Grant API key should mandate key name as create API key action #59484

Closed
ywangd opened this issue Jul 14, 2020 · 1 comment · Fixed by #59836
Labels
>bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@ywangd
Member

ywangd commented Jul 14, 2020

The name of an API key is mandatory when creating an API key. It throws a 400 error if the name is missing. However, when using the grant API key action, it is possible to create a key without a name. This is because the name field is nested under the api_key field in the input of the grant API key action, i.e.:

{ 
    "...": "...",
    "api_key": {"name": "key-1"}
}

Although the name field is still mandatory, the parent api_key field is optional. This allows keys to be created without names.

@ywangd ywangd added >bug :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) labels Jul 14, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (:Security/Authentication)

@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 14, 2020
@ywangd ywangd changed the title Grant API key should mandate same information as create API key action Grant API key should mandate key name as create API key action Jul 14, 2020
ywangd added a commit that referenced this issue Jul 14, 2020
API keys can be created without names using grant API key action. This is considered as a bug (#59484). Since the feature has already been released, we need to accommodate existing keys that are created with null names. This PR relaxes the parser logic so that a null name is accepted.
ywangd added a commit to ywangd/elasticsearch that referenced this issue Jul 14, 2020
API keys can be created without names using grant API key action. This is considered as a bug (elastic#59484). Since the feature has already been released, we need to accommodate existing keys that are created with null names. This PR relaxes the parser logic so that a null name is accepted.
albertzaharovits added a commit that referenced this issue Jul 14, 2020
API keys can be created nameless using the grant endpoint (it is a bug, see #59484).
This change ensures auditing doesn't throw when such an API Key is used for authentication.
albertzaharovits added a commit to albertzaharovits/elasticsearch that referenced this issue Jul 14, 2020
API keys can be created nameless using the grant endpoint (it is a bug, see elastic#59484).
This change ensures auditing doesn't throw when such an API Key is used for authentication.
albertzaharovits added a commit that referenced this issue Jul 14, 2020
API keys can be created nameless using the grant endpoint (it is a bug, see #59484).
This change ensures auditing doesn't throw when such an API Key is used for authn.
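
The validation gap described in this issue, and a check for keys that were already created without a name, as an added Python model that is not Elasticsearch code and not part of the original thread. The function names are hypothetical, the sample requests and stored keys are constructed, and the `api_keys` / `id` / `name` response shape is assumed to follow the get API key API.

```python
# Added illustration; not Elasticsearch source code. Function names are hypothetical.

def validate_lenient(body):
    """Models the behaviour reported in the issue: "name" is checked only
    when the optional parent "api_key" object is present."""
    errors = []
    api_key = body.get("api_key")
    if api_key is not None and not api_key.get("name"):
        errors.append("api key name is required")
    return errors


def validate_strict(body):
    """Requires the parent object itself, so the name check cannot be skipped."""
    api_key = body.get("api_key")
    if not isinstance(api_key, dict):
        return ["api_key is required"]
    name = api_key.get("name")
    if not isinstance(name, str) or not name.strip():
        return ["api key name is required"]
    return []


def nameless_key_ids(get_api_key_response):
    """Audit helper: ids of keys already stored with a null or empty name."""
    return [k["id"] for k in get_api_key_response.get("api_keys", [])
            if not k.get("name")]


# Constructed sample inputs (not captured from a real cluster).
REQ_NAMED = {"grant_type": "password", "api_key": {"name": "key-1"}}
REQ_NO_PARENT = {"grant_type": "password"}
REQ_EMPTY_CHILD = {"grant_type": "password", "api_key": {}}
STORED = {"api_keys": [{"id": "id-1", "name": "key-1"},
                       {"id": "id-2", "name": None},
                       {"id": "id-3"}]}

if __name__ == "__main__":
    for req in (REQ_NAMED, REQ_NO_PARENT, REQ_EMPTY_CHILD):
        print(req, validate_lenient(req), validate_strict(req))
    print("nameless:", nameless_key_ids(STORED))
```

Nameless keys matter beyond validation: as the commits above note, parsing and audit code paths had to be changed to tolerate a null name for keys that already exist.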