ES Version: 7.15.2 and prior
The /_security/api_key
api returns a 200 response code even when the requested key does not exists.
Example:
curl -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
{"api_keys":[]}
curl -i -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
HTTP/1.1 200 OK
X-elastic-product: Elasticsearch
content-type: application/json; charset=UTF-8
content-length: 15
{"api_keys":[]}
This prevents programmatic determination if a key exists as all queries for implicit or explicit keys by their name return a 200 status code. It should be possible to determine if a key exists by the status code when requesting via the API for a key by name and not relying on parsing a null set.
After the key is created, the response code is the same:
curl -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
{"api_keys":[{"id":"VTRudn0Bwr2FyyO2_JlK","name":"bobs_key","creation":1638369524771,"invalidated":false,"username":"elastic","realm":"reserved","metadata":{}}]}
curl -i -X GET "https://172.19.18.17:9200/_security/api_key?name=bobs_key" -u elastic:changeme --insecure
HTTP/1.1 200 OK
X-elastic-product: Elasticsearch
content-type: application/json; charset=UTF-8
content-length: 161
{"api_keys":[{"id":"VTRudn0blahhh2F2_JlK","name":"bobs_key","creation":1638369524771,"invalidated":false,"username":"elastic","realm":"reserved","metadata":{}}]}[