Update API key permissions for Search Applications (#153446)

Search applications backed by the ES module use read permissions on the search application alias rather than application specific privileges. Example call to create the API key: ``` curl -H 'Content-Type: application/json' -XPOST 'http://localhost:5601/inl/internal/enterprise_search/engines/puggles/api_key' --data-raw '{ "keyName": "puggles-key"}' ``` You can then verify that you can search the application alias using a command like: ``` curl -XGET 'http://localhost:9200/puggles/_search' -H 'Authorization:ApiKey <yourKey>' -H 'Content-Type: application/json' ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
elastic · Mar 22, 2023 · 8433928 · 8433928
1 parent c269481
commit 8433928
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 10 deletions.
diff --git a/x-pack/plugins/enterprise_search/server/lib/engines/create_api_key.test.ts b/x-pack/plugins/enterprise_search/server/lib/engines/create_api_key.test.ts
@@ -11,7 +11,7 @@ import { createApiKey } from './create_api_key';
 
 describe('createApiKey lib function', () => {
   const engineName = 'my-index';
-  const keyName = 'Engine read only key';
+  const keyName = 'Search alias read only key';
 
   const createResponse = {
     api_key: 'ui2lp2axTNmsyakw9tvNnw',
@@ -38,14 +38,14 @@ describe('createApiKey lib function', () => {
     ).resolves.toEqual(createResponse);
 
     expect(mockClient.asCurrentUser.security.createApiKey).toHaveBeenCalledWith({
-      name: 'Engine read only key',
+      name: 'Search alias read only key',
       role_descriptors: {
         'my-index-key-role': {
-          applications: [
+          cluster: [],
+          indices: [
             {
-              application: 'enterprise-search',
-              privileges: ['engine:read'],
-              resources: ['engine:my-index'],
+              names: [`${engineName}`],
+              privileges: ['read'],
             },
           ],
         },

diff --git a/x-pack/plugins/enterprise_search/server/lib/engines/create_api_key.ts b/x-pack/plugins/enterprise_search/server/lib/engines/create_api_key.ts
@@ -16,11 +16,11 @@ export const createApiKey = async (
     name: keyName,
     role_descriptors: {
       [`${engineName}-key-role`]: {
-        applications: [
+        cluster: [],
+        indices: [
           {
-            application: 'enterprise-search',
-            privileges: ['engine:read'],
-            resources: [`engine:${engineName}`],
+            names: [`${engineName}`],
+            privileges: ['read'],
           },
         ],
       },