Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add validation for API key role descriptors #82049

Merged
merged 1 commit into from
Jan 10, 2022
Merged

Add validation for API key role descriptors #82049

merged 1 commit into from
Jan 10, 2022

Conversation

ywangd
Copy link
Member

@ywangd ywangd commented Dec 23, 2021

Put Role API prevents creation of invalidate role descriptors by
validating that the given cluster privileges and index previleges can be
resolved. However, the same validation is not performed when creating
API keys. As a result, users are able to create invalidate API keys
which then fail at use time. The experience is not user friendly and
inconsistent. This PR fixes it by adding the same validation logic for
API key creation.

Resolves: #67311

@ywangd
Add validation for API key role descriptors
8e1dc66 
Put Role API prevents creation of invalidate role descriptors by
validating that the given cluster privileges and index previleges can be
resolved. However, the same validation is not performed when creating
API keys. As a result, users are able to create invalidate API keys
which then fail at use time. The experience is not user friendly and
inconsistent. This PR fixes it by adding the same validation logic for
API key creation.

Resolves: elastic#67311
@ywangd ywangd added >bug :Security/Security Security issues without another label v8.1.0 labels Dec 23, 2021
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Dec 23, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

albertzaharovits
albertzaharovits approved these changes Jan 5, 2022
View reviewed changes
Copy link
Contributor

@albertzaharovits albertzaharovits left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM
Thanks for tackling this long standing bug!

@ywangd ywangd merged commit 5822aa2 into elastic:master Jan 10, 2022
@ywangd ywangd mentioned this pull request Jan 12, 2022
Merged
This was referenced Jan 12, 2022
Closed
Merged
@nchaulet nchaulet mentioned this pull request Feb 11, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@albertzaharovits albertzaharovits albertzaharovits approved these changes

Assignees
No one assigned
Labels
>bug :Security/Security Security issues without another label Team:Security Meta label for security team v8.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

API keys should throw an error, if unknown privilege gets added
3 participants
@ywangd @elasticmachine @albertzaharovits