From 3075fc7a36bb625e90dde0104492a24ba34d349b Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 23 Sep 2024 15:27:23 +0400
Subject: [PATCH] Add remote_indices to Create or update roles API (#2915) (#2922)
---
 output/openapi/elasticsearch-openapi.json | 40 ++++++
 output/schema/schema-serverless.json | 12 +-
 output/schema/schema.json | 128 ++++++++++++++++--
 output/typescript/types.ts | 10 ++
 specification/security/_types/Privileges.ts | 34 ++++-
 .../put_role/SecurityPutRoleRequest.ts | 9 +-
 6 files changed, 214 insertions(+), 19 deletions(-)
diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json
index 94b72ee596..cca6df89f2 100644
--- a/output/openapi/elasticsearch-openapi.json
+++ b/output/openapi/elasticsearch-openapi.json
@@ -84017,6 +84017,39 @@ "created" ] }, + "security._types:RemoteIndicesPrivileges": { + "type": "object", + "properties": { + "clusters": { + "$ref": "#/components/schemas/_types:Names" + }, + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "$ref": "#/components/schemas/_types:Indices" + }, + "privileges": { + "description": "The index level privileges that owners of the role have on the specified indices.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:IndexPrivilege" + } + }, + "query": { + "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" + }, + "allow_restricted_indices": { + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "type": "boolean" + } + }, + "required": [ + "clusters", + "names", + "privileges" + ] + }, "security.query_api_keys:ApiKeyAggregationContainer": { "allOf": [ { @@ -104837,6 +104870,13 @@ "$ref": "#/components/schemas/security._types:IndicesPrivileges" } }, + "remote_indices": { + "description": "A list of remote indices permissions entries.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RemoteIndicesPrivileges" + } + }, "metadata": { "$ref": "#/components/schemas/_types:Metadata" }, diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index 2ce52e936a..32e22f1b15 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json 
@@ -101691,7 +101691,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "codegenNames": [ @@ -101705,7 +101705,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "items": [ { @@ -101755,7 +101755,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -101843,7 +101843,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "codegenNames": [ @@ -101855,7 +101855,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "items": [ { @@ -137789,7 +137789,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "interface", diff --git a/output/schema/schema.json b/output/schema/schema.json index d91f05659c..2a906773f8 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -184266,7 +184266,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L340-L342" + "specLocation": "security/_types/Privileges.ts#L373-L375" }, { "kind": "interface", @@ -184783,7 +184783,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L336-L338" + "specLocation": "security/_types/Privileges.ts#L369-L371" }, { "kind": "enum", 
@@ -184896,7 +184896,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L292-L334" + "specLocation": "security/_types/Privileges.ts#L325-L367" }, { "kind": "interface", @@ -184975,7 +184975,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L197-L221" + "specLocation": "security/_types/Privileges.ts#L198-L222" }, { "kind": "type_alias", @@ -184989,7 +184989,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L247-L255", + "specLocation": "security/_types/Privileges.ts#L280-L288", "type": { "kind": "union_of", "items": [ @@ -185039,7 +185039,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L344-L346" + "specLocation": "security/_types/Privileges.ts#L377-L379" }, { "kind": "interface", 
@@ -185073,6 +185073,97 @@ ], "specLocation": "security/_types/RealmInfo.ts#L22-L25" }, + { + "kind": "interface", + "name": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of cluster aliases to which the permissions in this entry apply.", + "name": "clusters", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Names", + "namespace": "_types" + } + } + }, + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" + } + } + }, + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Indices", + "namespace": "_types" + } + } + }, + { + "description": "The index level privileges that owners of the role have on the specified indices.", + "name": "privileges", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexPrivilege", + "namespace": "security._types" + } + } + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. 
A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" + } + } + }, + { + "availability": { + "stack": {} + }, + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L226-L254" + }, { "kind": "interface", "name": { @@ -185563,7 +185654,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L289-L290", + "specLocation": "security/_types/Privileges.ts#L322-L323", "type": { "kind": "union_of", "items": [ @@ -185606,7 +185697,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L257-L267" + "specLocation": "security/_types/Privileges.ts#L290-L300" }, { "kind": "interface", @@ -185694,7 +185785,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L269-L287" + "specLocation": "security/_types/Privileges.ts#L302-L320" }, { "kind": "enum", @@ -185905,7 +185996,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L223-L245" + "specLocation": "security/_types/Privileges.ts#L256-L278" }, { "kind": "interface", 
@@ -191529,6 +191620,21 @@ } } }, + { + "description": "A list of remote indices permissions entries.", + "name": "remote_indices", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RemoteIndicesPrivileges", + "namespace": "security._types" + } + } + } + }, { "description": "Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.", "name": "metadata", @@ -191630,7 +191736,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L30-L84" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L31-L89" }, { "kind": "response", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index dc9647eabf..74a9140179 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17474,6 +17474,15 @@ export interface SecurityRealmInfo { type: string } +export interface SecurityRemoteIndicesPrivileges { + clusters: Names + field_security?: SecurityFieldSecurity + names: Indices + privileges: SecurityIndexPrivilege[] + query?: SecurityIndicesPrivilegesQuery + allow_restricted_indices?: boolean +} + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -18149,6 +18158,7 @@ export interface SecurityPutRoleRequest extends RequestBase { cluster?: SecurityClusterPrivilege[] global?: Record indices?: SecurityIndicesPrivileges[] + remote_indices?: SecurityRemoteIndicesPrivileges[] metadata?: Metadata run_as?: string[] description?: string diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 137bf81105..abfafbdef2 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts 
@@ -19,7 +19,7 @@ import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' -import { Id, Indices } from '@_types/common' +import { Id, Indices, Names } from '@_types/common' import { QueryContainer } from '@_types/query_dsl/abstractions' import { ScriptLanguage } from '@_types/Scripting' import { FieldSecurity } from './FieldSecurity' @@ -194,6 +194,7 @@ export enum ClusterPrivilege { write_fleet_secrets } +// Keep in sync with RemoteIndicesPrivileges export class IndicesPrivileges { /** * The document fields that the owners of the role have read access to. 
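Review bot: The `// Keep in sync with RemoteIndicesPrivileges` comment added above `IndicesPrivileges` in the `@@ -194,6 +194,7 @@` hunk, and its mirror above `RemoteIndicesPrivileges` in the `@@ -220,6 +221,37 @@` hunk, leaves two copies of a privilege shape to be kept identical by hand. If they drift, a field such as `query` or `field_security` could end up missing from the remote variant in generated clients, and a role author would have no typed way to apply that restriction to remote indices. If the spec compiler and the generators allow it, declaring the shared fields once would remove that risk, e.g. `export class RemoteIndicesPrivileges extends IndicesPrivileges {` with only `clusters: Names` in its body. The body of `IndicesPrivileges` continues outside this hunk.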
@@ -220,6 +221,37 @@ export class IndicesPrivileges { allow_restricted_indices?: boolean } +// Keep in sync with IndicesPrivileges +export class RemoteIndicesPrivileges { + /** + * A list of cluster aliases to which the permissions in this entry apply. + */ + clusters: Names + /** + * The document fields that the owners of the role have read access to. + * @doc_id field-and-document-access-control + */ + field_security?: FieldSecurity + /** + * A list of indices (or index name patterns) to which the permissions in this entry apply. + */ + names: Indices + /** + * The index level privileges that owners of the role have on the specified indices. + */ + privileges: IndexPrivilege[] + /** + * A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role. + */ + query?: IndicesPrivilegesQuery + /** + * Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`. + * @server_default false + * @availability stack + */ + allow_restricted_indices?: boolean +} + export class UserIndicesPrivileges { /** * The document fields that the owners of the role have read access to. diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts index af4e3d723b..bfe818361f 100644 --- a/specification/security/put_role/SecurityPutRoleRequest.ts +++ b/specification/security/put_role/SecurityPutRoleRequest.ts 
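Review bot: The doc comment on `clusters` in the new `RemoteIndicesPrivileges` class reads `A list of cluster aliases to which the permissions in this entry apply.`, which does not say that these are remote cluster aliases or whether an entry may be a pattern. This field decides on which clusters every privilege in the entry is granted, so I would tighten it to `A list of remote cluster aliases to which the permissions in this entry apply.` If wildcards or regular expressions are accepted here (the `Names` type alone does not show it), the comment should say so explicitly, so that someone reviewing a role can spot an over-broad entry.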
@@ -20,7 +20,8 @@ import { ApplicationPrivileges, ClusterPrivilege, - IndicesPrivileges + IndicesPrivileges, + RemoteIndicesPrivileges } from '@security/_types/Privileges' import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' @@ -63,6 +64,12 @@ export interface Request extends RequestBase { * A list of indices permissions entries. */ indices?: IndicesPrivileges[] + /** + * A list of remote indices permissions entries. + * @availability stack since=8.14.0 + * + */ + remote_indices?: RemoteIndicesPrivileges[] /** * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use. */
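Review bot: The doc comment for `remote_indices` in the `@@ -63,6 +64,12 @@` hunk (`A list of remote indices permissions entries.`) does not tell a role author when these entries are enforced. As far as I recall from the Elasticsearch reference, remote indices privileges take effect only for remote clusters configured with the API key based security model and have no effect under the certificate based model; please confirm and add a sentence to that effect, since someone relying on this field to scope remote access under the other model would find it does nothing. The empty ` *` line after `@availability stack since=8.14.0` can also be dropped. The body of `Request` continues outside this hunk.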