According to the Security docs, API keys are deleted after the retention period, which is an Elasticsearch setting. Based on that, we should confirm the following after deletion:
Does the API key document still exist in the security index?
Does the API key document still exist in .fleet-enrollment-api-keys? If not, should we implement a cleanup task?
The aim of this issue is to capture the open discussion raised during the implementation of https://github.com/elastic/kibana/issues/155550.
1. Consider lifting the existing constraint that the token name must be unique.
This constraint was put in place in https://github.com/elastic/kibana/issues/85118. Considering the UUID of the token is appended to the name, it is not clear whether the uniqueness of the name itself needs to be enforced. https://github.com/elastic/kibana/issues/155550 suggests that this could be a small improvement for some users.
2. Review token deletion flow
Related to https://github.com/elastic/kibana/issues/190708.
We should clarify the expected flow of enrollement token deletion (
DELETE kbn:/api/fleet/enrollment_api_keys/{id}
). Revoking a Fleet token marks the document in.fleet-enrollment-api-keys
as inactive: https://github.com/elastic/kibana/blob/230d2748e6968fa74078408ae90b3c94ec9ddd9b/x-pack/plugins/fleet/server/services/api_keys/enrollment_api_key.ts#L162-L179According to the Security docs, API keys are deleted after the retention period, which is an Elasticsearch setting. Based on that, we should confirm the following after deletion:
.fleet-enrollment-api-keys
? If not, should we implement a cleanup task?