java.lang.Object
org.elasticsearch.xpack.security.authc.ApiKeyService
All Implemented Interfaces:
Closeable, AutoCloseable

public class ApiKeyService extends Object implements Closeable
  • Field Details

    • STORED_HASH_ALGO_SETTING

      public static final Setting<String> STORED_HASH_ALGO_SETTING
    • DELETE_TIMEOUT

      public static final Setting<org.elasticsearch.core.TimeValue> DELETE_TIMEOUT
    • DELETE_INTERVAL

      public static final Setting<org.elasticsearch.core.TimeValue> DELETE_INTERVAL
    • DELETE_RETENTION_PERIOD

      public static final Setting<org.elasticsearch.core.TimeValue> DELETE_RETENTION_PERIOD
    • CACHE_HASH_ALGO_SETTING

      public static final Setting<String> CACHE_HASH_ALGO_SETTING
    • CACHE_TTL_SETTING

      public static final Setting<org.elasticsearch.core.TimeValue> CACHE_TTL_SETTING
    • CACHE_MAX_KEYS_SETTING

      public static final Setting<Integer> CACHE_MAX_KEYS_SETTING
    • DOC_CACHE_TTL_SETTING

      public static final Setting<org.elasticsearch.core.TimeValue> DOC_CACHE_TTL_SETTING
  • Method Details

    • createApiKey

      public void createApiKey(Authentication authentication, AbstractCreateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<CreateApiKeyResponse> listener)
      Asynchronously creates a new API key based on the request and the authentication.
      Parameters:
      authentication - the authentication that this API key should be based on
      request - the request to create the API key, including any permission restrictions
      userRoleDescriptors - the user's actual roles, which are always enforced
      listener - the listener that will be notified on completion
    • updateApiKeys

      public void updateApiKeys(Authentication authentication, BaseBulkUpdateApiKeyRequest request, Set<RoleDescriptor> userRoleDescriptors, ActionListener<BulkUpdateApiKeyResponse> listener)
    • parseRoleDescriptors

      public List<RoleDescriptor> parseRoleDescriptors(String apiKeyId, Map<String,Object> roleDescriptorsMap, RoleReference.ApiKeyRoleType roleType)
    • parseRoleDescriptorsBytes

      public List<RoleDescriptor> parseRoleDescriptorsBytes(String apiKeyId, BytesReference bytesReference, RoleReference.ApiKeyRoleType roleType)
    • withApiKeyPrefix

      public static String withApiKeyPrefix(String encodedApiKey)
    • verifyKeyAgainstHash

      protected void verifyKeyAgainstHash(String apiKeyHash, ApiKeyService.ApiKeyCredentials credentials, ActionListener<Boolean> listener)
    • ensureEnabled

      public void ensureEnabled()
    • crossClusterApiKeyUsageStats

      public void crossClusterApiKeyUsageStats(ActionListener<Map<String,Object>> listener)
    • close

      public void close()
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
    • invalidateApiKeys

      public void invalidateApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean includeCrossClusterApiKeys, ActionListener<InvalidateApiKeyResponse> invalidateListener)
      Invalidates API keys for the given realm names, user name, API key name and ids.
      Parameters:
      realmNames - realm names
      username - username
      apiKeyName - API key name
      apiKeyIds - API key ids
      includeCrossClusterApiKeys - whether to include cross-cluster API keys in the invalidation; if false, any cross-cluster API keys are skipped. Skipped API keys are included in the error details of the response.
      invalidateListener - listener for InvalidateApiKeyResponse
    • filterForRealmNames

      public static QueryBuilder filterForRealmNames(String[] realmNames)
    • getApiKeys

      public void getApiKeys(String[] realmNames, String username, String apiKeyName, String[] apiKeyIds, boolean withLimitedBy, boolean activeOnly, ActionListener<Collection<ApiKey>> listener)
      Gets API key information for the given realm, user, API key name and id combination.
      Parameters:
      realmNames - realm names
      username - user name
      apiKeyName - API key name
      apiKeyIds - API key ids
      withLimitedBy - whether to parse and return the limited by role descriptors
      listener - receives the requested collection of ApiKeys
    • queryApiKeys

      public void queryApiKeys(SearchRequest searchRequest, boolean withLimitedBy, ActionListener<ApiKeyService.QueryApiKeysResult> listener)
    • getCreatorRealmName

      public static String getCreatorRealmName(Authentication authentication)
      Returns the realm name of the owner user of an API key if the effective user is an API key. If the effective user is not an API key, it simply returns the source realm name.
      Parameters:
      authentication - Authentication
      Returns:
      realm name
    • getOwnersRealmNames

      public static String[] getOwnersRealmNames(Authentication authentication)
      Returns the realm names across which the username can access resources.
    • getCreatorRealmType

      public static String getCreatorRealmType(Authentication authentication)
      Returns the realm type of the owner user of an API key if the effective user is an API key. If the effective user is not an API key, it simply returns the source realm type.
      Parameters:
      authentication - Authentication
      Returns:
      realm type
    • getApiKeyMetadata

      public static Map<String,Object> getApiKeyMetadata(Authentication authentication)
      If the authentication is of type api_key, returns the metadata associated with the API key.
      Parameters:
      authentication - Authentication
      Returns:
      A map for the metadata or an empty map if no metadata is found.
    • defaultCreateDocRefreshPolicy

      public static WriteRequest.RefreshPolicy defaultCreateDocRefreshPolicy(Settings settings)
      API key documents are refreshed after creation, so that the API key docs are visible in searches by the time the create-API-key endpoint returns. In stateful deployments the automatic refresh interval is short (hard-coded to 1 sec), so RefreshPolicy#WAIT_UNTIL is an acceptable tradeoff for the superior doc creation throughput compared to RefreshPolicy#IMMEDIATE. In stateless deployments, however, the automatic refresh interval is too long (at least 10 sec), which translates into high create-API-key endpoint latency; in that case RefreshPolicy#IMMEDIATE is used, accepting the lower maximum doc creation throughput.