diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
index c21233436bd4a..3f2fa385845ad 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -696,43 +696,39 @@ private static Map maybeRewriteMetadataForApiKeyRoleDescriptors(
 Map metadata = authentication.getMetadata();
 // If authentication type is API key, regardless whether it has run-as, the metadata must contain API key role descriptors
 if (authentication.isAuthenticatedWithApiKey()) {
+ assert metadata.containsKey(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)
+ : "metadata must contain role descriptor for API key authentication";
+ assert metadata.containsKey(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)
+ : "metadata must contain limited role descriptor for API key authentication";
 if (authentication.getVersion().onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES)
 && streamVersion.before(VERSION_API_KEY_ROLES_AS_BYTES)) {
 metadata = new HashMap<>(metadata);
- if (metadata.containsKey(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)) {
+ metadata.put(
+ AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY,
+ convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY))
+ );
+ metadata.put(
+ AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY,
+ convertRoleDescriptorsBytesToMap(
+ (BytesReference) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)
+ )
+ );
+ } else if (authentication.getVersion().before(VERSION_API_KEY_ROLES_AS_BYTES)
+ && streamVersion.onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES)) {
+ metadata = new HashMap<>(metadata);
 metadata.put(
 AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY,
- convertRoleDescriptorsBytesToMap((BytesReference) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY))
+ convertRoleDescriptorsMapToBytes(
+ (Map) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)
+ )
 );
- }
- if (metadata.containsKey(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)) {
 metadata.put(
 AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY,
- convertRoleDescriptorsBytesToMap(
- (BytesReference) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)
+ convertRoleDescriptorsMapToBytes(
+ (Map) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)
 )
 );
 }
- } else if (authentication.getVersion().before(VERSION_API_KEY_ROLES_AS_BYTES)
- && streamVersion.onOrAfter(VERSION_API_KEY_ROLES_AS_BYTES)) {
- metadata = new HashMap<>(metadata);
- if (metadata.containsKey(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)) {
- metadata.put(
- AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY,
- convertRoleDescriptorsMapToBytes(
- (Map) metadata.get(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY)
- )
- );
- }
- if (metadata.containsKey(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)) {
- metadata.put(
- AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY,
- convertRoleDescriptorsMapToBytes(
- (Map) metadata.get(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)
- )
- );
- }
- }
 }
 return metadata;
 }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
index e4358a484566d..5ac45a8f41ef9 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -8,6 +8,7 @@ package org.elasticsearch.xpack.core.security.authc;
 import org.elasticsearch.Version;
+import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.io.stream.BytesStreamOutput;
 import org.elasticsearch.common.io.stream.StreamInput;
 import org.elasticsearch.common.settings.Settings;
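Review bot: The two `assert` statements that replace the former `containsKey` guards only execute when the JVM runs with `-ea`, so in a production process a metadata map missing either role-descriptor key is no longer skipped but passed to `convertRoleDescriptorsBytesToMap` / `convertRoleDescriptorsMapToBytes` as `null` (the `(BytesReference)` and `(Map)` casts of `metadata.get(...)` accept `null`), and whatever those helpers do with `null` becomes the failure mode on the cross-version serialization path. If the invariant is guaranteed for every API-key authentication this node can observe, including ones deserialized from older nodes, a short comment above the assertions saying where it is established would help the next reader, e.g. `// Both role-descriptor keys are always populated for API key authentication, so the rewrite below reads them unconditionally`; if it is not guaranteed, an explicit `IllegalStateException` would fail closed instead of depending on assertion settings. Separately, `metadata = new HashMap<>(metadata);` is now duplicated in both branches of the version comparison; deciding the direction first and copying once would read more clearly. The enclosing method's signature line sits above the hunk.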
@@ -414,6 +415,9 @@ public static Authentication randomApiKeyAuthentication(User user, String apiKey
 final HashMap metadata = new HashMap<>();
 metadata.put(AuthenticationField.API_KEY_ID_KEY, apiKeyId);
 metadata.put(AuthenticationField.API_KEY_NAME_KEY, randomBoolean() ? null : randomAlphaOfLengthBetween(1, 16));
+ metadata.put(AuthenticationField.API_KEY_ROLE_DESCRIPTORS_KEY, new BytesArray("{}"));
+ metadata.put(AuthenticationField.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, new BytesArray("""
+ {"x":{"cluster":["all"],"indices":[{"names":["index*"],"privileges":["all"]}]}}"""));
 return Authentication.newApiKeyAuthentication(AuthenticationResult.success(user, metadata), randomAlphaOfLengthBetween(3, 8))
 .maybeRewriteForOlderVersion(version);
 }