Module org.elasticsearch.security
Class ApiKeyService
java.lang.Object
  org.elasticsearch.xpack.security.authc.ApiKeyService
All Implemented Interfaces:
- Closeable, AutoCloseable
Nested Class Summary
Nested Classes (Modifier and Type; Class; Description):
- static final class
- static final class
- static final class: A cached version of the ApiKeyService.ApiKeyDoc.
- static final record
Field Summary
Fields (Modifier and Type; Field; Description):
- static final Setting<org.elasticsearch.core.TimeValue>
- static final Setting<org.elasticsearch.core.TimeValue>
- static final Setting<org.elasticsearch.core.TimeValue>
- static final Setting<org.elasticsearch.core.TimeValue>
- static final Setting<org.elasticsearch.core.TimeValue>
Constructor Summary
Constructors (Constructor; Description):
- ApiKeyService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndex, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry, ThreadPool threadPool, MeterRegistry meterRegistry)
Method Summary
Methods (Modifier and Type; Method; Description):
- void close()
- void createApiKey(Authentication authentication, AbstractCreateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<CreateApiKeyResponse> listener): Asynchronously creates a new API key based on the request and authentication.
- void crossClusterApiKeyUsageStats(ActionListener<Map<String, Object>> listener)
- static WriteRequest.RefreshPolicy defaultCreateDocRefreshPolicy(Settings settings): API key documents are refreshed after creation, such that the API key docs are visible in searches after the create-API-key endpoint returns.
- void ensureEnabled()
- static QueryBuilder filterForRealmNames(String[] realmNames)
- getApiKeyMetadata(Authentication authentication): If the authentication has type api_key, returns the metadata associated with the API key.
- void getApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean withLimitedBy, boolean activeOnly, ActionListener<Collection<ApiKey>> listener): Get API key information for the given realm, user, API key name and id combination.
- static String getCreatorRealmName(Authentication authentication): Returns the realm name of the owner user of an API key if the effective user is an API key.
- static String getCreatorRealmType(Authentication authentication): Returns the realm type of the owner user of an API key if the effective user is an API key.
- static String[] getOwnersRealmNames(Authentication authentication): Returns the realm names across which the username can access resources.
- void invalidateApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean includeCrossClusterApiKeys, ActionListener<InvalidateApiKeyResponse> invalidateListener): Invalidate API keys for the given realm, user name, API key name and id.
- List<RoleDescriptor> parseRoleDescriptors(String apiKeyId, Map<String, Object> roleDescriptorsMap, RoleReference.ApiKeyRoleType roleType)
- List<RoleDescriptor> parseRoleDescriptorsBytes(String apiKeyId, BytesReference bytesReference, RoleReference.ApiKeyRoleType roleType)
- void queryApiKeys(SearchRequest searchRequest, boolean withLimitedBy, ActionListener<ApiKeyService.QueryApiKeysResult> listener)
- void updateApiKeys(Authentication authentication, BaseBulkUpdateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<BulkUpdateApiKeyResponse> listener)
- protected void verifyKeyAgainstHash(String apiKeyHash, ApiKeyService.ApiKeyCredentials credentials, ActionListener<Boolean> listener)
- static String withApiKeyPrefix(String encodedApiKey)
Field Details
- STORED_HASH_ALGO_SETTING
- DELETE_TIMEOUT
- DELETE_INTERVAL
- DELETE_RETENTION_PERIOD
- CACHE_HASH_ALGO_SETTING
- CACHE_TTL_SETTING
- CACHE_MAX_KEYS_SETTING
- DOC_CACHE_TTL_SETTING
Constructor Details
- ApiKeyService
  public ApiKeyService(Settings settings, Clock clock, Client client, SecurityIndexManager securityIndex, ClusterService clusterService, CacheInvalidatorRegistry cacheInvalidatorRegistry, ThreadPool threadPool, MeterRegistry meterRegistry)
Method Details
- createApiKey
  public void createApiKey(Authentication authentication, AbstractCreateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<CreateApiKeyResponse> listener)
  Asynchronously creates a new API key based on the request and authentication.
