From bf8d295b608fdf6b6ba9de0d085ff9ae2ac224b7 Mon Sep 17 00:00:00 2001 From: Quentin Pradet Date: Mon, 23 Sep 2024 13:08:19 +0400 Subject: [PATCH] Add remote_indices to Create or update roles API (#2915) --- output/openapi/elasticsearch-openapi.json | 40 ++++++ output/schema/schema-serverless.json | 12 +- output/schema/schema.json | 128 ++++++++++++++++-- output/typescript/types.ts | 10 ++ specification/security/_types/Privileges.ts | 34 ++++- .../put_role/SecurityPutRoleRequest.ts | 9 +- 6 files changed, 214 insertions(+), 19 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index cecf20f210..9d555f9007 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json 
@@ -84029,6 +84029,39 @@ "created" ] }, + "security._types:RemoteIndicesPrivileges": { + "type": "object", + "properties": { + "clusters": { + "$ref": "#/components/schemas/_types:Names" + }, + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "$ref": "#/components/schemas/_types:Indices" + }, + "privileges": { + "description": "The index level privileges that owners of the role have on the specified indices.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:IndexPrivilege" + } + }, + "query": { + "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" + }, + "allow_restricted_indices": { + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "type": "boolean" + } + }, + "required": [ + "clusters", + "names", + "privileges" + ] + }, "security.query_api_keys:ApiKeyAggregationContainer": { "allOf": [ { @@ -104849,6 +104882,13 @@ "$ref": "#/components/schemas/security._types:IndicesPrivileges" } }, + "remote_indices": { + "description": "A list of remote indices permissions entries.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RemoteIndicesPrivileges" + } + }, "metadata": { "$ref": "#/components/schemas/_types:Metadata" }, diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index 405bf4baa1..b42888459f 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json 
@@ -101691,7 +101691,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "codegenNames": [ @@ -101705,7 +101705,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "items": [ { @@ -101755,7 +101755,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -101843,7 +101843,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "codegenNames": [ @@ -101855,7 +101855,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "items": [ { @@ -137827,7 +137827,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "interface", diff --git a/output/schema/schema.json b/output/schema/schema.json index 28a3234af0..c85214f2fc 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -184304,7 +184304,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L340-L342" + "specLocation": "security/_types/Privileges.ts#L373-L375" }, { "kind": "interface", @@ -184821,7 +184821,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L336-L338" + "specLocation": "security/_types/Privileges.ts#L369-L371" }, { "kind": "enum", 
@@ -184934,7 +184934,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "kind": "interface", @@ -185013,7 +185013,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "type_alias", @@ -185027,7 +185027,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "kind": "union_of", "items": [ @@ -185077,7 +185077,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L344-L346" + "specLocation": "security/_types/Privileges.ts#L377-L379" }, { "kind": "interface", 
@@ -185111,6 +185111,97 @@ ], "specLocation": "security/_types/RealmInfo.ts#L22-L25" }, + { + "kind": "interface", + "name": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of cluster aliases to which the permissions in this entry apply.", + "name": "clusters", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Names", + "namespace": "_types" + } + } + }, + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" + } + } + }, + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Indices", + "namespace": "_types" + } + } + }, + { + "description": "The index level privileges that owners of the role have on the specified indices.", + "name": "privileges", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexPrivilege", + "namespace": "security._types" + } + } + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. 
A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" + } + } + }, + { + "availability": { + "stack": {} + }, + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L226-L254" + }, { "kind": "interface", "name": { @@ -185601,7 +185692,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "kind": "union_of", "items": [ @@ -185644,7 +185735,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -185732,7 +185823,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "kind": "enum", @@ -185943,7 +186034,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L223-L245" + "specLocation": "security/_types/Privileges.ts#L256-L278" }, { "kind": "interface", 
@@ -191567,6 +191658,21 @@ } } }, + { + "description": "A list of remote indices permissions entries.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, { "description": "Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.", "name": "metadata", @@ -191668,7 +191774,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L30-L84" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L89" }, { "kind": "response", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index c87a3ad2ea..695b0a230e 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17477,6 +17477,15 @@ export interface SecurityRealmInfo { type: string } +export interface SecurityRemoteIndicesPrivileges { + clusters: Names + field_security?: SecurityFieldSecurity + names: Indices + privileges: SecurityIndexPrivilege[] + query?: SecurityIndicesPrivilegesQuery + allow_restricted_indices?: boolean +} + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -18152,6 +18161,7 @@ export interface SecurityPutRoleRequest extends RequestBase { cluster?: SecurityClusterPrivilege[] global?: Record indices?: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] metadata?: Metadata run_as?: string[] description?: string diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 137bf81105..abfafbdef2 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts 
@@ -19,7 +19,7 @@ import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' -import { Id, Indices } from '@_types/common' +import { Id, Indices, Names } from '@_types/common' import { QueryContainer } from '@_types/query_dsl/abstractions' import { ScriptLanguage } from '@_types/Scripting' import { FieldSecurity } from './FieldSecurity' @@ -194,6 +194,7 @@ export enum ClusterPrivilege { write_fleet_secrets } +// Keep in sync with RemoteIndicesPrivileges export class IndicesPrivileges { /** * The document fields that the owners of the role have read access to. 
@@ -220,6 +221,37 @@ export class IndicesPrivileges { allow_restricted_indices?: boolean } +// Keep in sync with IndicesPrivileges +export class RemoteIndicesPrivileges { + /** + * A list of cluster aliases to which the permissions in this entry apply. + */ + clusters: Names + /** + * The document fields that the owners of the role have read access to. + * @doc_id field-and-document-access-control + */ + field_security?: FieldSecurity + /** + * A list of indices (or index name patterns) to which the permissions in this entry apply. + */ + names: Indices + /** + * The index level privileges that owners of the role have on the specified indices. + */ + privileges: IndexPrivilege[] + /** + * A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role. + */ + query?: IndicesPrivilegesQuery + /** + * Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`. + * @server_default false + * @availability stack + */ + allow_restricted_indices?: boolean +} + export class UserIndicesPrivileges { /** * The document fields that the owners of the role have read access to. diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts index af4e3d723b..bfe818361f 100644 --- a/specification/security/put_role/SecurityPutRoleRequest.ts +++ b/specification/security/put_role/SecurityPutRoleRequest.ts 
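Review bot: `RemoteIndicesPrivileges` appears to repeat the fields of `IndicesPrivileges` one for one and adds only `clusters`, so the two `// Keep in sync with …` comments (this hunk and the one added above `IndicesPrivileges` in the previous hunk) are the only thing keeping the two privilege shapes aligned. For a type that describes access grants, drift matters: a field later added to one class, such as a new restriction next to `field_security` or `query`, would be missing from the other in every generated client without any warning. If the spec compiler accepts inheritance here, I would derive the remote variant instead, `export class RemoteIndicesPrivileges extends IndicesPrivileges {` with only `clusters: Names` in the body. Otherwise, a validation step that compares the two property lists would be a sturdier guard than a comment. Most of the body of `IndicesPrivileges` lies outside the visible hunks, so the field-for-field match is inferred from the generated schema in this patch.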
@@ -20,7 +20,8 @@ import { ApplicationPrivileges, ClusterPrivilege, - IndicesPrivileges + IndicesPrivileges, + RemoteIndicesPrivileges } from '@security/_types/Privileges' import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' @@ -63,6 +64,12 @@ export interface Request extends RequestBase { * A list of indices permissions entries. */ indices?: IndicesPrivileges[] + /** + * A list of remote indices permissions entries. + * @availability stack since=8.14.0 + * + */ + remote_indices?: RemoteIndicesPrivileges[] /** * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use. */
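Review bot: The doc comment on `remote_indices` in the last hunk says only that it is a list of permission entries; it does not say when these cross-cluster grants take effect, which is what someone auditing a role needs to know. As far as I recall, the Elasticsearch reference says remote indices privileges apply only to remote clusters configured with the API key based security model and have no effect under the certificate based model. If that is confirmed against the reference, I would add a line such as `* Remote indices are effective for remote clusters configured with the API key based model.` The comment also ends with an empty ` *` line after `@availability stack since=8.14.0`, which can be dropped. The `Request` interface starts before and continues after this hunk.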