38 Commits

Author SHA1 Message Date
George Wallace b6e9860919
Update role-mapping-resources.asciidoc (#110441)
made it clear that some characters need to be escaped properly

Co-authored-by: Jan Doberstein <jan.doberstein@elastic.co>
2024-07-03 13:00:52 -06:00
Johannes Fredén 89cd966b24
Add bulk delete roles API (#110383)
* Add bulk delete roles API
2024-07-03 11:04:53 +02:00
Johannes Fredén 55476041d9
Add BulkPutRoles API (#109339)
* Add BulkPutRoles API
2024-07-02 15:45:39 +02:00
Jedr Blaszyk 3b827f6a8c
Create `manage_connector` privilege (#110128)
* Create manage_search_connector privilege

* `manage_search_connector` -> `manage_connector` and exclude connector secrets patterns from this privilege

* Add `monitor_connector` privilege

* Update Kibana system privilege to monitor_connector for telemetry

* Rename privilege to 'manage_connector_state'

Since privilege names are often namespaced and used with globs, we want to ensure that if there's a future privilege like `manage_connector_secrets`, that it is not implicitly included in this new privilege's <name>*. By extending the privilege name to include "_state", we better namespace this distinct from any "_secrets" namespace.

* Revert "Rename privilege to 'manage_connector_state'"

This reverts commit 70b89eee76.
After further discussion with the security team, this name change is not needed after all
since the secret management privileges aren't currently prefixed with "manage_"

---------

Co-authored-by: Sean Story <sean.j.story@gmail.com>
2024-07-01 12:41:28 -05:00
Nikolaj Volgushev 78c812f845
Fix security index settings docs (#110126)
Docs tweak with a typo fix and a clarification on how the two available
settings interact (essentially
https://github.com/elastic/elasticsearch/issues/27871). I'm also open to
including this info in the more generic settings API but feels like a
simple enough callout to add to the security API.
2024-07-01 18:07:15 +10:00
Albert Zaharovits 0e4888bdec
Refactor field name translator of query endpoints for security entities (#109559)
This is a refactoring of the internal logic that's used to translate
query-level into index-level field names for query APIs for
security entities (i.e. users, API Keys, and soon, roles).
The objective here is to have and reuse a single class to handle
all the translations for different security query APIs.
2024-06-13 14:12:19 +03:00
Jake Landis 7504fed0b3
remote_cluster role documentation and expose to built in privs API (#108840)
This commit introduces the documentation for remote_clusters which is used to help
express the monitor_enrich privilege needed to use the ENRICH keyword across clusters
when using the API key based CCS security model.

This commit also adds "remote_clusters" to the built in privs API for easier consumption
in Kibana.
2024-05-28 13:51:21 -05:00
Jake Landis ff92296217
[docs] Prevent DLS/FLS if replication is assigned (#108839)
This commit adds documentation for the DLS/FLS restriction for RCS 2.0 API keys
where both access and replication are defined and access has DLS/FLS.
This commit also fixes a few misleading variable names.
related: #108600
2024-05-22 12:05:34 -05:00
Slobodan Adamović 77ce60530c
[docs] Document new role description field (#108422)
This commit updates Role API docs to include new description field 
(introduced in #107088) and adds descriptions for all built-in roles.
2024-05-14 10:16:55 +02:00
Nikolaj Volgushev 31afff92f8
Invalidate cross cluster API key docs (#108297)
This PR documents privilege requirements for cross-cluster API key
invalidation, which were updated in
https://github.com/elastic/elasticsearch/pull/107411.
2024-05-06 10:02:14 -04:00
florent-leborgne 0c500e5264
Remove Beta label for RCS2.0 from 8.14 (#108030)
2024-05-02 15:43:21 +02:00
Liam Thompson 33a71e3289
[DOCS] Refactor book-scoped variables in `docs/reference/index.asciidoc` (#107413)
* Remove `es-test-dir` book-scoped variable

* Remove `plugins-examples-dir` book-scoped variable

* Remove `:dependencies-dir:` and `:xes-repo-dir:` book-scoped variables

- In `index.asciidoc`, two variables (`:dependencies-dir:` and `:xes-repo-dir:`) were removed.
- In `sql/index.asciidoc`, the `:sql-tests:` path was updated to fuller path
- In `esql/index.asciidoc`, the `:esql-tests:` path was updated idem

* Replace `es-repo-dir` with `es-ref-dir`

* Move `:include-xpack: true` to few files that use it, remove from index.asciidoc
2024-04-17 14:37:07 +02:00
Albert Zaharovits 36bcb6b398
Query API Keys support for both `aggs` and `aggregations` keywords (#107054)
The Query API Key Information endpoint supports aggs since #104895.
But some lang clients actually use the `aggregations` keyword in requests,
as the preferred synonym to `aggs`.
This PR adds support for the `aggregations` request keyword as a synonym
for the existing `aggs` term.

