Add new optional request option, `with_profile_uid`,
to the Get and Query API Key Information endpoints,
to return the API keys owner users' profile uid.
Closes#98939
Defines new inference_user and inference_admin roles with the
related cluster privileges manage_inference and monitor_inference.
inference_user can list the models and preform inference,
inference_admin can do the same plus create and delete models
When querying or getting API key information, ES returns the key owner's
username and realm (i.e. the realm name that authenticated the username
that last updated the API key).
This PR adds the realm_type to the information on the key's owner.
Adds support for the aggs request body parameter to the Query API Key Information API.
This parameter works identically to the well known eponymous parameter of the _search endpoint,
but the set of allowed aggregation types as well as the field names allowed is restricted.
This adds support for the `match` query type to the Query API key Information API.
Note that since string values associated to API Keys are mapped as `keywords`,
a `match` query with no analyzer parameter is effectively equivalent to a `term` query
for such fields (e.g. `name`, `username`, `realm_name`).
Relates: #101691
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Add permission sets for read and write connector secrets
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Create read_connector_secrets and write_connector_secrets role permissions
This adds support for the simple_query_string query type to the Query API key Information API.
In addition, this also adds support for querying all the API Key metadata fields simultaneously,
rather than requiring each to be specified, such as metadata.x, metadata.y, etc.
Relates: #101691
This adds support for the type parameter to the Query API key API.
The type for an API Key can currently be either rest or cross_cluster.
Relates: #101691
Introduces support for JWTs to the grant API Key API.
Callers can now pass-in a JWT in the request, like:
POST /_security/api_key/grant
{
"grant_type": "access_token",
"access_token" : "some.signed.JWT",
"client_authentication": { // optional
"scheme": "SharedSecret",
"value": "ES-Client-Authentication header value after scheme"
}
}
The JWT will be authenticated by a backing JWT realm and
a new API Key will be returned for the authenticated user.
With this commit we remove the `auto_configure` privilege for the Fleet
service account that targets profiling-related indices. This privilege
was needed to automatically create indices and data streams in the past
but as this managed by the Elasticsearch plugin, there is no need to
grant this privilege to Fleet-managed components.
This change introduces a new privilege monitor_enrich. Users are
required to have this privilege in order to use the enrich functionality
in ESQL. Additionally, it eliminates the need to use the enrich_origin
when executing enrich lookups. The enrich_origin will only be used when
resolving enrich policies to prevent warnings when accessing system
indices directly.
Closes#98482
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`.
**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security
Rel: https://github.com/elastic/platform-docs-team/issues/208
Albert Zaharovits
David Kyle
István Zoltán Szabó
Johannes Fredén
Navarone Feekery
Fabio Busatto
Daniel Mitterdorfer
Nhat Nguyen
James Rodewig