1
0
Эх сурвалжийг харах

Expose more authentication info to ingest pipeline (#51305)

The changes add more granularity for identiying the data ingestion user.
The ingest pipeline can now be configure to record authentication realm and
type. It can also record API key name and ID when one is in use. 
This improves traceability when data are being ingested from multiple agents
and will become more relevant with the incoming support of required
pipelines (#46847)

Resolves: #49106
Yang Wang 5 жил өмнө
parent
commit
5c9f79534f

+ 12 - 5
docs/reference/ingest/processors/set-security-user.asciidoc

@@ -1,8 +1,15 @@
 [[ingest-node-set-security-user-processor]]
 [[ingest-node-set-security-user-processor]]
 === Set Security User Processor
 === Set Security User Processor
-Sets user-related details (such as `username`,  `roles`, `email`, `full_name`
-and `metadata` ) from the current
+Sets user-related details (such as `username`,  `roles`, `email`, `full_name`,
+`metadata`, `api_key`, `realm` and `authentication_type`) from the current
 authenticated user to the current document by pre-processing the ingest.
 authenticated user to the current document by pre-processing the ingest.
+The `api_key` property exists only if the user authenticates with an
+API key. It is an object containing the `id` and `name` fields of the API key.
+The `realm` property is also an object with two fields, `name` and `type`.
+When using API key authentication, the `realm` property refers to the realm
+from which the API key is created.
+The `authentication_type` property is a string that can take value from
+`REALM`, `API_KEY`, `TOKEN` and `ANONYMOUS`.
 
 
 IMPORTANT: Requires an authenticated user for the index request.
 IMPORTANT: Requires an authenticated user for the index request.
 
 
@@ -10,9 +17,9 @@ IMPORTANT: Requires an authenticated user for the index request.
 .Set Security User Options
 .Set Security User Options
 [options="header"]
 [options="header"]
 |======
 |======
-| Name          | Required  | Default                                                   | Description
-| `field`       | yes       | -                                                         | The field to store the user information into.
-| `properties`  | no        | [`username`, `roles`, `email`, `full_name`, `metadata`]   | Controls what user related properties are added to the `field`.
+| Name          | Required  | Default                                                                                              | Description
+| `field`       | yes       | -                                                                                                    | The field to store the user information into.
+| `properties`  | no        | [`username`, `roles`, `email`, `full_name`, `metadata`, `api_key`, `realm`, `authentication_type`]   | Controls what user related properties are added to the `field`.
 include::common-options.asciidoc[]
 include::common-options.asciidoc[]
 |======
 |======
 
 

+ 4 - 0
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java

@@ -76,6 +76,10 @@ public class Authentication implements ToXContentObject {
         return lookedUpBy;
         return lookedUpBy;
     }
     }
 
 
+    public RealmRef getSourceRealm() {
+        return lookedUpBy == null ? authenticatedBy : lookedUpBy;
+    }
+
     public Version getVersion() {
     public Version getVersion() {
         return version;
         return version;
     }
     }

+ 3 - 0
x-pack/plugin/core/src/main/resources/security-index-template-7.json

@@ -194,6 +194,9 @@
             },
             },
             "realm" : {
             "realm" : {
               "type" : "keyword"
               "type" : "keyword"
+            },
+            "realm_type" : {
+              "type" : "keyword"
             }
             }
           }
           }
         },
         },

+ 33 - 0
x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java

@@ -0,0 +1,33 @@
+/*
+ *
+ *  * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ *  * or more contributor license agreements. Licensed under the Elastic License;
+ *  * you may not use this file except in compliance with the Elastic License.
+ *
+ */
+
+package org.elasticsearch.xpack.core.security.authc;
+
+import org.elasticsearch.test.ESTestCase;
+import org.elasticsearch.xpack.core.security.user.User;
+
+public class AuthenticationTests extends ESTestCase {
+
+    public void testWillGetLookedUpByWhenItExists() {
+        final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef("auth_by", "auth_by_type", "node");
+        final Authentication.RealmRef lookedUpBy = new Authentication.RealmRef("lookup_by", "lookup_by_type", "node");
+        final Authentication authentication = new Authentication(
+            new User("user"), authenticatedBy, lookedUpBy);
+
+        assertEquals(lookedUpBy, authentication.getSourceRealm());
+    }
+
+    public void testWillGetAuthenticateByWhenLookupIsNull() {
+        final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef("auth_by", "auth_by_type", "node");
+        final Authentication authentication = new Authentication(
+            new User("user"), authenticatedBy, null);
+
+        assertEquals(authenticatedBy, authentication.getSourceRealm());
+    }
+
+}

