elastic · jdconrad · Oct 3, 2025 · Oct 2, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/server/src/main/java/org/elasticsearch/TransportVersions.java b/server/src/main/java/org/elasticsearch/TransportVersions.java
@@ -53,7 +53,6 @@ static TransportVersion def(int id) {
     }
 
     // TODO: ES-10337 we can remove all transport versions earlier than 8.18
-    public static final TransportVersion V_7_0_0 = def(7_00_00_99);
     public static final TransportVersion V_7_1_0 = def(7_01_00_99);
     public static final TransportVersion V_7_2_0 = def(7_02_00_99);
     public static final TransportVersion V_7_3_0 = def(7_03_00_99);

diff --git a/...st/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java b/...st/java/org/elasticsearch/xpack/core/security/authc/AuthenticationSerializationTests.java
@@ -13,21 +13,17 @@
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.test.TransportVersionUtils;
 import org.elasticsearch.transport.RemoteClusterPortSettings;
-import org.elasticsearch.xpack.core.security.authc.support.AuthenticationContextSerializer;
 import org.elasticsearch.xpack.core.security.user.ElasticUser;
 import org.elasticsearch.xpack.core.security.user.InternalUsers;
 import org.elasticsearch.xpack.core.security.user.KibanaSystemUser;
 import org.elasticsearch.xpack.core.security.user.KibanaUser;
 import org.elasticsearch.xpack.core.security.user.User;
 
-import java.io.IOException;
 import java.util.Arrays;
 import java.util.Map;
 
 import static org.elasticsearch.xpack.core.security.authc.Authentication.AuthenticationSerializationHelper;
-import static org.hamcrest.Matchers.arrayContaining;
 import static org.hamcrest.Matchers.containsString;
-import static org.hamcrest.Matchers.emptyArray;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.not;
@@ -232,47 +228,4 @@ public void testReservedUserSerialization() throws Exception {
 
         assertEquals(kibanaSystemUser, readFrom);
     }
-
-    public void testRolesRemovedFromUserForLegacyApiKeys() throws IOException {
-        TransportVersion transportVersion = TransportVersionUtils.randomVersionBetween(
-            random(),
-            TransportVersions.V_7_0_0,
-            TransportVersions.V_7_8_0
-        );
-        Subject authenticatingSubject = new Subject(
-            new User("foo", "role"),
-            new Authentication.RealmRef(AuthenticationField.API_KEY_REALM_NAME, AuthenticationField.API_KEY_REALM_TYPE, "node"),
-            transportVersion,
-            Map.of(AuthenticationField.API_KEY_ID_KEY, "abc")
-        );
-        Subject effectiveSubject = new Subject(
-            new User("bar", "role"),
-            new Authentication.RealmRef("native", "native", "node"),
-            transportVersion,
-            Map.of()
-        );
-
-        {
-            Authentication actual = AuthenticationContextSerializer.decode(
-                Authentication.doEncode(authenticatingSubject, authenticatingSubject, Authentication.AuthenticationType.API_KEY)
-            );
-            assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(emptyArray()));
-        }
-
-        {
-            Authentication actual = AuthenticationContextSerializer.decode(
-                Authentication.doEncode(effectiveSubject, authenticatingSubject, Authentication.AuthenticationType.API_KEY)
-            );
-            assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(emptyArray()));
-            assertThat(actual.getEffectiveSubject().getUser().roles(), is(arrayContaining("role")));
-        }
-
-        {
-            // do not strip roles for authentication methods other than API key
-            Authentication actual = AuthenticationContextSerializer.decode(
-                Authentication.doEncode(effectiveSubject, effectiveSubject, Authentication.AuthenticationType.REALM)
-            );
-            assertThat(actual.getAuthenticatingSubject().getUser().roles(), is(arrayContaining("role")));
-        }
-    }
 }
diff --git a/...n/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java b/...n/core/src/test/java/org/elasticsearch/xpack/core/security/authc/AuthenticationTests.java
@@ -1321,9 +1321,7 @@ public static Authentication randomAuthentication(User user, RealmRef realmRef,
         if (realmRef == null) {
             realmRef = randomRealmRef(false);
         }
-        // If the realm is expected to have a domain, we need a version that's at least compatible with domains
-        final TransportVersion minVersion = realmRef.getDomain() != null ? Authentication.VERSION_REALM_DOMAINS : TransportVersions.V_7_0_0;
-        final TransportVersion version = TransportVersionUtils.randomVersionBetween(random(), minVersion, TransportVersion.current());
+        final TransportVersion version = TransportVersionUtils.randomCompatibleVersion(random());
         final Map<String, Object> metadata;
         if (randomBoolean()) {
             metadata = Map.of(randomAlphaOfLengthBetween(3, 8), randomAlphaOfLengthBetween(3, 8));
@@ -1336,11 +1334,7 @@ public static Authentication randomAuthentication(User user, RealmRef realmRef,
     }
 
     public static Authentication randomApiKeyAuthentication(User user, String apiKeyId) {
-        return randomApiKeyAuthentication(
-            user,
-            apiKeyId,
-            TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersion.current())
-        );
+        return randomApiKeyAuthentication(user, apiKeyId, TransportVersionUtils.randomCompatibleVersion(random()));
     }
 
     public static Authentication randomApiKeyAuthentication(User user, String apiKeyId, TransportVersion version) {

diff --git a/...k/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java b/...k/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authc/SubjectTests.java
@@ -8,21 +8,18 @@
 package org.elasticsearch.xpack.core.security.authc;
 
