From 3628298ca01d4f2d3dfd6d0dfc85d158272f6363 Mon Sep 17 00:00:00 2001 From: Quentin Pradet Date: Fri, 22 Nov 2024 14:14:56 +0400 Subject: [PATCH] Fix security.get_api_key and security.query_api_keys APIs (#3146) * Fix security.get_api_key API * Use specific APIKey type for authenticate API This allows remove a number of optional fields from APIKey itself. * Use more EpochTime (cherry picked from commit 986d9dba35768389938eb9801846668682138734) --- output/openapi/elasticsearch-openapi.json | 224 ++++--- .../elasticsearch-serverless-openapi.json | 221 +++++-- output/schema/schema-serverless.json | 617 +++++++++++++----- output/schema/schema.json | 206 ++++-- output/typescript/types.ts | 26 +- specification/security/_types/ApiKey.ts | 72 +- .../SecurityAuthenticateResponse.ts | 10 +- 7 files changed, 987 insertions(+), 389 deletions(-) diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index 71beffbd86..848ee00289 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -27100,7 +27100,7 @@ "type": "object", "properties": { "api_key": { - "$ref": "#/components/schemas/security._types:ApiKey" + "$ref": "#/components/schemas/security.authenticate:AuthenticateApiKey" }, "authentication_realm": { "$ref": "#/components/schemas/security._types:RealmInfo" @@ -81780,69 +81780,67 @@ "username" ] }, - "security._types:ApiKey": { + "security.authenticate:AuthenticateApiKey": { "type": "object", "properties": { - "creation": { - "description": "Creation time for the API key in milliseconds.", - "type": "number" - }, - "expiration": { - "description": "Expiration time for the API key in milliseconds.", - "type": "number" - }, "id": { "$ref": "#/components/schemas/_types:Id" }, - "invalidated": { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "type": "boolean" - }, + "name": { + "$ref": "#/components/schemas/_types:Name" + } + }, + "required": [ + "id" + ] + }, + "security._types:RealmInfo": { + "type": "object", + "properties": { "name": { "$ref": "#/components/schemas/_types:Name" }, - "realm": { - "description": "Realm name of the principal for which this API key was created.", - "type": "string" - }, - "realm_type": { - "description": "Realm type of the principal for which this API key was created", + "type": { "type": "string" + } + }, + "required": [ + "name", + "type" + ] + }, + "security.authenticate:Token": { + "type": "object", + "properties": { + "name": { + "$ref": "#/components/schemas/_types:Name" }, - "username": { - "$ref": "#/components/schemas/_types:Username" - }, - "profile_uid": { - "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": { "type": "string" + } + }, + "required": [ + "name" + ] + }, + "security._types:BulkError": { + "type": "object", + "properties": { + "count": { + "description": "The number of errors", + "type": "number" }, - "metadata": { - "$ref": "#/components/schemas/_types:Metadata" - }, - "role_descriptors": { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "details": { + "description": "Details about the errors, keyed by role name", "type": "object", "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - }, - "limited_by": { - "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } + "$ref": "#/components/schemas/_types:ErrorCause" } - }, - "_sort": { - "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ - "id", - "name" + "count", + "details" ] }, "security._types:RoleDescriptor": { @@ -82298,55 +82296,6 @@ } ] }, - "security._types:RealmInfo": { - "type": "object", - "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" - }, - "type": { - "type": "string" - } - }, - "required": [ - "name", - "type" - ] - }, - "security.authenticate:Token": { - "type": "object", - "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" - }, - "type": { - "type": "string" - } - }, - "required": [ - "name" - ] - }, - "security._types:BulkError": { - "type": "object", - "properties": { - "count": { - "description": "The number of errors", - "type": "number" - }, - "details": { - "description": "Details about the errors, keyed by role name", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/_types:ErrorCause" - } - } - }, - "required": [ - "count", - "details" - ] - }, "security._types:ClusterNode": { "type": "object", "properties": { @@ -82482,6 +82431,91 @@ "value" ] }, + "security._types:ApiKey": { + "type": "object", + "properties": { + "id": { + "$ref": "#/components/schemas/_types:Id" + }, + "name": { + "$ref": "#/components/schemas/_types:Name" + }, + "type": { + "$ref": "#/components/schemas/security._types:ApiKeyType" + }, + "creation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "expiration": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "invalidated": { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "type": "boolean" + }, + "invalidation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "username": { + "$ref": "#/components/schemas/_types:Username" + }, + "realm": { + "description": "Realm