+ 9 - 5
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java

@@ -106,9 +106,11 @@ public class ApiKeyService {
     private static final Logger logger = LogManager.getLogger(ApiKeyService.class);
     private static final Logger logger = LogManager.getLogger(ApiKeyService.class);
     private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger);
     private static final DeprecationLogger deprecationLogger = new DeprecationLogger(logger);
     public static final String API_KEY_ID_KEY = "_security_api_key_id";
     public static final String API_KEY_ID_KEY = "_security_api_key_id";
+    public static final String API_KEY_NAME_KEY = "_security_api_key_name";
     public static final String API_KEY_REALM_NAME = "_es_api_key";
     public static final String API_KEY_REALM_NAME = "_es_api_key";
     public static final String API_KEY_REALM_TYPE = "_es_api_key";
     public static final String API_KEY_REALM_TYPE = "_es_api_key";
-    public static final String API_KEY_CREATOR_REALM = "_security_api_key_creator_realm";
+    public static final String API_KEY_CREATOR_REALM_NAME = "_security_api_key_creator_realm_name";
+    public static final String API_KEY_CREATOR_REALM_TYPE = "_security_api_key_creator_realm_type";
     static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
     static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
 
 
@@ -271,8 +273,8 @@ public class ApiKeyService {
             .startObject("creator")
             .startObject("creator")
             .field("principal", authentication.getUser().principal())
             .field("principal", authentication.getUser().principal())
             .field("metadata", authentication.getUser().metadata())
             .field("metadata", authentication.getUser().metadata())
-            .field("realm", authentication.getLookedUpBy() == null ?
-                authentication.getAuthenticatedBy().getName() : authentication.getLookedUpBy().getName())
+            .field("realm", authentication.getSourceRealm().getName())
+            .field("realm_type", authentication.getSourceRealm().getType())
             .endObject()
             .endObject()
             .endObject();
             .endObject();
 
 
@@ -501,10 +503,12 @@ public class ApiKeyService {
                 : limitedByRoleDescriptors.keySet().toArray(Strings.EMPTY_ARRAY);
                 : limitedByRoleDescriptors.keySet().toArray(Strings.EMPTY_ARRAY);
             final User apiKeyUser = new User(principal, roleNames, null, null, metadata, true);
             final User apiKeyUser = new User(principal, roleNames, null, null, metadata, true);
             final Map<String, Object> authResultMetadata = new HashMap<>();
             final Map<String, Object> authResultMetadata = new HashMap<>();
-            authResultMetadata.put(API_KEY_CREATOR_REALM, creator.get("realm"));
+            authResultMetadata.put(API_KEY_CREATOR_REALM_NAME, creator.get("realm"));
+            authResultMetadata.put(API_KEY_CREATOR_REALM_TYPE, creator.get("realm_type"));
             authResultMetadata.put(API_KEY_ROLE_DESCRIPTORS_KEY, roleDescriptors);
             authResultMetadata.put(API_KEY_ROLE_DESCRIPTORS_KEY, roleDescriptors);
             authResultMetadata.put(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, limitedByRoleDescriptors);
             authResultMetadata.put(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, limitedByRoleDescriptors);
             authResultMetadata.put(API_KEY_ID_KEY, credentials.getId());
             authResultMetadata.put(API_KEY_ID_KEY, credentials.getId());
+            authResultMetadata.put(API_KEY_NAME_KEY, source.get("name"));
             listener.onResponse(AuthenticationResult.success(apiKeyUser, authResultMetadata));
             listener.onResponse(AuthenticationResult.success(apiKeyUser, authResultMetadata));
         } else {
         } else {
             listener.onResponse(AuthenticationResult.unsuccessful("api key is expired", null));
             listener.onResponse(AuthenticationResult.unsuccessful("api key is expired", null));
@@ -878,7 +882,7 @@ public class ApiKeyService {
      */
      */
     public static String getCreatorRealmName(final Authentication authentication) {
     public static String getCreatorRealmName(final Authentication authentication) {
         if (authentication.getAuthenticatedBy().getType().equals(API_KEY_REALM_TYPE)) {
         if (authentication.getAuthenticatedBy().getType().equals(API_KEY_REALM_TYPE)) {
-            return (String) authentication.getMetadata().get(API_KEY_CREATOR_REALM);
+            return (String) authentication.getMetadata().get(API_KEY_CREATOR_REALM_NAME);
         } else {
         } else {
             return authentication.getAuthenticatedBy().getName();
             return authentication.getAuthenticatedBy().getName();
         }
         }