  Parameters:
  - authentication: the authentication that this API key should be based on
  - request: the request to create the API key, including any permission restrictions
  - userRoleDescriptors: the user's actual roles, which are always enforced
  - listener: the listener that will be used to notify of completion
- updateApiKeys
  public void updateApiKeys(Authentication authentication, BaseBulkUpdateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<BulkUpdateApiKeyResponse> listener)
- parseRoleDescriptors
  public List<RoleDescriptor> parseRoleDescriptors(String apiKeyId, Map<String, Object> roleDescriptorsMap, RoleReference.ApiKeyRoleType roleType)
- parseRoleDescriptorsBytes
  public List<RoleDescriptor> parseRoleDescriptorsBytes(String apiKeyId, BytesReference bytesReference, RoleReference.ApiKeyRoleType roleType)
- withApiKeyPrefix
  public static String withApiKeyPrefix(String encodedApiKey)
- verifyKeyAgainstHash
  protected void verifyKeyAgainstHash(String apiKeyHash, ApiKeyService.ApiKeyCredentials credentials, ActionListener<Boolean> listener)
- ensureEnabled
  public void ensureEnabled()
- crossClusterApiKeyUsageStats
  public void crossClusterApiKeyUsageStats(ActionListener<Map<String, Object>> listener)
- close
  public void close()
  Specified by:
  - close in interface AutoCloseable
  - close in interface Closeable
- invalidateApiKeys
  public void invalidateApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean includeCrossClusterApiKeys, ActionListener<InvalidateApiKeyResponse> invalidateListener)
  Invalidate API keys for the given realm, user name, API key name and id.
  Parameters:
  - realmNames: realm names
  - username: username
  - apiKeyName: API key name
  - apiKeyIds: API key ids
  - includeCrossClusterApiKeys: whether to include cross-cluster API keys in the invalidation; if false, any cross-cluster API keys will be skipped. Skipped API keys will be included in the error details of the response.
  - invalidateListener: listener for InvalidateApiKeyResponse
- filterForRealmNames
  public static QueryBuilder filterForRealmNames(String[] realmNames)
- getApiKeys
  public void getApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean withLimitedBy, boolean activeOnly, ActionListener<Collection<ApiKey>> listener)
  Get API key information for the given realm, user, API key name and id combination.
  Parameters:
  - realmNames: realm names
  - username: user name
  - apiKeyName: API key name
  - apiKeyIds: API key ids
  - withLimitedBy: whether to parse and return the limited-by role descriptors
  - listener: receives the requested collection of ApiKeys
- queryApiKeys
  public void queryApiKeys(SearchRequest searchRequest, boolean withLimitedBy, ActionListener<ApiKeyService.QueryApiKeysResult> listener)
- getCreatorRealmName
  public static String getCreatorRealmName(Authentication authentication)
  Returns the realm name of the owner user of an API key if the effective user is an API key. If the effective user is not an API key, it just returns the source realm name.
  Parameters:
  - authentication: Authentication
  Returns:
  - realm name
- getOwnersRealmNames
  public static String[] getOwnersRealmNames(Authentication authentication)
  Returns the realm names across which the username can access resources.
- getCreatorRealmType
  public static String getCreatorRealmType(Authentication authentication)
  Returns the realm type of the owner user of an API key if the effective user is an API key. If the effective user is not an API key, it just returns the source realm type.
  Parameters:
  - authentication: Authentication
  Returns:
  - realm type
- getApiKeyMetadata
  If the authentication has type api_key, returns the metadata associated with the API key.
  Parameters:
  - authentication: Authentication
  Returns:
  - A map of the metadata, or an empty map if no metadata is found.
- defaultCreateDocRefreshPolicy
  public static WriteRequest.RefreshPolicy defaultCreateDocRefreshPolicy(Settings settings)
  API key documents are refreshed after creation so that they are visible in searches by the time the create-API-key endpoint returns. In stateful deployments the automatic refresh interval is short (hard-coded to 1 sec), so RefreshPolicy#WAIT_UNTIL is an acceptable tradeoff: it gives superior doc creation throughput compared to RefreshPolicy#IMMEDIATE. In stateless deployments the automatic refresh interval is too long (at least 10 sec), which would translate into long create-API-key endpoint latency, so in that case we opt for RefreshPolicy#IMMEDIATE and accept the lower maximum doc creation throughput.