Support Elastic Cloud API keys in the api_key option#215
Open
arenard wants to merge 1 commit into
Open
Conversation
arenard
force-pushed
the
feature/cloud-api-key-support
branch
2 times, most recently
from
f854fe8 to
20d2ffc
Compare
arenard
force-pushed
the
feature/cloud-api-key-support
branch
from
20d2ffc to
a481bf2
Compare
Elastic Cloud API keys (including the unified Serverless keys prefixed with `essu_`) are opaque tokens that must be passed verbatim in the `Authorization: ApiKey` header. The existing logic base64-encoded any value that was not already valid standard base64, which double-encoded `essu_` keys (the prefix contains `_`, outside the base64 alphabet) and produced an Authorization header rejected by Elasticsearch. Detect the `essu_` prefix and pass such keys through unchanged, while keeping the existing handling for raw `id:api_key` pairs and their base64-encoded form. Updates the `api_key` option documentation and adds a unit test covering the cloud key case.
arenard
force-pushed
the
feature/cloud-api-key-support
branch
from
a481bf2 to
6d4daa6
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Allows an Elastic Cloud API key (the
essu_-prefixed keys, including the unified Serverless keys) to be used in theapi_keyoption. These keys are not in theid:api_keyform and cannot currently be used with this filter.Background
The
api_keyvalue is turned into anAuthorization: ApiKey <value>header. The existing logic base64-encodes any value that is not already valid standard base64. Anessu_key is neither anid:api_keypair nor valid standard base64 (theessu_prefix contains_, which is outside the standard base64 alphabet), so it ends up being base64-encoded a second time and Elasticsearch rejects the resulting header.Elasticsearch accepts these keys directly as
Authorization: ApiKey <key>(Cloud API key authentication, available since Elasticsearch 9.1), so the gap is only on the Logstash side.Change
setup_api_keynow recognises theessu_prefix and forwards such keys unchanged. Rawid:api_keypairs and their base64-encoded form keep their previous behaviour, so existing configurations are unaffected.Tests
Added a unit test that asserts an
essu_key is sent verbatim, with no re-encoding. The existing raw and already-encoded api-key tests still pass.Docs
Updated
docs/index.asciidocand the inlineapi_keyoption documentation to list the three accepted forms.Related
The same fix is applied to the other two Elasticsearch plugins so the behaviour is consistent:
api_keyoption logstash-output-elasticsearch#1274api_keyoption logstash-input-elasticsearch#274