define managed_by under api_key field

slobodanadamovic · slobodanadamovic · commit e7967699bac9 · 2025-06-17T15:43:37.000+02:00
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/Authentication.java
@@ -792,11 +792,6 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
         builder.endObject();
         builder.field(User.Fields.AUTHENTICATION_TYPE.getPreferredName(), getAuthenticationType().name().toLowerCase(Locale.ROOT));
 
-        final String managedBy = (String) metadata.get(AuthenticationField.MANAGED_BY_KEY);
-        if (managedBy != null) {
-            builder.field("managed_by", managedBy);
-        }
-
         if (isApiKey() || isCrossClusterAccess() || isCloudApiKey()) {
             final String apiKeyId = (String) metadata.get(AuthenticationField.API_KEY_ID_KEY);
             final String apiKeyName = (String) metadata.get(AuthenticationField.API_KEY_NAME_KEY);
@@ -809,6 +804,12 @@ public void toXContentFragment(XContentBuilder builder) throws IOException {
                 final boolean internal = (boolean) metadata.get(AuthenticationField.API_KEY_INTERNAL_KEY);
                 apiKeyField.put("internal", internal);
             }
+            final String managedBy = (String) metadata.get(AuthenticationField.API_KEY_MANAGED_BY_KEY);
+            if (managedBy != null) {
+                apiKeyField.put("managed_by", managedBy);
+            } else {
+                apiKeyField.put("managed_by", isCloudApiKey() ? ManagedBy.CLOUD.getDisplayName() : ManagedBy.ELASTICSEARCH.getDisplayName());
+            }
             builder.field("api_key", Collections.unmodifiableMap(apiKeyField));
         }
     }
@@ -1662,11 +1663,17 @@ public enum AuthenticationType {
     }
 
     /**
-     *  Indicates if the credentials are managed by Elasticsearch or by the cloud.
+     *  Indicates if credentials are managed by Elasticsearch or by the Cloud.
      */
     public enum ManagedBy {
+
         CLOUD,
-        ELASTICSEARCH
+
+        ELASTICSEARCH;
+
+        public String getDisplayName() {
+            return name().toLowerCase(Locale.ROOT);
+        }
     }
 
     public static class AuthenticationSerializationHelper {
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authc/AuthenticationField.java
@@ -23,12 +23,12 @@ public final class AuthenticationField {
     public static final String API_KEY_CREATOR_REALM_TYPE = "_security_api_key_creator_realm_type";
     public static final String API_KEY_ID_KEY = "_security_api_key_id";
     public static final String API_KEY_NAME_KEY = "_security_api_key_name";
+    public static final String API_KEY_MANAGED_BY_KEY = "_security_api_key_managed_by";
     public static final String API_KEY_INTERNAL_KEY = "_security_api_key_internal";
     public static final String API_KEY_TYPE_KEY = "_security_api_key_type";
     public static final String API_KEY_METADATA_KEY = "_security_api_key_metadata";
     public static final String API_KEY_ROLE_DESCRIPTORS_KEY = "_security_api_key_role_descriptors";
     public static final String API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY = "_security_api_key_limited_by_role_descriptors";
-    public static final String MANAGED_BY_KEY = "_security_managed_by";
 
     public static final String ANONYMOUS_REALM_NAME = "__anonymous";
     public static final String ANONYMOUS_REALM_TYPE = "__anonymous";
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/ApiKeyService.java
@@ -1429,6 +1429,7 @@ static void validateApiKeyTypeAndExpiration(
             authResultMetadata.put(AuthenticationField.API_KEY_ID_KEY, credentials.getId());
             authResultMetadata.put(AuthenticationField.API_KEY_NAME_KEY, apiKeyDoc.name);
             authResultMetadata.put(AuthenticationField.API_KEY_TYPE_KEY, apiKeyDoc.type.value());
+            authResultMetadata.put(AuthenticationField.API_KEY_MANAGED_BY_KEY, Authentication.ManagedBy.ELASTICSEARCH.getDisplayName());
             if (apiKeyDoc.metadataFlattened != null) {
                 authResultMetadata.put(AuthenticationField.API_KEY_METADATA_KEY, apiKeyDoc.metadataFlattened);
             }

Original file line number	Diff line number	Diff line change
`@@ -1429,6 +1429,7 @@ static void validateApiKeyTypeAndExpiration(`
`1429`	`1429`	`authResultMetadata.put(AuthenticationField.API_KEY_ID_KEY, credentials.getId());`
`1430`	`1430`	`authResultMetadata.put(AuthenticationField.API_KEY_NAME_KEY, apiKeyDoc.name);`
`1431`	`1431`	`authResultMetadata.put(AuthenticationField.API_KEY_TYPE_KEY, apiKeyDoc.type.value());`
	`1432`	`+ authResultMetadata.put(AuthenticationField.API_KEY_MANAGED_BY_KEY, Authentication.ManagedBy.ELASTICSEARCH.getDisplayName());`
`1432`	`1433`	`if (apiKeyDoc.metadataFlattened != null) {`
`1433`	`1434`	`authResultMetadata.put(AuthenticationField.API_KEY_METADATA_KEY, apiKeyDoc.metadataFlattened);`
`1434`	`1435`	`}`