From dac7201aa2a52228954f70195c478647caeae7c1 Mon Sep 17 00:00:00 2001 From: Jake Landis Date: Thu, 14 Nov 2024 13:40:44 -0600 Subject: [PATCH] Support for security remote_cluster and associated privileges (#3125) This commit adds support for the remote_cluster in the role and role descriptors. Additionally: * adds missing references to remote_indices * add new cluster privilege monitor_stats * adds related version information where applicable * updates references to cluster from string[] to proper enumeration --- output/schema/schema.json | 269 ++++++++++++++++-- output/typescript/types.ts | 21 +- package.json | 2 +- specification/security/_types/Privileges.ts | 36 +++ .../security/_types/RoleDescriptor.ts | 28 +- .../SecurityGetBuiltinPrivilegesResponse.ts | 10 +- specification/security/get_role/types.ts | 15 +- .../put_role/SecurityPutRoleRequest.ts | 7 + 8 files changed, 357 insertions(+), 31 deletions(-) diff --git a/output/schema/schema.json b/output/schema/schema.json index 7395844be7..dee25fcbb2 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -187017,7 +187017,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L372-L374" + "specLocation": "security/_types/Privileges.ts#L408-L410" }, { "kind": "interface", @@ -187339,6 +187339,12 @@ }, "name": "monitor_snapshot" }, + { + "availability": { + "stack": {} + }, + "name": "monitor_stats" + }, { "availability": { "stack": {} @@ -187413,7 +187419,7 @@ "name": "ClusterPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L42-L195" + "specLocation": "security/_types/Privileges.ts#L42-L199" }, { "kind": "interface", @@ -187534,7 +187540,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L368-L370" + "specLocation": "security/_types/Privileges.ts#L404-L406" }, { "kind": "enum", 
@@ -187647,7 +187653,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L324-L366" + "specLocation": "security/_types/Privileges.ts#L360-L402" }, { "kind": "interface", @@ -187729,7 +187735,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L198-L222" + "specLocation": "security/_types/Privileges.ts#L217-L241" }, { "kind": "type_alias", @@ -187743,7 +187749,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L279-L287", + "specLocation": "security/_types/Privileges.ts#L315-L323", "type": { "kind": "union_of", "items": [ @@ -187793,7 +187799,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L376-L378" + "specLocation": "security/_types/Privileges.ts#L412-L414" }, { "kind": "interface", 
@@ -187827,8 +187833,73 @@ ], "specLocation": "security/_types/RealmInfo.ts#L22-L25" }, + { + "kind": "enum", + "members": [ + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "name": "monitor_enrich" + }, + { + "availability": { + "stack": { + "since": "8.17.0" + } + }, + "name": "monitor_stats" + } + ], + "name": { + "name": "RemoteClusterPrivilege", + "namespace": "security._types" + }, + "specLocation": "security/_types/Privileges.ts#L201-L214" + }, + { + "kind": "interface", + "description": "The subset of cluster level privileges that can be defined for remote clusters.", + "name": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of cluster aliases to which the permissions in this entry apply.", + "name": "clusters", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Names", + "namespace": "_types" + } + } + }, + { + "description": "The cluster level privileges that owners of the role have on the remote cluster.", + "name": "privileges", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivilege", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L277-L289" + }, { "kind": "interface", + "description": "The subset of index level privileges that can be defined for remote clusters.", "name": { "name": "RemoteIndicesPrivileges", "namespace": "security._types" @@ -187919,7 +187990,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L225-L253" + "specLocation": "security/_types/Privileges.ts#L243-L275" }, { "kind": "interface", @@ -187944,7 +188015,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L380-L385" + "specLocation": "security/_types/Privileges.ts#L416-L421" }, { "kind": "interface", 
@@ -187986,6 +188057,46 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "description": "A list of indices permissions for remote clusters.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "availability": { "stack": {} @@ -188091,7 +188202,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L31-L64" + "specLocation": "security/_types/RoleDescriptor.ts#L33-L79" }, { "kind": "interface", @@ -188153,6 +188264,46 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "description": "A list of indices permissions for remote clusters.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "availability": { "stack": {} 
@@ -188258,7 +188409,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L66-L98" + "specLocation": "security/_types/RoleDescriptor.ts#L81-L124" }, { "kind": "interface", @@ -188436,7 +188587,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L321-L322", + "specLocation": "security/_types/Privileges.ts#L357-L358", "type": { "kind": "union_of", "items": [ @@ -188479,7 +188630,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L289-L299" + "specLocation": "security/_types/Privileges.ts#L325-L335" }, { "kind": "interface", @@ -188567,7 +188718,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L301-L319" + "specLocation": "security/_types/Privileges.ts#L337-L355" }, { "kind": "interface", @@ -188634,7 +188785,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L387-L407" + "specLocation": "security/_types/Privileges.ts#L423-L443" }, { "kind": "enum", @@ -188848,7 +188999,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L255-L277" + "specLocation": "security/_types/Privileges.ts#L291-L313" }, { "kind": "interface", @@ -191843,8 +191994,8 @@ "value": { "kind": "instance_of", "type": { - "name": "string", - "namespace": "_builtins" + "name": "ClusterPrivilege", + "namespace": "security._types" } } } @@ -191862,6 +192013,20 @@ } } } + }, + { + "name": "remote_cluster", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivilege", + "namespace": "security._types" + } + } + } } ] }, @@ -191869,7 +192034,7 @@ "name": "Response", "namespace": "security.get_builtin_privileges" }, - "specLocation": "security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts#L22-L24" + "specLocation": "security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts#L26-L32" }, { "kind": "request", 
@@ -192039,8 +192204,8 @@ "value": { "kind": "instance_of", "type": { - "name": "string", - "namespace": "_builtins" + "name": "ClusterPrivilege", + "namespace": "security._types" } } } @@ -192059,6 +192224,44 @@ } } }, + { + "availability": { + "stack": { + "since": "8.14.0" + } + }, + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "name": "metadata", "required": true, @@ -192184,7 +192387,7 @@ } } ], - "specLocation": "security/get_role/types.ts#L29-L42" + "specLocation": "security/get_role/types.ts#L32-L53" }, { "kind": "request", @@ -194650,6 +194853,26 @@ } } }, + { + "availability": { + "stack": { + "since": "8.15.0" + } + }, + "description": "A list of remote cluster permissions entries.", + "name": "remote_cluster", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteClusterPrivileges", + "namespace": "security._types" + } + } + } + }, { "description": "Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.", "name": "metadata", @@ -194751,7 +194974,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L95" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L32-L102" }, { "kind": "response", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 4e1be9944d..beb214d697 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts 
@@ -17638,7 +17638,7 @@ export interface SecurityClusterNode { name: Name } -export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 'manage_search_application' | 'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_fleet_secrets' | 'read_ilm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string +export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 'manage_search_application' | 
'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_stats' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_fleet_secrets' | 'read_ilm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string export interface SecurityCreatedStatus { created: boolean @@ -17682,6 +17682,13 @@ export interface SecurityRealmInfo { type: string } +export type SecurityRemoteClusterPrivilege = 'monitor_enrich' | 'monitor_stats' + +export interface SecurityRemoteClusterPrivileges { + clusters: Names + privileges: SecurityRemoteClusterPrivilege[] +} + export interface SecurityRemoteIndicesPrivileges { clusters: Names field_security?: SecurityFieldSecurity @@ -17699,6 +17706,8 @@ export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] index?: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] global?: SecurityGlobalPrivilege[] | SecurityGlobalPrivilege applications?: SecurityApplicationPrivileges[] metadata?: Metadata @@ -17711,6 +17720,8 @@ export interface SecurityRoleDescriptorRead { cluster: SecurityClusterPrivilege[] indices: SecurityIndicesPrivileges[] index: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] global?: SecurityGlobalPrivilege[] | SecurityGlobalPrivilege applications?: SecurityApplicationPrivileges[] metadata?: Metadata 
@@ -18110,8 +18121,9 @@ export interface SecurityGetBuiltinPrivilegesRequest extends RequestBase { } export interface SecurityGetBuiltinPrivilegesResponse { - cluster: string[] + cluster: SecurityClusterPrivilege[] index: IndexName[] + remote_cluster: SecurityRemoteClusterPrivilege[] } export interface SecurityGetPrivilegesRequest extends RequestBase { @@ -18128,8 +18140,10 @@ export interface SecurityGetRoleRequest extends RequestBase { export type SecurityGetRoleResponse = Record export interface SecurityGetRoleRole { - cluster: string[] + cluster: SecurityClusterPrivilege[] indices: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] metadata: Metadata run_as: string[] transient_metadata?: Record @@ -18395,6 +18409,7 @@ export interface SecurityPutRoleRequest extends RequestBase { global?: Record indices?: SecurityIndicesPrivileges[] remote_indices?: SecurityRemoteIndicesPrivileges[] + remote_cluster?: SecurityRemoteClusterPrivileges[] metadata?: Metadata run_as?: string[] description?: string diff --git a/package.json b/package.json index 0d26b9a7ed..24cce74a45 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { "dependencies": { - "@stoplight/spectral-cli": "^6.13.1" + "@stoplight/spectral-cli": "^6.14.1" } } diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 14f2977557..d3d6c7c319 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts @@ -151,6 +151,10 @@ export enum ClusterPrivilege { * @availability stack */ monitor_snapshot, + /** + * @availability stack since=8.17.0 + */ + monitor_stats, /** * @availability stack */ 
@@ -194,6 +198,21 @@ export enum ClusterPrivilege {
 write_fleet_secrets
 }
 
+/**
+ * The subset of cluster level privileges that can be defined for remote clusters.
+ * @availability stack
+ */
+export enum RemoteClusterPrivilege {
+ /**
+ * @availability stack since=8.14.0
+ */
+ monitor_enrich,
+ /**
+ * @availability stack since=8.17.0
+ */
+ monitor_stats
+}
+
 // Keep in sync with RemoteIndicesPrivileges
 export class IndicesPrivileges {
 /**
@@ -221,6 +240,9 @@ export class IndicesPrivileges {
 allow_restricted_indices?: boolean
 }
 
+/**
+ * The subset of index level privileges that can be defined for remote clusters.
+ */
 // Keep in sync with IndicesPrivileges
 export class RemoteIndicesPrivileges {
 /**
@@ -252,6 +274,20 @@ export class RemoteIndicesPrivileges {
 allow_restricted_indices?: boolean
 }
 
+/**
+ * The subset of cluster level privileges that can be defined for remote clusters.
+ */
+export class RemoteClusterPrivileges {
+ /**
+ * A list of cluster aliases to which the permissions in this entry apply.
+ */
+ clusters: Names
+ /**
+ * The cluster level privileges that owners of the role have on the remote cluster.
+ */
+ privileges: RemoteClusterPrivilege[]
+}
+
 export class UserIndicesPrivileges {
 /**
 * The document fields that the owners of the role have read access to.
diff --git a/specification/security/_types/RoleDescriptor.ts b/specification/security/_types/RoleDescriptor.ts
index 6c8130860b..ad8afe33a5 100644
--- a/specification/security/_types/RoleDescriptor.ts
+++ b/specification/security/_types/RoleDescriptor.ts
@@ -25,7 +25,9 @@ import {
 ApplicationPrivileges,
 ClusterPrivilege,
 GlobalPrivilege,
- IndicesPrivileges
+ IndicesPrivileges,
+ RemoteClusterPrivileges,
+ RemoteIndicesPrivileges
 } from './Privileges'
 
 export class RoleDescriptor {
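Review bot: The new `RemoteClusterPrivilege` enum is a closed set, while the generated `SecurityClusterPrivilege` union in output/typescript/types.ts earlier in this patch ends in `| string`, which suggests `ClusterPrivilege` is declared non-exhaustive; if the remote set is expected to grow (its two members already carry different `since` versions), the enum should either be marked the same way (the specification's `@non_exhaustive` tag) or its doc should state that the set is deliberately closed. The enum-level `@availability stack` also carries no `since`, although its first member is 8.14.0 and the `remote_cluster` fields that consume it are 8.15.0, so the version should be stated on the enum to keep the generated docs from implying it existed earlier. The third hunk in this file reuses the enum's sentence verbatim as the `RemoteClusterPrivileges` doc; a doc such as `/** An entry binding a set of remote cluster aliases to the cluster level privileges granted on them. */` would keep the two symbols apart in generated documentation.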
@@ -38,6 +40,19 @@ export class RoleDescriptor {
 * @aliases index
 */
 indices?: IndicesPrivileges[]
+
+ /**
+ * A list of indices permissions for remote clusters.
+ * @availability stack since=8.14.0
+ */
+ remote_indices?: RemoteIndicesPrivileges[]
+
+ /**
+ * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
+ * @availability stack since=8.15.0
+ */
+ remote_cluster?: RemoteClusterPrivileges[]
+
 /**
 * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
 * @availability stack
@@ -73,6 +88,17 @@ export class RoleDescriptorRead implements OverloadOf {
 * @aliases index
 */
 indices: IndicesPrivileges[]
+ /**
+ * A list of indices permissions for remote clusters.
+ * @availability stack since=8.14.0
+ */
+ remote_indices?: RemoteIndicesPrivileges[]
+
+ /**
+ * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
+ * @availability stack since=8.15.0
+ */
+ remote_cluster?: RemoteClusterPrivileges[]
 /**
 * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
 */
diff --git a/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts b/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts
index eaf9009d13..a1f81e913e 100644
--- a/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts
+++ b/specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts
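Review bot: The `remote_cluster` doc in both hunks reads `Note - this is limited a subset of the cluster permissions.`, which drops a word; `Note - this is limited to a subset of the cluster permissions.` reads correctly, and it could name the subset by pointing at the `RemoteClusterPrivilege` enum so readers of the generated docs know where to look. The same sentence is carried into output/schema/schema.json earlier in this patch, so the schema should be regenerated after the fix. Layout also differs between the two hunks: `RoleDescriptor` separates the new fields from `indices` and from `global` with blank lines, while `RoleDescriptorRead` separates neither; pick one. Both classes continue outside their hunks.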
@@ -17,8 +17,16 @@ * under the License. */ +import { + ClusterPrivilege, + RemoteClusterPrivilege +} from '@security/_types/Privileges' import { IndexName } from '@_types/common' export class Response { - body: { cluster: string[]; index: IndexName[] } + body: { + cluster: ClusterPrivilege[] + index: IndexName[] + remote_cluster: RemoteClusterPrivilege[] + } } diff --git a/specification/security/get_role/types.ts b/specification/security/get_role/types.ts index 1ba672b074..122b993380 100644 --- a/specification/security/get_role/types.ts +++ b/specification/security/get_role/types.ts @@ -19,7 +19,10 @@ import { ApplicationPrivileges, - IndicesPrivileges + ClusterPrivilege, + IndicesPrivileges, + RemoteClusterPrivileges, + RemoteIndicesPrivileges } from '@security/_types/Privileges' import { RoleTemplate } from '@security/_types/RoleTemplate' import { Dictionary } from '@spec_utils/Dictionary' @@ -27,8 +30,16 @@ import { UserDefinedValue } from '@spec_utils/UserDefinedValue' import { Metadata } from '@_types/common' export class Role { - cluster: string[] + cluster: ClusterPrivilege[] indices: IndicesPrivileges[] + /** + * @availability stack since=8.14.0 + */ + remote_indices?: RemoteIndicesPrivileges[] + /** + * @availability stack since=8.15.0 + */ + remote_cluster?: RemoteClusterPrivileges[] metadata: Metadata run_as: string[] transient_metadata?: Dictionary diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts index e8ada073d5..00726f27b8 100644 --- a/specification/security/put_role/SecurityPutRoleRequest.ts +++ b/specification/security/put_role/SecurityPutRoleRequest.ts @@ -21,6 +21,7 @@ import { ApplicationPrivileges, ClusterPrivilege, IndicesPrivileges, + RemoteClusterPrivileges, RemoteIndicesPrivileges } from '@security/_types/Privileges' import { Dictionary } from '@spec_utils/Dictionary' 
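Review bot: `remote_cluster: RemoteClusterPrivilege[]` in the `Response` body is declared required but carries no `@availability stack since=8.15.0` tag, unlike every other `remote_cluster` field in this patch; if a cluster older than that does not return the key, strictly typed generated clients would treat a valid response as malformed. Either mark the field optional (`remote_cluster?: RemoteClusterPrivilege[]`) or add the `@availability` tag on it, whichever the spec convention is for version-gated response fields. The body fields also have no descriptions; a one-line doc per field would record what `cluster` now being typed as `ClusterPrivilege[]` rather than `string[]` means for consumers.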
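Review bot: The new `remote_indices` and `remote_cluster` fields on `Role` in get_role/types.ts carry only `@availability` tags and no description, whereas the matching fields on `RoleDescriptor` and `RoleDescriptorRead` in this same patch are described; copying those descriptions (`A list of indices permissions for remote clusters.` and `A list of cluster permissions for remote clusters.`, with the subset caveat) keeps the get-role docs aligned with the role descriptor docs. If the two shapes are meant to stay identical, a `// Keep in sync with RoleDescriptorRead` comment, as Privileges.ts already does for the indices pair, would make that expectation explicit. `Role` continues past the end of the hunk.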
@@ -74,6 +75,12 @@ export interface Request extends RequestBase {
 *
 */
 remote_indices?: RemoteIndicesPrivileges[]
+ /**
+ * A list of remote cluster permissions entries.
+ * @availability stack since=8.15.0
+ *
+ */
+ remote_cluster?: RemoteClusterPrivileges[]
 /**
 * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.
 */
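Review bot: The new `remote_cluster` doc on `Request` ends with an empty ` *` line before `*/`, copied from the `remote_indices` block above it, and its description omits the caveat stated everywhere else in this patch that only a subset of cluster privileges is accepted here. Since put_role is where these grants are created, the doc should say what a caller needs to know: the accepted values are the members of `RemoteClusterPrivilege`, and each entry applies to every alias listed in its `clusters` field, which is what a reviewer checking a role for least privilege will look at. Something like `A list of remote cluster permissions entries. Each entry grants a subset of cluster privileges (see RemoteClusterPrivilege) on the aliases it lists.` plus the `@availability` tag covers it. `Request` continues outside the hunk.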