Enhance API Key Querying #103192
Enhance API Key Querying #103192
Conversation
|
Hi @albertzaharovits, I've created a changelog YAML for you. |
| ApiKeyAggregationsBuilder.verifyRequested(aggsBuilder, filteringAuthentication); | ||
| searchSourceBuilder.aggregationsBuilder(aggsBuilder); |
There was a problem hiding this comment.
The above verifies & modifies the requested aggregation to:
- prohib scripts that can directly access the API Key docs
- rewrite the field names (because the query & agg use different field names from the document ones, in order to reflect the terminology that we use in the returned API Keys)
- rewrite queries to scope them to API Key docs only (and sometimes to the keys owned by the calling user only)
| @@ -209,7 +208,6 @@ protected ValuesSourceAggregationBuilder( | |||
| this.format = clone.format; | |||
| this.missing = clone.missing; | |||
| this.timeZone = clone.timeZone; | |||
| this.config = clone.config; | |||
There was a problem hiding this comment.
Removed this unused bit, as it looked like one way to change the value source for the agg, and the point of this PR is to restrict that for API Keys aggs.
| @@ -61,7 +61,7 @@ public abstract class FiltersAggregator extends BucketsAggregator { | |||
|
|
|||
| public static class KeyedFilter implements Writeable, ToXContentFragment { | |||
| private final String key; | |||
| private final QueryBuilder filter; | |||
There was a problem hiding this comment.
Unfortunately, I had to make the filter here mutable, because the query for API Key aggs has to be modified to go only over API Key docs, and also optionally of a single user.
| @@ -41,7 +41,7 @@ | |||
| public class FilterAggregationBuilder extends AbstractAggregationBuilder<FilterAggregationBuilder> { | |||
| public static final String NAME = "filter"; | |||
|
|
|||
| private final QueryBuilder filter; | |||
There was a problem hiding this comment.
| public static final String API_KEY_TYPE_RUNTIME_MAPPING_FIELD = "runtime_key_type"; | ||
| private static final Map<String, Object> API_KEY_TYPE_RUNTIME_MAPPING = Map.of( | ||
| API_KEY_TYPE_RUNTIME_MAPPING_FIELD, | ||
| Map.of("type", "keyword", "script", Map.of("source", "emit(doc['type'].value ?: \"rest\");")) | ||
| ); |
There was a problem hiding this comment.
Keys created before 8.9 (#95714) don't have a type field and they effectively work as "rest" types do post 8.9.
Adds support for the following to the Query API Key API:
typeas an allowed field to be queried (whose value can be set to eitherrestorcross_cluster)Closes: #101691