Closes #106839
2024-04-03 18:33:14 +03:00
Albert Zaharovits b4938e1645
Query API Key Information API support for the `typed_keys` request parameter (#106873)
The typed_keys request parameter is the canonical parameter,
that's also used in the regular index _search endpoint, in order to
return the types of aggregations in the response.
This is required by typed language clients of the _security/_query/api_key
endpoint that are using aggregations.

Closes #106817
2024-03-29 09:24:52 +02:00
Mary Gouseti 2122da31cd
[DSL] Introduce data stream global retention - Part 3 (#105682)
In this PR we introduce the API that will expose the global retention configuration and will allow users to take advantage of it.

These APIs are protected by the dedicated introduced privileges:

`manage_data_stream_global_retention` or higher, which allows all operations on the global retention configuration
`monitor_data_stream_retention` or higher, which allows the retrieval of the global retention configuration.

This PR is the final PR that makes the global retention available for our users.
2024-03-28 10:40:33 +02:00
Albert Zaharovits 3e0a0f6291
Get and Query API Key with profile uid (#106531)
Add new optional request option, `with_profile_uid`,
to the Get and Query API Key Information endpoints,
to return the API keys owner users' profile uid.

Closes #98939
2024-03-28 10:26:22 +02:00
David Kyle 2087b65523
[ML] Create inference_user and inference_admin roles (#106371)
Defines new inference_user and inference_admin roles with the 
related cluster privileges manage_inference and monitor_inference.
inference_user can list the models and perform inference,
inference_admin can do the same plus create and delete models
2024-03-20 11:15:21 +00:00
István Zoltán Szabó 2d4a49af53
[DOCS] Fixes get settings and update settings security API docs (#105686)
* [DOCS] Fixes get settings and update settings security API docs.

* [DOCS] Further edits.
2024-02-21 15:06:32 +01:00
Albert Zaharovits 065158e222
Expose owner realm_type in the returned API key information (#105629)
When querying or getting API key information, ES returns the key owner's
username and realm (i.e. the realm name that authenticated the username
that last updated the API key).
This PR adds the realm_type to the information on the key's owner.
2024-02-20 20:55:27 +02:00
Albert Zaharovits 6fec837e32
[Doc] API Key deletion settings (#105392)
This documents API Key delete settings.
2024-02-18 17:38:56 +02:00
Albert Zaharovits b2e626e7df
Support Profile Activate with JWTs with client authn (#105439)
Adds support for JWTs with client authentication
to the activate user profile API.

Closes #105342
2024-02-18 17:37:28 +02:00
Albert Zaharovits 9ee76c6b26
Aggs support for Query API Key Information API (#104895)
Adds support for the aggs request body parameter to the Query API Key Information API.
This parameter works identically to the well known eponymous parameter of the _search endpoint,
but the set of allowed aggregation types as well as the field names allowed is restricted.
2024-02-12 14:22:34 +02:00
Johannes Fredén 334aa1bc8d
Add support for fetching user profileId in Query Users (#104923)
Add support for fetching user profileId in Query Users
2024-02-07 08:49:39 +01:00
Albert Zaharovits 111a69d15f
Support `match` for the Query API Key API (#104594)
This adds support for the `match` query type to the Query API key Information API.
Note that since string values associated to API Keys are mapped as `keywords`,
a `match` query with no analyzer parameter is effectively equivalent to a `term` query
for such fields (e.g. `name`, `username`, `realm_name`).

Relates: #101691
2024-01-30 19:09:08 +02:00
István Zoltán Szabó 79d6c3e70d
[DOCS] Adds get setting and update settings asciidoc files to security API index (#104916)
* [DOCS] Adds get setting and update settings asciidoc files to security API index.

