Skip to content

docs: Add required privileges for using API Keys#4130

Merged
bmorelli25 merged 10 commits intoelastic:masterfrom
bmorelli25:docs-api-key-privs
Sep 9, 2020
Merged

docs: Add required privileges for using API Keys#4130
bmorelli25 merged 10 commits intoelastic:masterfrom
bmorelli25:docs-api-key-privs

Conversation

@bmorelli25
Copy link
Copy Markdown
Member

@bmorelli25 bmorelli25 commented Sep 1, 2020
edited
Loading

Motivation/summary

  • This PR adds the required privileges for using API keys. Previously, we didn't do a good job of calling out the manage_api_cluster privilege, or of providing an example of how to set apm application privileges.

  • This PR adds an example workflow for creating an API key using the ES create API key API. The process used is these docs was originally documented here.

Server CLI tested with:

PUT _security/role/apm_api_key
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --name java-001

PUT _security/role/apm_api_key_sm
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --sourcemap --name java-002

PUT _security/role/apm_api_key_ev
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "event:write"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --ingest --name java-003

PUT _security/role/apm_api_key_cf
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --agent-config --name java-004

ES version tested with:

POST /_security/api_key
{
  "name": "java-002",
  "expiration": "1d", 
  "role_descriptors": { 
    "apm": {
      "applications": [
        {
          "application": "apm",
          "privileges": ["sourcemap:write", "event:write", "config_agent:read"],
          "resources": ["*"]
        }
      ]
    }
  }
}

echo -n GnrUT3QB7yZbSNxKET6d:RhHKisTmQ1aPCHC_TPwOvw | base64

apm-server apikey verify --credentials R25yVVQzUUI3eVpiU054S0VUNmQ6UmhIS2lzVG1RMWFQQ0hDX1RQd092dw==

Related issues

Closes #3566.
Closes #4135.

Additional work

After this PR is approved, a separate PR will need to be opened in the Beats repo to persist these changes: elastic/beats#20911

@bmorelli25 bmorelli25 requested a review from simitt September 1, 2020 23:02
@bmorelli25 bmorelli25 self-assigned this Sep 1, 2020
@ghost
Copy link
Copy Markdown

ghost commented Sep 1, 2020
edited by ghost
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #4130 updated]

  • Start Time: 2020-09-09T02:13:45.373+0000

  • Duration: 4 min 2 sec

@bmorelli25 bmorelli25 mentioned this pull request Sep 1, 2020
Merged
@bmorelli25 bmorelli25 mentioned this pull request Sep 2, 2020
Closed
@bmorelli25 bmorelli25 requested review from a team and removed request for simitt September 2, 2020 17:24
axw
axw approved these changes Sep 3, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@axw axw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just a few minor things.

@bmorelli25 @axw
Update docs/feature-roles.asciidoc
c7722e5 
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>
bmorelli25
bmorelli25 commented Sep 3, 2020
View reviewed changes
axw
axw reviewed Sep 9, 2020
View reviewed changes
docs/secure-communication-agents.asciidoc
The key must be the base64 encoded representation of the API key's `id:name`.
By default, `enabled` is set to `false`, and API key support is disabled.

TIP: Not using Elastic APM agents?
Copy link
Copy Markdown
Member

@axw axw Sep 9, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice 👍

@bmorelli25 bmorelli25 merged commit a44ccdf into elastic:master Sep 9, 2020
@bmorelli25 bmorelli25 deleted the docs-api-key-privs branch September 9, 2020 02:28
@bmorelli25 bmorelli25 mentioned this pull request Sep 9, 2020
Merged
bmorelli25 added a commit to bmorelli25/apm-server that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (elastic#4130)
a8b113c 
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>
bmorelli25 added a commit to bmorelli25/apm-server that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (elastic#4130)
12f95f0 
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>
@bmorelli25 bmorelli25 mentioned this pull request Sep 9, 2020
Merged
bmorelli25 added a commit that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (#4130) (#4179)
b3ac803 
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>
bmorelli25 added a commit that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (#4130) (#4178)
6ed32f1 
Co-authored-by: Andrew Wilkins <axwalk@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@axw axw axw approved these changes

Assignees

@bmorelli25 bmorelli25

Labels

docs v7.9.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Document how to create API Keys for Agent auth using the ES REST API [docs] Add required privileges for using API Keys

2 participants

@bmorelli25 @axw