From 5f5e597065f8859f191ca8efb73fd097249fc9f2 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 8 Nov 2024 14:20:08 +0400
Subject: [PATCH] [Backport 8.x] Add cross cluster security APIs (#3088)
Co-authored-by: Florian Bernd
Co-authored-by: Lisa Cawley
---
output/openapi/elasticsearch-openapi.json | 208 +++++++++
output/schema/schema.json | 425 +++++++++++++++++-
output/schema/validation-errors.json | 12 -
output/typescript/types.ts | 46 ++
specification/_doc_ids/table.csv | 1 +
specification/security/_types/Access.ts | 31 ++
specification/security/_types/Privileges.ts | 31 +-
.../CreateCrossClusterApiKeyRequest.ts | 73 +++
.../CreateCrossClusterApiKeyResponse.ts | 48 ++
.../UpdateCrossClusterApiKeyRequest.ts | 61 +++
.../UpdateCrossClusterApiKeyResponse.ts | 28 ++
11 files changed, 941 insertions(+), 23 deletions(-)
create mode 100644 specification/security/_types/Access.ts
create mode 100644 specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts
create mode 100644 specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyResponse.ts
create mode 100644 specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
create mode 100644 specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyResponse.ts
diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json
index 9b76a91742..0c82f033d2 100644
--- a/output/openapi/elasticsearch-openapi.json
+++ b/output/openapi/elasticsearch-openapi.json
@@ -27916,6 +27916,84 @@ "x-state": "Added in 6.7.0" } }, + "/_security/cross_cluster/api_key": { + "post": { + "tags": [ + "security" + ], + "summary": "Create a cross-cluster API key", + "description": "Create an API key of the `cross_cluster` type for the API key based remote cluster access.\nA `cross_cluster` API key cannot be used to authenticate through the REST interface.\n\nIMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.\n\nCross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.\n\nNOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property.\n\nA successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.\n\nBy default, API keys never expire. 
You can specify expiration information when you create the API keys.\n\nCross-cluster API keys can only be updated with the update cross-cluster API key API.\nAttempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.", + "externalDocs": { + "url": "https://www.elastic.co/guide/en/elasticsearch/reference/current/remote-clusters-api-key.html" + }, + "operationId": "security-create-cross-cluster-api-key", + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access": { + "$ref": "#/components/schemas/security._types:Access" + }, + "expiration": { + "$ref": "#/components/schemas/_types:Duration" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + }, + "name": { + "$ref": "#/components/schemas/_types:Name" + } + }, + "required": [ + "access", + "name" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "api_key": { + "description": "Generated API key.", + "type": "string" + }, + "expiration": { + "$ref": "#/components/schemas/_types:DurationValueUnitMillis" + }, + "id": { + "$ref": "#/components/schemas/_types:Id" + }, + "name": { + "$ref": "#/components/schemas/_types:Name" + }, + "encoded": { + "description": "API key credentials which is the base64-encoding of\nthe UTF-8 representation of `id` and `api_key` joined\nby a colon (`:`).", + "type": "string" + } + }, + "required": [ + "api_key", + "id", + "name", + "encoded" + ] + } + } + } + } + } + } + }, "/_security/service/{namespace}/{service}/credential/token/{name}": { "put": { "tags": [ 
@@ -30283,6 +30361,77 @@ "x-state": "Added in 8.4.0" } }, + "/_security/cross_cluster/api_key/{id}": { + "put": { + "tags": [ + "security" + ], + "summary": "Update a cross-cluster API key", + "description": "Update the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.", + "externalDocs": { + "url": "https://www.elastic.co/guide/en/elasticsearch/reference/current/remote-clusters-api-key.html" + }, + "operationId": "security-update-cross-cluster-api-key", + "parameters": [ + { + "in": "path", + "name": "id", + "description": "The ID of the cross-cluster API key to update.", + "required": true, + "deprecated": false, + "schema": { + "$ref": "#/components/schemas/_types:Id" + }, + "style": "simple" + } + ], + "requestBody": { + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "access": { + "$ref": "#/components/schemas/security._types:Access" + }, + "expiration": { + "$ref": "#/components/schemas/_types:Duration" + }, + "metadata": { + "$ref": "#/components/schemas/_types:Metadata" + } + }, + "required": [ + "access" + ] + } + } + }, + "required": true + }, + "responses": { + "200": { + "description": "", + "content": { + "application/json": { + "schema": { + "type": "object", + "properties": { + "updated": { + "description": "If `true`, the API key was updated.\nIf `false`, the API key didn’t change because no change was detected.", + "type": "boolean" + } + }, + "required": [ + "updated" + ] + } + } + } + } + } + } + }, "/_security/profile/{uid}/_data": { "put": { "tags": [ 
@@ -81951,6 +82100,65 @@ "_types:Service": { "type": "string" }, + "security._types:Access": { + "type": "object", + "properties": { + "replication": { + "description": "A list of indices permission entries for cross-cluster replication.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:ReplicationAccess" + } + }, + "search": { + "description": "A list of indices permission entries for cross-cluster search.", + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:SearchAccess" + } + } + } + }, + "security._types:ReplicationAccess": { + "type": "object", + "properties": { + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + } + }, + "required": [ + "names" + ] + }, + "security._types:SearchAccess": { + "type": "object", + "properties": { + "field_security": { + "$ref": "#/components/schemas/security._types:FieldSecurity" + }, + "names": { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "type": "array", + "items": { + "$ref": "#/components/schemas/_types:IndexName" + } + }, + "query": { + "$ref": "#/components/schemas/security._types:IndicesPrivilegesQuery" + }, + "allow_restricted_indices": { + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "type": "boolean" + } + }, + "required": [ + "names" + ] + }, "security.create_service_token:Token": { "type": "object", "properties": { 
diff --git a/output/schema/schema.json b/output/schema/schema.json index 6b3fbc6cb1..3f454a59b3 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json 
@@ -15476,19 +15476,31 @@ { "availability": { "stack": { - "stability": "stable", - "visibility": "public" + "stability": "stable" } }, - "description": "Creates a cross-cluster API key for API key based remote cluster access.", + "description": "Create a cross-cluster API key.\n\nCreate an API key of the `cross_cluster` type for the API key based remote cluster access.\nA `cross_cluster` API key cannot be used to authenticate through the REST interface.\n\nIMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.\n\nCross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.\n\nNOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property.\n\nA successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.\n\nBy default, API keys never expire. 
You can specify expiration information when you create the API keys.\n\nCross-cluster API keys can only be updated with the update cross-cluster API key API.\nAttempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.", "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-cross-cluster-api-key.html", + "extDocId": "remote-clusters-api-key", + "extDocUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/remote-clusters-api-key.html", "name": "security.create_cross_cluster_api_key", - "request": null, + "privileges": { + "cluster": [ + "manage_security" + ] + }, + "request": { + "name": "Request", + "namespace": "security.create_cross_cluster_api_key" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.create_cross_cluster_api_key" + }, "responseMediaType": [ "application/json" ], 
@@ -17332,19 +17344,26 @@ { "availability": { "stack": { - "stability": "stable", - "visibility": "public" + "stability": "stable" } }, - "description": "Updates attributes of an existing cross-cluster API key.", + "description": "Update a cross-cluster API key.\n\nUpdate the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.", "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-update-cross-cluster-api-key.html", + "extDocId": "remote-clusters-api-key", + "extDocUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/remote-clusters-api-key.html", "name": "security.update_cross_cluster_api_key", - "request": null, + "request": { + "name": "Request", + "namespace": "security.update_cross_cluster_api_key" + }, "requestBodyRequired": true, "requestMediaType": [ "application/json" ], - "response": null, + "response": { + "name": "Response", + "namespace": "security.update_cross_cluster_api_key" + }, "responseMediaType": [ "application/json" ], @@ -186448,6 +186467,46 @@ }, "specLocation": "searchable_snapshots/stats/SearchableSnapshotsStatsResponse.ts#L22-L27" }, + { + "kind": "interface", + "name": { + "name": "Access", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of indices permission entries for cross-cluster replication.", + "name": "replication", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "ReplicationAccess", + "namespace": "security._types" + } + } + } + }, + { + "description": "A list of indices permission entries for cross-cluster search.", + "name": "search", + "required": false, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "SearchAccess", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/Access.ts#L22-L31" + }, { "kind": "interface", "name": { 
@@ -187579,6 +187638,31 @@ ], "specLocation": "security/_types/Privileges.ts#L225-L253" }, + { + "kind": "interface", + "name": { + "name": "ReplicationAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L380-L385" + }, { "kind": "interface", "name": { 
@@ -188202,6 +188286,73 @@ "shortcutProperty": "source", "specLocation": "security/_types/Privileges.ts#L301-L319" }, + { + "kind": "interface", + "name": { + "name": "SearchAccess", + "namespace": "security._types" + }, + "properties": [ + { + "description": "The document fields that the owners of the role have read access to.", + "docId": "field-and-document-access-control", + "docUrl": "https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/field-and-document-access-control.html", + "name": "field_security", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "FieldSecurity", + "namespace": "security._types" + } + } + }, + { + "description": "A list of indices (or index name patterns) to which the permissions in this entry apply.", + "name": "names", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "IndexName", + "namespace": "_types" + } + } + } + }, + { + "description": "A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role.", + "name": "query", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "IndicesPrivilegesQuery", + "namespace": "security._types" + } + } + }, + { + "availability": { + "stack": {} + }, + "description": "Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. 
If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`.", + "name": "allow_restricted_indices", + "required": false, + "serverDefault": false, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + } + ], + "specLocation": "security/_types/Privileges.ts#L387-L407" + }, { "kind": "enum", "members": [ 
@@ -190015,6 +190166,161 @@ }, "specLocation": "security/create_api_key/SecurityCreateApiKeyResponse.ts#L23-L50" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "The access to be granted to this API key.\nThe access is composed of permissions for cross-cluster search and cross-cluster replication.\nAt least one of them must be specified.\n\nNOTE: No explicit privileges should be specified for either search or replication access.\nThe creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly.", + "name": "access", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "description": "Expiration time for the API key.\nBy default, API keys never expire.", + "name": "expiration", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Duration", + "namespace": "_types" + } + } + }, + { + "description": "Arbitrary metadata that you want to associate with the API key.\nIt supports nested data structure.\nWithin the metadata object, keys beginning with `_` are reserved for system usage.", + "name": "metadata", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Metadata", + "namespace": "_types" + } + } + }, + { + "description": "Specifies the name for this API key.", + "name": "name", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Name", + "namespace": "_types" + } + } + } + ] + }, + "description": "Create a cross-cluster API key.\n\nCreate an API key of the `cross_cluster` type for the API key based remote cluster access.\nA `cross_cluster` API key cannot be used to authenticate through the REST interface.\n\nIMPORTANT: To authenticate this request you must use a credential that is not an API key. 
Even if you use an API key that has the required privilege, the API returns an error.\n\nCross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.\n\nNOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property.\n\nA successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.\n\nBy default, API keys never expire. You can specify expiration information when you create the API keys.\n\nCross-cluster API keys can only be updated with the update cross-cluster API key API.\nAttempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.create_cross_cluster_api_key" + }, + "path": [], + "query": [], + "specLocation": "security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts#L25-L73" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "Generated API key.", + "name": "api_key", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + }, + { + "description": "Expiration in milliseconds for the API key.", + "name": "expiration", + "required": false, + "type": { + "kind": "instance_of", + "generics": [ + { + "kind": "instance_of", + "type": { + "name": "UnitMillis", + "namespace": "_types" + } + } + ], + "type": { + "name": "DurationValue", + "namespace": "_types" + } + } + }, + { + "description": "Unique ID for this API key.", + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + 
"namespace": "_types" + } + } + }, + { + "description": "Specifies the name for this API key.", + "name": "name", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Name", + "namespace": "_types" + } + } + }, + { + "description": "API key credentials which is the base64-encoding of\nthe UTF-8 representation of `id` and `api_key` joined\nby a colon (`:`).", + "name": "encoded", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "string", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.create_cross_cluster_api_key" + }, + "specLocation": "security/create_cross_cluster_api_key/CreateCrossClusterApiKeyResponse.ts#L23-L48" + }, { "kind": "request", "attachedBehaviors": [ 
@@ -197100,6 +197406,105 @@ }, "specLocation": "security/update_api_key/Response.ts#L20-L28" }, + { + "kind": "request", + "attachedBehaviors": [ + "CommonQueryParameters" + ], + "body": { + "kind": "properties", + "properties": [ + { + "description": "The access to be granted to this API key.\nThe access is composed of permissions for cross cluster search and cross cluster replication.\nAt least one of them must be specified.\nWhen specified, the new access assignment fully replaces the previously assigned access.", + "name": "access", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Access", + "namespace": "security._types" + } + } + }, + { + "description": "Expiration time for the API key.\nBy default, API keys never expire. This property can be omitted to leave the value unchanged.", + "name": "expiration", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Duration", + "namespace": "_types" + } + } + }, + { + "description": "Arbitrary metadata that you want to associate with the API key.\nIt supports nested data structure.\nWithin the metadata object, keys beginning with `_` are reserved for system usage.\nWhen specified, this information fully replaces metadata previously associated with the API key.", + "name": "metadata", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Metadata", + "namespace": "_types" + } + } + } + ] + }, + "description": "Update a cross-cluster API key.\n\nUpdate the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.", + "inherits": { + "type": { + "name": "RequestBase", + "namespace": "_types" + } + }, + "name": { + "name": "Request", + "namespace": "security.update_cross_cluster_api_key" + }, + "path": [ + { + "description": "The ID of the cross-cluster API key to update.", + "name": "id", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "Id", + "namespace": 
"_types" + } + } + } + ], + "query": [], + "specLocation": "security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts#L25-L61" + }, + { + "kind": "response", + "body": { + "kind": "properties", + "properties": [ + { + "description": "If `true`, the API key was updated.\nIf `false`, the API key didn’t change because no change was detected.", + "name": "updated", + "required": true, + "type": { + "kind": "instance_of", + "type": { + "name": "boolean", + "namespace": "_builtins" + } + } + } + ] + }, + "name": { + "name": "Response", + "namespace": "security.update_cross_cluster_api_key" + }, + "specLocation": "security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyResponse.ts#L20-L28" + }, { "kind": "request", "attachedBehaviors": [ diff --git a/output/schema/validation-errors.json b/output/schema/validation-errors.json index 6b40b6b077..3e6e4455ba 100644 --- a/output/schema/validation-errors.json +++ b/output/schema/validation-errors.json @@ -1079,12 +1079,6 @@ ], "response": [] }, - "security.create_cross_cluster_api_key": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.get_settings": { "request": [ "Missing request & response" @@ -1123,12 +1117,6 @@ ], "response": [] }, - "security.update_cross_cluster_api_key": { - "request": [ - "Missing request & response" - ], - "response": [] - }, "security.update_settings": { "request": [ "Missing request & response" diff --git a/output/typescript/types.ts b/output/typescript/types.ts index f036ece6ca..f4854b275d 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17580,6 +17580,11 @@ export interface SearchableSnapshotsStatsResponse { total: any } +export interface SecurityAccess { + replication?: SecurityReplicationAccess[] + search?: SecuritySearchAccess[] +} + export interface SecurityApiKey { creation?: long expiration?: long 
@@ -17668,6 +17673,10 @@ export interface SecurityRemoteIndicesPrivileges { allow_restricted_indices?: boolean } +export interface SecurityReplicationAccess { + names: IndexName[] +} + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -17726,6 +17735,13 @@ export interface SecurityRoleTemplateScript { options?: Record } +export interface SecuritySearchAccess { + field_security?: SecurityFieldSecurity + names: IndexName[] + query?: SecurityIndicesPrivilegesQuery + allow_restricted_indices?: boolean +} + export type SecurityTemplateFormat = 'string' | 'json' export interface SecurityUser { @@ -17918,6 +17934,23 @@ export interface SecurityCreateApiKeyResponse { encoded: string } +export interface SecurityCreateCrossClusterApiKeyRequest extends RequestBase { + body?: { + access: SecurityAccess + expiration?: Duration + metadata?: Metadata + name: Name + } +} + +export interface SecurityCreateCrossClusterApiKeyResponse { + api_key: string + expiration?: DurationValue + id: Id + name: Name + encoded: string +} + export interface SecurityCreateServiceTokenRequest extends RequestBase { namespace: Namespace service: Service @@ -18635,6 +18668,19 @@ export interface SecurityUpdateApiKeyResponse { updated: boolean } +export interface SecurityUpdateCrossClusterApiKeyRequest extends RequestBase { + id: Id + body?: { + access: SecurityAccess + expiration?: Duration + metadata?: Metadata + } +} + +export interface SecurityUpdateCrossClusterApiKeyResponse { + updated: boolean +} + export interface SecurityUpdateUserProfileDataRequest extends RequestBase { uid: SecurityUserProfileId if_seq_no?: SequenceNumber diff --git a/specification/_doc_ids/table.csv b/specification/_doc_ids/table.csv index 9f94e2835f..02c04d4df9 100644 --- a/specification/_doc_ids/table.csv +++ b/specification/_doc_ids/table.csv 
@@ -419,6 +419,7 @@ redact-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch regexp-syntax,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/regexp-syntax.html registered-domain-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/registered-domain-processor.html remove-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/remove-processor.html +remote-clusters-api-key,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/remote-clusters-api-key.html rename-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/rename-processor.html reroute-processor,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/reroute-processor.html render-search-template-api,https://www.elastic.co/guide/en/elasticsearch/reference/{branch}/render-search-template-api.html diff --git a/specification/security/_types/Access.ts b/specification/security/_types/Access.ts new file mode 100644 index 0000000000..ec74661ae0 --- /dev/null +++ b/specification/security/_types/Access.ts 
@@ -0,0 +1,31 @@ +/* + * Licensed to Elasticsearch B.V. under one or more contributor + * license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright + * ownership. Elasticsearch B.V. licenses this file to you under + * the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import { ReplicationAccess, SearchAccess } from './Privileges' + +export class Access { + /** + * A list of indices permission entries for cross-cluster replication. + */ + replication?: ReplicationAccess[] + /** + * A list of indices permission entries for cross-cluster search. + */ + search?: SearchAccess[] +} diff --git a/specification/security/_types/Privileges.ts b/specification/security/_types/Privileges.ts index 356973864c..e9767aa159 100644 --- a/specification/security/_types/Privileges.ts +++ b/specification/security/_types/Privileges.ts @@ -19,7 +19,7 @@ import { Dictionary } from '@spec_utils/Dictionary' import { UserDefinedValue } from '@spec_utils/UserDefinedValue' -import { Id, Indices, Names } from '@_types/common' +import { Id, IndexName, Indices, Names } from '@_types/common' import { QueryContainer } from '@_types/query_dsl/abstractions' import { ScriptLanguage } from '@_types/Scripting' import { FieldSecurity } from './FieldSecurity' 
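Review bot: The `Access` class added in Access.ts declares both `replication` and `search` as optional and carries no class-level comment, so nothing on the type itself records that an empty access object is not a valid specification. The create request elsewhere in this patch documents that at least one of the two must be specified; I would repeat that on the class, e.g. `/** Access granted to a cross-cluster API key. At least one of replication or search must be specified. */`, so the constraint presumably travels with the type into the generated schema rather than living only in one request's prose. The import-only hunk for Privileges.ts that follows on the same line needs no change.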
@@ -376,3 +376,32 @@ export class ApplicationGlobalUserPrivileges { export class ManageUserPrivileges { applications: string[] } + +export class ReplicationAccess { + /** + * A list of indices (or index name patterns) to which the permissions in this entry apply. + */ + names: IndexName[] +} + +export class SearchAccess { + /** + * The document fields that the owners of the role have read access to. + * @doc_id field-and-document-access-control + */ + field_security?: FieldSecurity + /** + * A list of indices (or index name patterns) to which the permissions in this entry apply. + */ + names: IndexName[] + /** + * A search query that defines the documents the owners of the role have access to. A document within the specified indices must match this query for it to be accessible by the owners of the role. + */ + query?: IndicesPrivilegesQuery + /** + * Set to `true` if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the `names` list, Elasticsearch checks privileges against these indices regardless of the value set for `allow_restricted_indices`. + * @server_default false + * @availability stack + */ + allow_restricted_indices?: boolean +} diff --git a/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts new file mode 100644 index 0000000000..853aa86ebc --- /dev/null +++ b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyRequest.ts 
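Review bot: In `SearchAccess`, the comments on `field_security` and `query` speak of "the owners of the role", which looks carried over from a role privilege type; this class describes what a cross-cluster API key may read, and there is no role owner in that context. I would reword them along the lines of `The document fields that the cross-cluster API key has read access to.` and `A search query that defines the documents the cross-cluster API key has access to.` Because `allow_restricted_indices` lets wildcard patterns cover restricted indices, its comment could also state that it should stay at the default `false` unless the remote cluster genuinely needs those indices. `ReplicationAccess` and `SearchAccess` sit wholly inside this hunk; the preceding `ManageUserPrivileges` class starts above it.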
@@ -0,0 +1,73 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Access } from '@security/_types/Access'
+import { RequestBase } from '@_types/Base'
+import { Metadata, Name } from '@_types/common'
+import { Duration } from '@_types/Time'
+
+/**
+ * Create a cross-cluster API key.
+ *
+ * Create an API key of the `cross_cluster` type for the API key based remote cluster access.
+ * A `cross_cluster` API key cannot be used to authenticate through the REST interface.
+ *
+ * IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error.
+ *
+ * Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled.
+ *
+ * NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the `access` property.
+ *
+ * A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds.
+ *
+ * By default, API keys never expire. You can specify expiration information when you create the API keys.
+ *
+ * Cross-cluster API keys can only be updated with the update cross-cluster API key API.
+ * Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.
+ * @rest_spec_name security.create_cross_cluster_api_key
+ * @availability stack stability=stable
+ * @cluster_privileges manage_security
+ * @ext_doc_id remote-clusters-api-key
+ */
+export interface Request extends RequestBase {
+ body: {
+ /**
+ * The access to be granted to this API key.
+ * The access is composed of permissions for cross-cluster search and cross-cluster replication.
+ * At least one of them must be specified.
+ *
+ * NOTE: No explicit privileges should be specified for either search or replication access.
+ * The creation process automatically converts the access specification to a role descriptor which has relevant privileges assigned accordingly.
+ */
+ access: Access
+ /**
+ * Expiration time for the API key.
+ * By default, API keys never expire.
+ */
+ expiration?: Duration
+ /**
+ * Arbitrary metadata that you want to associate with the API key.
+ * It supports nested data structure.
+ * Within the metadata object, keys beginning with `_` are reserved for system usage.
+ */
+ metadata?: Metadata
+ /** Specifies the name for this API key. */
+ name: Name
+ }
+}
diff --git a/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyResponse.ts b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyResponse.ts
new file mode 100644
index 0000000000..2f271bea07
--- /dev/null
+++ b/specification/security/create_cross_cluster_api_key/CreateCrossClusterApiKeyResponse.ts
@@ -0,0 +1,48 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Id, Name } from '@_types/common'
+import { DurationValue, UnitMillis } from '@_types/Time'
+
+export class Response {
+ body: {
+ /**
+ * Generated API key.
+ */
+ api_key: string
+ /**
+ * Expiration in milliseconds for the API key.
+ */
+ expiration?: DurationValue
+ /**
+ * Unique ID for this API key.
+ */
+ id: Id
+ /**
+ * Specifies the name for this API key.
+ */
+ name: Name
+ /**
+ * API key credentials which is the base64-encoding of
+ * the UTF-8 representation of `id` and `api_key` joined
+ * by a colon (`:`).
+ */
+ encoded: string
+ }
+}
diff --git a/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
new file mode 100644
index 0000000000..4cadb5f200
--- /dev/null
+++ b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyRequest.ts
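Review bot: In the `Response` body of `CreateCrossClusterApiKeyResponse.ts`, `api_key` and `encoded` are the credential itself, yet their comments ("Generated API key." and the base64 description) give no hint that the values are secret. I would add a line to each, such as `* This value is a credential: store it securely and keep it out of logs.` The `expiration` comment says only "Expiration in milliseconds" and the property is typed as a duration value; the comment should state whether the number is an absolute expiry instant in epoch milliseconds or a remaining lifetime, and the type should match that.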
@@ -0,0 +1,61 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import { Access } from '@security/_types/Access'
+import { RequestBase } from '@_types/Base'
+import { Id, Metadata } from '@_types/common'
+import { Duration } from '@_types/Time'
+
+/**
+ * Update a cross-cluster API key.
+ *
+ * Update the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access.
+ * @rest_spec_name security.update_cross_cluster_api_key
+ * @availability stack stability=stable
+ * @ext_doc_id remote-clusters-api-key
+ */
+export interface Request extends RequestBase {
+ path_parts: {
+ /**
+ * The ID of the cross-cluster API key to update.
+ */
+ id: Id
+ }
+ body: {
+ /**
+ * The access to be granted to this API key.
+ * The access is composed of permissions for cross cluster search and cross cluster replication.
+ * At least one of them must be specified.
+ * When specified, the new access assignment fully replaces the previously assigned access.
+ */
+ access: Access
+ /**
+ * Expiration time for the API key.
+ * By default, API keys never expire. This property can be omitted to leave the value unchanged.
+ */
+ expiration?: Duration
+ /**
+ * Arbitrary metadata that you want to associate with the API key.
+ * It supports nested data structure.
+ * Within the metadata object, keys beginning with `_` are reserved for system usage.
+ * When specified, this information fully replaces metadata previously associated with the API key.
+ */
+ metadata?: Metadata
+ }
+}
diff --git a/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyResponse.ts b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyResponse.ts
new file mode 100644
index 0000000000..4fd7257fa5
--- /dev/null
+++ b/specification/security/update_cross_cluster_api_key/UpdateCrossClusterApiKeyResponse.ts
@@ -0,0 +1,28 @@
+/*
+ * Licensed to Elasticsearch B.V. under one or more contributor
+ * license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright
+ * ownership. Elasticsearch B.V. licenses this file to you under
+ * the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+export class Response {
+ body: {
+ /**
+ * If `true`, the API key was updated.
+ * If `false`, the API key didn’t change because no change was detected.
+ */
+ updated: boolean
+ }
+}
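Review bot: The JSDoc on the update `Request` (`UpdateCrossClusterApiKeyRequest.ts`) has no `@cluster_privileges` tag, whereas the create request in this patch declares `@cluster_privileges manage_security`, so the generated documentation will not state which privilege the update call needs. Assuming update requires the same privilege as create, add `* @cluster_privileges manage_security` after the `@availability` line. Separately, `access: Access` is declared required while its comment says "When specified, the new access assignment fully replaces the previously assigned access"; either mark the property optional or drop "When specified", whichever matches the server.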