name of the principal for which this API key was created.", + "type": "string" + }, + "realm_type": { + "description": "Realm type of the principal for which this API key was created", + "type": "string" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "role_descriptors": { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + }, + "limited_by": { + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + } + }, + "access": { + "$ref": "#/components/schemas/security._types:Access" + }, + "profile_uid": { + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": "string" + }, + "_sort": { + "$ref": "#/components/schemas/_types:SortResults" + } + }, + "required": [ + "id", + "name", + "type", + "creation", + "invalidated", + "username", + "realm", + "metadata" + ] + }, + "security._types:ApiKeyType": { + "type": "string", + "enum": [ + "rest", + "cross_cluster" + ] + }, "security.put_privileges:Actions": { "type": "object", "properties": { diff --git a/output/openapi/elasticsearch-serverless-openapi.json b/output/openapi/elasticsearch-serverless-openapi.json index 88abdf2c96..7d27be1485 100644 --- a/output/openapi/elasticsearch-serverless-openapi.json +++ b/output/openapi/elasticsearch-serverless-openapi.json @@ -16932,7 +16932,7 @@ "type": "object", "properties": { "api_key": { - "$ref": "#/components/schemas/security._types:ApiKey" + "$ref": "#/components/schemas/security.authenticate:AuthenticateApiKey" }, "authentication_realm": { "$ref": "#/components/schemas/security._types:RealmInfo" @@ -53782,68 +53782,46 @@ "_types:MapboxVectorTiles": { "type": "object" }, - "security._types:ApiKey": { + "security.authenticate:AuthenticateApiKey": { "type": "object", "properties": { - "creation": { - "description": "Creation time for the API key in milliseconds.", - "type": "number" - }, - "expiration": { - "description": "Expiration time for the API key in milliseconds.", - "type": "number" - }, "id": { "$ref": "#/components/schemas/_types:Id" }, - "invalidated": { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "type": "boolean" - }, + "name": { + "$ref": "#/components/schemas/_types:Name" + } + }, + "required": [ + "id" + ] + }, + "security._types:RealmInfo": { + "type": "object", + "properties": { "name": { "$ref": "#/components/schemas/_types:Name" }, - "realm": { - "description": "Realm name of the principal for which this API key was created.", - "type": "string" - }, - "realm_type": { - "description": "Realm type of the principal for which this API key was created", + "type": { "type": "string" + } + }, + "required": [ + "name", + "type" + ] + }, + "security.authenticate:Token": { + "type": "object", + "properties": { + "name": { + "$ref": "#/components/schemas/_types:Name" }, - "username": { - "$ref": "#/components/schemas/_types:Username" - }, - "profile_uid": { - "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": { "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/_types:Metadata" - }, - "role_descriptors": { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - }, - "limited_by": { - "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "type": "array", - "items": { - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/security._types:RoleDescriptor" - } - } - }, - "_sort": { - "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ - "id", "name" ] }, @@ -54124,33 +54102,162 @@ } ] }, - "security._types:RealmInfo": { + "security._types:ApiKey": { "type": "object", "properties": { + "id": { + "$ref": "#/components/schemas/_types:Id" + }, "name": { "$ref": "#/components/schemas/_types:Name" }, "type": { + "$ref": "#/components/schemas/security._types:ApiKeyType" + }, + "creation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "expiration": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "invalidated": { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "type": "boolean" + }, + "invalidation": { + "$ref": "#/components/schemas/_types:EpochTimeUnitMillis" + }, + "username": { + "$ref": "#/components/schemas/_types:Username" + }, + "realm": { + "description": "Realm name of the principal for which this API key was created.", + "type": "string" + }, + "realm_type": { + "description": "Realm type of the principal for which this API key was created", "type": "string" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "role_descriptors": { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + }, + "limited_by": { + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "type": "array", + "items": { + "type": "object", + "additionalProperties": { + "$ref": "#/components/schemas/security._types:RoleDescriptor" + } + } + }, + "access": { + "$ref": "#/components/schemas/security._types:Access" + }, + "profile_uid": { + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "type": "string" + }, + "_sort": { + "$ref": "#/components/schemas/_types:SortResults" } }, "required": [ + "id", "name", - "type" + "type", + "creation", + "invalidated", + "username", + "realm", + "metadata" ] }, - "security.authenticate:Token": { + "security._types:ApiKeyType": { + "type": "string", + "enum": [ + "rest", + "cross_cluster" + ] + }, + "security._types:Access": { "type": "object", "properties": { - "name": { - "$ref": "#/components/schemas/_types:Name" + "replication": { + "description": "A list of indices permission entries for cross-cluster replication.