Domů Procházet Nápověda
Registrovat se Přihlásit se
lqb
/
elasticsearch
zrcadlo https://gitee.com/mirrors/elasticsearch.git
1
0
Rozštěpit 0
Soubory Úkoly 0 Wiki
Strom: 442fc1f3b6
Větve Značky
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
update-api-key.asciidoc

update-api-key.asciidoc 8.1 KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286 
  1. [role="xpack"]
    2. 

  2. [[security-api-update-api-key]]
    3. 

  3. === Update API key API
    4. 

  4. 

  5. ++++
    6. 

  6. <titleabbrev>Update API key</titleabbrev>
    7. 

  7. ++++
    8. 

  8. 

  9. .New API reference
    10. 

  10. [sidebar]
    11. 

  11. --
    12. 

  12. For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
    13. 

  13. --
    14. 

  14. 

  15. [[security-api-update-api-key-request]]
    16. 

  16. ==== {api-request-title}
    17. 

  17. 

  18. `PUT /_security/api_key/<id>`
    19. 

  19. 

  20. [[security-api-update-api-key-prereqs]]
    21. 

  21. ==== {api-prereq-title}
    22. 

  22. 

  23. * To use this API, you must have at least the `manage_own_api_key` cluster privilege.
    24. 

  24. Users can only update API keys that they created or that were granted to them.
    25. 

  25. To update another user's API key, use the <<run-as-privilege,`run_as` feature>>
    26. 

  26. to submit a request on behalf of another user.
    27. 

  27. 

  28. IMPORTANT: It's not possible to use an API key as the authentication credential for this API.
    29. 

  29. To update an API key, the owner user's credentials are required.
    30. 

  30. 

  31. [[security-api-update-api-key-desc]]
    32. 

  32. ==== {api-description-title}
    33. 

  33. 

  34. Use this API to update API keys created by the <<security-api-create-api-key,create API Key>> or <<security-api-grant-api-key,grant API Key>> APIs.
    35. 

  35. If you need to apply the same update to many API keys, you can use <<security-api-bulk-update-api-keys,bulk update API Keys>> to reduce overhead.
    36. 

  36. 

  37. It's not possible to update expired API keys, or API keys that have been invalidated by <<security-api-invalidate-api-key,invalidate API Key>>.
    38. 

  38. 

  39. This API supports updates to an API key's access scope, metadata and expiration.
    40. 

  40. The access scope of an API key is derived from the <<security-api-update-api-key-api-key-role-descriptors,`role_descriptors`>> you specify in the request, and a snapshot of the owner user's permissions at the time of the request.
    41. 

  41. The snapshot of the owner's permissions is updated automatically on every call.
    42. 

  42. 

  43. [IMPORTANT]
    44. 

  44. ====
    45. 

  45. If you don't specify <<security-api-update-api-key-api-key-role-descriptors,`role_descriptors`>> in the request, a call to this API might still change the API key's access scope.
    46. 

  46. This change can occur if the owner user's permissions have changed since the API key was created or last modified.
    47. 

  47. ====
    48. 

  48. 

  49. [[security-api-update-api-key-path-params]]
    50. 

  50. ==== {api-path-parms-title}
    51. 

  51. 

  52. `id`::
    53. 

  53. (Required, string) The ID of the API key to update.
    54. 

  54. 

  55. [[security-api-update-api-key-request-body]]
    56. 

  56. ==== {api-request-body-title}
    57. 

  57. 

  58. You can specify the following parameters in the request body, which is optional.
    59. 

  59. 

  60. [[security-api-update-api-key-api-key-role-descriptors]]
    61. 

  61. `role_descriptors`::
    62. 

  62. (Optional, object) The role descriptors to assign to this API key.
    63. 

  63. The API key's effective permissions are an intersection of its assigned privileges and the point in time snapshot of permissions of the owner user.
    64. 

  64. You can assign new privileges by specifying them in this parameter.
    65. 

  65. To remove assigned privileges, you can supply an empty `role_descriptors` parameter, i.e., an empty object `{}`.
    66. 

  66. If an API key has no assigned privileges, it inherits the owner user's full permissions.
    67. 

  67. The snapshot of the owner's permissions is always updated, whether you supply the `role_descriptors` parameter or not.
    68. 

  68. The structure of a role descriptor is the same as the request for the <<api-key-role-descriptors, create API keys API>>.
    69. 

