From d478ca0851c421b128874f0370305f7c2257b03c Mon Sep 17 00:00:00 2001 From: Quentin Pradet Date: Fri, 22 Nov 2024 14:14:56 +0400 Subject: [PATCH] Fix security.get_api_key and security.query_api_keys APIs (#3146) * Fix security.get_api_key API * Use specific APIKey type for authenticate API This allows removing a number of optional fields from APIKey itself. * Use more EpochTime (cherry picked from commit 986d9dba35768389938eb9801846668682138734) --- output/openapi/elasticsearch-openapi.json | 224 ++++--- .../elasticsearch-serverless-openapi.json | 207 ++++-- output/schema/schema-serverless.json | 591 +++++++++++++----- output/schema/schema.json | 206 ++++-- output/typescript/types.ts | 26 +- specification/security/_types/ApiKey.ts | 72 ++- .../SecurityAuthenticateResponse.ts | 10 +- 7 files changed, 948 insertions(+), 388 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index cc077c25d3..90f6b4ac3e 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -27100,7 +27100,7 @@ "type": "object", "properties": { "api_key": { - "$ref": "#/components/schemas/security._types:ApiKey" + "$ref": "#/components/schemas/security.authenticate:AuthenticateApiKey" }, "authentication_realm": { "$ref": "#/components/schemas/security._types:RealmInfo" 
@@ -81735,69 +81735,67 @@ "username" ] }, - "security._types:ApiKey": { + "security.authenticate:AuthenticateApiKey": { "type": "object", "properties": { - "creation": { - "description": "Creation time for the API key in milliseconds.", - "type": "number" - }, - "expiration": { - "description": "Expiration time for the API key in milliseconds.", - "type": "number" - }, "id": { "$ref": "#/components/schemas/_types:Id" }, - "invalidated": { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "type": "boolean" - }, + "name": { + "$ref": "#/components/schemas/_types:Name" + } + }, + "required": [ + "id" + ] + }, + "security._types:RealmInfo": { + "type": "object", + "properties": { "name": { "$ref": "#/components/schemas/_types:Name" }, - "realm": { - "description": "Realm name of the principal for which this API key was created.", - "type": "string" - }, - "realm_type": { - "description": "Realm type of the principal for which this API key was created", + "type": { "type": "string" + } + }, + "required": [ + "name", + "type" + ] + }, + "security.authenticate:Token": { + "type": "object", + "properties": { + "name": { + "$ref": "#/components/schemas/_types:Name" }, - "username": { - "$ref": "#/components/schemas/_types:Username" - }, - "profile_uid": { - "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": { "type": "string" + } + }, + "required": [ + "name" + ] + }, + "security._types:BulkError": { + "type": "object", + "properties": { + "count": { + "description": "The number of errors", + "type": "number" }, - "metadata": { - "$ref": "#/components/schemas/_types:Metadata" - }, - "role_descriptors": { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "details": { + "description": 
"Details about the errors, keyed by role name", "type": "object", "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - }, - "limited_by": { - "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } + "$ref": "#/components/schemas/_types:ErrorCause" } - }, - "_sort": { - "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ - "id", - "name" + "count", + "details" ] }, "security._types:RoleDescriptor": { @@ -82127,55 +82125,6 @@ "resources" ] }, - "security._types:RealmInfo": { - "type": "object", - "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" - }, - "type": { - "type": "string" - } - }, - "required": [ - "name", - "type" - ] - }, - "security.authenticate:Token": { - "type": "object", - "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" - }, - "type": { - "type": "string" - } - }, - "required": [ - "name" - ] - }, - "security._types:BulkError": { - "type": "object", - "properties": { - "count": { - "description": "The number of errors", - "type": "number" - }, - "details": { - "description": "Details about the errors, keyed by role name", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/_types:ErrorCause" - } - } - }, - "required": [ - "count", - "details" - ] - }, "security._types:ClusterNode": { "type": "object", "properties": { 
@@ -82297,6 +82246,91 @@ "value" ] }, + "security._types:ApiKey": { + "type": "object", + "properties": { + "id": { + "$ref": "#/components/schemas/_types:Id" + }, + "name": { + "$ref": "#/components/schemas/_types:Name" + }, + "type": { + "$ref": "#/components/schemas/security._types:ApiKeyType" + }, + "creation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "expiration": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "invalidated": { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "type": "boolean" + }, + "invalidation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "username": { + "$ref": "#/components/schemas/_types:Username" + }, + "realm": { + "description": "Realm name of the principal for which this API key was created.", + "type": "string" + }, + "realm_type": { + "description": "Realm type of the principal for which this API key was created", + "type": "string" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "role_descriptors": { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + }, + "limited_by": { + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + } + }, + "access": { + "$ref": "#/components/schemas/security._types:Access" + }, + "profile_uid": { + 
"description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": "string" + }, + "_sort": { + "$ref": "#/components/schemas/_types:SortResults" + } + }, + "required": [ + "id", + "name", + "type", + "creation", + "invalidated", + "username", + "realm", + "metadata" + ] + }, + "security._types:ApiKeyType": { + "type": "string", + "enum": [ + "rest", + "cross_cluster" + ] + }, "security.put_privileges:Actions": { "type": "object", "properties": { diff --git a/output/openapi/elasticsearch-serverless-openapi.json b/output/openapi/elasticsearch-serverless-openapi.json index d7e293e9a1..7754d83a45 100644 --- a/output/openapi/elasticsearch-serverless-openapi.json +++ b/output/openapi/elasticsearch-serverless-openapi.json @@ -16932,7 +16932,7 @@ "type": "object", "properties": { "api_key": { - "$ref": "#/components/schemas/security._types:ApiKey" + "$ref": "#/components/schemas/security.authenticate:AuthenticateApiKey" }, "authentication_realm": { "$ref": "#/components/schemas/security._types:RealmInfo" 
@@ -53744,68 +53744,46 @@ "_types:MapboxVectorTiles": { "type": "object" }, - "security._types:ApiKey": { + "security.authenticate:AuthenticateApiKey": { "type": "object", "properties": { - "creation": { - "description": "Creation time for the API key in milliseconds.", - "type": "number" - }, - "expiration": { - "description": "Expiration time for the API key in milliseconds.", - "type": "number" - }, "id": { "$ref": "#/components/schemas/_types:Id" }, - "invalidated": { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "type": "boolean" - }, + "name": { + "$ref": "#/components/schemas/_types:Name" + } + }, + "required": [ + "id" + ] + }, + "security._types:RealmInfo": { + "type": "object", + "properties": { "name": { "$ref": "#/components/schemas/_types:Name" }, - "realm": { - "description": "Realm name of the principal for which this API key was created.", - "type": "string" - }, - "realm_type": { - "description": "Realm type of the principal for which this API key was created", + "type": { "type": "string" + } + }, + "required": [ + "name", + "type" + ] + }, + "security.authenticate:Token": { + "type": "object", + "properties": { + "name": { + "$ref": "#/components/schemas/_types:Name" }, - "username": { - "$ref": "#/components/schemas/_types:Username" - }, - "profile_uid": { - "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": { "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/_types:Metadata" - }, - "role_descriptors": { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - }, - "limited_by": { - "description": "The owner user’s permissions 
associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - } - }, - "_sort": { - "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ - "id", "name" ] }, 
@@ -54045,33 +54023,148 @@ "resources" ] }, - "security._types:RealmInfo": { + "security._types:ApiKey": { "type": "object", "properties": { + "id": { + "$ref": "#/components/schemas/_types:Id" + }, "name": { "$ref": "#/components/schemas/_types:Name" }, "type": { + "$ref": "#/components/schemas/security._types:ApiKeyType" + }, + "creation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "expiration": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "invalidated": { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "type": "boolean" + }, + "invalidation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "username": { + "$ref": "#/components/schemas/_types:Username" + }, + "realm": { + "description": "Realm name of the principal for which this API key was created.", + "type": "string" + }, + "realm_type": { + "description": "Realm type of the principal for which this API key was created", "type": "string" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "role_descriptors": { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + }, + "limited_by": { + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + } + }, + "access": { + "$ref": "#/components/schemas/security._types:Access" + 
}, + "profile_uid": { + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": "string" + }, + "_sort": { + "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ + "id", "name", - "type" + "type", + "creation", + "invalidated", + "username", + "realm", + "metadata" ] }, - "security.authenticate:Token": { + "security._types:ApiKeyType": { + "type": "string", + "enum": [ + "rest", + "cross_cluster" + ] + }, + "security._types:Access": { "type": "object", "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" + "replication": { + "description": "A list of indices permission entries for cross-cluster replication.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:ReplicationAccess" + } }, - "type": { - "type": "string" + "search": { + "description": "A list of indices permission entries for cross-cluster search.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:SearchAccess" + } + } + } + }, + "security._types:ReplicationAccess": { + "type": "object", + "properties": { + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + }, + "allow_restricted_indices": { + "description": "This needs to be set to true if the patterns in the names field should cover system indices.", + "type": "boolean" } }, "required": [ - "name" + "names" + ] + }, + "security._types:SearchAccess": { + "type": "object", + "properties": { + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + }, + "query": { + "$ref": 
"#/components/schemas/security._types:IndicesPrivilegesQuery" + } + }, + "required": [ + "names" ] }, "security.has_privileges:ApplicationPrivilegesCheck": { diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index db10c84148..c950d26754 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json @@ -39092,8 +39092,8 @@ "type": { "kind": "instance_of", "type": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" } } }, @@ -39247,7 +39247,7 @@ "name": "Response", "namespace": "security.authenticate" }, - "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L25-L43" + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L24-L42" }, { "attachedBehaviors": [ @@ -102978,6 +102978,22 @@ }, "specLocation": "searchable_snapshots/_types/stats.ts#L20-L24" }, + { + "kind": "enum", + "members": [ + { + "name": "rest" + }, + { + "name": "cross_cluster" + } + ], + "name": { + "name": "ApiKeyType", + "namespace": "security._types" + }, + "specLocation": "security/_types/ApiKey.ts#L115-L118" + }, { "isOpen": true, "kind": "enum", @@ -139711,36 +139727,11 @@ { "kind": "interface", "name": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" }, "properties": [ { - "description": "Creation time for the API key in milliseconds.", - "name": "creation", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "long", - "namespace": "_types" - } - } - }, - { - "description": "Expiration time for the API key in milliseconds.", - "name": "expiration", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "long", - "namespace": "_types" - } - } - }, - { - "description": "Id for the API key", "name": "id", "required": true, "type": { 
@@ -139752,19 +139743,27 @@ } }, { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "name": "invalidated", + "name": "name", "required": false, "type": { "kind": "instance_of", "type": { - "name": "boolean", - "namespace": "_builtins" + "name": "Name", + "namespace": "_types" } } - }, + } + ], + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L44-L47" + }, + { + "kind": "interface", + "name": { + "name": "RealmInfo", + "namespace": "security._types" + }, + "properties": [ { - "description": "Name of the API key.", "name": "name", "required": true, "type": { @@ -139776,27 +139775,8 @@ } }, { - "description": "Realm name of the principal for which this API key was created.", - "name": "realm", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "8.14.0" - } - }, - "description": "Realm type of the principal for which this API key was created", - "name": "realm_type", - "required": false, + "name": "type", + "required": true, "type": { "kind": "instance_of", "type": { @@ -139804,15 +139784,24 @@ "namespace": "_builtins" } } - }, + } + ], + "specLocation": "security/_types/RealmInfo.ts#L22-L25" + }, + { + "kind": "interface", + "name": { + "name": "Token", + "namespace": "security.authenticate" + }, + "properties": [ { - "description": "Principal for which this API key was created", - "name": "username", - "required": false, + "name": "name", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "Username", + "name": "Name", "namespace": "_types" } } 
@@ -139821,11 +139810,10 @@ "availability": { "serverless": {}, "stack": { - "since": "8.14.0" + "since": "7.14.0" } }, - "description": "The profile uid for the API key owner principal, if requested and if it exists", - "name": "profile_uid", + "name": "type", "required": false, "type": { "kind": "instance_of", 
@@ -139834,93 +139822,9 @@ "namespace": "_builtins" } } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "7.13.0" - } - }, - "description": "Metadata of the API key", - "name": "metadata", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "Metadata", - "namespace": "_types" - } - } - }, - { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", - "name": "role_descriptors", - "required": false, - "type": { - "key": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - }, - "kind": "dictionary_of", - "singleKey": false, - "value": { - "kind": "instance_of", - "type": { - "name": "RoleDescriptor", - "namespace": "security._types" - } - } - } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "8.5.0" - } - }, - "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "name": "limited_by", - "required": false, - "type": { - "kind": "array_of", - "value": { - "key": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - }, - "kind": "dictionary_of", - "singleKey": false, - "value": { - "kind": "instance_of", - "type": { - "name": "RoleDescriptor", - "namespace": "security._types" - } - } - } - } - }, - { - "name": "_sort", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "SortResults", - "namespace": "_types" - } - } } ], - "specLocation": "security/_types/ApiKey.ts#L26-L88" + "specLocation": "security/authenticate/types.ts#L22-L29" }, { "kind": "interface", 
@@ -140189,11 +140093,24 @@ { "kind": "interface", "name": { - "name": "RealmInfo", + "name": "ApiKey", "namespace": "security._types" }, "properties": [ { + "description": "Id for the API key", + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + "namespace": "_types" + } + } + }, + { + "description": "Name of the API key.", "name": "name", "required": true, "type": { 
@@ -140205,8 +140122,120 @@ } }, { + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The type of the API key (e.g. `rest` or `cross_cluster`).", "name": "type", "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "ApiKeyType", + "namespace": "security._types" + } + } + }, + { + "description": "Creation time for the API key in milliseconds.", + "name": "creation", + "required": true, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Expiration time for the API key in milliseconds.", + "name": "expiration", + "required": false, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. 
Otherwise, it is `false`.", + "name": "invalidated", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.12.0" + } + }, + "description": "If the key has been invalidated, invalidation time in milliseconds.", + "name": "invalidation", + "required": false, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Principal for which this API key was created", + "name": "username", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Username", + "namespace": "_types" + } + } + }, + { + "description": "Realm name of the principal for which this API key was created.", + "name": "realm", + "required": true, "type": { "kind": "instance_of", "type": { 
@@ -140214,47 +140243,277 @@ "namespace": "_builtins" } } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "Realm type of the principal for which this API key was created", + "name": "realm_type", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "7.13.0" + } + }, + "description": "Metadata of the API key", + "name": "metadata", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Metadata", + "namespace": "_types" + } + } + }, + { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "name": "role_descriptors", + "required": false, + "type": { + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "kind": "dictionary_of", + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "RoleDescriptor", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.5.0" + } + }, + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "name": "limited_by", + "required": false, + "type": { + "kind": "array_of", + "value": { + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "kind": "dictionary_of", + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "RoleDescriptor", + "namespace": "security._types" + } + } + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + 
"since": "8.10.0" + } + }, + "description": "The access granted to cross-cluster API keys.\nThe access is composed of permissions for cross cluster search and cross cluster replication.\nAt least one of them must be specified.\nWhen specified, the new access assignment fully replaces the previously assigned access.", + "name": "access", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "name": "profile_uid", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Sorting values when using the `sort` parameter with the `security.query_api_keys` API.", + "name": "_sort", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "SortResults", + "namespace": "_types" + } + } } ], - "specLocation": "security/_types/RealmInfo.ts#L22-L25" + "specLocation": "security/_types/ApiKey.ts#L27-L113" }, { "kind": "interface", "name": { - "name": "Token", - "namespace": "security.authenticate" + "name": "Access", + "namespace": "security._types" }, "properties": [ { - "name": "name", + "description": "A list of indices permission entries for cross-cluster replication.", + "name": "replication", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "ReplicationAccess", + "namespace": "security._types" + } + } + } + }, + { + "description": "A list of indices permission entries for cross-cluster search.", + "name": "search", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "SearchAccess", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": 
"security/_types/Access.ts#L22-L31" + }, + { + "kind": "interface", + "name": { + "name": "ReplicationAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + } + } + }, + { + "description": "This needs to be set to true if the patterns in the names field should cover system indices.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, "type": { "kind": "instance_of", "type": { - "name": "Name", - "namespace": "_types" + "name": "boolean", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L380-L390" + }, + { + "kind": "interface", + "name": { + "name": "SearchAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" } } }, { - "availability": { - "serverless": {}, - "stack": { - "since": "7.14.0" + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } } - }, - "name": "type", + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. 
A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", "required": false, "type": { "kind": "instance_of", "type": { - "name": "string", - "namespace": "_builtins" + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" } } } ], - "specLocation": "security/authenticate/types.ts#L22-L29" + "specLocation": "security/_types/Privileges.ts#L392-L412" }, { "kind": "interface", diff --git a/output/schema/schema.json b/output/schema/schema.json index eb7d30a8a0..f6cf034138 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -186800,73 +186800,97 @@ }, "properties": [ { - "description": "Creation time for the API key in milliseconds.", - "name": "creation", - "required": false, + "description": "Id for the API key", + "name": "id", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "long", + "name": "Id", "namespace": "_types" } } }, { - "description": "Expiration time for the API key in milliseconds.", - "name": "expiration", - "required": false, + "description": "Name of the API key.", + "name": "name", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "long", + "name": "Name", "namespace": "_types" } } }, { - "description": "Id for the API key", - "name": "id", + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The type of the API key (e.g. `rest` or `cross_cluster`).", + "name": "type", "required": true, "type": { "kind": "instance_of", "type": { - "name": "Id", - "namespace": "_types" + "name": "ApiKeyType", + "namespace": "security._types" } } }, { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. 
Otherwise, it is `false`.", - "name": "invalidated", - "required": false, + "description": "Creation time for the API key in milliseconds.", + "name": "creation", + "required": true, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "boolean", - "namespace": "_builtins" + "name": "EpochTime", + "namespace": "_types" } } }, { - "description": "Name of the API key.", - "name": "name", - "required": true, + "description": "Expiration time for the API key in milliseconds.", + "name": "expiration", + "required": false, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "Name", + "name": "EpochTime", "namespace": "_types" } } }, { - "description": "Realm name of the principal for which this API key was created.", - "name": "realm", - "required": false, + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "name": "invalidated", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "string", + "name": "boolean", "namespace": "_builtins" } } 
@@ -186875,24 +186899,33 @@ "availability": { "serverless": {}, "stack": { - "since": "8.14.0" + "since": "8.12.0" } }, - "description": "Realm type of the principal for which this API key was created", - "name": "realm_type", + "description": "If the key has been invalidated, invalidation time in milliseconds.", + "name": "invalidation", "required": false, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "string", - "namespace": "_builtins" + "name": "EpochTime", + "namespace": "_types" } } }, { "description": "Principal for which this API key was created", "name": "username", - "required": false, + "required": true, "type": { "kind": "instance_of", "type": { @@ -186901,6 +186934,18 @@ } } }, + { + "description": "Realm name of the principal for which this API key was created.", + "name": "realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, { "availability": { "serverless": {}, @@ -186908,8 +186953,8 @@ "since": "8.14.0" } }, - "description": "The profile uid for the API key owner principal, if requested and if it exists", - "name": "profile_uid", + "description": "Realm type of the principal for which this API key was created", + "name": "realm_type", "required": false, "type": { "kind": "instance_of", @@ -186928,7 +186973,7 @@ }, "description": "Metadata of the API key", "name": "metadata", - "required": false, + "required": true, "type": { "kind": "instance_of", "type": { 
@@ -186993,6 +187038,43 @@ } }, { + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The access granted to cross-cluster API keys.\nThe access is composed of permissions for cross cluster search and cross cluster replication.\nAt least one of them must be specified.\nWhen specified, the new access assignment fully replaces the previously assigned access.", + "name": "access", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "name": "profile_uid", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Sorting values when using the `sort` parameter with the `security.query_api_keys` API.", "name": "_sort", "required": false, "type": { @@ -187004,7 +187086,23 @@ } } ], - "specLocation": "security/_types/ApiKey.ts#L26-L88" + "specLocation": "security/_types/ApiKey.ts#L27-L113" + }, + { + "kind": "enum", + "members": [ + { + "name": "rest" + }, + { + "name": "cross_cluster" + } + ], + "name": { + "name": "ApiKeyType", + "namespace": "security._types" + }, + "specLocation": "security/_types/ApiKey.ts#L115-L118" }, { "kind": "interface", 
@@ -189216,6 +189314,38 @@ }, "specLocation": "security/activate_user_profile/Response.ts#L22-L24" }, + { + "kind": "interface", + "name": { + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" + }, + "properties": [ + { + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + "namespace": "_types" + } + } + }, + { + "name": "name", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Name", + "namespace": "_types" + } + } + } + ], + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L44-L47" + }, { "kind": "request", "attachedBehaviors": [ @@ -189250,8 +189380,8 @@ "type": { "kind": "instance_of", "type": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" } } }, @@ -189404,7 +189534,7 @@ "name": "Response", "namespace": "security.authenticate" }, - "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L25-L43" + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L24-L42" }, { "kind": "interface", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 2fd14219ce..71edde2dac 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts 
@@ -17599,21 +17599,26 @@ export interface SecurityAccess { } export interface SecurityApiKey { - creation?: long - expiration?: long id: Id - invalidated?: boolean name: Name - realm?: string + type: SecurityApiKeyType + creation: EpochTime + expiration?: EpochTime + invalidated: boolean + invalidation?: EpochTime + username: Username + realm: string realm_type?: string - username?: Username - profile_uid?: string - metadata?: Metadata + metadata: Metadata role_descriptors?: Record limited_by?: Record[] + access?: SecurityAccess + profile_uid?: string _sort?: SortResults } +export type SecurityApiKeyType = 'rest' | 'cross_cluster' + export interface SecurityApplicationGlobalUserPrivileges { manage: SecurityManageUserPrivileges } @@ -17816,11 +17821,16 @@ export interface SecurityActivateUserProfileRequest extends RequestBase { export type SecurityActivateUserProfileResponse = SecurityUserProfileWithMetadata +export interface SecurityAuthenticateAuthenticateApiKey { + id: Id + name?: Name +} + export interface SecurityAuthenticateRequest extends RequestBase { } export interface SecurityAuthenticateResponse { - api_key?: SecurityApiKey + api_key?: SecurityAuthenticateAuthenticateApiKey authentication_realm: SecurityRealmInfo email?: string | null full_name?: Name | null diff --git a/specification/security/_types/ApiKey.ts b/specification/security/_types/ApiKey.ts index 9d7135c25b..d5ea6b9798 100644 --- a/specification/security/_types/ApiKey.ts +++ b/specification/security/_types/ApiKey.ts 
@@ -19,58 +19,65 @@ import { Dictionary } from '@spec_utils/Dictionary' import { Id, Metadata, Name, Username } from '@_types/common' -import { long } from '@_types/Numeric' import { SortResults } from '@_types/sort' +import { EpochTime, UnitMillis } from '@_types/Time' +import { Access } from './Access' import { RoleDescriptor } from './RoleDescriptor' export class ApiKey { /** - * Creation time for the API key in milliseconds. + * Id for the API key */ - creation?: long + id: Id /** - * Expiration time for the API key in milliseconds. + * Name of the API key. */ - expiration?: long + name: Name /** - * Id for the API key + * The type of the API key (e.g. `rest` or `cross_cluster`). + * @availability stack since=8.10.0 + * @availability serverless */ - id: Id + type: ApiKeyType /** - * Invalidation status for the API key. - * If the key has been invalidated, it has a value of `true`. Otherwise, it is `false`. + * Creation time for the API key in milliseconds. */ - invalidated?: boolean + creation: EpochTime /** - * Name of the API key. + * Expiration time for the API key in milliseconds. */ - name: Name + expiration?: EpochTime /** - * Realm name of the principal for which this API key was created. + * Invalidation status for the API key. + * If the key has been invalidated, it has a value of `true`. Otherwise, it is `false`. */ - realm?: string + invalidated: boolean /** - * Realm type of the principal for which this API key was created - * @availability stack since=8.14.0 + * If the key has been invalidated, invalidation time in milliseconds. + * @availability stack since=8.12.0 * @availability serverless */ - realm_type?: string + invalidation?: EpochTime /** * Principal for which this API key was created */ - username?: Username + username: Username /** - * The profile uid for the API key owner principal, if requested and if it exists + * Realm name of the principal for which this API key was created. 
+ */ + realm: string + /** + * Realm type of the principal for which this API key was created * @availability stack since=8.14.0 * @availability serverless */ - profile_uid?: string + realm_type?: string /** * Metadata of the API key * @availability stack since=7.13.0 * @availability serverless */ - metadata?: Metadata + metadata: Metadata /** * The role descriptors assigned to this API key when it was created or last updated. * An empty role descriptor means the API key inherits the owner user’s permissions. @@ -84,5 +91,28 @@ export class ApiKey { * @availability serverless */ limited_by?: Array> + /** + * The access granted to cross-cluster API keys. + * The access is composed of permissions for cross cluster search and cross cluster replication. + * At least one of them must be specified. + * When specified, the new access assignment fully replaces the previously assigned access. + * @availability stack since=8.10.0 + * @availability serverless + */ + access?: Access + /** + * The profile uid for the API key owner principal, if requested and if it exists + * @availability stack since=8.14.0 + * @availability serverless + */ + profile_uid?: string + /** + * Sorting values when using the `sort` parameter with the `security.query_api_keys` API. + */ _sort?: SortResults } + +export enum ApiKeyType { + rest, + cross_cluster +} diff --git a/specification/security/authenticate/SecurityAuthenticateResponse.ts b/specification/security/authenticate/SecurityAuthenticateResponse.ts index a6716f45c9..75bfb082b8 100644 --- a/specification/security/authenticate/SecurityAuthenticateResponse.ts +++ b/specification/security/authenticate/SecurityAuthenticateResponse.ts 
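Review bot: The doc comments on `expiration` and `invalidation` do not say what an absent value means, which matters to anyone reading this type to audit key lifetime. Both fields stay optional while `creation` and `invalidated` become required, so a consumer has to guess that a missing `expiration` means a key with no expiry; that is presumably the case, but nothing in the hunk states it. I would extend the comments, for example `* Expiration time for the API key in milliseconds since the epoch. Absent when the key does not expire.` and `* Invalidation time in milliseconds since the epoch. Only present when the key has been invalidated.`, after confirming both against server behaviour. The `ApiKey` class body continues past the end of this hunk.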
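Review bot: The doc comment added for `access` reads like request-body documentation rather than a description of a returned field. "At least one of them must be specified" and "the new access assignment fully replaces the previously assigned access" describe an update call, while `ApiKey` appears to be a response type (the `_sort` comment ties it to `security.query_api_keys`). For a returned key I would keep only the descriptive part, `* The access granted to cross-cluster API keys, composed of permissions for cross cluster search and cross cluster replication.`, and add that it is only expected on `cross_cluster` keys if that holds. The new `ApiKeyType` members have no doc comments either, and a line each saying what a `rest` and a `cross_cluster` key is would carry into the generated output. The class starts outside this hunk.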
@@ -17,14 +17,13 @@ * under the License. */ -import { ApiKey } from '@security/_types/ApiKey' import { RealmInfo } from '@security/_types/RealmInfo' -import { Metadata, Name, Username } from '@_types/common' +import { Id, Metadata, Name, Username } from '@_types/common' import { Token } from './types' export class Response { body: { - api_key?: ApiKey + api_key?: AuthenticateApiKey authentication_realm: RealmInfo email?: string | null full_name?: Name | null @@ -41,3 +40,8 @@ export class Response { token?: Token } } + +export class AuthenticateApiKey { + id: Id + name?: Name +}
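Review bot: `AuthenticateApiKey` is added without a doc comment on the class or on `id` and `name`, while every field of `ApiKey` carries one. As a result, the generated schema entries for it have no `description`. Because this type now defines exactly what the authenticate response exposes about the calling key, I would document it: `/** Id for the API key */` on `id`, `/** Name of the API key. */` on `name`, and a class comment saying it is the reduced key shape returned by the authenticate API. `name` is optional here but required on `ApiKey`; if that difference is intentional, a short comment saying when it is absent would help. The `Response` class that uses the type begins outside these hunks.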