+ 53 - 1
x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessor.java

@@ -11,6 +11,7 @@ import org.elasticsearch.ingest.IngestDocument;
 import org.elasticsearch.ingest.Processor;
 import org.elasticsearch.ingest.Processor;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.ApiKeyService;
 
 
 import java.util.Arrays;
 import java.util.Arrays;
 import java.util.EnumSet;
 import java.util.EnumSet;
@@ -85,6 +86,54 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
                         userObject.put("metadata", user.metadata());
                         userObject.put("metadata", user.metadata());
                     }
                     }
                     break;
                     break;
+                case API_KEY:
+                    final String apiKey = "api_key";
+                    final Object existingApiKeyField = userObject.get(apiKey);
+                    @SuppressWarnings("unchecked")
+                    final Map<String, Object> apiKeyField =
+                        existingApiKeyField instanceof Map ? (Map<String, Object>) existingApiKeyField : new HashMap<>();
+                    Object apiKeyName = authentication.getMetadata().get(ApiKeyService.API_KEY_NAME_KEY);
+                    if (apiKeyName != null) {
+                        apiKeyField.put("name", apiKeyName);
+                    }
+                    Object apiKeyId = authentication.getMetadata().get(ApiKeyService.API_KEY_ID_KEY);
+                    if (apiKeyId != null) {
+                        apiKeyField.put("id", apiKeyId);
+                    }
+                    if (false == apiKeyField.isEmpty()) {
+                        userObject.put(apiKey, apiKeyField);
+                    }
+                    break;
+                case REALM:
+                    final String realmKey = "realm";
+                    final Object existingRealmField = userObject.get(realmKey);
+                    @SuppressWarnings("unchecked")
+                    final Map<String, Object> realmField =
+                        existingRealmField instanceof Map ? (Map<String, Object>) existingRealmField : new HashMap<>();
+
+                    final Object realmName, realmType;
+                    if (Authentication.AuthenticationType.API_KEY == authentication.getAuthenticationType()) {
+                        realmName = authentication.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_NAME);
+                        realmType = authentication.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_TYPE);
+                    } else {
+                        realmName = authentication.getSourceRealm().getName();
+                        realmType = authentication.getSourceRealm().getType();
+                    }
+                    if (realmName != null) {
+                        realmField.put("name", realmName);
+                    }
+                    if (realmType != null) {
+                        realmField.put("type", realmType);
+                    }
+                    if (false == realmField.isEmpty()) {
+                        userObject.put(realmKey, realmField);
+                    }
+                    break;
+                case AUTHENTICATION_TYPE:
+                    if (authentication.getAuthenticationType() != null) {
+                        userObject.put("authentication_type", authentication.getAuthenticationType().toString());
+                    }
+                    break;
                 default:
                 default:
                     throw new UnsupportedOperationException("unsupported property [" + property + "]");
                     throw new UnsupportedOperationException("unsupported property [" + property + "]");
             }
             }
@@ -138,7 +187,10 @@ public final class SetSecurityUserProcessor extends AbstractProcessor {
         FULL_NAME,
         FULL_NAME,
         EMAIL,
         EMAIL,
         ROLES,
         ROLES,
-        METADATA;
+        METADATA,
+        API_KEY,
+        REALM,
+        AUTHENTICATION_TYPE;
 
 
         static Property parse(String tag, String value) {
         static Property parse(String tag, String value) {
             try {
             try {

