Почетна Преглед Помоћ
Регистрација Пријавите се
lqb
/
elasticsearch
огледало од https://gitee.com/mirrors/elasticsearch.git
1
0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Дрво: e8a6d4a3fb
Гране Ознаке
elasticsearch
/
x-pack
/
docs
/
en
/
rest-api
/
security
/
create-api-keys.asciidoc

create-api-keys.asciidoc 4.2 KB
Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129 
  1. [role="xpack"]
    2. 

  2. [[security-api-create-api-key]]
    3. 

  3. === Create API key API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>Create API keys</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. Creates an API key for access without requiring basic authentication.
    9. 

  9. 

  10. [[security-api-create-api-key-request]]
    11. 

  11. ==== {api-request-title}
    12. 

  12. 

  13. `POST /_security/api_key`
    14. 

  14. `PUT /_security/api_key`
    15. 

  15. 

  16. [[security-api-create-api-key-prereqs]]
    17. 

  17. ==== {api-prereq-title}
    18. 

  18. 

  19. * To use this API, you must have at least the `manage_api_key` cluster privilege.
    20. 

  20. 

  21. [[security-api-create-api-key-desc]]
    22. 

  22. ==== {api-description-title}
    23. 

  23. 

  24. The API keys are created by the {es} API key service, which is automatically enabled
    25. 

  25. when you configure TLS on the HTTP interface. See <<tls-http>>. Alternatively,
    26. 

  26. you can explicitly enable the `xpack.security.authc.api_key.enabled` setting. When 
    27. 

  27. you are running in production mode, a bootstrap check prevents you from enabling 
    28. 

  28. the API key service unless you also enable TLS on the HTTP interface. 
    29. 

  29. 

  30. A successful create API key API call returns a JSON structure that contains the
    31. 

  31. API key, its unique id, and its name. If applicable, it also returns expiration
    32. 

  32. information for the API key in milliseconds. 
    33. 

  33. 

  34. NOTE: By default, API keys never expire. You can specify expiration information
    35. 

  35. when you create the API keys. 
    36. 

  36. 

  37. See <<api-key-service-settings>> for configuration settings related to API key
    38. 

  38. service.
    39. 

  39. 

  40. 

  41. [[security-api-create-api-key-request-body]]
    42. 

  42. ==== {api-request-body-title}
    43. 

  43. 

  44. The following parameters can be specified in the body of a POST or PUT request:
    45. 

  45. 

  46. `name`::
    47. 

  47. (Optional, string) Specifies the name for this API key.
    48. 

  48. 

  49. `role_descriptors`::
    50. 

  50. (Optional, array-of-role-descriptor) An array of role descriptors for this API
    51. 

  51. key. This parameter is optional. When it is not specified or is an empty array,
    52. 

  52. then the API key will have a _point in time snapshot of permissions of the 
    53. 

  53. authenticated user_. If you supply role descriptors then the resultant permissions
    54. 

  54. would be an intersection of API keys permissions and authenticated user's permissions
    55. 

  55. thereby limiting the access scope for API keys.
    56. 

  56. The structure of role descriptor is the same as the request for create role API.
    57. 

  57. For more details, see <<security-api-put-role, create or update roles API>>.
    58. 

  58. 

  59. `expiration`::
    60. 

  60. (Optional, string) Expiration time for the API key. By default, API keys never
    61. 

  61. expire.
    62. 

  62. 

  63. 

  64. [[security-api-create-api-key-example]]
    65. 

  65. ==== {api-examples-title}
    66. 

  66. 

  67. The following example creates an API key:
    68. 

  68. 

  69. [source,console]
    70. 

  70. ------------------------------------------------------------
    71. 

  71. POST /_security/api_key
    72. 

  72. {
    73. 

  73.   "name": "my-api-key",
    74. 

  74.   "expiration": "1d", <1>
    75. 

  75.   "role_descriptors": { <2>
    76. 

  76.     "role-a": {
    77. 

  77.       "cluster": ["all"],
    78. 

  78.       "index": [
    79. 

  79.         {
    80. 

  80.           "names": ["index-a*"],
    81. 

  81.           "privileges": ["read"]
    82. 

  82.         }
    83. 

  83.       ]
    84. 

  84.     },
    85. 

  85.     "role-b": {
    86. 

  86.       "cluster": ["all"],
    87. 

  87.       "index": [
    88. 

  88.         {
    89. 

  89.           "names": ["index-b*"],
    90. 

  90.           "privileges": ["all"]
    91. 

  91.         }
    92. 

  92.       ]
    93. 

  93.     }
    94. 

  94.   }
    95. 

  95. }
    96. 

  96. ------------------------------------------------------------
    97. 

  97. <1> optional expiration for the API key being generated. If expiration is not
    98. 

  98.  provided then the API keys do not expire.
    99. 

  99. <2> optional role descriptors for this API key, if not provided then permissions
    100. 

  100.  of authenticated user are applied.
    101. 

  101. 

  102. A successful call returns a JSON structure that provides
    103. 

  103. API key information.
    104. 

  104. 

  105. [source,console-result]
    106. 

  106. --------------------------------------------------
    107. 

  107. {
    108. 

  108.   "id":"VuaCfGcBCdbkQm-e5aOx", <1>
    109. 

  109.   "name":"my-api-key",
    110. 

  110.   "expiration":1544068612110, <2>
    111. 

  111.   "api_key":"ui2lp2axTNmsyakw9tvNnw" <3>
    112. 

  112. }
    113. 

  113. --------------------------------------------------
    114. 

  114. // TESTRESPONSE[s/VuaCfGcBCdbkQm-e5aOx/$body.id/]
    115. 

  115. // TESTRESPONSE[s/1544068612110/$body.expiration/]
    116. 

  116. // TESTRESPONSE[s/ui2lp2axTNmsyakw9tvNnw/$body.api_key/]
    117. 

  117. <1> unique id for this API key
    118. 

  118. <2> optional expiration in milliseconds for this API key
    119. 

  119. <3> generated API key
    120. 

  120. 

  121. The API key returned by this API can then be used by sending a request with an
    122. 

  122. `Authorization` header with a value having the prefix `ApiKey` followed
    123. 

  123. by the _credentials_, where _credentials_ are the base64 encoding of `id` and `api_key` joined by a colon.
    124. 

  124. 

  125. [source,shell]
    126. 

  126. --------------------------------------------------
    127. 

  127. curl -H "Authorization: ApiKey VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw==" http://localhost:9200/_cluster/health
    128. 

  128. --------------------------------------------------
    129. 

  129. // NOTCONSOLE
    130.