Don't require `cluster:admin/xpack/security/token/create` privilege when `client_credentials` grant is used

[azasypkin]

As per Token Management API docs client_credentials grant type should allows us to create a token simply as the authenticated user (e.g. for Kerberos users when request to create a token would include Authorization: Negotiate **spnego-token** HTTP header), but currently Elasticsearch complains if user is not granted a cluster:admin/xpack/security/token/create cluster privilege.

Is it expected that all Kerberos users should be granted cluster:admin/xpack/security/token/create cluster privilege?

/cc @jkakavas @bizybot @kobelb

[elasticmachine]

Pinging @elastic/es-security

[jkakavas]

A comment here for the required permissions with the current situation is that manage_token is not required, cluster:admin/xpack/security/token/create should be enough.

[azasypkin]

Thanks @jkakavas! Updated title and description.

[tvernum]

We discussed this and reached a general consensus that it would be better to introduce a kerberos-aware grant type that worked in the same manner as the password grant type (i.e. it runs under the kibana user & provides both access+refresh tokens), rather than trying to make client_credentials work for this use case.

@jkakavas & @bizybot will come up with a concrete proposal for that (at which point we can close this issue).

[azasypkin]

Thanks for the update!

provides both access+refresh tokens

When we'll try to refresh such a token, will Elasticsearch check that Kerberos Ticket used to retrieve this access/refresh token pair is still valid as well?

[jkakavas]

When we'll try to refresh such a token, will Elasticsearch check that Kerberos Ticket used to retrieve this access/refresh token pair is still valid as well?

This needs to be discussed. Currently we do not support something similar in the TokenService and for SAML i.e. we do not take the time constraints that the IDP sets for the session into consideration after initial authentication.