
Updatable API keys - logging audit trail event #88276

Merged
merged 203 commits into from
Jul 12, 2022

Conversation

n1v0lg
Contributor

@n1v0lg n1v0lg commented Jul 5, 2022

This PR adds a new audit trail event for when API keys are updated.

@n1v0lg n1v0lg added the :Security/Audit X-Pack Audit logging label Jul 7, 2022
@n1v0lg n1v0lg marked this pull request as ready for review July 7, 2022 10:51
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Jul 7, 2022
@elasticmachine
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine
Collaborator

Hi @n1v0lg, I've created a changelog YAML for you.

@n1v0lg n1v0lg changed the title Update API keys - logging audit trail event Updatable API keys - logging audit trail event Jul 7, 2022
@n1v0lg n1v0lg requested a review from ywangd July 7, 2022 10:55
Member

@ywangd ywangd left a comment


We document all events that belong to the security_config_change event type. Do you plan to have it as a separate PR? I think we can have it here since it is a relatively small change and does not belong to the main API doc.

withRoleDescriptor(builder, roleDescriptor);
}
builder.endArray();
}
Member


It's an oversight that metadata is not included in the auditing message because metadata support was added after audit for security-config-change. Our view has continued to be that the audit message should be as complete as possible. It can get very verbose. But we generally consider that leaving out information without clear context is more risky. Taking the API key metadata as an example, Fleet uses it to identify the host an agent runs on, and this is actually an important piece of information.

That said, I am happy for it to be a separate PR. In fact, I can take this one so that you can focus on the main tasks.

@n1v0lg
Contributor Author

n1v0lg commented Jul 8, 2022

@ywangd

We document all events that belong to the security_config_change event type. Do you plan to have it as a separate PR?

Happy to add in this PR 👍

That said, I am happy for it to be a separate PR. In fact, I can take this one so that you can focus on the main tasks.

Awesome, appreciated!

["read","maintenance"]},{"names":["in*","alias*"],"privileges":["read"],
"field_security":{"grant":["field1*","@timestamp"],"except":["field11"]}}],
"applications":[],"run_as":[]},{"cluster":["all"],"indices":[{"names":
["index-b*"],"privileges":["all"]}],"applications":[],"run_as":[]}]}}}
Contributor Author

@n1v0lg n1v0lg Jul 8, 2022


Note: no metadata here - will need to add it when we add metadata to the actual event.
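As an added example (not Elasticsearch code and not part of this PR), here is a small consumer for the audit trail the thread is discussing. It reads newline-delimited JSON audit lines, keeps only `security_config_change` events, handles both the single-`id` `apikey` schema and the `ids` list of the `apikeys` schema that the reviewers mention, and flags records that omit metadata or carry broad role descriptors such as the `"cluster":["all"]` / `"privileges":["all"]` descriptors in the sample above. Only `event.type`, the two schema names and the role-descriptor shape come from the page; the `event.action` values, the `change` / `invalidate` wrapper keys, the set of privileges treated as broad and the sample lines are constructed assumptions for this example.

```python
import json

# Constructed sample audit lines (not captured from a real cluster). The
# `event.action` values and the `change` / `invalidate` wrapper keys are
# assumptions; `event.type`, the `apikey` (single id) and `apikeys` (ids)
# schemas and the role-descriptor shape follow the PR thread.
SAMPLE_AUDIT_LINES = [
    json.dumps({
        "type": "audit", "event.type": "security_config_change",
        "event.action": "change_apikey", "request.id": "req-1",
        "change": {"apikey": {"id": "k1", "role_descriptors": [
            {"cluster": ["all"],
             "indices": [{"names": ["index-b*"], "privileges": ["all"]}],
             "applications": [], "run_as": []}]}},
    }),
    json.dumps({
        "type": "audit", "event.type": "security_config_change",
        "event.action": "change_apikey", "request.id": "req-2",
        "change": {"apikey": {"id": "k2", "role_descriptors": [
            {"cluster": [],
             "indices": [{"names": ["in*", "alias*"], "privileges": ["read"],
                          "field_security": {"grant": ["field1*", "@timestamp"],
                                             "except": ["field11"]}}],
             "applications": [], "run_as": []}],
            "metadata": {"fleet": {"host": "agent-host-7"}}}},
    }),
    json.dumps({
        "type": "audit", "event.type": "security_config_change",
        "event.action": "invalidate_apikeys", "request.id": "req-3",
        "invalidate": {"apikeys": {"ids": ["k1", "k3"],
                                   "owned_by_authenticated_user": False}},
    }),
    json.dumps({"type": "audit", "event.type": "access_granted",
                "event.action": "indices:data/read/search"}),
    "not json at all",
]

# Assumption: cluster privileges a reviewer of the trail would want called out.
BROAD_CLUSTER_PRIVILEGES = {"all", "manage_security"}


def parse_security_config_changes(lines):
    """Keep only well-formed security_config_change events; skip the rest."""
    events = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # count these in a real pipeline, but never crash on them
        if isinstance(event, dict) and event.get("event.type") == "security_config_change":
            events.append(event)
    return events


def find_apikey_body(event):
    """Return (schema, body) for the `apikey` or `apikeys` object, else (None, None).

    The wrapper key (`change`, `invalidate`, ...) is not assumed; any top-level
    object that carries one of the two schemas is accepted."""
    for value in event.values():
        if isinstance(value, dict):
            for schema in ("apikey", "apikeys"):
                if isinstance(value.get(schema), dict):
                    return schema, value[schema]
    return None, None


def apikey_ids(schema, body):
    """Normalise the single-id and id-list schemas to one list of key ids."""
    if schema == "apikey":
        return [body["id"]] if "id" in body else []
    if schema == "apikeys":
        return list(body.get("ids", []))
    return []


def broad_privilege_findings(role_descriptors):
    """Describe descriptors that grant cluster-wide or index-wide `all` or run_as."""
    findings = []
    for i, rd in enumerate(role_descriptors):
        broad = set(rd.get("cluster", [])) & BROAD_CLUSTER_PRIVILEGES
        if broad:
            findings.append(f"role_descriptors[{i}]: cluster privileges {sorted(broad)}")
        for index_priv in rd.get("indices", []):
            if "all" in index_priv.get("privileges", []):
                findings.append(f"role_descriptors[{i}]: index privilege 'all' on {index_priv.get('names')}")
        if rd.get("run_as"):
            findings.append(f"role_descriptors[{i}]: run_as {rd['run_as']}")
    return findings


def summarize_apikey_changes(lines):
    """One row per API-key audit record: ids touched plus completeness/privilege findings."""
    rows = []
    for event in parse_security_config_changes(lines):
        schema, body = find_apikey_body(event)
        if schema is None:
            continue
        findings = []
        if schema == "apikey":
            if "metadata" not in body:
                findings.append("metadata absent from audit record")
            findings.extend(broad_privilege_findings(body.get("role_descriptors", [])))
        rows.append({"request_id": event.get("request.id"),
                     "action": event.get("event.action"),
                     "schema": schema,
                     "ids": apikey_ids(schema, body),
                     "findings": findings})
    return rows
```

Note the limit the thread itself points at: with the record as it stands, an update request that simply carried no metadata and an audit record that silently omits it look identical to this consumer, which is the ambiguity ywangd's comment about completeness is meant to remove.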

@n1v0lg n1v0lg requested a review from ywangd July 8, 2022 09:41
Member

@ywangd ywangd left a comment


LGTM

x-pack/docs/en/security/auditing/event-types.asciidoc (Outdated)
@@ -1228,6 +1244,18 @@ private void withRequestBody(XContentBuilder builder, CreateApiKeyRequest create
.endObject(); // apikey
}

private void withRequestBody(final XContentBuilder builder, final UpdateApiKeyRequest updateApiKeyRequest) throws IOException {
builder.startObject("apikey").field("id", updateApiKeyRequest.getId());
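Review bot: the new `withRequestBody(final XContentBuilder builder, final UpdateApiKeyRequest updateApiKeyRequest)` overload at the end of this hunk opens the same `apikey` object the create path closes just above it (`.endObject(); // apikey`) but keys it on a single `id`; a bulk update API, as raised in the thread, would carry `ids`, so either give updates their own object or reuse the existing `apikeys` schema already used for invalidation rather than ending up with both `id` and `ids` under `apikey`. The visible lines also emit only the id, and the thread notes that metadata is not yet part of the audited request body; when it is added, this method is where it belongs, next to the id and role descriptors, so the record can distinguish an update that carried no metadata from one whose metadata was dropped from the log.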
Member


I am thinking how this should play when we have the bulk update API. My intuition would be having a separate apikeys schema to avoid having both id and ids in the same schema. What do you think?

Contributor Author


Yup separate schema makes sense. The apikeys schema already exists for invalidation so we could re-use that for instance.

@n1v0lg n1v0lg merged commit c56715f into elastic:master Jul 12, 2022
@n1v0lg n1v0lg deleted the update-api-keys-audit-trail branch July 12, 2022 12:16
weizijun added a commit to weizijun/elasticsearch that referenced this pull request Jul 13, 2022
* upstream/master: (38 commits)
  Simplify map copying (elastic#88432)
  Make DiffableUtils.diff implementation agnostic (elastic#88403)
  Ingest: Start separating Metadata from IngestSourceAndMetadata (elastic#88401)
  Move runtime fields base scripts out of scripting fields api package. (elastic#88488)
  Enable TRACE Logging for test and increase timeout (elastic#88477)
  Mute ReactiveStorageIT#testScaleDuringSplitOrClone (elastic#88480)
  Track the count of failed invocations since last successful policy snapshot (elastic#88398)
  Avoid noisy exceptions on data nodes when aborting snapshots (elastic#88476)
  Fix ReactiveStorageDeciderServiceTests testNodeSizeForDataBelowLowWatermark (elastic#88452)
  INFO logging of snapshot restore and completion (elastic#88257)
  unmute test (elastic#88454)
  Updatable API keys - noop check (elastic#88346)
  Corrected an incomplete sentence. (elastic#86542)
  Use consistent shard map type in IndexService (elastic#88465)
  Stop registering TestGeoShapeFieldMapperPlugin in ESIntegTestCase (elastic#88460)
  TSDB: RollupShardIndexer logging improvements (elastic#88416)
  Audit API key ID when create or grant API keys (elastic#88456)
  Bound random negative size test in SearchSourceBuilderTests#testNegativeSizeErrors (elastic#88457)
  Updatable API keys - logging audit trail event (elastic#88276)
  Polish reworked LoggedExec task (elastic#88424)
  ...

# Conflicts:
#	x-pack/plugin/rollup/src/main/java/org/elasticsearch/xpack/rollup/v2/RollupShardIndexer.java
Labels
>enhancement :Security/Audit X-Pack Audit logging Team:Security Meta label for security team v8.4.0
5 participants