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:ReplicationAccess" + } }, - "type": { - "type": "string" + "search": { + "description": "A list of indices permission entries for cross-cluster search.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:SearchAccess" + } + } + } + }, + "security._types:ReplicationAccess": { + "type": "object", + "properties": { + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "oneOf": [ + { + "$ref": "#/components/schemas/_types:IndexName" + }, + { + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + } + ] + }, + "allow_restricted_indices": { + "description": "This needs to be set to true if the patterns in the names field should cover system indices.", + "type": "boolean" } }, "required": [ - "name" + "names" + ] + }, + "security._types:SearchAccess": { + "type": "object", + "properties": { + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "oneOf": [ + { + "$ref": "#/components/schemas/_types:IndexName" + }, + { + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + } + ] + }, + "query": { + "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" + } + }, + "required": [ + "names" ] }, "security.has_privileges:ApplicationPrivilegesCheck": { diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index 0bb1a69210..0a5e5d07d6 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json @@ -39092,8 +39092,8 @@ "type": { "kind": "instance_of", "type": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" } } }, @@ -39247,7 +39247,7 @@ "name": "Response", "namespace": "security.authenticate" }, - "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L25-L43" + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L24-L42" }, { "attachedBehaviors": [ @@ -102978,6 +102978,22 @@ }, "specLocation": "searchable_snapshots/_types/stats.ts#L20-L24" }, + { + "kind": "enum", + "members": [ + { + "name": "rest" + }, + { + "name": "cross_cluster" + } + ], + "name": { + "name": "ApiKeyType", + "namespace": "security._types" + }, + "specLocation": "security/_types/ApiKey.ts#L116-L119" + }, { "isOpen": true, "kind": "enum", @@ -139809,36 +139825,11 @@ { "kind": "interface", "name": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" }, "properties": [ { - "description": "Creation time for the API key in milliseconds.", - "name": "creation", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "long", - "namespace": "_types" - } - } - }, - { - "description": "Expiration time for the API key in milliseconds.", - "name": "expiration", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "long", - "namespace": "_types" - } - } - }, - { - "description": "Id for the API key", "name": "id", "required": true, "type": { @@ -139850,19 +139841,27 @@ } }, { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "name": "invalidated", + "name": "name", "required": false, "type": { "kind": "instance_of", "type": { - "name": "boolean", - "namespace": "_builtins" + "name": "Name", + "namespace": "_types" } } - }, + } + ], + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L44-L47" + }, + { + "kind": "interface", + "name": { + "name": "RealmInfo", + "namespace": "security._types" + }, + "properties": [ { - "description": "Name of the API key.", "name": "name", "required": true, "type": { @@ -139874,27 +139873,8 @@ } }, { - "description": "Realm name of the principal for which this API key was created.", - "name": "realm", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "8.14.0" - } - }, - "description": "Realm type of the principal for which this API key was created", - "name": "realm_type", - "required": false, + "name": "type", + "required": true, "type": { "kind": "instance_of", "type": { @@ -139902,15 +139882,24 @@ "namespace": "_builtins" } } - }, + } + ], + "specLocation": "security/_types/RealmInfo.ts#L22-L25" + }, + { + "kind": "interface", + "name": { + "name": "Token", + "namespace": "security.authenticate" + }, + "properties": [ { - "description": "Principal for which this API key was created", - "name": "username", - "required": false, + "name": "name", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "Username", + "name": "Name", "namespace": "_types" } } @@ -139919,11 +139908,10 @@ "availability": { "serverless": {}, "stack": { - "since": "8.14.0" + "since": "7.14.0" } }, - "description": "The