Improve auditing for run-as #84394

@ywangd

Prior to 8.1, run-as is only supported for realm authenticated users. The audit log has the following fields for the authenticated user and the effective user:

  • user.run_by.name
  • user.run_as.name
  • user.run_by.realm
  • user.run_as.realm

Since #79809 (8.2), an API key can also perform run-as. An API key has extra information like its ID and name. It also has both its own synthetic realm (_es_api_key) and the owner's name and realm. In #84325, we mapped the API key owner's name to user.run_by.name and the synthetic realm to user.run_by.realm. But we still need extra fields to map the API key's ID and name as well as its owner's realm.

We should revisit and improve how auditing is done for the authenticated user and the effective user. The service account's name and type are logged under its own section (authentication) separated from the user fields. This was intentional because the intention is to have a separate section for authentication information. This is a potential candidate for expansion to accommodate the extra information for the API key.
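The gap described in this issue, shown from a log reviewer's side as an added example (not part of the original issue and not Elasticsearch code): grouping run-as events by the four existing fields merges every API key owned by the same user into one identity. The sample events are constructed, and the `user.name` and `user.realm` keys on the non-run-as line are assumed for illustration.

```python
import json
from collections import Counter

API_KEY_REALM = "_es_api_key"  # synthetic realm named in the issue

# Constructed sample events, one JSON object per line (not real log output).
# Lines 2 and 3 stand for two different API keys owned by alice; with only
# the four run_by/run_as fields they are byte-for-byte identical.
SAMPLE_LOG = """\
{"user.run_by.name": "alice", "user.run_by.realm": "native1", "user.run_as.name": "bob", "user.run_as.realm": "ldap1"}
{"user.run_by.name": "alice", "user.run_by.realm": "_es_api_key", "user.run_as.name": "bob", "user.run_as.realm": "ldap1"}
{"user.run_by.name": "alice", "user.run_by.realm": "_es_api_key", "user.run_as.name": "bob", "user.run_as.realm": "ldap1"}
{"user.name": "carol", "user.realm": "native1"}
"""

def run_as_report(log_text):
    """Group run-as events by the (run_by, run_as) identity the log exposes."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if "user.run_as.name" not in event:
            continue  # not a run-as event
        key = (
            event.get("user.run_by.name", ""),
            event.get("user.run_by.realm", ""),
            event.get("user.run_as.name", ""),
            event.get("user.run_as.realm", ""),
        )
        counts[key] += 1

    report = []
    for (by_name, by_realm, as_name, as_realm), n in sorted(counts.items()):
        report.append({
            "run_by": f"{by_name}@{by_realm}",
            "run_as": f"{as_name}@{as_realm}",
            # The synthetic realm is the only sign that an API key was used;
            # the key's ID, its name and the owner's realm are not recoverable.
            "via_api_key": by_realm == API_KEY_REALM,
            "events": n,
        })
    return report

if __name__ == "__main__":
    for row in run_as_report(SAMPLE_LOG):
        print(row)
```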
