From e4a48236c46d8b7ef747c17ee0d39867eb927d0a Mon Sep 17 00:00:00 2001 From: Nikolaj Volgushev Date: Mon, 10 Jun 2024 16:32:30 +0200 Subject: [PATCH] Serverless role and privilege model updates (#2547) Brings back https://github.com/elastic/elasticsearch-specification/pull/2491 with a few corrected annotations. The changes included in this PR are ready to be published: the privileges pertain to the API key APIs which are already public in Serverless. However, the visibility of the Create or Update Roles API (as well as other Role-related APIs) remains private until the feature is ready. I will open a separate PR for those when the time has come. --- .../elasticsearch-serverless-openapi.json | 44 +---- output/schema/schema.json | 154 ++++++++++++++++-- output/schema/validation-errors.json | 7 + output/typescript/types.ts | 2 +- specification/security/_types/Privileges.ts | 119 ++++++++++++++ .../put_role/SecurityPutRoleRequest.ts | 3 +- 6 files changed, 270 insertions(+), 59 deletions(-) diff --git a/output/openapi/elasticsearch-serverless-openapi.json b/output/openapi/elasticsearch-serverless-openapi.json index 8aacd68b29..2d0dc2c7b5 100644 --- a/output/openapi/elasticsearch-serverless-openapi.json +++ b/output/openapi/elasticsearch-serverless-openapi.json @@ -60607,10 +60607,6 @@ }, "query": { "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" - }, - "allow_restricted_indices": { - "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", - "type": "boolean" } }, "required": [ 
@@ -60639,21 +60635,15 @@ "create", "create_doc", "create_index", - "cross_cluster_replication", - "cross_cluster_replication_internal", "delete", "delete_index", "index", "maintenance", "manage", "manage_data_stream_lifecycle", - "manage_follow_index", - "manage_ilm", - "manage_leader_index", "monitor", "none", "read", - "read_cross_cluster", "view_index_metadata", "write" ] @@ -60860,63 +60850,31 @@ "enum": [ "all", "cancel_task", - "create_snapshot", - "cross_cluster_replication", - "cross_cluster_search", - "delegate_pki", - "grant_api_key", "manage", "manage_api_key", - "manage_autoscaling", "manage_behavioral_analytics", - "manage_ccr", - "manage_data_frame_transforms", - "manage_data_stream_global_retention", "manage_enrich", - "manage_ilm", "manage_index_templates", "manage_inference", "manage_ingest_pipelines", "manage_logstash_pipelines", "manage_ml", - "manage_oidc", "manage_own_api_key", "manage_pipeline", - "manage_rollup", - "manage_saml", "manage_search_application", "manage_search_query_rules", "manage_search_synonyms", "manage_security", - "manage_service_account", - "manage_slm", - "manage_token", "manage_transform", - "manage_user_profile", - "manage_watcher", "monitor", - "monitor_data_frame_transforms", - "monitor_data_stream_global_retention", "monitor_enrich", "monitor_inference", "monitor_ml", - "monitor_rollup", - "monitor_snapshot", - "monitor_text_structure", "monitor_transform", - "monitor_watcher", "none", "post_behavioral_analytics_event", - "read_ccr", - "read_connector_secrets", - "read_fleet_secrets", - "read_ilm", "read_pipeline", - "read_security", - "read_slm", - "transport_client", - "write_connector_secrets", - "write_fleet_secrets" + "read_security" ] }, { diff --git a/output/schema/schema.json b/output/schema/schema.json index 478edc203f..b13b34f48d 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -178692,7 +178692,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L218-L220" + "specLocation": "security/_types/Privileges.ts#L337-L339" }, { "kind": "interface", @@ -178778,18 +178778,33 @@ "name": "cancel_task" }, { + "availability": { + "stack": {} + }, "name": "create_snapshot" }, { + "availability": { + "stack": {} + }, "name": "cross_cluster_replication" }, { + "availability": { + "stack": {} + }, "name": "cross_cluster_search" }, { + "availability": { + "stack": {} + }, "name": "delegate_pki" }, { + "availability": { + "stack": {} + }, "name": "grant_api_key" }, { @@ -178799,24 +178814,39 @@ "name": "manage_api_key" }, { + "availability": { + "stack": {} + }, "name": "manage_autoscaling" }, { "name": "manage_behavioral_analytics" }, { + "availability": { + "stack": {} + }, "name": "manage_ccr" }, { + "availability": { + "stack": {} + }, "name": "manage_data_frame_transforms" }, { + "availability": { + "stack": {} + }, "name": "manage_data_stream_global_retention" }, { "name": "manage_enrich" }, { + "availability": { + "stack": {} + }, "name": "manage_ilm" }, { @@ -178835,6 +178865,9 @@ "name": "manage_ml" }, { + "availability": { + "stack": {} + }, "name": "manage_oidc" }, { @@ -178844,9 +178877,15 @@ "name": "manage_pipeline" }, { + "availability": { + "stack": {} + }, "name": "manage_rollup" }, { + "availability": { + "stack": {} + }, "name": "manage_saml" }, { 
@@ -178862,30 +178901,51 @@ "name": "manage_security" }, { + "availability": { + "stack": {} + }, "name": "manage_service_account" }, { + "availability": { + "stack": {} + }, "name": "manage_slm" }, { + "availability": { + "stack": {} + }, "name": "manage_token" }, { "name": "manage_transform" }, { + "availability": { + "stack": {} + }, "name": "manage_user_profile" }, { + "availability": { + "stack": {} + }, "name": "manage_watcher" }, { "name": "monitor" }, { + "availability": { + "stack": {} + }, "name": "monitor_data_frame_transforms" }, { + "availability": { + "stack": {} + }, "name": "monitor_data_stream_global_retention" }, { @@ -178898,18 +178958,30 @@ "name": "monitor_ml" }, { + "availability": { + "stack": {} + }, "name": "monitor_rollup" }, { + "availability": { + "stack": {} + }, "name": "monitor_snapshot" }, { + "availability": { + "stack": {} + }, "name": "monitor_text_structure" }, { "name": "monitor_transform" }, { + "availability": { + "stack": {} + }, "name": "monitor_watcher" }, { @@ -178919,17 +178991,35 @@ "name": "post_behavioral_analytics_event" }, { + "availability": { + "stack": {} + }, "name": "read_ccr" }, { + "availability": { + "stack": {} + }, "name": "read_connector_secrets" }, { + "availability": { + "stack": {} + }, "name": "read_fleet_secrets" }, { + "availability": { + "stack": {} + }, "name": "read_ilm" }, + { + "availability": { + "stack": {} + }, + "name": "read_slm" + }, { "name": "read_pipeline" }, @@ -178937,15 +179027,27 @@ "name": "read_security" }, { + "availability": { + "stack": {} + }, "name": "read_slm" }, { + "availability": { + "stack": {} + }, "name": "transport_client" }, { + "availability": { + "stack": {} + }, "name": "write_connector_secrets" }, { + "availability": { + "stack": {} + }, "name": "write_fleet_secrets" } ], 
@@ -178953,7 +179055,7 @@ "name": "ClusterPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L41-L102" + "specLocation": "security/_types/Privileges.ts#L41-L202" }, { "kind": "interface", @@ -179074,7 +179176,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L214-L216" + "specLocation": "security/_types/Privileges.ts#L333-L335" }, { "kind": "enum", @@ -179114,9 +179216,15 @@ "name": "create_index" }, { + "availability": { + "stack": {} + }, "name": "cross_cluster_replication" }, { + "availability": { + "stack": {} + }, "name": "cross_cluster_replication_internal" }, { @@ -179138,12 +179246,21 @@ "name": "manage_data_stream_lifecycle" }, { + "availability": { + "stack": {} + }, "name": "manage_follow_index" }, { + "availability": { + "stack": {} + }, "name": "manage_ilm" }, { + "availability": { + "stack": {} + }, "name": "manage_leader_index" }, { @@ -179156,6 +179273,9 @@ "name": "read" }, { + "availability": { + "stack": {} + }, "name": "read_cross_cluster" }, { @@ -179169,7 +179289,7 @@ "name": "IndexPrivilege", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L188-L212" + "specLocation": "security/_types/Privileges.ts#L289-L331" }, { "kind": "interface", @@ -179232,6 +179352,9 @@ } }, { + "availability": { + "stack": {} + }, "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", "name": "allow_restricted_indices", "required": false, @@ -179245,7 +179368,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L104-L127" + "specLocation": "security/_types/Privileges.ts#L204-L228" }, { "codegenNames": [ 
@@ -179259,7 +179382,7 @@ "name": "IndicesPrivilegesQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L153-L161", + "specLocation": "security/_types/Privileges.ts#L254-L262", "type": { "items": [ { @@ -179309,7 +179432,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L222-L224" + "specLocation": "security/_types/Privileges.ts#L341-L343" }, { "kind": "interface", @@ -179803,7 +179926,7 @@ "name": "RoleTemplateInlineQuery", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L182-L183", + "specLocation": "security/_types/Privileges.ts#L283-L284", "type": { "items": [ { @@ -179883,7 +180006,7 @@ } ], "shortcutProperty": "source", - "specLocation": "security/_types/Privileges.ts#L175-L180" + "specLocation": "security/_types/Privileges.ts#L276-L281" }, { "kind": "interface", @@ -179907,7 +180030,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L163-L173" + "specLocation": "security/_types/Privileges.ts#L264-L274" }, { "codegenNames": [ @@ -179919,7 +180042,7 @@ "name": "RoleTemplateScript", "namespace": "security._types" }, - "specLocation": "security/_types/Privileges.ts#L185-L186", + "specLocation": "security/_types/Privileges.ts#L286-L287", "type": { "items": [ { @@ -180149,7 +180272,7 @@ } } ], - "specLocation": "security/_types/Privileges.ts#L129-L151" + "specLocation": "security/_types/Privileges.ts#L230-L252" }, { "kind": "interface", @@ -185506,6 +185629,9 @@ } }, { + "availability": { + "stack": {} + }, "description": "An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.", "name": "global", "required": false, 
@@ -185552,7 +185678,7 @@ } }, { - "description": "A list of users that the owners of this role can impersonate.", + "description": "A list of users that the owners of this role can impersonate. *Note*: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty `run_as` field, but a non-empty list will be rejected.", "docId": "run-as-privilege", "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/run-as-privilege.html", "name": "run_as", @@ -185629,7 +185755,7 @@ } } ], - "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L30-L79" + "specLocation": "security/put_role/SecurityPutRoleRequest.ts#L30-L80" }, { "body": { diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index 2164f23902..7f2d942cf6 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json @@ -1279,6 +1279,13 @@ ], "response": [] }, + "security.has_privileges": { + "request": [ + "enum definition security._types:ClusterPrivilege - Duplicate enum member codegen_name 'read_slm'", + "enum definition security._types:ClusterPrivilege - Duplicate enum member name 'read_slm'" + ], + "response": [] + }, "security.oidc_authenticate": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index 7be4e13eab..5300437e26 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts 
@@ -16787,7 +16787,7 @@ export interface SecurityClusterNode { name: Name } -export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 'manage_search_application' | 'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_connector_secrets' | 'read_fleet_secrets' | 'read_ilm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string +export type SecurityClusterPrivilege = 'all' | 'cancel_task' | 'create_snapshot' | 'cross_cluster_replication' | 'cross_cluster_search' | 'delegate_pki' | 'grant_api_key' | 'manage' | 'manage_api_key' | 'manage_autoscaling' | 'manage_behavioral_analytics' | 'manage_ccr' | 'manage_data_frame_transforms' | 'manage_data_stream_global_retention' | 'manage_enrich' | 'manage_ilm' | 'manage_index_templates' | 'manage_inference' | 'manage_ingest_pipelines' | 'manage_logstash_pipelines' | 'manage_ml' | 'manage_oidc' | 'manage_own_api_key' | 'manage_pipeline' | 'manage_rollup' | 'manage_saml' | 
'manage_search_application' | 'manage_search_query_rules' | 'manage_search_synonyms' | 'manage_security' | 'manage_service_account' | 'manage_slm' | 'manage_token' | 'manage_transform' | 'manage_user_profile' | 'manage_watcher' | 'monitor' | 'monitor_data_frame_transforms' | 'monitor_data_stream_global_retention' | 'monitor_enrich' | 'monitor_inference' | 'monitor_ml' | 'monitor_rollup' | 'monitor_snapshot' | 'monitor_text_structure' | 'monitor_transform' | 'monitor_watcher' | 'none' | 'post_behavioral_analytics_event' | 'read_ccr' | 'read_connector_secrets' | 'read_fleet_secrets' | 'read_ilm' | 'read_slm' | 'read_pipeline' | 'read_security' | 'read_slm' | 'transport_client' | 'write_connector_secrets' | 'write_fleet_secrets'| string export interface SecurityCreatedStatus { created: boolean diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index d013df8308..8e8756c336 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts 
@@ -42,62 +42,162 @@ export class ApplicationPrivileges {
 export enum ClusterPrivilege {
 all,
 cancel_task,
+ /**
+ * @availability stack
+ */
 create_snapshot,
+ /**
+ * @availability stack
+ */
 cross_cluster_replication,
+ /**
+ * @availability stack
+ */
 cross_cluster_search,
+ /**
+ * @availability stack
+ */
 delegate_pki,
+ /**
+ * @availability stack
+ */
 grant_api_key,
 manage,
 manage_api_key,
+ /**
+ * @availability stack
+ */
 manage_autoscaling,
 manage_behavioral_analytics,
+ /**
+ * @availability stack
+ */
 manage_ccr,
+ /**
+ * @availability stack
+ */
 manage_data_frame_transforms,
+ /**
+ * @availability stack
+ */
 manage_data_stream_global_retention,
 manage_enrich,
+ /**
+ * @availability stack
+ */
 manage_ilm,
 manage_index_templates,
 manage_inference,
 manage_ingest_pipelines,
 manage_logstash_pipelines,
 manage_ml,
+ /**
+ * @availability stack
+ */
 manage_oidc,
 manage_own_api_key,
 manage_pipeline,
+ /**
+ * @availability stack
+ */
 manage_rollup,
+ /**
+ * @availability stack
+ */
 manage_saml,
 manage_search_application,
 manage_search_query_rules,
 manage_search_synonyms,
 manage_security,
+ /**
+ * @availability stack
+ */
 manage_service_account,
+ /**
+ * @availability stack
+ */
 manage_slm,
+ /**
+ * @availability stack
+ */
 manage_token,
 manage_transform,
+ /**
+ * @availability stack
+ */
 manage_user_profile,
+ /**
+ * @availability stack
+ */
 manage_watcher,
 monitor,
+ /**
+ * @availability stack
+ */
 monitor_data_frame_transforms,
+ /**
+ * @availability stack
+ */
 monitor_data_stream_global_retention,
 monitor_enrich,
 monitor_inference,
 monitor_ml,
+ /**
+ * @availability stack
+ */
 monitor_rollup,
+ /**
+ * @availability stack
+ */
 monitor_snapshot,
+ /**
+ * @availability stack
+ */
 monitor_text_structure,
 monitor_transform,
+ /**
+ * @availability stack
+ */
 monitor_watcher,
 none,
 post_behavioral_analytics_event,
+ /**
+ * @availability stack
+ */
 read_ccr,
+ /**
+ * @availability stack
+ */
 read_connector_secrets,
+ /**
+ * @availability stack
+ */
 read_fleet_secrets,
+ /**
+ * @availability stack
+ */
 read_ilm,
+ /**
+ * @availability stack
+ */
+ read_slm,
 read_pipeline,
 read_security,
+ /**
+ * @availability stack
+ */
 read_slm,
+ /**
+ * @availability stack
+ */
 transport_client,
+ /**
+ * @availability stack
+ */
 write_connector_secrets,
+ /**
+ * @availability stack
+ */
 write_fleet_secrets
 }
@@ -122,6 +222,7 @@ export class IndicesPrivileges {
 /**
 * Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.
 * @server_default false
+ * @availability stack
 */
 allow_restricted_indices?: boolean
 }
@@ -192,7 +293,13 @@ export enum IndexPrivilege {
 create,
 create_doc,
 create_index,
+ /**
+ * @availability stack
+ */
 cross_cluster_replication,
+ /**
+ * @availability stack
+ */
 cross_cluster_replication_internal,
 delete,
 delete_index,
@@ -200,12 +307,24 @@ export enum IndexPrivilege {
 maintenance,
 manage,
 manage_data_stream_lifecycle,
+ /**
+ * @availability stack
+ */
 manage_follow_index,
+ /**
+ * @availability stack
+ */
 manage_ilm,
+ /**
+ * @availability stack
+ */
 manage_leader_index,
 monitor,
 none,
 read,
+ /**
+ * @availability stack
+ */
 read_cross_cluster,
 view_index_metadata,
 write
diff --git a/specification/security/put_role/SecurityPutRoleRequest.ts b/specification/security/put_role/SecurityPutRoleRequest.ts
index 4a0c8656b1..c27b1e5fb9 100644
--- a/specification/security/put_role/SecurityPutRoleRequest.ts
+++ b/specification/security/put_role/SecurityPutRoleRequest.ts
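Review bot: `read_slm` ends up declared twice in ClusterPrivilege after this hunk: a new annotated member is inserted between `read_ilm` and `read_pipeline`, while the pre-existing member after `read_security` is kept and annotated as well. The spec compiler already catches it (the validation-errors.json hunk adds "Duplicate enum member name 'read_slm'" under security.has_privileges), and the duplicate is carried into the generated schema.json and into the `SecurityClusterPrivilege` union in types.ts, which now lists `'read_slm'` twice. Drop the inserted block `/** * @availability stack */ read_slm,` that precedes `read_pipeline`, keep the annotated member after `read_security` where the file already had it, and regenerate the outputs; the validation-errors entry should then go away. A privilege enum is what the role model is checked against, so an accidental duplicate is worth fixing before the stack-side outputs are consumed downstream.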
@@ -56,6 +56,7 @@ export interface Request extends RequestBase {
 cluster?: ClusterPrivilege[]
 /**
 * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
+ * @availability stack
 */
 global?: Dictionary
 /**
@@ -67,7 +68,7 @@ export interface Request extends RequestBase {
 */
 metadata?: Metadata
 /**
- * A list of users that the owners of this role can impersonate.
+ * A list of users that the owners of this role can impersonate. *Note*: in Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty `run_as` field, but a non-empty list will be rejected.
 * @doc_id run-as-privilege
 */
 run_as?: string[]
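Review bot: The new `run_as` description says an "empty `run_as` field" is accepted on Serverless without saying what empty means for a `string[]`, which is exactly the detail a client author needs for the compatibility case it describes. Spelling out the literal removes the ambiguity; I would replace the phrase "you can still specify an empty `run_as` field" with `you can still send run_as: [] (an empty list)` and keep the rest of the sentence. This sentence is also the only place the Serverless restriction is stated, so a reader of the generated schema has to infer that a non-empty list fails the whole request rather than being ignored; saying "the request is rejected" makes the fail-closed behaviour explicit. The enclosing Request interface starts outside the hunk.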