Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Add required privileges for using API Keys #4130

Merged
merged 10 commits into from
Sep 9, 2020
Merged

docs: Add required privileges for using API Keys #4130

merged 10 commits into from
Sep 9, 2020

Conversation

bmorelli25
Copy link
Member

@bmorelli25 bmorelli25 commented Sep 1, 2020
edited
Loading

Motivation/summary

  • This PR adds the required privileges for using API keys. Previously, we didn't do a good job of calling out the manage_api_cluster privilege, or of providing an example of how to set apm application privileges.

  • This PR adds an example workflow for creating an API key using the ES create API key API. The process used is these docs was originally documented here.

Server CLI tested with:

PUT _security/role/apm_api_key
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write",
        "event:write",
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --name java-001

PUT _security/role/apm_api_key_sm
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "sourcemap:write"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --sourcemap --name java-002

PUT _security/role/apm_api_key_ev
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "event:write"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --ingest --name java-003

PUT _security/role/apm_api_key_cf
{
  "cluster": [
    "manage_api_key"
  ],
  "applications": [
    {
      "application": "apm",
      "privileges": [
        "config_agent:read"
      ],
      "resources": [
        "*"
      ]
    }
  ]
}

./apm-server apikey create --agent-config --name java-004

ES version tested with:

POST /_security/api_key
{
  "name": "java-002",
  "expiration": "1d", 
  "role_descriptors": { 
    "apm": {
      "applications": [
        {
          "application": "apm",
          "privileges": ["sourcemap:write", "event:write", "config_agent:read"],
          "resources": ["*"]
        }
      ]
    }
  }
}

echo -n GnrUT3QB7yZbSNxKET6d:RhHKisTmQ1aPCHC_TPwOvw | base64

apm-server apikey verify --credentials R25yVVQzUUI3eVpiU054S0VUNmQ6UmhIS2lzVG1RMWFQQ0hDX1RQd092dw==

Related issues

Closes #3566.
Closes #4135.

Additional work

After this PR is approved, a separate PR will need to be opened in the Beats repo to persist these changes: elastic/beats#20911

@bmorelli25 bmorelli25 requested a review from simitt September 1, 2020 23:02
@bmorelli25 bmorelli25 self-assigned this Sep 1, 2020
@apmmachine
Copy link
Contributor

apmmachine commented Sep 1, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #4130 updated]

  • Start Time: 2020-09-09T02:13:45.373+0000

  • Duration: 4 min 2 sec

@bmorelli25 bmorelli25 mentioned this pull request Sep 1, 2020
Merged
@bmorelli25 bmorelli25 mentioned this pull request Sep 2, 2020
Closed
@bmorelli25 bmorelli25 requested review from a team and removed request for simitt September 2, 2020 17:24
axw
axw approved these changes Sep 3, 2020
View reviewed changes
Copy link
Member

@axw axw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Just a few minor things.

docs/feature-roles.asciidoc Outdated Show resolved Hide resolved
docs/secure-communication-agents.asciidoc Outdated Show resolved Hide resolved
docs/secure-communication-agents.asciidoc Show resolved Hide resolved
axw
axw reviewed Sep 9, 2020
View reviewed changes
docs/secure-communication-agents.asciidoc
By default, `enabled` is set to `false`, and API key support is disabled.

TIP: Not using Elastic APM agents?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice 👍

@bmorelli25 bmorelli25 merged commit a44ccdf into elastic:master Sep 9, 2020
@bmorelli25 bmorelli25 deleted the docs-api-key-privs branch September 9, 2020 02:28
@bmorelli25 bmorelli25 mentioned this pull request Sep 9, 2020
Merged
bmorelli25 added a commit to bmorelli25/apm-server that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (elastic#4130)
a8b113c 
Co-authored-by: Andrew Wilkins <[email protected]>
bmorelli25 added a commit to bmorelli25/apm-server that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (elastic#4130)
12f95f0 
Co-authored-by: Andrew Wilkins <[email protected]>
@bmorelli25 bmorelli25 mentioned this pull request Sep 9, 2020
Merged
bmorelli25 added a commit that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (#4130) (#4179)
b3ac803 
Co-authored-by: Andrew Wilkins <[email protected]>
bmorelli25 added a commit that referenced this pull request Sep 9, 2020
@bmorelli25 @axw
docs: Add required privileges for using API Keys (#4130) (#4178)
6ed32f1 
Co-authored-by: Andrew Wilkins <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@axw axw axw approved these changes

Assignees

@bmorelli25 bmorelli25

Labels
docs v7.9.0
Projects
None yet
Milestone
No milestone
3 participants
@bmorelli25 @apmmachine @axw