Home Verkennen Help
Registreren Inloggen
lqb
/
elasticsearch
spiegel van https://gitee.com/mirrors/elasticsearch.git
1
0
Vork 0
Bestanden Issues 0 Wiki
Boom: b2e626e7df
Aftakkingen Labels
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
grant-api-keys.asciidoc

grant-api-keys.asciidoc 6.2 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. [role="xpack"]
    2. 

  2. [[security-api-grant-api-key]]
    3. 

  3. === Grant API key API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Grant API keys</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Creates an API key on behalf of another user.
    9. 

  9. 

  10. [[security-api-grant-api-key-request]]
    11. 

  11. ==== {api-request-title}
    12. 

  12. 

  13. `POST /_security/api_key/grant`
    14. 

  14. 

  15. [[security-api-grant-api-key-prereqs]]
    16. 

  16. ==== {api-prereq-title}
    17. 

  17. 

  18. * To use this API, you must have the `grant_api_key` or the `manage_api_key` cluster privilege.
    19. 

  19. 

  20. [[security-api-grant-api-key-desc]]
    21. 

  21. ==== {api-description-title}
    22. 

  22. 

  23. This API is similar to <<security-api-create-api-key>>, however it creates the
    24. 

  24. API key for a user that is different than the user that runs the API.
    25. 

  25. 

  26. The caller must have authentication credentials for the user on whose behalf
    27. 

  27. the API key will be created. It is not possible to use this API to create an
    28. 

  28. API key without that user's credentials.
    29. 

  29. The supported user authentication credentials types are:
    30. 

  30.  * username and password
    31. 

  31.  * <<security-api-get-token, {es} access tokens>>
    32. 

  32.  * <<jwt-auth-realm, JWTs>>
    33. 

  33. 

  34. The user, for whom the authentication credentials is provided,
    35. 

  35. can optionally <<run-as-privilege,"run as">> (impersonate) another user.
    36. 

  36. In this case, the API key will be created on behalf of the impersonated user.
    37. 

  37. 

  38. This API is intended be used by applications that need to create and manage
    39. 

  39. API keys for end users, but cannot guarantee that those users have permission
    40. 

  40. to create API keys on their own behalf (see <<security-api-create-api-key-prereqs>>).
    41. 

  41. The API keys are created by the {es} API key service, which is automatically
    42. 

  42. enabled.
    43. 

  43. 

  44. A successful grant API key API call returns a JSON structure that contains the
    45. 

  45. API key, its unique id, and its name. If applicable, it also returns expiration
    46. 

  46. information for the API key in milliseconds.
    47. 

  47. 

  48. NOTE: By default, API keys never expire. You can specify expiration information
    49. 

  49. when you create the API keys.
    50. 

  50. 

  51. See <<api-key-service-settings>> for configuration settings related to API key
    52. 

  52. service.
    53. 

  53. 

  54. [[security-api-grant-api-key-request-body]]
    55. 

  55. ==== {api-request-body-title}
    56. 

  56. 

  57. The following parameters can be specified in the body of a POST request:
    58. 

  58. 

  59. `access_token`::
    60. 

  60. (Required*, string)
    61. 

  61. The user's <<security-api-get-token, {es} access token>>, or JWT. Both <<jwt-realm-oauth2, access>> and
    62. 

  62. <<jwt-realm-oidc, id>> JWT token types are supported, and they depend on the underlying JWT realm configuration.
    63. 

  63. The created API key will have a point in time snapshot of permissions of the user authenticated with this token
    64. 

  64. (or even more restricted permissions, see the `role_descriptors` parameter).
    65. 

  65. If you specify the `access_token` grant type, this parameter is required. It is not valid with other grant types.
    66. 

  66. 

  67. `api_key`::
    68. 

  68. (Required, object)
    69. 

  69. Defines the API key.
    70. 

  70. 

  71. `expiration`:::
    72. 

  72. (Optional, string) Expiration time for the API key. By default, API keys never
    73. 

  73. expire.
    74. 

  74. 

  75. `name`:::
    76. 

  76. (Required, string) Specifies the name for this API key.
    77. 

  77. 

  78. `role_descriptors`:::
    79. 

  79. (Optional, object) The role descriptors for this API
    80. 

  80. key. This parameter is optional. When it is not specified or is an empty array,
    81. 

  81. the API key has a point in time snapshot of permissions of the specified user or
    82. 

  82. access token. If you supply role descriptors, the resultant permissions are an
    83. 

  83. intersection of API keys permissions and the permissions of the user or access
    84. 

  84. token. The structure of a role descriptor is the same as the request for <<api-key-role-descriptors, create API keys API>>.
    85. 

