Create Cross-Cluster API key API

edit

Create Cross-Cluster API key API

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Creates an API key of the cross_cluster type for the API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface. On the contrary, a REST API key is meant to be used through the REST interface and cannot be used for the API key based remote cluster access.

Request

edit

POST /_security/cross_cluster/api_key

Prerequisites

edit
  • To use this API, you must have at least the manage_security cluster privilege.

To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.

Description

edit

Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled. For instructions on disabling the API key service, refer to API key service settings.

A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

By default, API keys never expire. You can specify expiration information when you create the API keys.

Refer to API key service settings for configuration settings related to API key service.

Cross-cluster API keys can only be updated with the Update Cross-Cluster API key API. Attempting to update them with the Update REST API key API or the Bulk Update REST API Keys API will result into an error. They can be retrieved and invalidated using Get API keys API, Query API keys API and Invalidate API keys API.

Request body

edit

The following parameters can be specified in the body of a POST request:

name
(Required, string) Specifies the name for this API key.
access

(required, object) The access to be granted to this API key. The access is composed of permissions for cross-cluster search and cross-cluster replication. At least one of them must be specified.

search

(optional, list) A list of indices permission entries for cross-cluster search.

names
(required, list) A list of indices or name patterns to which the permissions in this entry apply.
field_security
(optional, object) The document fields that the owners of the role have read access to. For more information, check Setting up field and document level security.
query
(optional) A search query that defines the documents the owners of the role have read access to. A document within the specified indices must match this query to be accessible by the owners of the role. For more information, check Setting up field and document level security.
allow_restricted_indices
(optional, boolean) This needs to be set to true (default is false) if the patterns in the names field should cover system indices.
replication

(optional, list) A list of indices permission entries for cross-cluster replication.

names
(required, list) A list of indices or name patterns to which the permissions in this entry apply.

No explicit privileges should be specified for either search or replication access. The creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly. The access value as well as its corresponding role_descriptors are returned in responses of Get API keys API and Query API keys API.

Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access parameter.

expiration
(optional, string) Expiration time for the API key. By default, API keys never expire.
metadata
(optional, object) Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with _ are reserved for system usage.

Examples

edit

The following example creates a cross-cluster API key:

POST /_security/cross_cluster/api_key
{
  "name": "my-cross-cluster-api-key",
  "expiration": "1d",   
  "access": {
    "search": [  
      {
        "names": ["logs*"]
      }
    ],
    "replication": [  
      {
        "names": ["archive*"]
      }
    ]
  },
  "metadata": {
    "description": "phase one",
    "environment": {
       "level": 1,
       "trusted": true,
       "tags": ["dev", "staging"]
    }
  }
}

Optional expiration for the API key being generated. If expiration is not provided then the API key does not expire.

Cross-cluster search access to be granted to the API key.

Cross-cluster replication access to be granted to the API key.

A successful call returns a JSON structure that provides API key information.

{
  "id": "VuaCfGcBCdbkQm-e5aOx",        
  "name": "my-cross-cluster-api-key",
  "expiration": 1544068612110,         
  "api_key": "ui2lp2axTNmsyakw9tvNnw", 
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="  
}

Unique id for this API key

Optional expiration in milliseconds for this API key

Generated API key secret

API key credentials which is the Base64-encoding of the UTF-8 representation of the id and api_key joined by a colon (:)

The API key information can be retrieved with the Get API key API.

GET /_security/api_key?id=VuaCfGcBCdbkQm-e5aOx

A successful call returns a JSON structure that contains the information of the API key:

{
  "api_keys": [
    {
      "id": "VuaCfGcBCdbkQm-e5aOx", 
      "name": "my-cross-cluster-api-key", 
      "type": "cross_cluster", 
      "creation": 1548550550158,
      "expiration": 1548551550158,
      "invalidated": false,
      "username": "myuser",
      "realm": "native1",
      "metadata": {
        "description": "phase one",
          "environment": {
             "level": 1,
             "trusted": true,
             "tags": ["dev", "staging"]
          }
      },
      "role_descriptors": {  
        "cross_cluster": {
          "cluster": [  
              "cross_cluster_search", "cross_cluster_replication"
          ],
          "indices": [
            {  
              "names": [
                "logs*"
              ],
              "privileges": [
                "read", "read_cross_cluster", "view_index_metadata"
              ],
              "allow_restricted_indices": false
            },
            {  
              "names": [
                "archive*"
              ],
              "privileges": [
                "cross_cluster_replication", "cross_cluster_replication_internal"
              ],
              "allow_restricted_indices": false
            }
          ],
          "applications": [ ],
          "run_as": [ ],
          "metadata": { },
          "transient_metadata": {
            "enabled": true
          }
        }
      },
      "access": {  
        "search": [
          {
            "names": [
              "logs*"
            ],
            "allow_restricted_indices": false
          }
        ],
        "replication": [
          {
            "names": [
              "archive*"
            ],
            "allow_restricted_indices": false
          }
        ]
      }
    }
  ]
}

ID for the API key

Name of the API key

Type of the API key

The role descriptors generated for the cross-cluster API key. It always contains exactly one role descriptor named cross_cluster. A cross-cluster API key has no limited-by role descriptors.

The cluster privileges necessary for the required cross-cluster access. The value is cross_cluster_search if only cross-cluster search is required. It is cross_cluster_replication if only cross-cluster replication is required. Or both, if search and replication are required.

The indices privileges corresponding to the required cross-cluster search access.

The indices privileges corresponding to the required cross-cluster replication access.

The access corresponds to the value specified at API key creation time.

To use the generated API key, configure it as the cluster credential as part of an API key based remote cluster configuration.