Skip to content

Feature/prevent create api with cloud api key #129966

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 37 commits into
base: main
Choose a base branch
from
Open

Feature/prevent create api with cloud api key #129966

wants to merge 37 commits into from
+22 −0

Conversation

ankit--sethi
Copy link
Contributor

Not supporting this at this time per TDD

n1v0lg and others added 30 commits May 26, 2025 10:21
@n1v0lg
[UIAM] Cloud API key authentication
d5bc9d2
@n1v0lg
Clean up
c673649
@n1v0lg
Nit
3f6b6ff
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
604c630
@n1v0lg
Fix more tests
95c9a38
@n1v0lg
Nit
d45fe0c
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
cd8b9f1
@n1v0lg
Fix sig
3be47f0
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
12908fa
@n1v0lg
Fix not
0b6bdff
@n1v0lg
Nit
c974761
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
113f6a5
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
5b89907
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
7bfb559
@n1v0lg
Authenticator
6966cea
@n1v0lg
More
e3abd81
@n1v0lg
Javadoc
8b0f1d3
@n1v0lg
Javadoc
ca6efe8
@n1v0lg
Fix tests
444b9a1
@n1v0lg
Exception handling
f868daf
@n1v0lg
Javadoc
e4f5b9e
@n1v0lg
Merge branch 'main' into uiam-cloud-api-key-authentication
0686c92
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into uiam-clo…
65aebd2 
…ud-api-key-authentication
@slobodanadamovic
add new transport version
f1965d3
@slobodanadamovic
add todo to followup in ES-11961
30dc57d
@slobodanadamovic
test cloud API key authentication serialization
bd19d18
@slobodanadamovic
Merge branch 'main' of github.com:elastic/elasticsearch into uiam-clo…
4d07cdc 
…ud-api-key-authentication

# Conflicts:
#	server/src/main/java/org/elasticsearch/TransportVersions.java
@ankit--sethi
Merge remote-tracking branch 'upstream/main' into uiam-cloud-api-key-…
fe7ffb8 
…authentication

# Conflicts:
#	server/src/main/java/org/elasticsearch/TransportVersions.java
@ankit--sethi
add a validation
1cc83f8
@ankit--sethi
Merge remote-tracking branch 'upstream/main' into feature/prevent-cre…
43ff5cd 
…ate-api-with-cloud-api-key

# Conflicts:
#	server/src/main/java/org/elasticsearch/TransportVersions.java
#	x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
#	x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label v9.1.0 labels Jun 24, 2025
slobodanadamovic
slobodanadamovic reviewed Jun 25, 2025
View reviewed changes
...rc/main/java/org/elasticsearch/xpack/security/action/apikey/TransportCreateApiKeyAction.java Outdated
if (authentication.isCloudApiKey()) {
listener.onFailure(new IllegalArgumentException("creating elasticsearch api keys using cloud api keys is not supported"));
return;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd suggest to add this check in ApiKeyService#createApiKey method.
Reason is to cover all possible cases, including creating cross-cluster API keys and granting API keys.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, let's add a unit test for this change in ApiKeyServiceTests.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done!

@ankit--sethi ankit--sethi added :Security/Security Security issues without another label labels Jun 25, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jun 25, 2025
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Jun 25, 2025
@ankit--sethi ankit--sethi added >non-issue needs:triage Requires assignment of a team area label and removed Team:Security Meta label for security team needs:triage Requires assignment of a team area label labels Jun 25, 2025
@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jun 25, 2025
slobodanadamovic
slobodanadamovic reviewed Jun 26, 2025
View reviewed changes
...plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
Comment on lines +2568 to +2577
assertEquals(true, future.isDone());
assertThrows(ExecutionException.class, future::get);
try {
future.get();
} catch (ExecutionException ex) {
assertEquals(
"java.lang.IllegalArgumentException: creating elasticsearch api keys using cloud api keys is not supported",
ex.getMessage()
);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

optional: The ESTestCase has the expectThrows method that accepts an ActionFuture and which can make this check a bit simpler:

Suggested change
assertEquals(true, future.isDone());
assertThrows(ExecutionException.class, future::get);
try {
future.get();
} catch (ExecutionException ex) {
assertEquals(
"java.lang.IllegalArgumentException: creating elasticsearch api keys using cloud api keys is not supported",
ex.getMessage()
);
}
final IllegalArgumentException iae = expectThrows(IllegalArgumentException.class, future);
assertThat(iae.getMessage(), equalTo("creating elasticsearch api keys using cloud api keys is not supported"));

slobodanadamovic
slobodanadamovic approved these changes Jun 26, 2025
View reviewed changes
Copy link
Contributor

@slobodanadamovic slobodanadamovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

(left a non blocking suggestion)

slobodanadamovic
slobodanadamovic reviewed Jun 26, 2025
View reviewed changes
...plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java
@@ -2557,6 +2558,25 @@ public void testCreationWillFailIfHashingThreadPoolIsSaturated() {
assertThat(e, is(rejectedExecutionException));
}

@Test
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I just saw this. The @Test annotation is forbidden. You'll have to remove it.

Forbidden annotation use: org.junit.Test [defaultMessage Just name your test method testFooBar]
Suggested change
@Test

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@slobodanadamovic slobodanadamovic slobodanadamovic approved these changes

Assignees
No one assigned
Labels
>non-issue :Security/Security Security issues without another label Team:Security Meta label for security team v9.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ankit--sethi @elasticsearchmachine @slobodanadamovic @n1v0lg