profile uid for the API key owner principal, if requested and if it exists", - "name": "profile_uid", + "name": "type", "required": false, "type": { "kind": "instance_of", @@ -139932,93 +139920,9 @@ "namespace": "_builtins" } } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "7.13.0" - } - }, - "description": "Metadata of the API key", - "name": "metadata", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "Metadata", - "namespace": "_types" - } - } - }, - { - "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", - "name": "role_descriptors", - "required": false, - "type": { - "key": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - }, - "kind": "dictionary_of", - "singleKey": false, - "value": { - "kind": "instance_of", - "type": { - "name": "RoleDescriptor", - "namespace": "security._types" - } - } - } - }, - { - "availability": { - "serverless": {}, - "stack": { - "since": "8.5.0" - } - }, - "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", - "name": "limited_by", - "required": false, - "type": { - "kind": "array_of", - "value": { - "key": { - "kind": "instance_of", - "type": { - "name": "string", - "namespace": "_builtins" - } - }, - "kind": "dictionary_of", - "singleKey": false, - "value": { - "kind": "instance_of", - "type": { - "name": "RoleDescriptor", - "namespace": "security._types" - } - } - } - } - }, - { - "name": "_sort", - "required": false, - "type": { - "kind": "instance_of", - "type": { - "name": "SortResults", - "namespace": "_types" - } - } } ], - "specLocation": "security/_types/ApiKey.ts#L26-L88" + "specLocation": "security/authenticate/types.ts#L22-L29" }, { "kind": "interface", @@ -140338,11 +140242,24 @@ { "kind": "interface", "name": { - "name": "RealmInfo", + "name": "ApiKey", "namespace": "security._types" }, "properties": [ { + "description": "Id for the API key", + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + "namespace": "_types" + } + } + }, + { + "description": "Name of the API key.", "name": "name", "required": true, "type": { @@ -140354,8 +140271,120 @@ } }, { + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The type of the API key (e.g. `rest` or `cross_cluster`).", "name": "type", "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "ApiKeyType", + "namespace": "security._types" + } + } + }, + { + "description": "Creation time for the API key in milliseconds.", + "name": "creation", + "required": true, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Expiration time for the API key in milliseconds.", + "name": "expiration", + "required": false, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "name": "invalidated", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.12.0" + } + }, + "description": "If the key has been invalidated, invalidation time in milliseconds.", + "name": "invalidation", + "required": false, + "type": { + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "kind": "instance_of", + "type": { + "name": "EpochTime", + "namespace": "_types" + } + } + }, + { + "description": "Principal for which this API key was created", + "name": "username", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Username", + "namespace": "_types" + } + } + }, + { + "description": "Realm name of the principal for which this API key was created.", + "name": "realm", + "required": true, "type": { "kind": "instance_of", "type": { @@ -140363,36 +140392,125 @@ "namespace": "_builtins" } } - } - ], - "specLocation": "security/_types/RealmInfo.ts#L22-L25" - }, - { - "kind": "interface", - "name": { - "name": "Token", - "namespace": "security.authenticate" - }, - "properties": [ + }, { - "name": "name", + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "Realm type of the principal for which this API key was created", + "name": "realm_type", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "7.13.0" + } + }, + "description": "Metadata of the API key", + "name": "metadata", "required": true, "type": { "kind": "instance_of", "type": { - "name": "Name", + "name": "Metadata", "namespace": "_types" } } }, + { + "description": "The role descriptors assigned to this API key when it was created or last updated.\nAn empty role descriptor means the API key inherits the owner user’s permissions.", + "name": "role_descriptors", + "required": false, + "type": { + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "kind": "dictionary_of", + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "RoleDescriptor", + "namespace": "security._types" + } + } + } + }, { "availability": { "serverless": {}, "stack": { - "since": "7.14.0" + "since": "8.5.0" } }, - "name": "type", + "description": "The owner user’s permissions associated with the API key.\nIt is a point-in-time snapshot captured at creation and subsequent updates.