
Allow forcing a limit on api keys #65658

Open

wolframhaussig opened this issue Dec 1, 2020 · 2 comments
Labels
>enhancement :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) Team:Security Meta label for security team

Comments

@wolframhaussig

Currently, the expiration of api keys can be provided at creation time. If the expiration is not provided the api key will never expire:

> By default, API keys never expire. You can specify expiration information when you create the API keys.

Similar to this password strength issue and the token setting xpack.security.authc.token.timeout, I would like to have the option to specify the maximum lifetime of an api key:

- If the administrator sets xpack.security.authc.api_key.expiration to 180d and the user does not provide an expiration date when creating the api key, the resulting api key will expire after 180 days.
- If the administrator sets xpack.security.authc.api_key.expiration to 180d and the user provides an expiration date of 30d when creating the api key, the resulting api key will expire after 30 days.
- If the administrator sets xpack.security.authc.api_key.expiration to 180d and the user provides an expiration date of 365d when creating the api key, the creation should fail with an error.
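The three cases above, worked through as an added example that is not part of the issue or of Elasticsearch itself: a small Python policy check that derives the lifetime an API key would get under the proposed xpack.security.authc.api_key.expiration setting. The duration parser (d/h/m/s suffixes only) and the function names are assumptions made for this example.

```python
import re
from datetime import timedelta
from typing import Optional

# Constructed for this example: the subset of time-unit suffixes we accept.
_UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
_DURATION_RE = re.compile(r"^(\d+)([dhms])$")


def parse_duration(text: str) -> timedelta:
    """Parse a duration such as '180d' or '12h' into a timedelta."""
    match = _DURATION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported duration: {text!r}")
    value, unit = int(match.group(1)), match.group(2)
    return timedelta(**{_UNITS[unit]: value})


def effective_expiration(max_lifetime: Optional[str],
                         requested: Optional[str]) -> Optional[timedelta]:
    """Apply the proposed policy from the issue.

    max_lifetime: value of the hypothetical xpack.security.authc.api_key.expiration
                  setting (None = unset, i.e. today's behaviour).
    requested:    expiration the user passed at creation time (None = omitted).
    Returns the lifetime the key would get; None means 'never expires'.
    Raises ValueError when the request exceeds the administrator's limit.
    """
    limit = parse_duration(max_lifetime) if max_lifetime else None
    wanted = parse_duration(requested) if requested else None
    if limit is None:
        return wanted  # no policy configured: an omitted expiration means never expire
    if wanted is None:
        return limit  # case 1: default to the administrator's maximum
    if wanted > limit:
        raise ValueError(  # case 3: reject creation
            f"requested expiration {requested} exceeds the configured maximum {max_lifetime}")
    return wanted  # case 2: the shorter user-supplied value wins


def creation_allowed(max_lifetime: Optional[str], requested: Optional[str]) -> bool:
    """True if key creation would succeed under the policy, False if it would be rejected."""
    try:
        effective_expiration(max_lifetime, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in (None, "30d", "365d"):
        print(f"max=180d requested={req}: allowed={creation_allowed('180d', req)}")
```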

@wolframhaussig wolframhaussig added >enhancement needs:triage Requires assignment of a team area label labels Dec 1, 2020
@tvernum tvernum added the :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) label Dec 2, 2020
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Dec 2, 2020
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@tvernum tvernum removed the needs:triage Requires assignment of a team area label label Dec 2, 2020
@tvernum
Contributor

tvernum commented Dec 2, 2020

It is unlikely that we will do this with a global setting.
Features such as Kibana Alerting and Actions and Fleet depend on API Keys and would be significantly complicated if they needed to accommodate such local policies.

We might at some future time, expand the existing RBAC model to support individual restrictions on API Key expiry, but it's not on our roadmap right now.
