In my previous post “Elastic: Using Postman to access Elastic Stack” I showed you how to access Elasticsearch in your application. There, we used Basic Basic Authentication to access Elasticsearch. The downside of this approach is that all requests from each user are authenticated the same: the Base64 encoding of the same username and password is used. In today’s article, we’ll show you how to create an API key to provide access to Elasticsearch. With this approach, a user can dynamically generate access to countless API keys. Official documentation can be found at the link.

Create an API key interface to access Elasticsearch

interface

Its interface is very simple:

POST /_security/api_key
PUT /_security/api_key
Copy the code

The API Key is created by the Elasticsearch API Key service, which is automatically enabled when you configure TLS on the HTTP interface. See Encrypting HTTP client communication. Alternatively, you can explicitly enable the xpack.security.authc.API_key. enabled setting. When running in production mode, boot checks prevent you from enabling the API key service unless you also enable TLS on the HTTP interface.

The SUCCESSFUL API key creation API call returns a JSON structure containing the API key, its unique ID, and name. It also returns the expiration of the API key in milliseconds, if applicable.

One caveat: by default, API keys never expire. You can specify expiration information when creating the API key.

Request for example

The following example creates an API key:

POST /_security/api_key
{
  "name": "my-api-key",
  "expiration": "1d", 
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  }
}
Copy the code

Note that the expiration and role_descriptors fields above are optional. If you do not select it, it means it is always valid and applies to all roles.

Next, let’s demonstrate this functionality with a concrete example.

The installation

For this test, see my previous article “Elastic: Enabling HTTPS Access for Elasticsearch” for the configuration that requires us to enable TLS. In that article, I detailed how to configure to enable TLS. If your configuration is successful, our Elasticsearch will now run on port https://localhost:9200. I won’t bother here.

test

Let’s first open Kibana and type the following command:

POST /_security/api_key
{
  "name": "liuxg-api-key",
  "expiration": "1d"
}
Copy the code

In this case, we set the API key to expire for 1 day. We also gave a name liuxg-apI-key. After executing the above command, we can see the following response:

{
  "id" : "gBcXKHMB53qZFLAQ52-j",
  "name" : "liuxg-api-key",
  "expiration" : 1594191922072,
  "api_key" : "sJYv3VMLRaaeaoUec2XfsA"
}
Copy the code

Here, expiration is expressed as a value. It represents the second counted from 1970-01-01 00:00:00 UTC. See the article for detailed descriptions.

We can produce this ApiKey in two ways:

Method one:

What we care most about is the id and api_key returned. These two values are not directly available to us. We open the website: www.base64encode.org/ and separate the id from the API_key with a semicolon:

Please pay attention to the value returned Z0JjWEtITUI1M3FaRkxBUTUyLWo6c0pZdjNWTUxSYWFlYW9VZWMyWGZzQQ = =. This will be the final ApiKey we need to access Elasticsearch.

Method 2:

We open a terminal and create the following file called Response, which has the following contents:

{
  "id" : "gBcXKHMB53qZFLAQ52-j",
  "name" : "liuxg-api-key",
  "expiration" : 1594191922072,
  "api_key" : "sJYv3VMLRaaeaoUec2XfsA"
}
Copy the code

$ cat response 
{
  "id" : "gBcXKHMB53qZFLAQ52-j",
  "name" : "liuxg-api-key",
  "expiration" : 1594191922072,
  "api_key" : "sJYv3VMLRaaeaoUec2XfsA"
}
Copy the code

Then we type the following command in the path of the response file:

$ echo -n $(cat response | jq -r .id):$(cat response | jq -r .api_key) | base64
Copy the code

The command above shows the result:

$ ls response 
response
liuxg:tmp liuxg$ echo -n $(cat response | jq -r .id):$(cat response | jq -r .api_key) | base64
Z0JjWEtITUI1M3FaRkxBUTUyLWo6c0pZdjNWTUxSYWFlYW9VZWMyWGZzQQ==
Copy the code

With this method, we can see the same effect as method 1.

Using ApiKey

An example of the interface we used to access Elasticsearch is:

curl -k -H “Authorization: ApiKey Z0JjWEtITUI1M3FaRkxBUTUyLWo6c0pZdjNWTUxSYWFlYW9VZWMyWGZzQQ==” https://localhost:9200/_cluster/health

Run the command above:

Let’s run another example:

curl -k -H “Authorization: ApiKey Z0JjWEtITUI1M3FaRkxBUTUyLWo6c0pZdjNWTUxSYWFlYW9VZWMyWGZzQQ==” https://localhost:9200/_cat/indices? pretty

mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.

Elasticsearch: Create an API key interface to access Elasticsearch

interface

Request for example

The installation

test

Method one:

Method 2:

Using ApiKey

Elasticsearch: Create an API key interface to access Elasticsearch

interface

Request for example

The installation

test

Method one:

Method 2:

Using ApiKey

Related Posts

In-depth understanding of object oriented, object oriented three features, seven principles and six relationships

EMQ Million level MQTT Messaging Service (ACL Authentication)

Operating system that often meets test questions