Updatable API keys - auto-update legacy superuser RDs #88514

Merged
merged 11 commits into from
Jul 14, 2022

@n1v0lg n1v0lg commented Jul 13, 2022

API keys created in 7.x may have legacy superuser user role
descriptors. In 8.x this is handled by translating these to 8.x
superuser role descriptors when they are read. Instead, we can
automatically update them (once) when an API key is first updated. This
PR tweaks our noop detection logic to enable this.

Labeling non-issue since this is an implementation detail of a
not-yet released feature.

@n1v0lg n1v0lg added >enhancement :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC labels Jul 13, 2022
@n1v0lg n1v0lg self-assigned this Jul 13, 2022
@elasticsearchmachine
Collaborator

Hi @n1v0lg, I've created a changelog YAML for you.

@n1v0lg n1v0lg requested a review from ywangd July 13, 2022 16:37
@n1v0lg n1v0lg marked this pull request as ready for review July 13, 2022 16:40
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 13, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

Member

@ywangd ywangd left a comment

LGTM

);
if (false == (newRoleDescriptors.size() == currentRoleDescriptors.size()
&& Set.copyOf(newRoleDescriptors).containsAll(new HashSet<>(currentRoleDescriptors)))) {
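
Review bot: The size() check plus containsAll on Set.copyOf(newRoleDescriptors) in this condition only amounts to set equality when neither list contains duplicates. With currentRoleDescriptors = [a, a] and newRoleDescriptors = [a, b] the sizes match and containsAll succeeds, so the condition does not fire even though the lists differ. Either compare Set.copyOf(...) of both sides with equals, or add a comment stating that both lists are guaranteed duplicate-free. Set.copyOf also throws NullPointerException on a null element, so the lists need to be null-free at this point, and the new HashSet<>(...) wrapper around the containsAll argument can be dropped.
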
Contributor Author

The HashSet bit here is actually redundant: we check that the list sizes are equal and that one collection (as a set) contains the other.

Member

Indeed. My suggestion on the previous PR did not have it.

Contributor Author

My bad!

@n1v0lg
Contributor Author

n1v0lg commented Jul 14, 2022

@elasticmachine run elasticsearch-ci/part-2

@n1v0lg n1v0lg merged commit edf3b6c into elastic:master Jul 14, 2022
@n1v0lg n1v0lg deleted the update-api-keys-legacy-superuser-rds branch July 14, 2022 11:04
weizijun added a commit to weizijun/elasticsearch that referenced this pull request Jul 15, 2022
Labels
>non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team v8.4.0