 import org.elasticsearch.TransportVersion;
-import org.elasticsearch.TransportVersions;
 import org.elasticsearch.common.Strings;
 import org.elasticsearch.common.bytes.BytesArray;
 import org.elasticsearch.common.bytes.BytesReference;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.ArrayUtils;
 import org.elasticsearch.test.ESTestCase;
-import org.elasticsearch.test.TransportVersionUtils;
 import org.elasticsearch.xpack.core.security.action.apikey.ApiKey;
 import org.elasticsearch.xpack.core.security.authc.service.ServiceAccountSettings;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptorsIntersection;
 import org.elasticsearch.xpack.core.security.authz.store.RoleKey;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ApiKeyRoleReference;
-import org.elasticsearch.xpack.core.security.authz.store.RoleReference.BwcApiKeyRoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.FixedRoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.NamedRoleReference;
 import org.elasticsearch.xpack.core.security.authz.store.RoleReference.ServiceAccountRoleReference;
@@ -32,7 +29,6 @@
 import org.elasticsearch.xpack.core.security.user.User;
 
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -287,50 +283,6 @@ private static void expectFixedReferenceAtIndex(int index, List<RoleReference> r
         assertThat(fixedRoleReference.id(), equalTo(expectedKey));
     }
 
-    public void testGetRoleReferencesForApiKeyBwc() {
-        Map<String, Object> authMetadata = new HashMap<>();
-        final String apiKeyId = randomAlphaOfLength(12);
-        authMetadata.put(AuthenticationField.API_KEY_ID_KEY, apiKeyId);
-        authMetadata.put(AuthenticationField.API_KEY_NAME_KEY, randomBoolean() ? null : randomAlphaOfLength(12));
-        boolean emptyApiKeyRoleDescriptor = randomBoolean();
-        Map<String, Object> roleARDMap = Map.of("cluster", List.of("monitor"));
-        authMetadata.put(
-            API_KEY_ROLE_DESCRIPTORS_KEY,
-            (emptyApiKeyRoleDescriptor)
-                ? randomFrom(Arrays.asList(null, Collections.emptyMap()))
-                : Collections.singletonMap("a role", roleARDMap)
-        );
-
-        Map<String, Object> limitedRdMap = Map.of("cluster", List.of("all"));
-        authMetadata.put(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY, Collections.singletonMap("limited role", limitedRdMap));
-
-        final Subject subject = new Subject(
-            new User("joe"),
-            new Authentication.RealmRef(API_KEY_REALM_NAME, API_KEY_REALM_TYPE, "node"),
-            TransportVersionUtils.randomVersionBetween(random(), TransportVersions.V_7_0_0, TransportVersions.V_7_8_1),
-            authMetadata
-        );
-
-        final RoleReferenceIntersection roleReferenceIntersection = subject.getRoleReferenceIntersection(getAnonymousUser());
-        final List<RoleReference> roleReferences = roleReferenceIntersection.getRoleReferences();
-
-        if (emptyApiKeyRoleDescriptor) {
-            assertThat(roleReferences, contains(isA(BwcApiKeyRoleReference.class)));
-            final BwcApiKeyRoleReference limitedByRoleReference = (BwcApiKeyRoleReference) roleReferences.get(0);
-            assertThat(limitedByRoleReference.getApiKeyId(), equalTo(apiKeyId));
-            assertThat(limitedByRoleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
-        } else {
-            assertThat(roleReferences, contains(isA(BwcApiKeyRoleReference.class), isA(BwcApiKeyRoleReference.class)));
-            final BwcApiKeyRoleReference roleReference = (BwcApiKeyRoleReference) roleReferences.get(0);
-            assertThat(roleReference.getApiKeyId(), equalTo(apiKeyId));
-            assertThat(roleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_ROLE_DESCRIPTORS_KEY)));
-
-            final BwcApiKeyRoleReference limitedByRoleReference = (BwcApiKeyRoleReference) roleReferences.get(1);
-            assertThat(limitedByRoleReference.getApiKeyId(), equalTo(apiKeyId));
-            assertThat(limitedByRoleReference.getRoleDescriptorsMap(), equalTo(authMetadata.get(API_KEY_LIMITED_ROLE_DESCRIPTORS_KEY)));
-        }
-    }
-
     public void testGetFleetApiKeyRoleReferenceBwcBugFix() {
         final BytesReference roleBytes = new BytesArray("{\"a role\": {\"cluster\": [\"all\"]}}");
         final BytesReference limitedByRoleBytes = new BytesArray("{}");

diff --git a/...ugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java b/...ugin/security/src/test/java/org/elasticsearch/xpack/security/authc/TokenServiceTests.java
@@ -243,16 +243,7 @@ public void setupClient() {
     }
 
     private static DiscoveryNode addAnother7071DataNode(ClusterService clusterService) {
-        Version version;
-        TransportVersion transportVersion;
-        if (randomBoolean()) {
-            version = Version.V_7_0_0;
-            transportVersion = TransportVersions.V_7_0_0;
-        } else {
-            version = Version.V_7_1_0;
-            transportVersion = TransportVersions.V_7_1_0;
-        }
-        return addAnotherDataNodeWithVersion(clusterService, version, transportVersion);
+        return addAnotherDataNodeWithVersion(clusterService, Version.V_7_1_0, TransportVersions.V_7_1_0);
     }
 
     private static DiscoveryNode addAnotherPre8500DataNode(ClusterService clusterService) {