+ 15 - 2
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java

@@ -148,6 +148,10 @@ public class ApiKeyServiceTests extends ESTestCase {
         assertThat(auth.getStatus(), is(AuthenticationResult.Status.SUCCESS));
         assertThat(auth.getStatus(), is(AuthenticationResult.Status.SUCCESS));
         assertThat(auth.getUser(), notNullValue());
         assertThat(auth.getUser(), notNullValue());
         assertThat(auth.getUser().principal(), is("hulk"));
         assertThat(auth.getUser().principal(), is("hulk"));
+        assertThat(auth.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_NAME), is("realm1"));
+        assertThat(auth.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_TYPE), is("native"));
+        assertThat(auth.getMetadata().get(ApiKeyService.API_KEY_ID_KEY), is(id));
+        assertThat(auth.getMetadata().get(ApiKeyService.API_KEY_NAME_KEY), is("test"));
     }
     }
 
 
     public void testAuthenticationIsSkippedIfLicenseDoesNotAllowIt() throws Exception {
     public void testAuthenticationIsSkippedIfLicenseDoesNotAllowIt() throws Exception {
@@ -284,6 +288,7 @@ public class ApiKeyServiceTests extends ESTestCase {
         Map<String, Object> creatorMap = new HashMap<>();
         Map<String, Object> creatorMap = new HashMap<>();
         creatorMap.put("principal", "test_user");
         creatorMap.put("principal", "test_user");
         creatorMap.put("realm", "realm1");
         creatorMap.put("realm", "realm1");
+        creatorMap.put("realm_type", "realm_type1");
         creatorMap.put("metadata", Collections.emptyMap());
         creatorMap.put("metadata", Collections.emptyMap());
         sourceMap.put("creator", creatorMap);
         sourceMap.put("creator", creatorMap);
         sourceMap.put("api_key_invalidated", false);
         sourceMap.put("api_key_invalidated", false);
@@ -302,7 +307,7 @@ public class ApiKeyServiceTests extends ESTestCase {
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors")));
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors")));
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY),
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY),
             equalTo(sourceMap.get("limited_by_role_descriptors")));
             equalTo(sourceMap.get("limited_by_role_descriptors")));
-        assertThat(result.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM), is("realm1"));
+        assertThat(result.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_NAME), is("realm1"));
 
 
         sourceMap.put("expiration_time", Clock.systemUTC().instant().plus(1L, ChronoUnit.HOURS).toEpochMilli());
         sourceMap.put("expiration_time", Clock.systemUTC().instant().plus(1L, ChronoUnit.HOURS).toEpochMilli());
         future = new PlainActionFuture<>();
         future = new PlainActionFuture<>();
@@ -316,7 +321,7 @@ public class ApiKeyServiceTests extends ESTestCase {
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors")));
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors")));
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY),
         assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY),
             equalTo(sourceMap.get("limited_by_role_descriptors")));
             equalTo(sourceMap.get("limited_by_role_descriptors")));
-        assertThat(result.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM), is("realm1"));
+        assertThat(result.getMetadata().get(ApiKeyService.API_KEY_CREATOR_REALM_NAME), is("realm1"));
 
 
         sourceMap.put("expiration_time", Clock.systemUTC().instant().minus(1L, ChronoUnit.HOURS).toEpochMilli());
         sourceMap.put("expiration_time", Clock.systemUTC().instant().minus(1L, ChronoUnit.HOURS).toEpochMilli());
         future = new PlainActionFuture<>();
         future = new PlainActionFuture<>();
@@ -561,6 +566,14 @@ public class ApiKeyServiceTests extends ESTestCase {
         assertNull(cachedApiKeyHashResult);
         assertNull(cachedApiKeyHashResult);
     }
     }
 
 
+    public void testWillAlwaysGetAuthenticationRealmName() {
+        final Authentication.RealmRef authenticatedBy = new Authentication.RealmRef("auth_by", "auth_by_type", "node");
+        final Authentication.RealmRef lookedUpBy = new Authentication.RealmRef("lookup_by", "lookup_by_type", "node");
+        final Authentication authentication = new Authentication(
+            new User("user"), authenticatedBy, lookedUpBy);
+        assertEquals("auth_by", ApiKeyService.getCreatorRealmName(authentication));
+    }
+
     private ApiKeyService createApiKeyService(Settings baseSettings) {
     private ApiKeyService createApiKeyService(Settings baseSettings) {
         final Settings settings = Settings.builder()
         final Settings settings = Settings.builder()
             .put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)
             .put(XPackSettings.API_KEY_SERVICE_ENABLED_SETTING.getKey(), true)

+ 95 - 4
x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/ingest/SetSecurityUserProcessorTests.java