* [DOCS] Fixes references in docs.
2024-01-30 15:39:34 +01:00
Johannes Fredén 666774a865
Add documentation for Query User API (#104255)
* Add documentation for Query User API

Co-authored-by: Nikolaj Volgushev <n1v0lg@users.noreply.github.com>
2024-01-30 11:27:24 +01:00
Navarone Feekery bed59ba84f
[Enterprise Search] Add .connector-secrets system index (#104766)
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Add permission sets for read and write connector secrets
2024-01-26 11:20:32 +01:00
Navarone Feekery 05ea8c7a0f
Revert "[Enterprise Search] Add `.connector-secrets` system index and GET/POST requests (#103683)" (#104760)
This reverts commit b4345d9d91.
2024-01-25 14:33:33 +01:00
Navarone Feekery b4345d9d91
[Enterprise Search] Add `.connector-secrets` system index and GET/POST requests (#103683)
- Introduce new internal system index called .connector-secrets
- Add GET and POST requests for connector secrets
- Create read_connector_secrets and write_connector_secrets role permissions
2024-01-25 13:56:07 +01:00
Albert Zaharovits aeb2b77c3c
Add support for the `simple_query_string` to the Query API Key API (#104132)
This adds support for the simple_query_string query type to the Query API key Information API.
In addition, this also adds support for querying all the API Key metadata fields simultaneously,
rather than requiring each to be specified, such as metadata.x, metadata.y, etc.

Relates: #101691
2024-01-19 14:51:12 +02:00
Albert Zaharovits f4aaa20f28
Add support for the `type` parameter to the Query API Key API (#103695)
This adds support for the type parameter to the Query API key API.
The type for an API Key can currently be either rest or cross_cluster.

Relates: #101691
2024-01-11 10:53:50 +02:00
Johannes Fredén f6a305afd7
Add expiration time to update api key api (#103453)
* Add expiration time to update api key api
2024-01-04 10:31:42 +01:00
Johannes Fredén 6aad7f4e9f
Add support for invalidation timestamp in QueryApiKey (#102590)
This is a follow up PR from
https://github.com/elastic/elasticsearch/pull/102472. This adds the
ability to use `invalidation` timestamp as a valid [query
value](https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-query-api-key.html#security-api-query-api-key-request-body)
in the QueryApiKey API.
2023-11-27 04:10:51 -05:00
Fabio Busatto 9f1875ee2c
[DOCS] Fix docs for user profiles (#102452)
* [DOCS] Fix docs for user profiles
2023-11-23 10:38:17 +01:00
Albert Zaharovits bd10775b02
Grant API Key API with JWTs (#101904)
Introduces support for JWTs to the grant API Key API.
Callers can now pass in a JWT in the request, like:
POST /_security/api_key/grant
{
  "grant_type": "access_token",
  "access_token" : "some.signed.JWT",
  "client_authentication": { // optional
    "scheme": "SharedSecret",
    "value": "ES-Client-Authentication header value after scheme"
  }
}
The JWT will be authenticated by a backing JWT realm and
a new API Key will be returned for the authenticated user.
2023-11-21 14:11:08 +02:00
Daniel Mitterdorfer a579504e11
Remove auto_configure privilege for profiling (#101026)
With this commit we remove the `auto_configure` privilege for the Fleet
service account that targets profiling-related indices. This privilege
was needed to automatically create indices and data streams in the past
but as this is managed by the Elasticsearch plugin, there is no need to
grant this privilege to Fleet-managed components.
2023-10-23 13:14:14 +02:00
Nhat Nguyen ae17505557
Introduce authorization for enrich in ESQL (#99646)
This change introduces a new privilege monitor_enrich. Users are 
required to have this privilege in order to use the enrich functionality
in ESQL. Additionally, it eliminates the need to use the enrich_origin
when executing enrich lookups. The enrich_origin will only be used when
resolving enrich policies to prevent warnings when accessing system
indices directly.

Closes #98482
2023-09-27 12:45:39 -07:00
James Rodewig 255c9a7f95
[DOCS] Move x-pack docs to `docs/reference` dir (#99209)
**Problem:**
For historical reasons, source files for the Elasticsearch Guide's security, watcher, and Logstash API docs are housed in the `x-pack/docs` directory. This can confuse new contributors who expect Elasticsearch Guide docs to be located in `docs/reference`. 

**Solution:**
- Move the security, watcher, and Logstash API doc source files to the `docs/reference` directory
- Update doc snippet tests to use security

Rel: https://github.com/elastic/platform-docs-team/issues/208
2023-09-12 14:53:41 -04:00