Skip to content

[UIAM] Cloud API key authentication #128440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 22 commits into
base: main
Choose a base branch
from
Draft

[UIAM] Cloud API key authentication #128440

wants to merge 22 commits into from
+260 −31

Conversation

n1v0lg
Copy link
Contributor

@n1v0lg n1v0lg commented May 26, 2025
edited
Loading

This PR adds a new cloud API key subject type and authenticator, and an extension point for internal plugins to inject custom implementations for cloud API key authentication.

Resolves: ES-11882

@n1v0lg n1v0lg self-assigned this May 26, 2025
@n1v0lg n1v0lg added >non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels May 26, 2025
@elasticsearchmachine elasticsearchmachine added serverless-linked Added by automation, don't add manually v9.1.0 labels May 26, 2025
tvernum
tvernum reviewed May 28, 2025
View reviewed changes
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/SecurityExtension.java
@@ -128,6 +129,10 @@ default ServiceAccountTokenStore getServiceAccountTokenStore(SecurityComponents
return null;
}

default CloudApiKeyService getCloudApiKeyService(SecurityComponents components) {
return null;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really don't love this. Is there a reason you specifically want a pluggable CloudApiKeyService rather than just additional authenticators?

That is, I would have opted to have a more generic extension point and push most of the CloudApiKey code into the extension itself rather than in core security.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That was my original idea too. It would require moving quite a lot of classes around though since Authenticator is not accessible from SecurityExtension:

  • SecurityExtension is in org.elasticsearch.xpack.core.security which does not have access to Authenticator
  • Authenticator is in org.elasticsearch.xpack.security.authc which depends on org.elasticsearch.xpack.core.security

Moving it would require quite a few classes getting pulled up -- it feels like something we can follow up on in a bigger refactor subsequently but let me know if it's too big a blocker for you.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing we could consider is injecting a cloud API key authenticator like class into ApiKeyAuthenticator

cc @slobodanadamovic

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pushed a commit that uses a CustomApiKeyAuthenticator extension point -- as discussed on Slack.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum left review comments

@slobodanadamovic slobodanadamovic Awaiting requested review from slobodanadamovic

At least 1 approving review is required to merge this pull request.

Assignees

@n1v0lg n1v0lg

Labels
>non-issue :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) serverless-linked Added by automation, don't add manually v9.1.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@n1v0lg @tvernum @elasticsearchmachine