Store API key owner on Notification Policy

[kdelemme]

Summary

Adds API key support to the notification policy saved object, following the same ESO pattern as alerting v1 rules.

• Stores ES API key (encrypted) OR UIAM API key on the notification policy SO
• Stores owner and createdByUser as AAD fields
• Creates/rotates API keys on policy create and update
• Strips apiKey from all API responses
• Adds encryptedSavedObjects plugin dependency

Resolves https://github.com/elastic/rna-program/issues/141

Out of scope

• API key invalidation lifecycle (follow-up)
• Dispatcher integration to use decrypted keys for workflow dispatch (follow-up, after dispatcher PR merges)

Made with Cursor

[kdelemme]

/ci

[jasonrhodes]

I'm reviewing this now FWIW 🍿

[jasonrhodes]

I did manual testing locally, ran against a CCS edge cluster with ESO encryption key configured (--xpack.encryptedSavedObjects.encryptionKey="abcdefghijklmnopqrstuvwxyz123456")

Auth method	Code path	apiKeyCreatedByUser
API key header	Reuse (extracts from header)	true
Session cookie	Grant (grantAsInternalUser)	false
Basic auth	Grant (grantAsInternalUser)	false

CRUD verified

• Create with auto-generated and custom IDs work. apiKeyOwner and apiKeyCreatedByUser present in responses; apiKey and uiamApiKey correctly stripped
• GET requests return cleanly, secrets absent
• Update preserves unmodified fields, bumps version (optimistic concurrency working).
• Delete works.

Key rotation confirmed (grant path)

Queried _security/_query/api_key filtering on metadata.kibana.type: notification_policy. After creating a policy via basic auth and then updating it, a new ES API key was created with the updated policy name — 3 keys total, confirming grantAsInternalUser is called on every update (no other way to confirm real rotation except by counting keys created). Old keys remain invalidated: false, consistent with the PR noting invalidation as a follow-up.

ESO encryption confirmed

Raw SO in .kibana_alerting_cases shows apiKey as encrypted ciphertext, uiamApiKey as null (non-serverless), and apiKeyOwner/apiKeyCreatedByUser as plaintext AAD fields.

Will approve PR after I finish reading through code.

[jasonrhodes]

Please correct me if I'm off-base here, but is this schema shape mostly borrowed from v1 alerting? This "two optional sibling keys" situation stood out to me, neither is required, does that mean both can be stored? Why do we need both in v2 alerting?

Could a discriminated union work for v2 if we don't have backward-compatibility concerns on this front?

{
  auth: {
    key: schema.string(),
    type: schema.oneOf(['ES_API_KEY', 'UIAM_API_KEY']),
    owner: schema.string(),
    createdByUser: schema.boolean(),
  }
}

More context from my conversation with the agent on this idea...

...

Yes, both keys are actively stored today in v1, in one specific scenario: the grant path in serverless environments. This is not a legacy
artifact — it's current behavior.
Here's exactly what happens in each v1 code path:

Grant path (password/token auth)

In createAPIKey in rules_client_factory.ts:

1. Check shouldGrantUiam (which is !!core.security.authc.apiKeys.uiam — true only when UIAM is available, i.e. serverless)
2. If serverless: grant a UIAM key first, then grant an ES key. Store both on the SO.
3. If non-serverless: grant only an ES key. uiamApiKey is not set.

Reuse path (API key auth)

In getAuthenticationAPIKey: the user's own key is extracted from the header. If it's a UIAM credential, it goes into uiamResult only (no result).
If it's a regular ES key, it goes into result only. The apiKeyAsAlertAttributes function then stores it in the appropriate field. Only one key
is stored.

Why does the grant path store both?

Because in v1, the write-time decision (which keys to create) and the read-time decision (which key to use) are controlled by two different
config flags:
• Write time: shouldGrantUiam — determined by whether the UIAM API is available at all
• Read time: context.apiKeyType — a separate kibana.yml config (xpack.alerting.rules.apiKeyType) that defaults to 'es' and can be set to 'uiam'

So in serverless, UIAM is available (so both keys get created), but the task runner might still be configured to use the ES key (apiKeyType:
'es'). The system stores both so that operators can flip apiKeyType from es to uiam without having to re-grant every rule's API key. The task
runner then picks whichever one the config says to use:

x-pack/platform/plugins/shared/alerting/server/task_runner/rule_loader.ts lines 161-171

const shouldUseUiamApiKey = context.shouldGrantUiam && context.apiKeyType === ApiKeyType.UIAM;
if (shouldUseUiamApiKey) {
  if (!uiamApiKey) {
    requestHeaders.authorization = `ApiKey ${apiKey}`;
    // ... fallback warning
  } else {
    // ... use uiamApiKey
  }
} else if (apiKey) {
  requestHeaders.authorization = `ApiKey ${apiKey}`;
}

So is this relevant to v2?

The reason v1 needs both is that there are potentially millions of existing rules, and rotating keys on all of them just because an operator
flipped a config flag is operationally expensive. Storing both is a pragmatic optimization to avoid mass re-keying.
In v2, this concern doesn't exist:
• There are zero existing notification policies (new system)
• Keys are already rotated on every update
• The dispatcher is a single system-level process, not per-rule — it doesn't need the same flexibility to switch key types without re-granting

So the "store both to allow config-driven switching" rationale from v1 doesn't carry over to v2. The v2 dispatcher will know at startup whether
it's running in serverless or not, and can just use the right key type. There's no need to hedge by storing both.
This further supports the discriminated union approach — v2 can just store whichever key type is appropriate for the environment and be explicit
about what it stored.

[kdelemme]

Is UIAM enabled currently on serverless?

[jasonrhodes]

Confirmed with Mike Cote it's being rolled out this week or so.

[jasonrhodes]

OK mostly LGTM, I just want to confirm on the multi-key situation before approving. Thanks!

[jasonrhodes]

nit: does it make sense to use a static method on the class, or just a function outside the class, to handle the omit logic so if we need to extend it or change it, it just happens in one place? Tests will catch it if we miss it so not a big deal, reject this as over-optimization if you like :D

[kdelemme]

sure thing

[jasonrhodes]

ah ok, this behavior also seems to be borrowed from v1 alerting ... if it's necessary then I guess you can ignore my schema / discriminated union idea, but I wonder if we really need this (storing both) if we don't need to migrate or worry about existing objects?

[kdelemme]

We probably don't need both if uiam is already enabled on serverless.

[jasonrhodes]

LGTM

[kdelemme]

/ci

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: 0ebdc28

Failed CI Steps

• Linting
• Check Types
• Check changes in Saved Objects

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/alerting-v2-schemas	44	45	+1

Unknown metric groups

API count

id	before	after	diff
@kbn/alerting-v2-schemas	52	53	+1

History

• 💔 Build #404468 failed f6c16f3
• 💔 Build #404455 failed 1fd3547
• 💔 Build #404106 failed 3849b8f
• 💔 Build #404042 failed e09911a

cc @kdelemme