  69. 

  70. `metadata`::
    71. 

  71. (Optional, object) Arbitrary metadata that you want to associate with the API key.
    72. 

  72. It supports nested data structure.
    73. 

  73. Within the `metadata` object, top-level keys beginning with `_` are reserved for system usage.
    74. 

  74. When specified, this fully replaces metadata previously associated with the API key.
    75. 

  75. 

  76. `expiration`::
    77. 

  77. (Optional, string) Expiration time for the API key. By default, API keys never expire. Can be omitted to leave unchanged.
    78. 

  78. 

  79. [[security-api-update-api-key-response-body]]
    80. 

  80. ==== {api-response-body-title}
    81. 

  81. 

  82. `updated`::
    83. 

  83. (boolean) If `true`, the API key was updated.
    84. 

  84. If `false`, the API key didn't change because no change was detected.
    85. 

  85. 

  86. [[security-api-update-api-key-example]]
    87. 

  87. ==== {api-examples-title}
    88. 

  88. 

  89. If you create an API key as follows:
    90. 

  90. 

  91. [source,console]
    92. 

  92. ------------------------------------------------------------
    93. 

  93. POST /_security/api_key
    94. 

  94. {
    95. 

  95.   "name": "my-api-key",
    96. 

  96.   "role_descriptors": {
    97. 

  97.     "role-a": {
    98. 

  98.       "cluster": ["all"],
    99. 

  99.       "indices": [
    100. 

  100.         {
    101. 

  101.           "names": ["index-a*"],
    102. 

  102.           "privileges": ["read"]
    103. 

  103.         }
    104. 

  104.       ]
    105. 

  105.     }
    106. 

  106.   },
    107. 

  107.   "metadata": {
    108. 

  108.     "application": "my-application",
    109. 

  109.     "environment": {
    110. 

  110.        "level": 1,
    111. 

  111.        "trusted": true,
    112. 

  112.        "tags": ["dev", "staging"]
    113. 

  113.     }
    114. 

  114.   }
    115. 

  115. }
    116. 

  116. ------------------------------------------------------------
    117. 

  117. 

  118. A successful call returns a JSON structure that provides API key information.
    119. 

  119. For example:
    120. 

  120. 

  121. [source,console-result]
    122. 

  122. --------------------------------------------------
    123. 

  123. {
    124. 

  124.   "id": "VuaCfGcBCdbkQm-e5aOx",
    125. 

  125.   "name": "my-api-key",
    126. 

  126.   "api_key": "ui2lp2axTNmsyakw9tvNnw",
    127. 

  127.   "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="
    128. 

  128. }
    129. 

  129. --------------------------------------------------
    130. 

  130. // TESTRESPONSE[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
    131. 

  131. // TESTRESPONSE[s/ui2lp2axTNmsyakw9tvNnw/$body.api_key/]
    132. 

  132. // TESTRESPONSE[s/VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==/$body.encoded/]
    133. 

  133. 

  134. For the examples below, assume that the owner user's permissions are:
    135. 

  135. 

  136. [[security-api-update-api-key-examples-user-permissions]]
    137. 

  137. [source,js]
    138. 

  138. --------------------------------------------------
    139. 

  139. {
    140. 

  140.   "cluster": ["all"],
    141. 

  141.   "indices": [
    142. 

  142.     {
    143. 

  143.       "names": ["*"],
    144. 

  144.       "privileges": ["all"]
    145. 

  145.     }
    146. 

  146.   ]
    147. 

  147. }
    148. 

  148. --------------------------------------------------
    149. 

  149. // NOTCONSOLE
    150. 

  150. 

  151. The following example updates the API key created above, assigning it new role descriptors and metadata:
    152. 

  152. 

  153. [source,console]
    154. 

  154. ----
    155. 

  155. PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx
    156. 

  156. {
    157. 

  157.   "role_descriptors": {
    158. 

  158.     "role-a": {
    159. 

  159.       "indices": [
    160. 

  160.         {
    161. 

  161.           "names": ["*"],
    162. 

  162.           "privileges": ["write"]
    163. 

  163.         }
    164. 

  164.       ]
    165. 

  165.     }
    166. 

  166.   },
    167. 

  167.   "metadata": {
    168. 

  168.     "environment": {
    169. 

  169.        "level": 2,
    170. 

  170.        "trusted": true,
    171. 