\nAn API key’s effective permissions are an intersection of its assigned privileges and the owner user’s permissions.", + "name": "limited_by", + "required": false, + "type": { + "kind": "array_of", + "value": { + "key": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + }, + "kind": "dictionary_of", + "singleKey": false, + "value": { + "kind": "instance_of", + "type": { + "name": "RoleDescriptor", + "namespace": "security._types" + } + } + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The access granted to cross-cluster API keys.\nThe access is composed of permissions for cross cluster search and cross cluster replication.\nAt least one of them must be specified.\nWhen specified, the new access assignment fully replaces the previously assigned access.", + "name": "access", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "name": "profile_uid", "required": false, "type": { "kind": "instance_of", @@ -140401,9 +140519,174 @@ "namespace": "_builtins" } } + }, + { + "description": "Sorting values when using the `sort` parameter with the `security.query_api_keys` API.", + "name": "_sort", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "SortResults", + "namespace": "_types" + } + } + } + ], + "specLocation": "security/_types/ApiKey.ts#L28-L114" + }, + { + "kind": "interface", + "name": { + "name": "Access", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of indices permission entries for cross-cluster replication.", + "name": "replication", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "ReplicationAccess", + "namespace": "security._types" + } + } + } + }, + { + "description": "A list of indices permission entries for cross-cluster search.", + "name": "search", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "SearchAccess", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/Access.ts#L22-L31" + }, + { + "kind": "interface", + "name": { + "name": "ReplicationAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "items": [ + { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + }, + { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + } + } + ], + "kind": "union_of" + } + }, + { + "description": "This needs to be set to true if the patterns in the names field should cover system indices.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } } ], - "specLocation": "security/authenticate/types.ts#L22-L29" + "specLocation": "security/_types/Privileges.ts#L418-L428" + }, + { + "kind": "interface", + "name": { + "name": "SearchAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" + } + } + }, + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "items": [ + { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + }, + { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + } + } + ], + "kind": "union_of" + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L430-L450" }, { "kind": "interface", diff --git a/output/schema/schema.json b/output/schema/schema.json index db01a0a3c8..dbddf0e91c 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -186900,73 +186900,97 @@ }, "properties": [ { - "description": "Creation time for the API key in milliseconds.", - "name": "creation", - "required": false, + "description": "Id for the API key", + "name": "id", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "long", + "name": "Id", "namespace": "_types" } } }, { - "description": "Expiration time for the API key in milliseconds.", - "name": "expiration", - "required": false, + "description": "Name of the API key.", + "name": "name", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "long", + "name": "Name", "namespace": "_types" } } }, { - "description": "Id for the API key", - "name": "id", + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The type of the API key (e.g. `rest` or `cross_cluster`).", + "name": "type", "required": true, "type": { "kind": "instance_of", "type": { - "name": "Id", - "namespace": "_types" + "name": "ApiKeyType", + "namespace": "security._types" } } }, { - "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", - "name": "invalidated", - "required": false, + "description": "Creation time for the API key in milliseconds.", + "name": "creation", + "required": true, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "boolean", - "namespace": "_builtins" + "name": "EpochTime", + "namespace": "_types" } } }, { - "description": "Name of the API key.", - "name": "name", - "required": true, + "description": "Expiration time for the API key in milliseconds.", + "name": "expiration", + "required": false, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "Name", + "name": "EpochTime", "namespace": "_types" } } }, { - "description": "Realm name of the principal for which this API key was created.", - "name": "realm", - "required": false, + "description": "Invalidation status for the API key.