  85. 

  86. `metadata`:::
    87. 

  87. (Optional, object) Arbitrary metadata that you want to associate with the API key.
    88. 

  88. It supports nested data structure.
    89. 

  89. Within the `metadata` object, keys beginning with `_` are reserved for
    90. 

  90. system usage.
    91. 

  91. 

  92. include::client-authentication.asciidoc[]
    93. 

  93. 

  94. `grant_type`::
    95. 

  95. (Required, string)
    96. 

  96. The type of grant. Supported grant types are: `access_token`,`password`.
    97. 

  97. 

  98. `access_token`:::
    99. 

  99. In this type of grant, you must supply either an access token, that was created by the
    100. 

  100. {es} token service (see <<security-api-get-token>> and <<encrypt-http-communication>>),
    101. 

  101. or a <<jwt-auth-realm, JWT>> (either a JWT `access_token` or a JWT `id_token`).
    102. 

  102. 

  103. `password`:::
    104. 

  104. In this type of grant, you must supply the user ID and password for which you
    105. 

  105. want to create the API key.
    106. 

  106. 

  107. `password`::
    108. 

  108. (Required*, string)
    109. 

  109. The user's password. If you specify the `password` grant type, this parameter is
    110. 

  110. required. It is not valid with other grant types.
    111. 

  111. 

  112. `username`::
    113. 

  113. (Required*, string)
    114. 

  114. The user name that identifies the user. If you specify the `password` grant type,
    115. 

  115. this parameter is required. It is not valid with other grant types.
    116. 

  116. 

  117. `run_as`::
    118. 

  118. (Optional, string)
    119. 

  119. The name of the user to be <<run-as-privilege,impersonated>>.
    120. 

  120. 

  121. *Indicates that the setting is required in some, but not all situations.
    122. 

  122. 

  123. [[security-api-grant-api-key-example]]
    124. 

  124. ==== {api-examples-title}
    125. 

  125. 

  126. [source,console]
    127. 

  127. ------------------------------------------------------------
    128. 

  128. POST /_security/api_key/grant
    129. 

  129. {
    130. 

  130.   "grant_type": "password",
    131. 

  131.   "username" : "test_admin",
    132. 

  132.   "password" : "x-pack-test-password",
    133. 

  133.   "api_key" : {
    134. 

  134.     "name": "my-api-key",
    135. 

  135.     "expiration": "1d",
    136. 

  136.     "role_descriptors": {
    137. 

  137.       "role-a": {
    138. 

  138.         "cluster": ["all"],
    139. 

  139.         "indices": [
    140. 

  140.           {
    141. 

  141.           "names": ["index-a*"],
    142. 

  142.           "privileges": ["read"]
    143. 

  143.           }
    144. 

  144.         ]
    145. 

  145.       },
    146. 

  146.       "role-b": {
    147. 

  147.         "cluster": ["all"],
    148. 

  148.         "indices": [
    149. 

  149.           {
    150. 

  150.           "names": ["index-b*"],
    151. 

  151.           "privileges": ["all"]
    152. 

  152.           }
    153. 

  153.         ]
    154. 

  154.       }
    155. 

  155.     },
    156. 

  156.     "metadata": {
    157. 

  157.       "application": "my-application",
    158. 

  158.       "environment": {
    159. 

  159.          "level": 1,
    160. 

  160.          "trusted": true,
    161. 

  161.          "tags": ["dev", "staging"]
    162. 

  162.       }
    163. 

  163.     }
    164. 

  164.   }
    165. 

  165. }
    166. 

  166. ------------------------------------------------------------
    167. 

  167. 

  168. The user (`test_admin`) whose credentials are provided can "run as" another user (`test_user`).
    169. 

  169. The API key will be granted to the impersonated user (`test_user`).
    170. 

  170. 

  171. [source,console]
    172. 

  172. ------------------------------------------------------------
    173. 

  173. POST /_security/api_key/grant
    174. 

  174. {
    175. 

  175.   "grant_type": "password",
    176. 

  176.   "username" : "test_admin",  <1>
    177. 

  177.   "password" : "x-pack-test-password",  <2>
    178. 

  178.   "run_as": "test_user",  <3>
    179. 

  179.   "api_key" : {
    180. 

  180.     "name": "another-api-key"
    181. 

  181.   }
    182. 

  182. }
    183. 

  183. ------------------------------------------------------------
    184. 

  184. <1> The user for which the credential is provided and performs "run as".
    185. 

  185. <2> Credential for the above user
    186. 

  186. <3> The impersonated user for whom the API key will be created for.
    187.