mirror of
https://github.com/honeymoose/OpenSearch.git
synced 2025-02-16 09:54:55 +00:00
7b6246ec67
The existing privilege model for API keys with privileges like `manage_api_key`, `manage_security` etc. are too permissive and we would want finer-grained control over the cluster privileges for API keys. Previously APIs created would also need these privileges to get its own information. This commit adds support for `manage_own_api_key` cluster privilege which only allows api key cluster actions on API keys owned by the currently authenticated user. Also adds support for retrieval of the API key self-information when authenticating via API key without the need for the additional API key privileges. To support this privilege, we are introducing additional authentication context along with the request context such that it can be used to authorize cluster actions based on the current user authentication. The API key get and invalidate APIs introduce an `owner` flag that can be set to true if the API key request (Get or Invalidate) is for the API keys owned by the currently authenticated user only. In that case, `realm` and `username` cannot be set as they are assumed to be the currently authenticated ones. The changes cover HLRC changes, documentation for the API changes. Closes #40031
76 lines
2.6 KiB
Plaintext
76 lines
2.6 KiB
Plaintext
--
|
|
:api: get-api-key
|
|
:request: GetApiKeyRequest
|
|
:response: GetApiKeyResponse
|
|
--
|
|
|
|
[id="{upid}-{api}"]
|
|
=== Get API Key information API
|
|
|
|
API Key(s) information can be retrieved using this API.
|
|
|
|
[id="{upid}-{api}-request"]
|
|
==== Get API Key Request
|
|
The +{request}+ supports retrieving API key information for
|
|
|
|
. A specific API key
|
|
|
|
. All API keys for a specific realm
|
|
|
|
. All API keys for a specific user
|
|
|
|
. All API keys for a specific user in a specific realm
|
|
|
|
. A specific key or all API keys owned by the current authenticated user
|
|
|
|
===== Retrieve a specific API key by its id
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-api-key-id-request]
|
|
--------------------------------------------------
|
|
|
|
===== Retrieve a specific API key by its name
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-api-key-name-request]
|
|
--------------------------------------------------
|
|
|
|
===== Retrieve all API keys for given realm
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-realm-api-keys-request]
|
|
--------------------------------------------------
|
|
|
|
===== Retrieve all API keys for a given user
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-user-api-keys-request]
|
|
--------------------------------------------------
|
|
|
|
===== Retrieve all API keys for given user in a realm
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-user-realm-api-keys-request]
|
|
--------------------------------------------------
|
|
|
|
===== Retrieve all API keys for the current authenticated user
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[get-api-keys-owned-by-authenticated-user-request]
|
|
--------------------------------------------------
|
|
|
|
include::../execution.asciidoc[]
|
|
|
|
[id="{upid}-{api}-response"]
|
|
==== Get API Key information API Response
|
|
|
|
The returned +{response}+ contains the information regarding the API keys that were
|
|
requested.
|
|
|
|
`api_keys`:: Available using `getApiKeyInfos`, contains list of API keys that were retrieved for this request.
|
|
|
|
["source","java",subs="attributes,callouts,macros"]
|
|
--------------------------------------------------
|
|
include-tagged::{doc-tests-file}[{api}-response]
|
|
--------------------------------------------------
|