@@ -5,17 +5,21 @@
  */
  */
 package org.elasticsearch.xpack.security.ingest;
 package org.elasticsearch.xpack.security.ingest;
 
 
+import org.elasticsearch.Version;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.ingest.IngestDocument;
 import org.elasticsearch.ingest.IngestDocument;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.Authentication;
+import org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationType;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationField;
 import org.elasticsearch.xpack.core.security.user.User;
 import org.elasticsearch.xpack.core.security.user.User;
+import org.elasticsearch.xpack.security.authc.ApiKeyService;
 import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor.Property;
 import org.elasticsearch.xpack.security.ingest.SetSecurityUserProcessor.Property;
 import org.mockito.Mockito;
 import org.mockito.Mockito;
 
 
 import java.util.Arrays;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Map;
@@ -29,20 +33,23 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
                 Map.of("key", "value"), true);
                 Map.of("key", "value"), true);
         Authentication.RealmRef realmRef = new Authentication.RealmRef("_name", "_type", "_node_name");
         Authentication.RealmRef realmRef = new Authentication.RealmRef("_name", "_type", "_node_name");
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
-        threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null));
+        threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT));
 
 
         IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
         IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
         SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
         SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
         processor.execute(ingestDocument);
         processor.execute(ingestDocument);
 
 
         Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
         Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
-        assertThat(result.size(), equalTo(5));
+        assertThat(result.size(), equalTo(7));
         assertThat(result.get("username"), equalTo("_username"));
         assertThat(result.get("username"), equalTo("_username"));
         assertThat(result.get("roles"), equalTo(Arrays.asList("role1", "role2")));
         assertThat(result.get("roles"), equalTo(Arrays.asList("role1", "role2")));
         assertThat(result.get("full_name"), equalTo("firstname lastname"));
         assertThat(result.get("full_name"), equalTo("firstname lastname"));
         assertThat(result.get("email"), equalTo("_email"));
         assertThat(result.get("email"), equalTo("_email"));
         assertThat(((Map) result.get("metadata")).size(), equalTo(1));
         assertThat(((Map) result.get("metadata")).size(), equalTo(1));
         assertThat(((Map) result.get("metadata")).get("key"), equalTo("value"));
         assertThat(((Map) result.get("metadata")).get("key"), equalTo("value"));
+        assertThat(((Map) result.get("realm")).get("name"), equalTo("_name"));
+        assertThat(((Map) result.get("realm")).get("type"), equalTo("_type"));
+        assertThat(result.get("authentication_type"), equalTo("REALM"));
     }
     }
 
 
     public void testProcessorWithEmptyUserData() throws Exception {
     public void testProcessorWithEmptyUserData() throws Exception {
@@ -50,6 +57,8 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
         User user = Mockito.mock(User.class);
         User user = Mockito.mock(User.class);
         Authentication authentication = Mockito.mock(Authentication.class);
         Authentication authentication = Mockito.mock(Authentication.class);
         Mockito.when(authentication.getUser()).thenReturn(user);
         Mockito.when(authentication.getUser()).thenReturn(user);
+        Mockito.when(authentication.getSourceRealm()).thenReturn(new Authentication.RealmRef("_name", "_type", "_node_name"));
+        Mockito.when(authentication.getAuthenticationType()).thenReturn(AuthenticationType.REALM);
 
 
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
         ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
         threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, authentication);
         threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, authentication);
@@ -57,8 +66,12 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
         IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
         IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
         SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
         SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
         processor.execute(ingestDocument);
         processor.execute(ingestDocument);
-        Map result = ingestDocument.getFieldValue("_field", Map.class);
-        assertThat(result.size(), equalTo(0));
+        Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
+        // Still holds data for realm and authentication type
+        assertThat(result.size(), equalTo(2));
+        assertThat(((Map) result.get("realm")).get("name"), equalTo("_name"));
+        assertThat(((Map) result.get("realm")).get("type"), equalTo("_type"));
+        assertThat(result.get("authentication_type"), equalTo("REALM"));
     }
     }
 
 
     public void testNoCurrentUser() throws Exception {
     public void testNoCurrentUser() throws Exception {
@@ -179,4 +192,82 @@ public class SetSecurityUserProcessorTests extends ESTestCase {
         assertThat(result2.get("other"), equalTo("test"));
         assertThat(result2.get("other"), equalTo("test"));
     }
     }
 
