APIKey retains the cluster privileges at the time it was created

We were testing out migration to APIKeys for application-level API access and I noticed something strange that I can't find documented anywhere. This is under an ELK stack running 7.15.1.

I created a new user and role, and forgot to add a specific cluster privilege before creating the API key for the user. Some actions on the cluster fail and a specific _search is valid but returns 0 docs.

I updated the role for the user so it is correct now. If I call _search with Authorization: Basic username:password, it returns a result. If I make the same query with Authorization: ApiKey <user's Base64 string>, the query returns 0 results.

If I create a second ApiKey while the user role has the correct privileges, and send this to _search it returns the correct results.

It almost seems that the ApiKey holds the privileges at the time it was created and is not current to the user who holds the ApiKey. Is this the intended behavior? I can understand arguments for this either way.

Thanks,
Roger

It is worded kind of weirdly in the API key creation docs.

When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user.

Since the API Key is created with a point in time snapshot, the permissions will not be updated if you update the backing user.
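To avoid the point-in-time snapshot described above, pass explicit role_descriptors when creating the key and then confirm what the key can actually do with the _has_privileges API. This is an added example, not code from the thread or from Elastic; the cluster URL, index name and role descriptor are constructed assumptions.

```python
import base64
import json
import urllib.request

ES_URL = "https://localhost:9200"  # assumption: local cluster address


def create_api_key_body(name, role_descriptors, expiration="30d"):
    """Body for POST /_security/api_key.

    With explicit role_descriptors the key's privileges are the intersection of
    these descriptors and the creator's privileges at creation time. An empty
    list would instead snapshot the creator's full privileges, which is the
    behaviour that surprised the original poster, so reject it here.
    """
    if not role_descriptors:
        raise ValueError("role_descriptors must be non-empty to avoid the snapshot")
    return {"name": name, "expiration": expiration, "role_descriptors": role_descriptors}


def api_key_header(key_id, api_key):
    """Authorization header value: 'ApiKey ' + base64('<id>:<api_key>')."""
    token = base64.b64encode(f"{key_id}:{api_key}".encode()).decode()
    return f"ApiKey {token}"


def has_privileges_body(index, privileges):
    """Body for POST /_security/user/_has_privileges, checked as the API key itself."""
    return {"index": [{"names": [index], "privileges": list(privileges)}]}


def post(path, body, auth_header):
    req = urllib.request.Request(
        ES_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed descriptor: read-only access to one index, no cluster privileges.
    descriptors = {"app_reader": {"cluster": [], "index": [{"names": ["app-logs-*"], "privileges": ["read"]}]}}
    admin = "Basic " + base64.b64encode(b"elastic:changeme").decode()  # assumption: creator credentials
    key = post("/_security/api_key", create_api_key_body("app-reader", descriptors), admin)
    hdr = api_key_header(key["id"], key["api_key"])
    # Verify the key's effective privileges instead of trusting the creator's role.
    check = post("/_security/user/_has_privileges", has_privileges_body("app-logs-*", ["read"]), hdr)
    print("key can read app-logs-*:", check["has_all_requested"])
```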

Thanks, yeah, I guess that's kinda clear. I had created it through Kibana and left the restrict privileges off, thinking it would apply to the user/role under which it was created, but that created the empty array and activated the point-in-time effect.
