[Security/APIKey Service] Internal API endpoint do determine if user has API keys #172884
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 tasks
tsullivan
force-pushed
the
security/api-keys-service-has-api-keys
branch
3 times, most recently
from
ad2335c to
12f4747
Compare
tsullivan
force-pushed
the
security/api-keys-service-has-api-keys
branch
from
cb840c9 to
d6ebe83
Compare
tsullivan
force-pushed
the
security/api-keys-service-has-api-keys
branch
from
d6ebe83 to
89a92fd
Compare
tsullivan
changed the title
tsullivan
added
the
release_note:skip
tsullivan
commented
Dec 14, 2023
|
|
||
| const apiResponse = await esClient.asCurrentUser.security.getApiKey({ | ||
| owner: true, | ||
| }); |
There was a problem hiding this comment.
I'm not sure the owner field needs any conditions, but perhaps I'm not aware.
There was a problem hiding this comment.
Hmm, I'm not aware of any conditions either.
tsullivan
commented
Dec 14, 2023
|
ACK: will review today |
azasypkin
reviewed
Dec 18, 2023
|
|
||
| const apiResponse = await esClient.asCurrentUser.security.getApiKey({ | ||
| owner: true, | ||
| }); |
There was a problem hiding this comment.
Hmm, I'm not aware of any conditions either.
| owner: true, | ||
| }); | ||
|
|
||
| const validKeys = apiResponse.api_keys.filter(({ invalidated }) => !invalidated); |
There was a problem hiding this comment.
question: you filter out invalidated keys, but not expired ones - is it intentional? If not, can we use active_only request parameter to avoid this additional filtering?
There was a problem hiding this comment.
@azasypkin I see your point, but I don't see the active_only parameter supported in the SecurityGetApiKeyRequest typings.
There was a problem hiding this comment.
Hmm, it should be available since 8.10.0 - elastic/elasticsearch#98259 - let me figure this out. In the worst case I'd prefer to do something like this to filter keys on ES side instead:
const apiResponse = await esClient.asCurrentUser.security.getApiKey({
owner: true,
// @ts-expect-error @elastic/elasticsearch SecurityGetApiKeyRequest.active_only: boolean | undefined
active_only: true,
});
return response.ok<HasAPIKeysResult>({
body: {
hasApiKeys: apiResponse.api_keys.length > 0,
},
});There was a problem hiding this comment.
Okay, we'll get this definition in the client soon (elastic/elasticsearch#103621), let's move forward with active_only and @ts-expect-error (if needed) for now (Client will include the parameter regardless wrong type definition).
x-pack/test_serverless/api_integration/test_suites/common/platform_security/api_keys.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Aleh Zasypkin <[email protected]>
…sullivan/kibana into security/api-keys-service-has-api-keys
|
ACK: will review today |
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
azasypkin
reviewed
Dec 20, 2023
| owner: true, | ||
| }); | ||
|
|
||
| const validKeys = apiResponse.api_keys.filter(({ invalidated }) => !invalidated); |
There was a problem hiding this comment.
Okay, we'll get this definition in the client soon (elastic/elasticsearch#103621), let's move forward with active_only and @ts-expect-error (if needed) for now (Client will include the parameter regardless wrong type definition).
x-pack/test/security_api_integration/tests/api_keys/has_active_key.ts
Outdated
Show resolved
Hide resolved
azasypkin
reviewed
Dec 20, 2023
Comment on lines
59
to
61
| } catch (error) { | ||
| return response.customError(wrapIntoCustomErrorResponse(error)); | ||
| } |
There was a problem hiding this comment.
nit: just realized, we don't really need a try/catch here, let's let Core to handle and log this error properly (without exposing too much raw error details).
There was a problem hiding this comment.
This feedback makes sense. After removing the try/catch I also had to delete a unit test, should forward error from Elasticsearch GET API keys endpoint
Co-authored-by: Aleh Zasypkin <[email protected]>
…_key.ts Co-authored-by: Aleh Zasypkin <[email protected]>
…sullivan/kibana into security/api-keys-service-has-api-keys
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
To update your PR or re-run it, just comment with: |
kibanamachine
added
v8.13.0
backport:skip
tsullivan
added a commit
that referenced
this pull request
Jan 6, 2024
## Summary This PR offers customizations to the "Getting Started" experience for users of Serverless Elasticsearch projects. The changes involve checking Elasticsearch if the currently-logged-in user has created API Keys, and to use that information to customize the getting started messaging (destination of the call-to-action of the "no data" prompt) in the UI. ### Screenshots | | Before | After | |-|-|-| | Data Views Mgmt | <img width="1646" alt="before - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/b5c28dda-9ff8-40de-af89-71587bdbbe54"> | <img width="1646" alt="after - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/13aae073-9fef-407a-bdb1-e09d6ea1d168"> | | Analytics | <img width="1646" alt="before - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/ac0e70e5-9a73-4de3-8182-51350099ae87"> | <img width="1646" alt="after - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/6f9231e0-d2fb-480b-a5a2-79cc9f853a9b"> | Elasticsearch documentation on API Key listing: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html Depends on: #172884 Closes: elastic/search-team#5974 Closes: elastic/search-team#5975 ### Other changes * Created a React hook to send and track a request to the Kibana server to ask whether the user has access to API Keys * Added unit test for this * See discussion, this hook may be [re-organized eventually](#172225 (comment)) * Enable lazy loading for the "Analytics No Data" page within analytics apps. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
delanni
pushed a commit
to delanni/kibana
that referenced
this pull request
Jan 11, 2024
## Summary This PR offers customizations to the "Getting Started" experience for users of Serverless Elasticsearch projects. The changes involve checking Elasticsearch if the currently-logged-in user has created API Keys, and to use that information to customize the getting started messaging (destination of the call-to-action of the "no data" prompt) in the UI. ### Screenshots | | Before | After | |-|-|-| | Data Views Mgmt | <img width="1646" alt="before - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/b5c28dda-9ff8-40de-af89-71587bdbbe54"> | <img width="1646" alt="after - serverless es data views mgmt empty state" src="https://github.com/elastic/kibana/assets/908371/13aae073-9fef-407a-bdb1-e09d6ea1d168"> | | Analytics | <img width="1646" alt="before - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/ac0e70e5-9a73-4de3-8182-51350099ae87"> | <img width="1646" alt="after - serverless es discover empty state" src="https://github.com/elastic/kibana/assets/908371/6f9231e0-d2fb-480b-a5a2-79cc9f853a9b"> | Elasticsearch documentation on API Key listing: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html Depends on: elastic#172884 Closes: elastic/search-team#5974 Closes: elastic/search-team#5975 ### Other changes * Created a React hook to send and track a request to the Kibana server to ask whether the user has access to API Keys * Added unit test for this * See discussion, this hook may be [re-organized eventually](elastic#172225 (comment)) * Enable lazy loading for the "Analytics No Data" page within analytics apps. ### Checklist - [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios --------- Co-authored-by: kibanamachine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR enhances the Security server plugin APIKey service with a new method to determine if the user has API keys. The service is integrated into the "No Data Page" server plugin as a new HTTP route. This route is called when needed to direct users effectively through their getting started experience.
Pulled from #172225
Context
Checklist
Delete any items that are not applicable to this PR.