
const policyTestResources = getService('policyTestResources');

describe('When on the Endpoint Policy List', function() {
// FLAKY: https://github.com/elastic/kibana/issues/66579
describe.skip('When on the Endpoint Policy List', function() {
this.tags(['ciGroup7']);
before(async () => {
await pageObjects.common.navigateToUrlWithBrowserHistory('endpoint', '/policy');
Expand Down Expand Up @@ -46,7 +47,7 @@ export default function({ getPageObjects, getService }: FtrProviderContext) {
expect(noItemsFoundMessage).to.equal('No items found');
});

describe('and policies exists', () => {
xdescribe('and policies exists', () => {
let policyInfo: PolicyTestResourceInfo;

before(async () => {
Expand Down

0 comments on commit 23f4de7

Please sign in to comment.