diff --git a/output/openapi/elasticsearch-openapi.json b/output/openapi/elasticsearch-openapi.json index 4637770ad5..b253187318 100644 --- a/output/openapi/elasticsearch-openapi.json +++ b/output/openapi/elasticsearch-openapi.json @@ -81831,6 +81831,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { @@ -82166,6 +82169,33 @@ "resources" ] }, + "security._types:Restriction": { + "type": "object", + "properties": { + "workflows": { + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RestrictionWorkflow" + } + } + }, + "required": [ + "workflows" + ] + }, + "security._types:RestrictionWorkflow": { + "anyOf": [ + { + "type": "string", + "enum": [ + "search_application_query" + ] + }, + { + "type": "string" + } + ] + }, "security._types:RealmInfo": { "type": "object", "properties": { @@ -82607,6 +82637,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { diff --git a/output/openapi/elasticsearch-serverless-openapi.json b/output/openapi/elasticsearch-serverless-openapi.json index a50de92ea3..f1057cdba8 100644 --- a/output/openapi/elasticsearch-serverless-openapi.json +++ b/output/openapi/elasticsearch-serverless-openapi.json @@ -53867,6 +53867,9 @@ "description": "Optional description of the role descriptor", "type": "string" }, + "restriction": { + "$ref": "#/components/schemas/security._types:Restriction" + }, "transient_metadata": { "type": "object", "additionalProperties": { 
@@ -54065,6 +54068,33 @@ "resources" ] }, + "security._types:Restriction": { + "type": "object", + "properties": { + "workflows": { + "type": "array", + "items": { + "$ref": "#/components/schemas/security._types:RestrictionWorkflow" + } + } + }, + "required": [ + "workflows" + ] + }, + "security._types:RestrictionWorkflow": { + "anyOf": [ + { + "type": "string", + "enum": [ + "search_application_query" + ] + }, + { + "type": "string" + } + ] + }, "security._types:RealmInfo": { "type": "object", "properties": { diff --git a/output/schema/schema-serverless.json b/output/schema/schema-serverless.json index a239169250..87b0f48bfa 100644 --- a/output/schema/schema-serverless.json +++ b/output/schema/schema-serverless.json @@ -103326,6 +103326,20 @@ }, "specLocation": "security/_types/Privileges.ts#L201-L214" }, + { + "isOpen": true, + "kind": "enum", + "members": [ + { + "name": "search_application_query" + } + ], + "name": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + }, + "specLocation": "security/_types/RoleDescriptor.ts#L134-L137" + }, { "kind": "enum", "members": [ @@ -140066,6 +140080,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, @@ -140085,7 +140111,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L33-L79" + "specLocation": "security/_types/RoleDescriptor.ts#L33-L80" }, { "kind": "interface", 
@@ -140234,6 +140260,30 @@ ], "specLocation": "security/_types/Privileges.ts#L27-L40" }, + { + "kind": "interface", + "name": { + "name": "Restriction", + "namespace": "security._types" + }, + "properties": [ + { + "name": "workflows", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/RoleDescriptor.ts#L130-L132" + }, { "kind": "interface", "name": { diff --git a/output/schema/schema.json b/output/schema/schema.json index 301bd2e73c..9961b5f933 100644 --- a/output/schema/schema.json +++ b/output/schema/schema.json @@ -188016,6 +188016,44 @@ ], "specLocation": "security/_types/Privileges.ts#L416-L426" }, + { + "kind": "interface", + "name": { + "name": "Restriction", + "namespace": "security._types" + }, + "properties": [ + { + "name": "workflows", + "required": true, + "type": { + "kind": "array_of", + "value": { + "kind": "instance_of", + "type": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + } + } + } + } + ], + "specLocation": "security/_types/RoleDescriptor.ts#L130-L132" + }, + { + "kind": "enum", + "isOpen": true, + "members": [ + { + "name": "search_application_query" + } + ], + "name": { + "name": "RestrictionWorkflow", + "namespace": "security._types" + }, + "specLocation": "security/_types/RoleDescriptor.ts#L134-L137" + }, { "kind": "interface", "name": { @@ -188182,6 +188220,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, 
@@ -188201,7 +188251,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L33-L79" + "specLocation": "security/_types/RoleDescriptor.ts#L33-L80" }, { "kind": "interface", @@ -188389,6 +188439,18 @@ } } }, + { + "description": "Restriction for when the role descriptor is allowed to be effective.", + "name": "restriction", + "required": false, + "type": { + "kind": "instance_of", + "type": { + "name": "Restriction", + "namespace": "security._types" + } + } + }, { "name": "transient_metadata", "required": false, @@ -188408,7 +188470,7 @@ } } ], - "specLocation": "security/_types/RoleDescriptor.ts#L81-L124" + "specLocation": "security/_types/RoleDescriptor.ts#L82-L128" }, { "kind": "interface", diff --git a/output/typescript/types.ts b/output/typescript/types.ts index ad635d5a42..2c1abf3356 100644 --- a/output/typescript/types.ts +++ b/output/typescript/types.ts @@ -17699,6 +17699,12 @@ export interface SecurityReplicationAccess { allow_restricted_indices?: boolean } +export interface SecurityRestriction { + workflows: SecurityRestrictionWorkflow[] +} + +export type SecurityRestrictionWorkflow = 'search_application_query'| string + export interface SecurityRoleDescriptor { cluster?: SecurityClusterPrivilege[] indices?: SecurityIndicesPrivileges[] @@ -17710,6 +17716,7 @@ export interface SecurityRoleDescriptor { metadata?: Metadata run_as?: string[] description?: string + restriction?: SecurityRestriction transient_metadata?: Record } @@ -17724,6 +17731,7 @@ export interface SecurityRoleDescriptorRead { metadata?: Metadata run_as?: string[] description?: string + restriction?: SecurityRestriction transient_metadata?: Record } diff --git a/specification/security/_types/RoleDescriptor.ts b/specification/security/_types/RoleDescriptor.ts index ad8afe33a5..57ea1ac0ab 100644 --- a/specification/security/_types/RoleDescriptor.ts +++ b/specification/security/_types/RoleDescriptor.ts 
@@ -40,19 +40,16 @@ export class RoleDescriptor { * @aliases index */ indices?: IndicesPrivileges[] - /** * A list of indices permissions for remote clusters. * @availability stack since=8.14.0 */ remote_indices?: RemoteIndicesPrivileges[] - /** * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. * @availability stack since=8.15.0 */ remote_cluster?: RemoteClusterPrivileges[] - /** * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. * @availability stack @@ -75,6 +72,10 @@ export class RoleDescriptor { * Optional description of the role descriptor */ description?: string + /** + * Restriction for when the role descriptor is allowed to be effective. + */ + restriction?: Restriction transient_metadata?: Dictionary } @@ -93,7 +94,6 @@ export class RoleDescriptorRead implements OverloadOf { * @availability stack since=8.14.0 */ remote_indices?: RemoteIndicesPrivileges[] - /** * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions. * @availability stack since=8.15.0 @@ -120,5 +120,18 @@ export class RoleDescriptorRead implements OverloadOf { * Optional description of the role descriptor */ description?: string + /** + * Restriction for when the role descriptor is allowed to be effective. + */ + restriction?: Restriction transient_metadata?: Dictionary } + +export class Restriction { + workflows: RestrictionWorkflow[] +} + +/** @non_exhaustive */ +export enum RestrictionWorkflow { + search_application_query +}
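Review bot: The doc comment added for `restriction` in `RoleDescriptor` (hunk `@@ -75,6 +72,10 @@`, and the identical one added to `RoleDescriptorRead` in `@@ -120,5 +120,18 @@`) does not say what the restriction does to the role's privileges, which is what an operator relying on it for least privilege needs to know. It also carries no `@availability` tag, unlike `remote_indices` and `remote_cluster` in the same class, and the generated serverless OpenAPI and schema files in this commit include the field, presumably as a result; it is worth confirming that this is intended. I would expand the comment to something like `Restricts the role descriptor so that it is only effective for requests made within the listed workflows.`, adjusted to whatever the server actually enforces. Both class bodies start outside these hunks.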
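Review bot: The new `Restriction` class and `RestrictionWorkflow` enum at the end of hunk `@@ -120,5 +120,18 @@` have no doc comments, so the generated schema entries for them carry no `description`. I would add `/** A list of workflows to which the role descriptor is restricted. */` above `workflows`, and a one-line comment on `search_application_query` saying which requests that workflow covers. Because the enum is marked `@non_exhaustive`, the generated type is `'search_application_query' | string` and the OpenAPI `anyOf` admits any string, so a misspelled workflow name is not caught by client-side typing. If unknown values are left to the server to reject, the enum comment should say so.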