Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
lqb
/
elasticsearch
şunun yansıması https://gitee.com/mirrors/elasticsearch.git
1
0
Çatalla 0
Dosyalar Sorunlar 0 Wiki
Ağaç: 442fc1f3b6
Dallar Biçim İmleri
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
update-cross-cluster-api-key.asciidoc

update-cross-cluster-api-key.asciidoc 8.5 KB
Geçmiş Ham

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285 
  1. [role="xpack"]
    2. 

  2. [[security-api-update-cross-cluster-api-key]]
    3. 

  3. === Update Cross-Cluster API key API
    4. 

  4. 

  5. ++++
    6. 

  6. <titleabbrev>Update Cross-Cluster API key</titleabbrev>
    7. 

  7. ++++
    8. 

  8. 

  9. .New API reference
    10. 

  10. [sidebar]
    11. 

  11. --
    12. 

  12. For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
    13. 

  13. --
    14. 

  14. 

  15. Update an existing cross-cluster API Key that is used for <<remote-clusters-api-key,API key based remote cluster>> access.
    16. 

  16. 

  17. 

  18. [[security-api-update-cross-cluster-api-key-request]]
    19. 

  19. ==== {api-request-title}
    20. 

  20. 

  21. `PUT /_security/cross_cluster/api_key/<id>`
    22. 

  22. 

  23. [[security-api-update-cross-cluster-api-key-prereqs]]
    24. 

  24. ==== {api-prereq-title}
    25. 

  25. 

  26. * To use this API, you must have at least the `manage_security` cluster privilege.
    27. 

  27. Users can only update API keys that they created.
    28. 

  28. To update another user's API key, use the <<run-as-privilege,`run_as` feature>>
    29. 

  29. to submit a request on behalf of another user.
    30. 

  30. 

  31. IMPORTANT: It's not possible to use an API key as the authentication credential for this API.
    32. 

  32. To update an API key, the owner user's credentials are required.
    33. 

  33. 

  34. [[security-api-update-cross-cluster-api-key-desc]]
    35. 

  35. ==== {api-description-title}
    36. 

  36. 

  37. Use this API to update cross-cluster API keys created by the <<security-api-create-cross-cluster-api-key,Create Cross-Cluster API key API>>.
    38. 

  38. It's not possible to update expired API keys, or API keys that have been invalidated by
    39. 

  39. <<security-api-invalidate-api-key,invalidate API Key>>.
    40. 

  40. 

  41. This API supports updates to an API key's access scope, metadata and expiration.
    42. 

  42. The owner user's information, e.g. `username`, `realm`, is also updated automatically on every call.
    43. 

  43. 

  44. NOTE: This API cannot update <<security-api-create-api-key,REST API keys>>, which should be updated by
    45. 

  45. either <<security-api-update-api-key>> or <<security-api-bulk-update-api-keys>> API.
    46. 

  46. 

  47. [[security-api-update-cross-cluster-api-key-path-params]]
    48. 

  48. ==== {api-path-parms-title}
    49. 

  49. 

  50. `id`::
    51. 

  51. (Required, string) The ID of the API key to update.
    52. 

  52. 

  53. [[security-api-update-cross-cluster-api-key-request-body]]
    54. 

  54. ==== {api-request-body-title}
    55. 

  55. 

  56. You can specify the following parameters in the request body. The parameters are optional. But they cannot all be absent.
    57. 

  57. 

  58. [[security-api-update-cross-cluster-api-key-api-key-role-descriptors]]
    59. 

  59. `access`::
    60. 

  60. (Optional, object) The access to be granted to this API key. The access is
    61. 

  61. composed of permissions for cross cluster search and cross cluster replication.
    62. 

  62. At least one of them must be specified.
    63. 

  63. When specified, the new access assignment fully replaces the previously assigned access.
    64. 

  64. Refer to the <<cross-cluster-api-key-access,parameter of the same of the Create Cross-Cluster API key API>>
    65. 

  65. for the field's structure.
    66. 

  66. 

  67. `metadata`::
    68. 

  68. (Optional, object) Arbitrary metadata that you want to associate with the API key.
    69. 

  69. It supports nested data structure.
    70. 

  70. Within the `metadata` object, top-level keys beginning with `_` are reserved for system usage.
    71. 

  71. When specified, this fully replaces metadata previously associated with the API key.
    72. 

  72. 

  73. `expiration`::
    74. 

  74. (Optional, string) Expiration time for the API key. By default, API keys never expire. Can be omitted to leave unchanged.
    75. 

  75. 

