Add restriction to RoleDescriptor #3142

pquentin · 2024-11-18T13:17:48Z

This allows representing the following YAML test:

// Test file: /test/platinum/entsearch/search/56_search_application_search_with_apikey.yml
// Test name: Query Search Application with API key

import { expectAssignable } from 'tsd'
import * as T from '../types'

expectAssignable<T.SecurityCreateApiKeyRequest>({
  "body": {
    "name": "search-application-1-api-key",
    "role_descriptors": {
      "role": {
        "index": [
          {
            "names": [
              "test-search-application-1"
            ],
            "privileges": [
              "read"
            ]
          }
        ],
        "restriction": {
          "workflows": [
            "search_application_query"
          ]
        }
      }
    }
  }
})

github-actions · 2024-11-18T13:20:44Z

Following you can find the validation results for the APIs you have changed.

API	Status	Request	Response
`security.activate_user_profile`	🟢	9/9	9/9
`security.authenticate`	🟢	30/30	30/30
`security.bulk_delete_role`	🟢	1/1	1/1
`security.bulk_put_role`	🟢	1/1	1/1
`security.bulk_update_api_keys`	🟠	Missing type	Missing type
`security.change_password`	🟢	9/9	9/9
`security.clear_api_key_cache`	🟢	13/13	13/13
`security.clear_cached_privileges`	🟢	3/3	3/3
`security.clear_cached_realms`	🟢	1/1	1/1
`security.clear_cached_roles`	🟢	2/2	2/2
`security.clear_cached_service_tokens`	🟢	4/4	4/4
`security.create_api_key`	🟢	68/68	59/59
`security.create_cross_cluster_api_key`	🟢	3/3	3/3
`security.create_service_token`	🟢	3/3	3/3
`security.delete_privileges`	🟢	6/6	6/6
`security.delete_role_mapping`	🟢	9/9	9/9
`security.delete_role`	🟢	8/8	8/8
`security.delete_service_token`	⚪	Missing test	Missing test
`security.delete_user`	🟢	9/9	9/9
`security.disable_user_profile`	🟢	1/1	1/1
`security.disable_user`	🟢	3/3	3/3
`security.enable_user_profile`	🟢	1/1	1/1
`security.enable_user`	🟢	4/4	4/4
`security.enroll_kibana`	⚪	Missing test	Missing test
`security.enroll_node`	⚪	Missing test	Missing test
`security.get_api_key`	🔴	38/38	15/38
`security.get_builtin_privileges`	🟢	1/1	1/1
`security.get_privileges`	🟢	12/12	12/12
`security.get_role_mapping`	🔴	18/18	10/18
`security.get_role`	🔴	24/24	22/24
`security.get_service_accounts`	⚪	Missing test	Missing test
`security.get_service_credentials`	🟢	1/1	1/1
`security.get_settings`	🟠	Missing type	Missing type
`security.get_token`	🟢	25/25	24/24
`security.get_user_privileges`	🔴	8/8	7/8
`security.get_user_profile`	🟢	8/8	8/8
`security.get_user`	🟢	25/25	25/25
`security.grant_api_key`	🟢	7/7	7/7
`security.has_privileges_user_profile`	🟢	3/3	3/3
`security.has_privileges`	🟢	24/24	24/24
`security.invalidate_api_key`	🟢	12/12	12/12
`security.invalidate_token`	🟢	11/11	11/11
`security.oidc_authenticate`	🟠	Missing type	Missing type
`security.oidc_logout`	🟠	Missing type	Missing type
`security.oidc_prepare_authentication`	🟠	Missing type	Missing type
`security.put_privileges`	🟢	10/10	10/10
`security.put_role_mapping`	🔴	2/11	11/11
`security.put_role`	🟢	39/39	38/38
`security.put_user`	🟢	48/48	47/47
`security.query_api_keys`	🔴	14/14	1/14
`security.query_role`	🟢	2/2	2/2
`security.query_user`	🟢	4/4	4/4
`security.saml_authenticate`	⚪	Missing test	Missing test
`security.saml_complete_logout`	⚪	Missing test	Missing test
`security.saml_invalidate`	⚪	Missing test	Missing test
`security.saml_logout`	⚪	Missing test	Missing test
`security.saml_prepare_authentication`	⚪	Missing test	Missing test
`security.saml_service_provider_metadata`	⚪	Missing test	Missing test
`security.suggest_user_profiles`	🟢	1/1	1/1
`security.update_api_key`	🟢	5/5	5/5
`security.update_cross_cluster_api_key`	🟢	2/2	2/2
`security.update_settings`	🟠	Missing type	Missing type
`security.update_user_profile_data`	🟢	1/1	1/1

You can validate these APIs yourself by using the make validate target.

jakelandis

LGTM

github-actions · 2024-11-19T07:42:49Z

The backport to 8.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-8.x 8.x
# Navigate to the new working tree
cd .worktrees/backport-8.x
# Create a new branch
git switch --create backport-3142-to-8.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 496e0b85f4e9550789ad8db8d33bc6daa00a7b89
# Push it to GitHub
git push --set-upstream origin backport-3142-to-8.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-8.x

Then, create a pull request where the base branch is 8.x and the compare/head branch is backport-3142-to-8.x.

(cherry picked from commit 496e0b8)

Add restriction to RoleDescriptor

922f26e

pquentin added the backport 8.x label Nov 18, 2024

pquentin requested review from flobernd, l-trotta and a team November 18, 2024 13:17

github-actions bot added the specification label Nov 18, 2024

jakelandis approved these changes Nov 18, 2024

View reviewed changes

pquentin merged commit 496e0b8 into main Nov 19, 2024
8 checks passed

pquentin deleted the security-role-restriction branch November 19, 2024 07:42

pquentin added a commit that referenced this pull request Nov 19, 2024

Add restriction to RoleDescriptor (#3142)

6fc99a3

(cherry picked from commit 496e0b8)

pquentin added a commit that referenced this pull request Nov 19, 2024

[8.x] Add restriction to RoleDescriptor (#3142) (#3147)

879785d

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add restriction to RoleDescriptor #3142

Add restriction to RoleDescriptor #3142

pquentin commented Nov 18, 2024

github-actions bot commented Nov 18, 2024

jakelandis left a comment

github-actions bot commented Nov 19, 2024

Add restriction to RoleDescriptor #3142

Add restriction to RoleDescriptor #3142

Conversation

pquentin commented Nov 18, 2024

github-actions bot commented Nov 18, 2024

jakelandis left a comment

Choose a reason for hiding this comment

github-actions bot commented Nov 19, 2024