From bff0d319784d6c4d623f56b9ab25f5fb0b33794c Mon Sep 17 00:00:00 2001
From: Quentin Pradet
Date: Thu, 19 Sep 2024 11:52:56 +0400
Subject: [PATCH] Add remote_indices to Create or update roles API
---
 output/openapi/elasticsearch-openapi.json | 40 ++++++
 output/schema/schema-serverless.json | 12 +-
 output/schema/schema.json | 128 ++++++++++++++++--
 output/typescript/types.ts | 10 ++
 specification/security/_types/Privileges.ts | 34 ++++-
 .../put_role/SecurityPutRoleRequest.ts | 9 +-
 6 files changed, 214 insertions(+), 19 deletions(-)
diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json
index 6e5f885d27..f789d8c45d 100644
--- a/output/openapi/elasticsearch-openapi.json
+++ b/output/openapi/elasticsearch-openapi.json
@@ -83971,6 +83971,39 @@ "created" ] }, + "security._types:RemoteIndicesPrivileges": { + "type": "object", + "properties": { + "clusters": { + "$ref": "#/components/schemas/_types:Names" + }, + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "$ref": "#/components/schemas/_types:Indices" + }, + "privileges": { + "description": "The index level privileges that owners of the role have on the specified indices.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:IndexPrivilege" + } + }, + "query": { + "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" + }, + "allow_restricted_indices": { + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "type": "boolean" + } + }, + "required": [ + "clusters", + "names", + "privileges" + ] + }, "security.query_api_keys:ApiKeyAggregationContainer": { "allOf": [ { @@ -104771,6 +104804,13 @@ "$ref": "#/components/schemas/security._types:IndicesPrivileges" } }, + "remote_indices": { + "description": "A list of remote indices permissions entries.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RemoteIndicesPrivileges" + } + }, "metadata": { "$ref": "#/components/schemas/_types:Metadata" }, diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index 442cc4606d..81ad3bb707 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json 
@@ -101609,7 +101609,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "codegenNames": [ @@ -101623,7 +101623,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "items": [ { @@ -101673,7 +101673,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -101761,7 +101761,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "codegenNames": [ @@ -101773,7 +101773,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "items": [ { @@ -137657,7 +137657,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "interface", diff --git a/output/schema/schema.json b/output/schema/schema.json index bdbe479489..0ae6c4d076 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -184184,7 +184184,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L340-L342" + "specLocation": "security/_types/Privileges.ts#L373-L375" }, { "kind": "interface", @@ -184701,7 +184701,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L336-L338" + "specLocation": "security/_types/Privileges.ts#L369-L371" }, { "kind": "enum", 
@@ -184814,7 +184814,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "kind": "interface", @@ -184893,7 +184893,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "type_alias", @@ -184907,7 +184907,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "kind": "union_of", "items": [ @@ -184957,7 +184957,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L344-L346" + "specLocation": "security/_types/Privileges.ts#L377-L379" }, { "kind": "interface", 
@@ -184991,6 +184991,97 @@ ], "specLocation": "security/_types/RealmInfo.ts#L22-L25" }, + { + "kind": "interface", + "name": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of cluster aliases to which the permissions in this entry apply.", + "name": "clusters", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Names", + "namespace": "_types" + } + } + }, + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" + } + } + }, + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Indices", + "namespace": "_types" + } + } + }, + { + "description": "The index level privileges that owners of the role have on the specified indices.", + "name": "privileges", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexPrivilege", + "namespace": "security._types" + } + } + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. 
A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" + } + } + }, + { + "availability": { + "stack": {} + }, + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L226-L254" + }, { "kind": "interface", "name": { @@ -185481,7 +185572,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "kind": "union_of", "items": [ @@ -185524,7 +185615,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -185612,7 +185703,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "kind": "enum", @@ -185823,7 +185914,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L223-L245" + "specLocation": "security/_types/Privileges.ts#L256-L278" }, { "kind": "interface", 
@@ -191447,6 +191538,21 @@ } } }, + { + "description": "A list of remote indices permissions entries.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, { "description": "Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.", "name": "metadata", @@ -191548,7 +191654,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L30-L84" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L89" }, { "kind": "response", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index eaf9b4c0e8..e0a10eb0f7 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17472,6 +17472,15 @@ export interface SecurityRealmInfo { type: string } +export interface SecurityRemoteIndicesPrivileges { + clusters: Names + field_security?: SecurityFieldSecurity + names: Indices + privileges: SecurityIndexPrivilege[] + query?: SecurityIndicesPrivilegesQuery + allow_restricted_indices?: boolean +} + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -18147,6 +18156,7 @@ export interface SecurityPutRoleRequest extends RequestBase { cluster?: SecurityClusterPrivilege[] global?: Record indices?: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] metadata?: Metadata run_as?: string[] description?: string diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 137bf81105..abfafbdef2 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts 
@@ -19,7 +19,7 @@ import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' -import { Id, Indices } from '@_types/common' +import { Id, Indices, Names } from '@_types/common' import { QueryContainer } from '@_types/query_dsl/abstractions' import { ScriptLanguage } from '@_types/Scripting' import { FieldSecurity } from './FieldSecurity' @@ -194,6 +194,7 @@ export enum ClusterPrivilege { write_fleet_secrets } +// Keep in sync with RemoteIndicesPrivileges export class IndicesPrivileges { /** * The document fields that the owners of the role have read access to. 
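Review bot: The `// Keep in sync with RemoteIndicesPrivileges` comment added above `IndicesPrivileges` in the second hunk, and its mirror on the new class in the following hunk, couples the two privilege types by convention only, so a later change to `field_security`, `query` or `allow_restricted_indices` on one side can be missed on the other. These are the fields that restrict what a role may read, so drift would leave generated clients describing local and remote restrictions differently. If class inheritance is acceptable to the spec compiler here, the remote type could be declared as `export class RemoteIndicesPrivileges extends IndicesPrivileges {` with only `clusters: Names` in its body, which makes both comments unnecessary. The body of `IndicesPrivileges` continues outside this hunk.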
@@ -220,6 +221,37 @@ export class IndicesPrivileges { allow_restricted_indices?: boolean } +// Keep in sync with IndicesPrivileges +export class RemoteIndicesPrivileges { + /** + * A list of cluster aliases to which the permissions in this entry apply. + */ + clusters: Names + /** + * The document fields that the owners of the role have read access to. + * @doc_id field-and-document-access-control + */ + field_security?: FieldSecurity + /** + * A list of indices (or index name patterns) to which the permissions in this entry apply. + */ + names: Indices + /** + * The index level privileges that owners of the role have on the specified indices. + */ + privileges: IndexPrivilege[] + /** + * A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role. + */ + query?: IndicesPrivilegesQuery + /** + * Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`. + * @server_default false + * @availability stack + */ + allow_restricted_indices?: boolean +} + export class UserIndicesPrivileges { /** * The document fields that the owners of the role have read access to. diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts index af4e3d723b..bfe818361f 100644 --- a/specification/security/put_role/SecurityPutRoleRequest.ts +++ b/specification/security/put_role/SecurityPutRoleRequest.ts 
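Review bot: The doc comment on `clusters` in the new `RemoteIndicesPrivileges` class does not say whether an entry may be a pattern, although the field is typed `Names` and the sibling `names` field is documented as accepting index name patterns. If cluster aliases accept wildcards, which should be confirmed against the server documentation, a broad entry extends the listed privileges to every matching remote cluster, and a reader of the generated reference needs to know that. The comment could read `* A list of cluster aliases (or alias patterns) to which the permissions in this entry apply.` once the behaviour is confirmed.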
@@ -20,7 +20,8 @@ import { ApplicationPrivileges, ClusterPrivilege, - IndicesPrivileges + IndicesPrivileges, + RemoteIndicesPrivileges } from '@security/_types/Privileges' import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' @@ -63,6 +64,12 @@ export interface Request extends RequestBase { * A list of indices permissions entries. */ indices?: IndicesPrivileges[] + /** + * A list of remote indices permissions entries. + * @availability stack since=8.14.0 + * + */ + remote_indices?: RemoteIndicesPrivileges[] /** * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use. */
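Review bot: The doc comment on `remote_indices` in the second hunk says nothing about when the entries take effect. The Elasticsearch reference for this API states that remote indices privileges are effective only for remote clusters configured with the API key based model and have no effect under the certificate based model. Carrying that caveat into the comment, e.g. `* Remote indices are effective for remote clusters configured with the API key based model.`, keeps role authors from assuming a grant or restriction that is not applied. The empty ` *` line after `@availability stack since=8.14.0` can be dropped; the `Request` interface continues outside the hunk.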