make run-as unsupported for cloud api keys

slobodanadamovic · slobodanadamovic · commit 532e8ff424d0 · 2025-06-20T18:05:40.000+02:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -571,6 +571,11 @@ public boolean supportsRunAs(@Nullable AnonymousUser anonymousUser) {
             return false;
         }
 
+        // We may allow cloud API keys to run-as in the future, but for now there is no requirement
+        if (isCloudApiKey()) {
+            return false;
+        }
+
         // There is no reason for internal users to run-as. This check prevents either internal user itself
         // or a token created for it (though no such thing in current code) to run-as.
         if (getEffectiveSubject().getUser() instanceof InternalUser) {
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTestHelper.java
@@ -244,6 +244,10 @@ public static String randomInternalRoleName() {
         );
     }
 
+    public static Authentication randomCloudApiKeyAuthentication() {
+        return randomCloudApiKeyAuthentication(null, null);
+    }
+
     public static Authentication randomCloudApiKeyAuthentication(String apiKeyId) {
         return randomCloudApiKeyAuthentication(null, apiKeyId);
     }
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -768,6 +768,9 @@ public void testSupportsRunAs() {
 
         // Remote access cannot run-as
         assertThat(AuthenticationTestHelper.builder().crossClusterAccess().build().supportsRunAs(anonymousUser), is(false));
+
+        // Cloud API key cannot run-as
+        assertThat(AuthenticationTestHelper.randomCloudApiKeyAuthentication().supportsRunAs(anonymousUser), is(false));
     }
 
     private void assertCanAccessResources(Authentication authentication0, Authentication authentication1) {

Original file line number	Diff line number	Diff line change
`@@ -244,6 +244,10 @@ public static String randomInternalRoleName() {`
`244`	`244`	`);`
`245`	`245`	`}`
`246`	`246`
	`247`	`+ public static Authentication randomCloudApiKeyAuthentication() {`
	`248`	`+ return randomCloudApiKeyAuthentication(null, null);`
	`249`	`+ }`
	`250`	`+`
`247`	`251`	`public static Authentication randomCloudApiKeyAuthentication(String apiKeyId) {`
`248`	`252`	`return randomCloudApiKeyAuthentication(null, apiKeyId);`
`249`	`253`	`}`
Original file line number	Diff line number	Diff line change
`@@ -768,6 +768,9 @@ public void testSupportsRunAs() {`
`768`	`768`
`769`	`769`	`// Remote access cannot run-as`
`770`	`770`	`assertThat(AuthenticationTestHelper.builder().crossClusterAccess().build().supportsRunAs(anonymousUser), is(false));`
	`771`	`+`
	`772`	`+ // Cloud API key cannot run-as`
	`773`	`+ assertThat(AuthenticationTestHelper.randomCloudApiKeyAuthentication().supportsRunAs(anonymousUser), is(false));`
`771`	`774`	`}`
`772`	`775`
`773`	`776`	`private void assertCanAccessResources(Authentication authentication0, Authentication authentication1) {`