ApiKey: Add ApiKey authentication.

[andre-dialpad]

SUMMARY

This PR adds "api_key" authentication for elastic search clusters. This is a necessary feature for when Elasticsearch is not managed via user/password combination.

ISSUE TYPE

• Feature Pull Request

COMPONENT NAME

• elastic/plugins/module_utils/elastic_common.py

ADDITIONAL INFORMATION

It adds api_key as a auth_method but also a value.

- name: Update ElasticSearch cluster settings
  hosts: localhost
  tasks:
    - name: "Updating {{ zone }} cluster settings"
      community.elastic.elastic_cluster_settings:
        persistent: true
        login_hosts: "some_host"
        login_port: 443
        auth_method: api_key
        api_key: "some_key"
        auth_scheme: "https"
        settings:
          action.auto_create_index: "-dp*,+*"

[rhysmeister]

Hi @andre-dialpad,

See output from sanity tests... minor documentation stuff. I guess it would make sense to add no_log as mentioned.

It would be a good idea to add a test for this feature.

Cheers,

Rhys

[rhysmeister]

Needs a test before commit. If/when I get time I might do something based on...

https://opster.com/guides/elasticsearch/security/elasticsearch-api-authentication/#API-Key-Based-Authentication

[andre-dialpad]

@rhysmeister I understand. I didn't add such test as it feels that in order to do so it would also be required to build a sort of a "elastic_api_key" module and by that point it would make these changes very large.

So it has to be something like the:

• create an "elastic_api_key" module so that Api Keys can be created
• use the api key

There is also the problem that the API key is only exposed at the moment of it's creation.

[rhysmeister]

Hi @andre-dialpad,

I did also think of an elastic_api_key module. That would be cool however I think a bash command, to create an api key, would suffice for a test. We just need to make sure that this method of auth is functional.

Rhys

[rhysmeister]

It seems there are differences in the way the api_key is used in different versions of the Python api https://www.elastic.co/guide/en/elasticsearch/client/python-api/7.17/connecting.html#auth-apikey

[rhysmeister]

Hello @andre-dialpad,

I don't think this change will work with v7 of the python driver. It doesn't appear to work with 8 either...

https://github.com/ansible-collections/community.elastic/actions/runs/11195688398/job/31123655379?pr=103

The error message is not helpful...

TASK [elastic_index : Create an index using the api key] ***********************
fatal: [testhost]: FAILED! => {"changed": false, "msg": "Elastic error: AuthenticationException(401, 'None')"}

I don't currently know why.

UPDATE

It appears the api_key needs to be base64 encoded to work...

This run worked - https://github.com/ansible-collections/community.elastic/actions/runs/11195839763/job/31123984166?pr=103

This should probably be handled in some way to avoid this confusion.

Rhys

[rhysmeister]

Hi @andre-dialpad,

I guess to wrap this up we should either...

1. base64 encode the api_key in the code.
2. Rename api_key to something like api_key_base64 and require the encoded version.
3. Something else?

In all cases we should add a few notes to the documentation for api_key.

Rhys

UPDATE I renamed it api_key_encoded and updated the documentation.

[rhysmeister]

@andre-dialpad,

I also created a issue for an elastic_api_key module. Feel free to take it if you're time-rich (I'm not).

Cheers,

Rhys