  76. [[security-api-update-cross-cluster-api-key-response-body]]
    77. 

  77. ==== {api-response-body-title}
    78. 

  78. 

  79. `updated`::
    80. 

  80. (boolean) If `true`, the API key was updated.
    81. 

  81. If `false`, the API key didn't change because no change was detected.
    82. 

  82. 

  83. [[security-api-update-cross-cluster-api-key-example]]
    84. 

  84. ==== {api-examples-title}
    85. 

  85. 

  86. If you create a cross-cluster API key as follows:
    87. 

  87. 

  88. [source,console]
    89. 

  89. ------------------------------------------------------------
    90. 

  90. POST /_security/cross_cluster/api_key
    91. 

  91. {
    92. 

  92.   "name": "my-cross-cluster-api-key",
    93. 

  93.   "access": {
    94. 

  94.     "search": [
    95. 

  95.       {
    96. 

  96.         "names": ["logs*"]
    97. 

  97.       }
    98. 

  98.     ]
    99. 

  99.   },
    100. 

  100.   "metadata": {
    101. 

  101.     "application": "search"
    102. 

  102.   }
    103. 

  103. }
    104. 

  104. ------------------------------------------------------------
    105. 

  105. 

  106. A successful call returns a JSON structure that provides API key information.
    107. 

  107. For example:
    108. 

  108. 

  109. [source,console-result]
    110. 

  110. --------------------------------------------------
    111. 

  111. {
    112. 

  112.   "id": "VuaCfGcBCdbkQm-e5aOx",
    113. 

  113.   "name": "my-cross-cluster-api-key",
    114. 

  114.   "api_key": "ui2lp2axTNmsyakw9tvNnw",
    115. 

  115.   "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="
    116. 

  116. }
    117. 

  117. --------------------------------------------------
    118. 

  118. // TESTRESPONSE[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
    119. 

  119. // TESTRESPONSE[s/ui2lp2axTNmsyakw9tvNnw/$body.api_key/]
    120. 

  120. // TESTRESPONSE[s/VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==/$body.encoded/]
    121. 

  121. 

  122. Information of the API key, including its exact role descriptor can be inspected with
    123. 

  123. the <<security-api-get-api-key,Get API key API>>
    124. 

  124. 

  125. [source,console]
    126. 

  126. --------------------------------------------------
    127. 

  127. GET /_security/api_key?id=VuaCfGcBCdbkQm-e5aOx
    128. 

  128. --------------------------------------------------
    129. 

  129. // TEST[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
    130. 

  130. // TEST[continued]
    131. 

  131. 

  132. A successful call returns a JSON structure that contains the information of the API key:
    133. 

  133. 

  134. [source,js]
    135. 

  135. --------------------------------------------------
    136. 

  136. {
    137. 

  137.   "api_keys": [
    138. 

  138.     {
    139. 

  139.       "id": "VuaCfGcBCdbkQm-e5aOx",
    140. 

  140.       "name": "my-cross-cluster-api-key",
    141. 

  141.       "type": "cross_cluster",
    142. 

  142.       "creation": 1548550550158,
    143. 

  143.       "expiration": null,
    144. 

  144.       "invalidated": false,
    145. 

  145.       "username": "myuser",
    146. 

  146.       "realm": "native1",
    147. 

  147.       "metadata": {
    148. 

  148.         "application": "search"
    149. 

  149.       },
    150. 

  150.       "role_descriptors": {
    151. 

  151.         "cross_cluster": {  <1>
    152. 

  152.           "cluster": [
    153. 

  153.               "cross_cluster_search"
    154. 

  154.           ],
    155. 

  155.           "indices": [
    156. 

  156.             {
    157. 

  157.               "names": [
    158. 

  158.                 "logs*"
    159. 

  159.               ],
    160. 

  160.               "privileges": [
    161. 

  161.                 "read", "read_cross_cluster", "view_index_metadata"
    162. 

  162.               ],
    163. 

  163.               "allow_restricted_indices": false
    164. 

  164.             }
    165. 

  165.           ],
    166. 

  166.           "applications": [ ],
    167. 

  167.           "run_as": [ ],
    168. 

  168.           "metadata": { },
    169. 

  169.           "transient_metadata": {
    170. 

  170.             "enabled": true
    171. 

  171.           }
    172. 

  172.         }
    173. 

  173.       },
    174. 

  174.       "access": {  <2>
    175. 

  175.         "search": [
    176. 

  176.           {
    177. 

  177.             "names": [
    178. 

  178.               "logs*"
    179. 

