diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java index 5e1d4deca2857..11b4ee7c3116c 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java @@ -510,9 +510,7 @@ private void validateApiKeyExpiration(Map source, ApiKeyCredenti final Map metadata = (Map) creator.get("metadata"); final Map roleDescriptors = (Map) source.get("role_descriptors"); final Map limitedByRoleDescriptors = (Map) source.get("limited_by_role_descriptors"); - final String[] roleNames = (roleDescriptors != null) ? roleDescriptors.keySet().toArray(Strings.EMPTY_ARRAY) - : limitedByRoleDescriptors.keySet().toArray(Strings.EMPTY_ARRAY); - final User apiKeyUser = new User(principal, roleNames, null, null, metadata, true); + final User apiKeyUser = new User(principal, Strings.EMPTY_ARRAY, null, null, metadata, true); final Map authResultMetadata = new HashMap<>(); authResultMetadata.put(API_KEY_CREATOR_REALM_NAME, creator.get("realm")); authResultMetadata.put(API_KEY_CREATOR_REALM_TYPE, creator.get("realm_type")); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java index 064047bf0279d..d24cde657b43a 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/ApiKeyServiceTests.java @@ -63,9 +63,9 @@ import static org.elasticsearch.test.TestMatchers.throwableWithMessage; import static org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR; -import static org.hamcrest.Matchers.arrayContaining; import static org.hamcrest.Matchers.contains; import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.emptyArray; import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.is; @@ -306,7 +306,7 @@ public void testValidateApiKey() throws Exception { assertNotNull(result); assertTrue(result.isAuthenticated()); assertThat(result.getUser().principal(), is("test_user")); - assertThat(result.getUser().roles(), arrayContaining("a role")); + assertThat(result.getUser().roles(), is(emptyArray())); assertThat(result.getUser().metadata(), is(Collections.emptyMap())); assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors"))); assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), @@ -320,7 +320,7 @@ public void testValidateApiKey() throws Exception { assertNotNull(result); assertTrue(result.isAuthenticated()); assertThat(result.getUser().principal(), is("test_user")); - assertThat(result.getUser().roles(), arrayContaining("a role")); + assertThat(result.getUser().roles(), is(emptyArray())); assertThat(result.getUser().metadata(), is(Collections.emptyMap())); assertThat(result.getMetadata().get(ApiKeyService.API_KEY_ROLE_DESCRIPTORS_KEY), equalTo(sourceMap.get("role_descriptors"))); assertThat(result.getMetadata().get(ApiKeyService.API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY), diff --git a/x-pack/plugin/src/test/resources/rest-api-spec/test/api_key/10_basic.yml b/x-pack/plugin/src/test/resources/rest-api-spec/test/api_key/10_basic.yml index dbdf22c69c90c..f58e62b1c20cb 100644 --- a/x-pack/plugin/src/test/resources/rest-api-spec/test/api_key/10_basic.yml +++ b/x-pack/plugin/src/test/resources/rest-api-spec/test/api_key/10_basic.yml @@ -119,8 +119,7 @@ teardown: security.authenticate: {} - match: { username: "api_key_user" } - - match: { roles.0: "role-b" } - - match: { roles.1: "role-a" } + - length: { roles: 0 } - match: { authentication_realm.name: "_es_api_key" } - match: { authentication_realm.type: "_es_api_key" }