  171.        "tags": ["production"]
    172. 

  172.     }
    173. 

  173.   }
    174. 

  174. }
    175. 

  175. ----
    176. 

  176. // TEST[s/VuaCfGcBCdbkQm-e5aOx/\${body.id}/]
    177. 

  177. // TEST[continued]
    178. 

  178. 

  179. A successful call returns a JSON structure indicating that the API key was updated:
    180. 

  180. 

  181. [source,console-result]
    182. 

  182. ----
    183. 

  183. {
    184. 

  184.   "updated": true
    185. 

  185. }
    186. 

  186. ----
    187. 

  187. 

  188. The API key's effective permissions after the update will be the intersection of the supplied role descriptors and the <<security-api-update-api-key-examples-user-permissions, owner user's permissions>>:
    189. 

  189. 

  190. [source,js]
    191. 

  191. --------------------------------------------------
    192. 

  192. {
    193. 

  193.   "indices": [
    194. 

  194.     {
    195. 

  195.       "names": ["*"],
    196. 

  196.       "privileges": ["write"]
    197. 

  197.     }
    198. 

  198.   ]
    199. 

  199. }
    200. 

  200. --------------------------------------------------
    201. 

  201. // NOTCONSOLE
    202. 

  202. 

  203. The following example removes the API key's previously assigned permissions, making it inherit the owner user's full permissions.
    204. 

  204. 

  205. [source,console]
    206. 

  206. ----
    207. 

  207. PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx
    208. 

  208. {
    209. 

  209.   "role_descriptors": {}
    210. 

  210. }
    211. 

  211. ----
    212. 

  212. // TEST[skip:api key id not available anymore]
    213. 

  213. 

  214. Which returns the response:
    215. 

  215. 

  216. [source,console-result]
    217. 

  217. ----
    218. 

  218. {
    219. 

  219.   "updated": true
    220. 

  220. }
    221. 

  221. ----
    222. 

  222. 

  223. The API key's effective permissions after the update will be the same as the owner user's:
    224. 

  224. 

  225. [source,js]
    226. 

  226. --------------------------------------------------
    227. 

  227. {
    228. 

  228.   "cluster": ["all"],
    229. 

  229.   "indices": [
    230. 

  230.     {
    231. 

  231.       "names": ["*"],
    232. 

  232.       "privileges": ["all"]
    233. 

  233.     }
    234. 

  234.   ]
    235. 

  235. }
    236. 

  236. --------------------------------------------------
    237. 

  237. // NOTCONSOLE
    238. 

  238. 

  239. For the next example, assume that the owner user's permissions have changed from <<security-api-update-api-key-examples-user-permissions, the original permissions>> to:
    240. 

  240. 

  241. [source,js]
    242. 

  242. --------------------------------------------------
    243. 

  243. {
    244. 

  244.   "cluster": ["manage_security"],
    245. 

  245.   "indices": [
    246. 

  246.     {
    247. 

  247.       "names": ["*"],
    248. 

  248.       "privileges": ["read"]
    249. 

  249.     }
    250. 

  250.   ]
    251. 

  251. }
    252. 

  252. --------------------------------------------------
    253. 

  253. // NOTCONSOLE
    254. 

  254. 

  255. The following request auto-updates the snapshot of the user's permissions associated with the API key:
    256. 

  256. 

  257. [source,console]
    258. 

  258. ----
    259. 

  259. PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx
    260. 

  260. ----
    261. 

  261. // TEST[skip:api key id not available anymore]
    262. 

  262. 

  263. Which returns the response:
    264. 

  264. 

  265. [source,console-result]
    266. 

  266. ----
    267. 

  267. {
    268. 

  268.   "updated": true
    269. 

  269. }
    270. 

  270. ----
    271. 

  271. 

  272. Resulting in the following effective permissions for the API key:
    273. 

  273. 

  274. [source,js]
    275. 

  275. --------------------------------------------------
    276. 

  276. {
    277. 

  277.   "cluster": ["manage_security"],
    278. 

  278.   "indices": [
    279. 

  279.     {
    280. 

  280.       "names": ["*"],
    281. 

  281.       "privileges": ["read"]
    282. 

  282.     }
    283. 

  283.   ]
    284. 

  284. }
    285. 

  285. --------------------------------------------------
    286. 

  286. // NOTCONSOLE
    287.