Invalidation of API keys fails using service token #380

Closed
blakerouse opened this issue May 20, 2021 · 1 comment · Fixed by #381

@blakerouse

At the moment the invalidation of API keys from the UNENROLL ACK fails only when using the service token for authentication with Elasticsearch.

The `client.Security.InvalidateAPIKey` needs to send `owner: true` in the request body, or Elasticsearch will respond with a permission error.

This relates to elastic/beats#25773 and elastic/elasticsearch#73278

@ph

ph commented May 20, 2021

Adding more context, we have been testing initially with the `fleet_enroll` user, which has different permissions than the service token. The major difference is `manage_api_key` vs `manage_own_api_key` used by the service token. When this permission is used you absolutely need to send `owner: true` when doing the invalidation call; if not, Elasticsearch will refuse to do the operation.

We initially thought it was more a flakiness than a permission issue, but when investigating more we have found that the problem was actually when invalidating the key.

We also need to understand why this is not caught in our end 2 end testing environment.
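
The call discussed in this thread, as an added example that is not part of the issue or the project's code: it sends the invalidation with plain `net/http` instead of the `client.Security.InvalidateAPIKey` wrapper and returns an error on any refusal or non-zero `error_count`. The names `invalidateKeys` and `fakeES`, the token and the key id `k1` are constructed, and `fakeES` only imitates the behaviour described above for a caller limited to `manage_own_api_key`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// invalidateKeys calls DELETE /_security/api_key and errors on any refusal or error_count.
func invalidateKeys(esURL, token string, owner bool, ids ...string) error {
	body, _ := json.Marshal(map[string]interface{}{"ids": ids, "owner": owner})
	req, err := http.NewRequest(http.MethodDelete, esURL+"/_security/api_key", bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header = http.Header{"Content-Type": {"application/json"}, "Authorization": {"Bearer " + token}}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("invalidate api key: %s", resp.Status)
	}
	var res struct{ ErrorCount int `json:"error_count"` }
	if err := json.NewDecoder(resp.Body).Decode(&res); err != nil || res.ErrorCount > 0 {
		return fmt.Errorf("invalidate api key: err=%v error_count=%d", err, res.ErrorCount)
	}
	return nil
}

// fakeES is a constructed stand-in for Elasticsearch: 403 unless the body has "owner": true.
func fakeES() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Owner bool `json:"owner"` }
		if json.NewDecoder(r.Body).Decode(&in) != nil || !in.Owner {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"invalidated_api_keys":["k1"],"error_count":0}`)
	}))
}

func main() {
	es := fakeES() // in-process server, released when the program exits
	fmt.Println("owner=false:", invalidateKeys(es.URL, "constructed-token", false, "k1"))
	fmt.Println("owner=true: ", invalidateKeys(es.URL, "constructed-token", true, "k1"))
}
```

Returning the status as an error makes a permission refusal visible to the caller and to a test, rather than leaving it to look like an intermittent failure.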