\nIf the key has been invalidated, it has a value of `true`. Otherwise, it is `false`.", + "name": "invalidated", + "required": true, "type": { "kind": "instance_of", "type": { - "name": "string", + "name": "boolean", "namespace": "_builtins" } } @@ -186975,24 +186999,33 @@ "availability": { "serverless": {}, "stack": { - "since": "8.14.0" + "since": "8.12.0" } }, - "description": "Realm type of the principal for which this API key was created", - "name": "realm_type", + "description": "If the key has been invalidated, invalidation time in milliseconds.", + "name": "invalidation", "required": false, "type": { "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], "type": { - "name": "string", - "namespace": "_builtins" + "name": "EpochTime", + "namespace": "_types" } } }, { "description": "Principal for which this API key was created", "name": "username", - "required": false, + "required": true, "type": { "kind": "instance_of", "type": { @@ -187001,6 +187034,18 @@ } } }, + { + "description": "Realm name of the principal for which this API key was created.", + "name": "realm", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, { "availability": { "serverless": {}, @@ -187008,8 +187053,8 @@ "since": "8.14.0" } }, - "description": "The profile uid for the API key owner principal, if requested and if it exists", - "name": "profile_uid", + "description": "Realm type of the principal for which this API key was created", + "name": "realm_type", "required": false, "type": { "kind": "instance_of", @@ -187028,7 +187073,7 @@ }, "description": "Metadata of the API key", "name": "metadata", - "required": false, + "required": true, "type": { "kind": "instance_of", "type": { @@ -187093,6 +187138,43 @@ } }, { + "availability": { + "serverless": {}, + "stack": { + "since": "8.10.0" + } + }, + "description": "The access granted to cross-cluster API keys.\nThe access is composed of permissions for cross cluster search and cross cluster replication.\nAt least one of them must be specified.\nWhen specified, the new access assignment fully replaces the previously assigned access.", + "name": "access", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "availability": { + "serverless": {}, + "stack": { + "since": "8.14.0" + } + }, + "description": "The profile uid for the API key owner principal, if requested and if it exists", + "name": "profile_uid", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Sorting values when using the `sort` parameter with the `security.query_api_keys` API.", "name": "_sort", "required": false, "type": { @@ -187104,7 +187186,23 @@ } } ], - "specLocation": "security/_types/ApiKey.ts#L26-L88" + "specLocation": "security/_types/ApiKey.ts#L28-L114" + }, + { + "kind": "enum", + "members": [ + { + "name": "rest" + }, + { + "name": "cross_cluster" + } + ], + "name": { + "name": "ApiKeyType", + "namespace": "security._types" + }, + "specLocation": "security/_types/ApiKey.ts#L116-L119" }, { "kind": "interface", @@ -189600,6 +189698,38 @@ }, "specLocation": "security/activate_user_profile/Response.ts#L22-L24" }, + { + "kind": "interface", + "name": { + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" + }, + "properties": [ + { + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + "namespace": "_types" + } + } + }, + { + "name": "name", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Name", + "namespace": "_types" + } + } + } + ], + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L44-L47" + }, { "kind": "request", "attachedBehaviors": [ @@ -189634,8 +189764,8 @@ "type": { "kind": "instance_of", "type": { - "name": "ApiKey", - "namespace": "security._types" + "name": "AuthenticateApiKey", + "namespace": "security.authenticate" } } }, @@ -189788,7 +189918,7 @@ "name": "Response", "namespace": "security.authenticate" }, - "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L25-L43" + "specLocation": "security/authenticate/SecurityAuthenticateResponse.ts#L24-L42" }, { "kind": "interface", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 9e846a1c8d..4948d3096f 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17608,21 +17608,26 @@ export interface SecurityAccess { } export interface SecurityApiKey { - creation?: long - expiration?: long id: Id - invalidated?: boolean name: Name - realm?: string + type: SecurityApiKeyType + creation: EpochTime + expiration?: EpochTime + invalidated: boolean + invalidation?: EpochTime + username: Username + realm: string realm_type?: string - username?: Username - profile_uid?: string - metadata?: Metadata + metadata: Metadata role_descriptors?: Record limited_by?: Record[] + access?: SecurityAccess + profile_uid?: string _sort?: SortResults } +export type SecurityApiKeyType = 'rest' | 'cross_cluster' + export interface SecurityApplicationGlobalUserPrivileges { manage: SecurityManageUserPrivileges } @@ -17844,11 +17849,16 @@ export interface SecurityActivateUserProfileRequest extends RequestBase { export type