  179.             ],
    180. 

  180.             "allow_restricted_indices": false
    181. 

  181.           }
    182. 

  182.         ]
    183. 

  183.       }
    184. 

  184.     }
    185. 

  185.   ]
    186. 

  186. }
    187. 

  187. --------------------------------------------------
    188. 

  188. // NOTCONSOLE
    189. 

  189. <1> Role descriptor corresponding to the specified `access` scope at creation time.
    190. 

  190. In this example, it grants cross cluster search permission for the `logs*` index pattern.
    191. 

  191. <2> The `access` corresponds to the value specified at API key creation time.
    192. 

  192. 

  193. 

  194. The following example updates the API key created above, assigning it new access scope and metadata:
    195. 

  195. 

  196. [source,console]
    197. 

  197. ----
    198. 

  198. PUT /_security/cross_cluster/api_key/VuaCfGcBCdbkQm-e5aOx
    199. 

  199. {
    200. 

  200.   "access": {
    201. 

  201.     "replication": [
    202. 

  202.       {
    203. 

  203.         "names": ["archive"]
    204. 

  204.       }
    205. 

  205.     ]
    206. 

  206.   },
    207. 

  207.   "metadata": {
    208. 

  208.     "application": "replication"
    209. 

  209.   }
    210. 

  210. }
    211. 

  211. ----
    212. 

  212. // TEST[s/VuaCfGcBCdbkQm-e5aOx/\${body.api_keys.0.id}/]
    213. 

  213. // TEST[continued]
    214. 

  214. 

  215. A successful call returns a JSON structure indicating that the API key was updated:
    216. 

  216. 

  217. [source,console-result]
    218. 

  218. ----
    219. 

  219. {
    220. 

  220.   "updated": true
    221. 

  221. }
    222. 

  222. ----
    223. 

  223. 

  224. The API key's permissions after the update can be inspected again with the <<security-api-get-api-key,Get API key API>>
    225. 

  225. and it will be:
    226. 

  226. 

  227. [source,js]
    228. 

  228. --------------------------------------------------
    229. 

  229. {
    230. 

  230.   "api_keys": [
    231. 

  231.     {
    232. 

  232.       "id": "VuaCfGcBCdbkQm-e5aOx",
    233. 

  233.       "name": "my-cross-cluster-api-key",
    234. 

  234.       "type": "cross_cluster",
    235. 

  235.       "creation": 1548550550158,
    236. 

  236.       "expiration": null,
    237. 

  237.       "invalidated": false,
    238. 

  238.       "username": "myuser",
    239. 

  239.       "realm": "native1",
    240. 

  240.       "metadata": {
    241. 

  241.         "application": "replication"
    242. 

  242.       },
    243. 

  243.       "role_descriptors": {
    244. 

  244.         "cross_cluster": {  <1>
    245. 

  245.           "cluster": [
    246. 

  246.               "cross_cluster_replication"
    247. 

  247.           ],
    248. 

  248.           "indices": [
    249. 

  249.             {
    250. 

  250.               "names": [
    251. 

  251.                 "archive*"
    252. 

  252.               ],
    253. 

  253.               "privileges": [
    254. 

  254.                 "cross_cluster_replication", "cross_cluster_replication_internal"
    255. 

  255.               ],
    256. 

  256.               "allow_restricted_indices": false
    257. 

  257.             }
    258. 

  258.           ],
    259. 

  259.           "applications": [ ],
    260. 

  260.           "run_as": [ ],
    261. 

  261.           "metadata": { },
    262. 

  262.           "transient_metadata": {
    263. 

  263.             "enabled": true
    264. 

  264.           }
    265. 

  265.         }
    266. 

  266.       },
    267. 

  267.       "access": {  <2>
    268. 

  268.         "replication": [
    269. 

  269.           {
    270. 

  270.             "names": [
    271. 

  271.               "archive*"
    272. 

  272.             ],
    273. 

  273.             "allow_restricted_indices": false
    274. 

  274.           }
    275. 

  275.         ]
    276. 

  276.       }
    277. 

  277.     }
    278. 

  278.   ]
    279. 

  279. }
    280. 

  280. --------------------------------------------------
    281. 

  281. // NOTCONSOLE
    282. 

  282. <1> Role descriptor is updated to be the `access` scope specified at update time.
    283. 

  283. In this example, it is updated to grant the cross cluster replication permission
    284. 

  284. for the `archive*` index pattern.
    285. 

  285. <2> The `access` corresponds to the value specified at API key update time.
    286.