OpenSearch/docs/java-rest/high-level/security
Yogesh Gaikwad fe36861ada
Add support for API keys to access Elasticsearch (#38291)
X-Pack security supports built-in authentication service
`token-service` that allows access tokens to be used to 
access Elasticsearch without using Basic authentication.
The tokens are generated by `token-service` based on
OAuth2 spec. The access token is a short-lived token
(defaults to 20m) and refresh token with a lifetime of 24 hours,
making them unsuitable for long-lived or recurring tasks where
the system might go offline thereby failing refresh of tokens.

This commit introduces a built-in authentication service
`api-key-service` that adds support for long-lived tokens aka API
keys to access Elasticsearch. The `api-key-service` is consulted
after `token-service` in the authentication chain. By default,
if TLS is enabled then `api-key-service` is also enabled.
The service can be disabled using the configuration setting.

The API keys:-
- by default do not have an expiration but expiration can be
  configured where the API keys need to be expired after a
  certain amount of time.
- when generated will keep authentication information of the user that
   generated them.
- can be defined with a role describing the privileges for accessing
   Elasticsearch and will be limited by the role of the user that
   generated them
- can be invalidated via invalidation API
- information can be retrieved via a get API
- that have been expired or invalidated will be retained for 1 week
  before being deleted. The expired API keys remover task handles this.

Following are the API key management APIs:-
1. Create API Key - `PUT/POST /_security/api_key`
2. Get API key(s) - `GET /_security/api_key`
3. Invalidate API Key(s) `DELETE /_security/api_key`

The API keys can be used to access Elasticsearch using `Authorization`
header, where the auth scheme is `ApiKey` and the credentials, is the 
base64 encoding of API key Id and API key separated by a colon.
Example:-
```
curl -H "Authorization: ApiKey YXBpLWtleS1pZDphcGkta2V5" http://localhost:9200/_cluster/health
```

Closes #34383
2019-02-05 14:21:57 +11:00
..
authenticate.asciidoc Add realm information for Authenticate API (#35648) 2018-11-27 23:35:42 +02:00
change-password.asciidoc Deprecate HLRC EmptyResponse used by security (#37540) 2019-01-23 22:13:16 -06:00
clear-realm-cache.asciidoc HLRC: add support for the clear realm cache API (#35163) 2018-11-06 13:12:24 -07:00
clear-roles-cache.asciidoc
create-api-key.asciidoc Add support for API keys to access Elasticsearch (#38291) 2019-02-05 14:21:57 +11:00
create-token.asciidoc HLRC: Add security Create Token API (#34791) 2018-10-29 17:17:56 +11:00
delete-privileges.asciidoc Add Delete Privileges API to HLRC (#35454) 2018-11-14 14:04:30 +01:00
delete-role-mapping.asciidoc
delete-role.asciidoc
delete-user.asciidoc HLRC: Add delete user action (#35294) 2018-11-29 07:52:56 +01:00
disable-user.asciidoc Deprecate HLRC EmptyResponse used by security (#37540) 2019-01-23 22:13:16 -06:00
enable-user.asciidoc Deprecate HLRC EmptyResponse used by security (#37540) 2019-01-23 22:13:16 -06:00
get-api-key.asciidoc Add support for API keys to access Elasticsearch (#38291) 2019-02-05 14:21:57 +11:00
get-certificates.asciidoc Fix get certificates HLRC API (#36198) 2018-12-06 12:44:51 +02:00
get-privileges.asciidoc [DOCS] Various spelling corrections (#37046) 2019-01-07 14:44:12 +01:00
get-role-mappings.asciidoc [HLRC] Add support for get role mappings API (#34637) 2018-10-29 10:12:13 +11:00
get-roles.asciidoc [DOCS] Various spelling corrections (#37046) 2019-01-07 14:44:12 +01:00
get-user-privileges.asciidoc HLRC: Implement get-user-privileges API (#36292) 2018-12-12 15:12:49 +11:00
get-users.asciidoc [DOCS] Various spelling corrections (#37046) 2019-01-07 14:44:12 +01:00
has-privileges.asciidoc HLRC: Add "_has_privileges" API to Security Client (#35479) 2018-11-16 13:52:06 +11:00
invalidate-api-key.asciidoc Add support for API keys to access Elasticsearch (#38291) 2019-02-05 14:21:57 +11:00
invalidate-token.asciidoc Invalidate Token API enhancements - HLRC (#36362) 2018-12-18 16:12:43 +02:00
put-privileges.asciidoc [HLRC] Add support for put privileges API (#35679) 2018-12-09 16:03:28 +11:00
put-role-mapping.asciidoc
put-role.asciidoc [HLRC] Put Role (#36209) 2018-12-10 09:41:31 +02:00
put-user.asciidoc HLRC: Add ability to put user with a password hash (#35844) 2018-11-27 15:07:24 +11:00