Skip to content

Feature/prevent create api with cloud api key #129966

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 37 commits into
base: main
Choose a base branch
from
+22 −0
Open

Feature/prevent create api with cloud api key #129966

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
37 commits
Select commit Hold shift + click to select a range
d5bc9d2
[UIAM] Cloud API key authentication
n1v0lg May 26, 2025
c673649
Clean up
n1v0lg May 26, 2025
3f6b6ff
Nit
n1v0lg May 26, 2025
604c630
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 26, 2025
95c9a38
Fix more tests
n1v0lg May 26, 2025
d45fe0c
Nit
n1v0lg May 26, 2025
cd8b9f1
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 26, 2025
3be47f0
Fix sig
n1v0lg May 26, 2025
12908fa
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 27, 2025
0b6bdff
Fix not
n1v0lg May 27, 2025
c974761
Nit
n1v0lg May 27, 2025
113f6a5
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 27, 2025
5b89907
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 27, 2025
7bfb559
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 28, 2025
6966cea
Authenticator
n1v0lg May 28, 2025
e3abd81
More
n1v0lg May 28, 2025
8b0f1d3
Javadoc
n1v0lg May 28, 2025
ca6efe8
Javadoc
n1v0lg May 28, 2025
444b9a1
Fix tests
n1v0lg May 28, 2025
f868daf
Exception handling
n1v0lg May 28, 2025
e4f5b9e
Javadoc
n1v0lg May 28, 2025
0686c92
Merge branch 'main' into uiam-cloud-api-key-authentication
n1v0lg May 28, 2025
65aebd2
Merge branch 'main' of github.com:elastic/elasticsearch into uiam-clo…
slobodanadamovic Jun 3, 2025
f1965d3
add new transport version
slobodanadamovic Jun 3, 2025
30dc57d
add todo to followup in ES-11961
slobodanadamovic Jun 3, 2025
bd19d18
test cloud API key authentication serialization
slobodanadamovic Jun 3, 2025
4d07cdc
Merge branch 'main' of github.com:elastic/elasticsearch into uiam-clo…
slobodanadamovic Jun 6, 2025
fe7ffb8
Merge remote-tracking branch 'upstream/main' into uiam-cloud-api-key-…
ankit--sethi Jun 9, 2025
1cc83f8
add a validation
ankit--sethi Jun 11, 2025
43ff5cd
Merge remote-tracking branch 'upstream/main' into feature/prevent-cre…
ankit--sethi Jun 24, 2025
d18304c
fix merge
ankit--sethi Jun 24, 2025
39b2bb6
fix merge
ankit--sethi Jun 24, 2025
ebd554d
Merge branch 'main' into feature/prevent-create-api-with-cloud-api-key
ankit--sethi Jun 24, 2025
402b118
Merge remote-tracking branch 'upstream/main' into feature/prevent-cre…
ankit--sethi Jun 25, 2025
d84886e
code review feedback + test
ankit--sethi Jun 25, 2025
b2ead37
Merge remote-tracking branch 'origin/feature/prevent-create-api-with-…
ankit--sethi Jun 25, 2025
6ff2231
Merge branch 'main' into feature/prevent-create-api-with-cloud-api-key
ankit--sethi Jun 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ...k/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -368,6 +368,8 @@ public void createApiKey(
ensureEnabled();
if (authentication == null) {
listener.onFailure(new IllegalArgumentException("authentication must be provided"));
} else if (authentication.isCloudApiKey()) {
listener.onFailure(new IllegalArgumentException("creating elasticsearch api keys using cloud api keys is not supported"));
} else {
final TransportVersion transportVersion = getMinTransportVersion();
if (validateRoleDescriptorsForMixedCluster(listener, request.getRoleDescriptors(), transportVersion) == false) {
Expand Down
20 changes: 20 additions & 0 deletions ...gin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,7 @@
import org.elasticsearch.xpack.security.test.SecurityMocks;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatcher;
import org.mockito.Mockito;

Expand Down Expand Up @@ -2557,6 +2558,25 @@ public void testCreationWillFailIfHashingThreadPoolIsSaturated() {
assertThat(e, is(rejectedExecutionException));
}

@Test
public void testCreationFailsIfAuthenticationIsCloudApiKey() throws InterruptedException {
final Authentication authentication = AuthenticationTestHelper.randomCloudApiKeyAuthentication();
final CreateApiKeyRequest createApiKeyRequest = new CreateApiKeyRequest(randomAlphaOfLengthBetween(3, 8), null, null);
ApiKeyService service = createApiKeyService(Settings.EMPTY);
final PlainActionFuture<CreateApiKeyResponse> future = new PlainActionFuture<>();
service.createApiKey(authentication, createApiKeyRequest, Set.of(), future);
assertEquals(true, future.isDone());
assertThrows(ExecutionException.class, future::get);
try {
future.get();
} catch (ExecutionException ex) {
assertEquals(
"java.lang.IllegalArgumentException: creating elasticsearch api keys using cloud api keys is not supported",
ex.getMessage()
);
}
}

public void testCachedApiKeyValidationWillNotBeBlockedByUnCachedApiKey() throws IOException, ExecutionException, InterruptedException {
final String apiKeyId1 = randomAlphaOfLength(12);
final String apiKey1 = randomAlphaOfLength(16);
Expand Down