Skip to content

Introduce API Tokens with cluster_permissions and index_permissions directly associated with the token#5443

Open
cwperks wants to merge 45 commits intoopensearch-project:mainfrom
cwperks:feature/api-tokens-cwperx
Open

Introduce API Tokens with cluster_permissions and index_permissions directly associated with the token#5443
cwperks wants to merge 45 commits intoopensearch-project:mainfrom
cwperks:feature/api-tokens-cwperx

Conversation

@cwperks
Copy link
Copy Markdown
Member

@cwperks cwperks commented Jun 25, 2025
edited
Loading

Description

Re-basing #5225 with the latest changes from main.

This PR introduces API Tokens — a new capability in the Security plugin that allows security admins to issue long-lived, scoped tokens and associate permissions directly with the token.

How it works

API Tokens are opaque tokens with the format os_<random>. When a token is created, a SHA-256 hash of the plaintext token is stored in a system index, .opensearch_security_api_tokens. The plaintext token is returned once at creation time and never stored. On each request, the incoming token is hashed and looked up in an in-memory cache populated from the index.

Tokens are authenticated via the Authorization: ApiKey <token> header.

What is novel about this approach compared to OBO tokens is that permissions are scoped directly to the token rather than derived from the issuing user's roles. An admin can issue a token with only the permissions it needs — for example, read-only access to a single index — regardless of the admin's own permissions. This enforces the principle of least privilege and is a key building block toward deprecating Roles Injection, the current practice for how plugins run async jobs with user-scoped permissions.

Revocation model

Tokens use a soft-delete revocation model. When a token is revoked via DELETE /_plugins/_security/api/apitokens/{id}, the document in the index is updated with a revoked_at timestamp rather than being deleted. This means:

  • Revoked tokens remain visible in the list endpoint with a revoked_at field, enabling UIs to display revocation history and audit trails.
  • Revocation is synchronous — the cache refresh is broadcast to all nodes and confirmed before the response is returned, so the token is immediately unusable cluster-wide.
  • During cache reload, tokens with revoked_at set are excluded from the in-memory authentication maps, so they cannot be used to authenticate.

API Reference

Create API Token

POST /_plugins/_security/api/apitokens

Request:

{
  "name": "my-token",
  "cluster_permissions": ["cluster:monitor/health"],
  "index_permissions": [
    {
      "index_pattern": ["logs-*"],
      "allowed_actions": ["indices:data/read/search"]
    }
  ],
  "expiration": 1800000
}

Response:

{
  "id": "Nd_pMRWeAC93ZGMhRa5CxX",
  "token": "os_abc123..."
}

The id is used to manage the token, such as listing or revoking it. The plaintext token is returned once and never stored — save it immediately.

List API Tokens

GET /_plugins/_security/api/apitokens

Returns all tokens, including revoked ones. Revoked tokens include a revoked_at field (epoch millis).

Response:

[
  {
    "id": "Nd_pMRWeAC93ZGMhRa5CxX",
    "name": "my-token",
    "iat": 1742000000000,
    "expiration": 1800000,
    "cluster_permissions": ["cluster:monitor/health"],
    "index_permissions": [
      {
        "index_pattern": ["logs-*"],
        "allowed_actions": ["indices:data/read/search"]
      }
    ]
  },
  {
    "id": "Xf_qNSZeBC04AHNiSb6DyY",
    "name": "old-token",
    "iat": 1741000000000,
    "expiration": 1800000,
    "revoked_at": 1741500000000,
    "cluster_permissions": ["cluster:monitor/health"],
    "index_permissions": []
  }
]
Revoke API Token

DELETE /_plugins/_security/api/apitokens/{id}

Response:

{
  "message": "Token Nd_pMRWeAC93ZGMhRa5CxX revoked successfully."
}

Revocation is a soft-delete — the token metadata is retained with a revoked_at timestamp. The token is immediately unusable after the response is returned. The cache refresh is broadcast synchronously to all nodes before the response is sent.

Using a Token

Pass the token in the Authorization header using the ApiKey scheme:

Authorization: ApiKey os_abc123...

Example — search a permitted index:

GET /logs-2025/_search
Authorization: ApiKey os_abc123...

Response:

{
  "hits": {
    "total": { "value": 3, "relation": "eq" },
    "hits": [ ... ]
  }
}

Example — attempt a forbidden action:

DELETE /logs-2025
Authorization: ApiKey os_abc123...

Response:

{
  "error": {
    "type": "security_exception",
    "reason": "no permissions for [indices:admin/delete]"
  },
  "status": 403
}

Issues Resolved

Partially resolves #4009, limited to security admins in the initial release.

Check List

  • New functionality includes testing
  • New functionality has been documented
  • New Roles/Permissions have a corresponding security dashboards plugin PR
  • API changes companion pull request created
  • Commits are signed per the DCO using --signoff

derek-ho and others added 23 commits November 14, 2024 10:47
@derek-ho
Merge branch 'main' of github.com:opensearch-project/security into HEAD
6ae7090
@derek-ho
Scaffolding for POST/DELETE/GET api tokens calls (opensearch-project#…
3177c34 
…4921)

Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Adds JTI and expiration field support for API Tokens (opensearch-proj…
dacdae5 
…ect#4967)

Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Merge branch 'main' of github.com:opensearch-project/security into HEAD
e255e14 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Merge branch 'main' of github.com:opensearch-project/security into HEAD
190bfec
@derek-ho
Api token authc/z implementation with Cache (opensearch-project#4992)
79f0c46 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Subset of permissions check on creation (opensearch-project#5012)
a8b4ac1 
Signed-off-by: Derek Ho <dxho@amazon.com>
@derek-ho
Merge branch 'main' of github.com:opensearch-project/security into HEAD
3776667
@derek-ho
Change API token index actions to use action listeners and limit to 1…
8750e8b 
…00 tokens outstanding (opensearch-project#5147)

Signed-off-by: Derek Ho <dxho@amazon.com>
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
7b8b069
@cwperks
Fix naming
12c0f9c 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Use one PrivilegesEvaluatorContext
896e9e2 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Handle authz
97db90d 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
fix unit tests
362e67f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Fix tests
fa98ae2 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
f3cd485
@cwperks
Add integrationTests for API Token
68107ff 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Add more integration tests
f5b965a 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Add token prefix
ba93aa3 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
e35d3ef
@cwperks
Rebase with main
c028420 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
109c1ef
@cwperks
Fix compilation issues
3a71078 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@DarshitChanpura DarshitChanpura mentioned this pull request Jun 26, 2025
Closed
5 tasks
DarshitChanpura
DarshitChanpura reviewed Jun 26, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @cwperks for taking this over. Left some comments around testing and general usage.

src/main/java/org/opensearch/security/action/apitokens/ApiTokenRepository.java Outdated
private final List<TokenListener> tokenListener = new ArrayList<>();
private static final Logger log = LogManager.getLogger(ApiTokenRepository.class);

private final Map<String, RoleV7> jtis = new ConcurrentHashMap<>();
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura Jun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1. It might not be straightforward since JTIs seem to be populated on getTokenMetadata request and there doesn't seem to be a way to pass flattenedActionGroups to that call. I may be seeing the complete picture here, but something like updateJTIs(FlattenedAGs) from PrivilegeEvaluator to update jtis and then use that to populate pluginIdToActionPrivileges which will then be used to create PrivilegeEvalContext?

src/integrationTest/java/org/opensearch/test/framework/ApiTokenConfig.java Outdated
public XContentBuilder toXContent(XContentBuilder xContentBuilder, Params params) throws IOException {
xContentBuilder.startObject();
xContentBuilder.field("enabled", enabled);
xContentBuilder.field("signing_key", signing_key);
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura Jun 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think it fails in ApiTokenAuthenticator if it is anything lower than 512 bits.

@nibix nibix mentioned this pull request Jul 17, 2025
Merged
3 tasks
@ztomaszewska
Copy link
Copy Markdown

ztomaszewska commented Nov 21, 2025

Hi @cwperks ! First I wanted to thank you for your work on this PR. Really appreciate effort you put it in to move forward with this feature! Just wanted to ask whether is there any plan to soon merge your changes? Is there any blocking issues/ any help you would need? It would be really cool to have API tokens feature working :)

@cwperks
Copy link
Copy Markdown
Member Author

cwperks commented Nov 25, 2025

I'll resolve the conflicts ASAP and try to push this forward for V1.

Its important to know that this PR will still have a lot of limitations, but paves the way for expansion. For instance, in this PR only the admin can issue tokens.

@cwperks
Attempt to resolve conflicts
93a0e4f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Fix unit test
bdd7d7f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
DarshitChanpura
DarshitChanpura reviewed Nov 26, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for picking this up @cwperks . Left a few comments. Main comment is addition of e2e test which checks authn+authz with API token,

src/main/java/org/opensearch/security/action/apitokens/ApiTokenAction.java Outdated
updateRequest,
ActionListener.wrap(
updateResponse -> listener.onResponse(response),
exception -> listener.onFailure(new ApiTokenException("Failed to refresh cache", exception))
Copy link
Copy Markdown
Member

@DarshitChanpura DarshitChanpura Nov 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this message should be "Failed to update API token"

cwperks added 10 commits March 16, 2026 21:15
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
6c45459
@cwperks
Address PR feedback
51c086f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Address comments
cd47c36 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Use XContent parsing
2780872 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Address comments
720f72f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Fix test
c86b305 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Make API Tokens Opaque Strings
64bee5f 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Update delete
a0876e4 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Merge branch 'main' into feature/api-tokens-cwperx
78b5cbb
@cwperks
Implement soft-delete for token revocation
0d867ed 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
cwperks added 2 commits March 25, 2026 15:13
@cwperks
spotlessApply
eacd135 
Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks
Modify dashboards-info endpoint to include whether API tokens are ena…
eb1b7cd 
…bled

Signed-off-by: Craig Perkins <cwperx@amazon.com>
@cwperks cwperks mentioned this pull request Mar 27, 2026
Open
3 tasks
@cwperks cwperks mentioned this pull request Mar 27, 2026
Draft
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nibix nibix nibix left review comments

@DarshitChanpura DarshitChanpura DarshitChanpura left review comments

@derek-ho derek-ho Awaiting requested review from derek-ho derek-ho is a code owner

@peternied peternied Awaiting requested review from peternied

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

@reta reta Awaiting requested review from reta reta is a code owner

@shikharj05 shikharj05 Awaiting requested review from shikharj05 shikharj05 is a code owner

@willyborankin willyborankin Awaiting requested review from willyborankin willyborankin is a code owner

@finnegancarroll finnegancarroll Awaiting requested review from finnegancarroll finnegancarroll is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[RFC] Support for API Keys in OpenSearch Security Plugin

5 participants

@cwperks @ztomaszewska @nibix @DarshitChanpura @derek-ho