 
+    public void testApiKeyPopulation() throws Exception {
+        User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
+        Authentication.RealmRef realmRef = new Authentication.RealmRef(
+            ApiKeyService.API_KEY_REALM_NAME, ApiKeyService.API_KEY_REALM_TYPE, "_node_name");
+        ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+
+        threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT,
+            AuthenticationType.API_KEY,
+            Map.of(
+                ApiKeyService.API_KEY_ID_KEY, "api_key_id",
+                ApiKeyService.API_KEY_NAME_KEY, "api_key_name",
+                ApiKeyService.API_KEY_CREATOR_REALM_NAME, "creator_realm_name",
+                ApiKeyService.API_KEY_CREATOR_REALM_TYPE, "creator_realm_type"
+            )));
+
+        IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
+        SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
+        processor.execute(ingestDocument);
+
+        Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
+        assertThat(result.size(), equalTo(4));
+        assertThat(((Map) result.get("api_key")).get("name"), equalTo("api_key_name"));
+        assertThat(((Map) result.get("api_key")).get("id"), equalTo("api_key_id"));
+        assertThat(((Map) result.get("realm")).get("name"), equalTo("creator_realm_name"));
+        assertThat(((Map) result.get("realm")).get("type"), equalTo("creator_realm_type"));
+        assertThat(result.get("authentication_type"), equalTo("API_KEY"));
+    }
+
+    public void testWillNotOverwriteExistingApiKeyAndRealm() throws Exception {
+        User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
+        Authentication.RealmRef realmRef = new Authentication.RealmRef(
+            ApiKeyService.API_KEY_REALM_NAME, ApiKeyService.API_KEY_REALM_TYPE, "_node_name");
+        ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+
+        threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY, new Authentication(user, realmRef, null, Version.CURRENT,
+            AuthenticationType.API_KEY,
+            Map.of(
+                ApiKeyService.API_KEY_ID_KEY, "api_key_id",
+                ApiKeyService.API_KEY_NAME_KEY, "api_key_name",
+                ApiKeyService.API_KEY_CREATOR_REALM_NAME, "creator_realm_name",
+                ApiKeyService.API_KEY_CREATOR_REALM_TYPE, "creator_realm_type"
+            )));
+
+        IngestDocument ingestDocument = new IngestDocument(IngestDocument.deepCopyMap(Map.of(
+            "_field", Map.of("api_key", Map.of("version", 42), "realm", Map.of("id", 7))
+        )), new HashMap<>());
+        SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
+        processor.execute(ingestDocument);
+
+        Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
+        assertThat(result.size(), equalTo(4));
+        assertThat(((Map) result.get("api_key")).get("version"), equalTo(42));
+        assertThat(((Map) result.get("realm")).get("id"), equalTo(7));
+    }
+
+    public void testWillSetRunAsRealmForNonApiAuth() throws Exception {
+        User user = new User(randomAlphaOfLengthBetween(4, 12), null, null);
+        Authentication.RealmRef authRealmRef = new Authentication.RealmRef(
+            randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12));
+        Authentication.RealmRef lookedUpRealmRef = new Authentication.RealmRef(
+            randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12), randomAlphaOfLengthBetween(4, 12));
+        ThreadContext threadContext = new ThreadContext(Settings.EMPTY);
+
+        threadContext.putTransient(AuthenticationField.AUTHENTICATION_KEY,
+            new Authentication(user, authRealmRef, lookedUpRealmRef, Version.CURRENT,
+                randomFrom(AuthenticationType.REALM, AuthenticationType.TOKEN, AuthenticationType.INTERNAL),
+                Collections.emptyMap()));
+
+        IngestDocument ingestDocument = new IngestDocument(new HashMap<>(), new HashMap<>());
+        SetSecurityUserProcessor processor = new SetSecurityUserProcessor("_tag", threadContext, "_field", EnumSet.allOf(Property.class));
+        processor.execute(ingestDocument);
+
+        Map<String, Object> result = ingestDocument.getFieldValue("_field", Map.class);
+        assertThat(result.size(), equalTo(3));
+        assertThat(((Map) result.get("realm")).get("name"), equalTo(lookedUpRealmRef.getName()));
+        assertThat(((Map) result.get("realm")).get("type"), equalTo(lookedUpRealmRef.getType()));
+    }
+
 }
 }