SecurityActivateUserProfileResponse = SecurityUserProfileWithMetadata +export interface SecurityAuthenticateAuthenticateApiKey { + id: Id + name?: Name +} + export interface SecurityAuthenticateRequest extends RequestBase { } export interface SecurityAuthenticateResponse { - api_key?: SecurityApiKey + api_key?: SecurityAuthenticateAuthenticateApiKey authentication_realm: SecurityRealmInfo email?: string | null full_name?: Name | null diff --git a/specification/security/_types/ApiKey.ts b/specification/security/_types/ApiKey.ts index 9d7135c25b..d5ea6b9798 100644 --- a/specification/security/_types/ApiKey.ts +++ b/specification/security/_types/ApiKey.ts @@ -19,58 +19,65 @@ import { Dictionary } from '@spec_utils/Dictionary' import { Id, Metadata, Name, Username } from '@_types/common' -import { long } from '@_types/Numeric' import { SortResults } from '@_types/sort' +import { EpochTime, UnitMillis } from '@_types/Time' +import { Access } from './Access' import { RoleDescriptor } from './RoleDescriptor' export class ApiKey { /** - * Creation time for the API key in milliseconds. + * Id for the API key */ - creation?: long + id: Id /** - * Expiration time for the API key in milliseconds. + * Name of the API key. */ - expiration?: long + name: Name /** - * Id for the API key + * The type of the API key (e.g. `rest` or `cross_cluster`). + * @availability stack since=8.10.0 + * @availability serverless */ - id: Id + type: ApiKeyType /** - * Invalidation status for the API key. - * If the key has been invalidated, it has a value of `true`. Otherwise, it is `false`. + * Creation time for the API key in milliseconds. */ - invalidated?: boolean + creation: EpochTime /** - * Name of the API key. + * Expiration time for the API key in milliseconds. */ - name: Name + expiration?: EpochTime /** - * Realm name of the principal for which this API key was created. + * Invalidation status for the API key. + * If the key has been invalidated, it has a value of `true`. Otherwise, it is `false`. */ - realm?: string + invalidated: boolean /** - * Realm type of the principal for which this API key was created - * @availability stack since=8.14.0 + * If the key has been invalidated, invalidation time in milliseconds. + * @availability stack since=8.12.0 * @availability serverless */ - realm_type?: string + invalidation?: EpochTime /** * Principal for which this API key was created */ - username?: Username + username: Username /** - * The profile uid for the API key owner principal, if requested and if it exists + * Realm name of the principal for which this API key was created. + */ + realm: string + /** + * Realm type of the principal for which this API key was created * @availability stack since=8.14.0 * @availability serverless */ - profile_uid?: string + realm_type?: string /** * Metadata of the API key * @availability stack since=7.13.0 * @availability serverless */ - metadata?: Metadata + metadata: Metadata /** * The role descriptors assigned to this API key when it was created or last updated. * An empty role descriptor means the API key inherits the owner user’s permissions. @@ -84,5 +91,28 @@ export class ApiKey { * @availability serverless */ limited_by?: Array> + /** + * The access granted to cross-cluster API keys. + * The access is composed of permissions for cross cluster search and cross cluster replication. + * At least one of them must be specified. + * When specified, the new access assignment fully replaces the previously assigned access. + * @availability stack since=8.10.0 + * @availability serverless + */ + access?: Access + /** + * The profile uid for the API key owner principal, if requested and if it exists + * @availability stack since=8.14.0 + * @availability serverless + */ + profile_uid?: string + /** + * Sorting values when using the `sort` parameter with the `security.query_api_keys` API. + */ _sort?: SortResults } + +export enum ApiKeyType { + rest, + cross_cluster +} diff --git a/specification/security/authenticate/SecurityAuthenticateResponse.ts b/specification/security/authenticate/SecurityAuthenticateResponse.ts index a6716f45c9..75bfb082b8 100644 --- a/specification/security/authenticate/SecurityAuthenticateResponse.ts +++ b/specification/security/authenticate/SecurityAuthenticateResponse.ts @@ -17,14 +17,13 @@ * under the License. */ -import { ApiKey } from '@security/_types/ApiKey' import { RealmInfo } from '@security/_types/RealmInfo' -import { Metadata, Name, Username } from '@_types/common' +import { Id, Metadata, Name, Username } from '@_types/common' import { Token } from './types' export class Response { body: { - api_key?: ApiKey + api_key?: AuthenticateApiKey authentication_realm: RealmInfo email?: string | null full_name?: Name | null @@ -41,3 +40,8 @@ export class Response { token?: Token } } + +export class AuthenticateApiKey { + id: Id + name?: Name +}