diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index 0594e29035..5f04a1f90e 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -81909,6 +81909,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { @@ -82266,6 +82269,33 @@ "resources" ] }, + "security._types:Restriction": { + "type": "object", + "properties": { + "workflows": { + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RestrictionWorkflow" + } + } + }, + "required": [ + "workflows" + ] + }, + "security._types:RestrictionWorkflow": { + "anyOf": [ + { + "type": "string", + "enum": [ + "search_application_query" + ] + }, + { + "type": "string" + } + ] + }, "security._types:RealmInfo": { "type": "object", "properties": { @@ -82721,6 +82751,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { diff --git a/output/openapi/elasticsearch-serverless-openapi.json b/output/openapi/elasticsearch-serverless-openapi.json index 207ff5cf20..ec208a92b6 100644 --- a/output/openapi/elasticsearch-serverless-openapi.json +++ b/output/openapi/elasticsearch-serverless-openapi.json @@ -53667,6 +53667,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { 
@@ -53876,6 +53879,33 @@ "resources" ] }, + "security._types:Restriction": { + "type": "object", + "properties": { + "workflows": { + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RestrictionWorkflow" + } + } + }, + "required": [ + "workflows" + ] + }, + "security._types:RestrictionWorkflow": { + "anyOf": [ + { + "type": "string", + "enum": [ + "search_application_query" + ] + }, + { + "type": "string" + } + ] + }, "security._types:RealmInfo": { "type": "object", "properties": { diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index ce8606ead2..1482bad4dd 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json @@ -103260,6 +103260,20 @@ }, "specLocation": "security/_types/Privileges.ts#L201-L214" }, + { + "isOpen": true, + "kind": "enum", + "members": [ + { + "name": "search_application_query" + } + ], + "name": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + }, + "specLocation": "security/_types/RoleDescriptor.ts#L134-L137" + }, { "kind": "enum", "members": [ @@ -139676,6 +139690,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, @@ -139695,7 +139721,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L33-L79" + "specLocation": "security/_types/RoleDescriptor.ts#L33-L80" }, { "kind": "interface", 
@@ -139859,6 +139885,30 @@ ], "specLocation": "security/_types/Privileges.ts#L27-L40" }, + { + "kind": "interface", + "name": { + "name": "Restriction", + "namespace": "security._types" + }, + "properties": [ + { + "name": "workflows", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/RoleDescriptor.ts#L130-L132" + }, { "kind": "interface", "name": { diff --git a/output/schema/schema.json b/output/schema/schema.json index 19883250b5..5dd8078cee 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -188213,6 +188213,44 @@ ], "specLocation": "security/_types/Privileges.ts#L418-L428" }, + { + "kind": "interface", + "name": { + "name": "Restriction", + "namespace": "security._types" + }, + "properties": [ + { + "name": "workflows", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/RoleDescriptor.ts#L130-L132" + }, + { + "kind": "enum", + "isOpen": true, + "members": [ + { + "name": "search_application_query" + } + ], + "name": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + }, + "specLocation": "security/_types/RoleDescriptor.ts#L134-L137" + }, { "kind": "interface", "name": { @@ -188379,6 +188417,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, 
@@ -188398,7 +188448,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L33-L79" + "specLocation": "security/_types/RoleDescriptor.ts#L33-L80" }, { "kind": "interface", @@ -188586,6 +188636,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, @@ -188605,7 +188667,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L81-L124" + "specLocation": "security/_types/RoleDescriptor.ts#L82-L128" }, { "kind": "interface", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 0b40137e2c..b3f56a005a 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17706,6 +17706,12 @@ export interface SecurityReplicationAccess { allow_restricted_indices?: boolean } +export interface SecurityRestriction { + workflows: SecurityRestrictionWorkflow[] +} + +export type SecurityRestrictionWorkflow = 'search_application_query'| string + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -17717,6 +17723,7 @@ export interface SecurityRoleDescriptor { metadata?: Metadata run_as?: string[] description?: string + restriction?: SecurityRestriction transient_metadata?: Record } @@ -17731,6 +17738,7 @@ export interface SecurityRoleDescriptorRead { metadata?: Metadata run_as?: string[] description?: string + restriction?: SecurityRestriction transient_metadata?: Record } diff --git a/specification/security/_types/RoleDescriptor.ts b/specification/security/_types/RoleDescriptor.ts index ad8afe33a5..57ea1ac0ab 100644 --- a/specification/security/_types/RoleDescriptor.ts +++ b/specification/security/_types/RoleDescriptor.ts 
@@ -40,19 +40,16 @@ export class RoleDescriptor { * @aliases index */ indices?: IndicesPrivileges[] - /** * A list of indices permissions for remote clusters. * @availability stack since=8.14.0 */ remote_indices?: RemoteIndicesPrivileges[] - /** * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. * @availability stack since=8.15.0 */ remote_cluster?: RemoteClusterPrivileges[] - /** * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. * @availability stack @@ -75,6 +72,10 @@ export class RoleDescriptor { * Optional description of the role descriptor */ description?: string + /** + * Restriction for when the role descriptor is allowed to be effective. + */ + restriction?: Restriction transient_metadata?: Dictionary } @@ -93,7 +94,6 @@ export class RoleDescriptorRead implements OverloadOf { * @availability stack since=8.14.0 */ remote_indices?: RemoteIndicesPrivileges[] - /** * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. * @availability stack since=8.15.0 @@ -120,5 +120,18 @@ export class RoleDescriptorRead implements OverloadOf { * Optional description of the role descriptor */ description?: string + /** + * Restriction for when the role descriptor is allowed to be effective. + */ + restriction?: Restriction transient_metadata?: Dictionary } + +export class Restriction { + workflows: RestrictionWorkflow[] +} + +/** @non_exhaustive */ +export enum RestrictionWorkflow { + search_application_query +}
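Review bot: The doc comment on the new `restriction` property in `RoleDescriptor` (hunk `@@ -75,6 +72,10 @@`, repeated for `RoleDescriptorRead` in `@@ -120,5 +120,18 @@`) does not say what the restriction does to authorization, and unlike `remote_indices` and `remote_cluster` above it carries no `@availability` tag. Because this field narrows when a role's privileges apply, the comment should state the deny side, e.g. `* Restriction for when the role descriptor is allowed to be effective. Requests made outside the listed workflows are not granted this descriptor's privileges.`, with the wording confirmed against server behaviour. If the field is only honoured for API key role descriptors, which I believe is the case but cannot see from this diff, the comment should say so, so that nobody relies on it for regular roles. The class body starts and ends outside the hunk.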
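Review bot: `Restriction.workflows` and the `search_application_query` member at the end of hunk `@@ -120,5 +120,18 @@` have no doc comments, so the generated OpenAPI and schema entries carry no description for a field that gates authorization. I would add `/** A list of workflows to which the role descriptor is restricted. */` above `workflows` and a one-line comment on the enum member saying which requests count as that workflow. Because the enum is `@non_exhaustive`, the generated clients type it as `'search_application_query' | string` and will accept a misspelled workflow name. The enum comment should therefore state how the server treats an unknown value (presumably it is rejected, but that needs confirming) and whether an empty `workflows` array is valid.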