API Key Management #25729
Pinging @elastic/kibana-security
I think this is a great idea. Expanding on this, I see two potential views (depending on user privileges):
Somewhat unrelated, we expect to use long-lived tokens as a Kibana auth mechanism, right? I wonder if we will want/need a way to invalidate these tokens if roles end up changing. For example, if an admin wants to revoke
Elasticsearch merged support for long-lived tokens (called api keys) in elastic/elasticsearch#38291 supporting the following:
Retrieving API Keys requires us to specify at least one of:
It'll be easy enough for us to create a UI showing tokens for the currently logged-in user, or all tokens for the
An update on my question above:
When you create a token via this API, you are asked to specify a role definition which explains the privileges this token should be granted. You don't necessarily tie this to an existing role, but grant privileges "on the fly" when the token is created. So revoking access across all tokens for a specific user isn't something we'll support (for now), if I understand correctly. The
If this UI is specific to the current user, we should make it accessible through the user dropdown (where change password is) instead of in the management app
We're tracking that functionality here: #34820
Pinging @elastic/es-ui
@legrego Can we either close this issue or relabel it for the Security team?
Yep, let's close. We have more specific issues for tracking enhancements to API Key management
When Elasticsearch introduces long-lived tokens, they're going to be a snapshot of the user's effective privileges at the time that the token was created. Relatedly, when a user is deleted their long-lived token won't be automatically invalidated.
We'd like to add a section to the user management screens in Kibana that will list the user's long-lived tokens and allow these to be invalidated, and potentially prompt the user if they'd like to invalidate the tokens when the user is deleted.
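The lifecycle this issue and the comments describe, as an added example that is not Kibana's or Elasticsearch's own code: a key is created with role descriptors that are frozen at creation time, retrieval and invalidation must name at least one selector (id, name, username or realm), and deleting a user leaves that user's keys valid until someone invalidates them explicitly. The request shapes follow the `/_security/api_key` endpoints; everything else (`FakeSecurityCluster`, the `key-N` ids, the `native` realm, the `deleteUserAndInvalidateKeys` procedure) is an in-memory stand-in constructed for this example so that it runs offline. One simplification: the stand-in stores the descriptors as given, whereas a real cluster also bounds a key's effective privileges by what its creator holds.

```typescript
// Added example, not code from Kibana or Elasticsearch. Models the API key
// lifecycle discussed in the thread against an in-memory stand-in cluster.

interface RoleDescriptors {
  [roleName: string]: {
    cluster?: string[];
    indices?: Array<{ names: string[]; privileges: string[] }>;
  };
}

interface ApiKeySelector {
  id?: string;
  name?: string;
  username?: string;
  realm_name?: string;
}

interface ApiKeyRecord {
  id: string;
  name: string;
  username: string;
  realm_name: string;
  role_descriptors: RoleDescriptors; // snapshot taken when the key was created
  invalidated: boolean;
}

// GET/DELETE /_security/api_key require at least one selector; reject an
// empty one locally instead of sending a request the cluster will refuse.
function assertSelector(sel: ApiKeySelector): void {
  if (!sel.id && !sel.name && !sel.username && !sel.realm_name) {
    throw new Error('at least one of id, name, username, realm_name is required');
  }
}

// POST /_security/api_key: descriptors are supplied per key, not tied to a stored role.
function createApiKeyRequest(name: string, roleDescriptors: RoleDescriptors, expiration?: string) {
  return {
    method: 'POST',
    path: '/_security/api_key',
    body: { name, role_descriptors: roleDescriptors, ...(expiration ? { expiration } : {}) },
  };
}

function getApiKeyRequest(sel: ApiKeySelector) {
  assertSelector(sel);
  const qs = Object.entries(sel)
    .filter(([, v]) => v !== undefined)
    .map(([k, v]) => `${k}=${encodeURIComponent(String(v))}`)
    .join('&');
  return { method: 'GET', path: `/_security/api_key?${qs}` };
}

function invalidateApiKeyRequest(sel: ApiKeySelector) {
  assertSelector(sel);
  return { method: 'DELETE', path: '/_security/api_key', body: sel };
}

// Constructed stand-in for the cluster's security index (not a real Elasticsearch client).
class FakeSecurityCluster {
  private keys: ApiKeyRecord[] = [];
  private users = new Set<string>();
  private nextId = 1;

  addUser(username: string): void { this.users.add(username); }

  createKey(username: string, req: ReturnType<typeof createApiKeyRequest>): ApiKeyRecord {
    if (!this.users.has(username)) throw new Error(`unknown user ${username}`);
    const rec: ApiKeyRecord = {
      id: `key-${this.nextId++}`,
      name: req.body.name,
      username,
      realm_name: 'native',
      // deep copy: later changes to the caller's descriptors must not reach the key
      role_descriptors: JSON.parse(JSON.stringify(req.body.role_descriptors)),
      invalidated: false,
    };
    this.keys.push(rec);
    return rec;
  }

  private matches(k: ApiKeyRecord, sel: ApiKeySelector): boolean {
    return (!sel.id || k.id === sel.id) && (!sel.name || k.name === sel.name) &&
      (!sel.username || k.username === sel.username) && (!sel.realm_name || k.realm_name === sel.realm_name);
  }

  // Mirrors GET /_security/api_key: matching keys, whether still valid or already invalidated.
  getKeys(sel: ApiKeySelector): ApiKeyRecord[] {
    assertSelector(sel);
    return this.keys.filter((k) => this.matches(k, sel));
  }

  // Mirrors DELETE /_security/api_key: returns how many keys were newly invalidated.
  invalidateKeys(sel: ApiKeySelector): number {
    assertSelector(sel);
    let n = 0;
    for (const k of this.keys) {
      if (!k.invalidated && this.matches(k, sel)) { k.invalidated = true; n++; }
    }
    return n;
  }

  // Plain user deletion: as the issue notes, the user's keys stay valid afterwards.
  deleteUser(username: string): void { this.users.delete(username); }

  // The prompt the issue proposes for the Kibana UI: invalidate the keys, then delete the user.
  deleteUserAndInvalidateKeys(username: string): number {
    const n = this.invalidateKeys({ username });
    this.deleteUser(username);
    return n;
  }

  activeKeyCount(username: string): number {
    return this.keys.filter((k) => k.username === username && !k.invalidated).length;
  }
}
```

Running `deleteUser` on a user with two keys leaves `activeKeyCount` at 2, which is the orphaned-credential case the issue wants the management UI to surface; `deleteUserAndInvalidateKeys` is the mitigation path and returns the number of keys it revoked.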