We were testing out migration to APIKeys for application-level API access and I noticed something strange I can't find documented anywhere. This is under an ELK stack running 7.15.1.
I created a new user and role, and forgot to add a specific cluster privilege before creating the API key for the user. Some actions on the cluster fail and a specific _search is valid but returns 0 docs.
I update the role for the user to be correct now. If I call into the _search with authorization Basic username:password, it returns a result. If I make the same query with the Authorization ApiKey <user's Base64 string>, the query returns 0 results.
If I create a second ApiKey while the user role has the correct privileges, and send this to _search, it returns the correct results.
It almost seems that the ApiKey holds the privileges at the time it was created and not those current to the user who holds the ApiKey. Is this the intended behavior? I can understand arguments for this either way.
Thanks,
Roger
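
Added example, not part of the original post: Elasticsearch API keys carry a snapshot of the owner's privileges taken when the key is created, so keys issued before a role change have to be reissued to pick the change up. The Python below takes the JSON returned by GET /_security/api_key and lists a user's still-active keys that predate the role change, then builds the body for invalidating them. The sample response, the user name app_user and both timestamps are constructed, and the role-change time is assumed to come from your own change records.

```python
import json

# Constructed sample of a GET /_security/api_key response (not from the post).
SAMPLE_RESPONSE = json.loads("""
{"api_keys": [
  {"id": "key-A", "name": "app-search", "creation": 1635990000000,
   "invalidated": false, "username": "app_user", "realm": "native"},
  {"id": "key-B", "name": "app-search-2", "creation": 1636003600000,
   "invalidated": false, "username": "app_user", "realm": "native"},
  {"id": "key-C", "name": "old", "creation": 1635000000000,
   "invalidated": true, "username": "app_user", "realm": "native"},
  {"id": "key-D", "name": "short-lived", "creation": 1635400000000,
   "expiration": 1635500000000, "invalidated": false,
   "username": "app_user", "realm": "native"},
  {"id": "key-E", "name": "other", "creation": 1635990000000,
   "invalidated": false, "username": "other_user", "realm": "native"}
]}
""")
ROLE_FIXED_AT_MS = 1636000000000  # assumed: when the role was corrected
NOW_MS = 1636010000000            # assumed: time of the audit


def stale_api_keys(response, username, role_changed_at_ms, now_ms):
    """Active keys owned by `username` that were created before the role change."""
    stale = []
    for key in response.get("api_keys", []):
        if key.get("username") != username or key.get("invalidated"):
            continue  # someone else's key, or already revoked
        expiration = key.get("expiration")  # absent when the key never expires
        if expiration is not None and expiration <= now_ms:
            continue  # already expired, nothing to rotate
        if key["creation"] < role_changed_at_ms:
            stale.append(key)
    return sorted(stale, key=lambda k: k["creation"])


def invalidate_body(keys):
    """Request body for DELETE /_security/api_key covering the given keys."""
    return {"ids": [k["id"] for k in keys]}


if __name__ == "__main__":
    stale = stale_api_keys(SAMPLE_RESPONSE, "app_user", ROLE_FIXED_AT_MS, NOW_MS)
    for key in stale:
        print(f"reissue {key['name']} ({key['id']}), created {key['creation']}")
    print(json.dumps(invalidate_body(stale)))
```

Create the replacement key first and switch the application to it before sending the invalidate request, so the application is never left without a working credential.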