Support for security remote_cluster and associated privileges (#3125)

This commit adds support for the remote_cluster in the role and role descriptors.
Additionally:

* adds missing references to remote_indices
* add new cluster privilege monitor_stats
* adds related version information where applicable
* updates references to cluster from string[] to proper enumeration

Author: jakelandis

output/schema/schema.json

@@ -1,5 +1,5 @@
 {
   "dependencies": {
-    "@stoplight/spectral-cli": "^6.13.1"
+    "@stoplight/spectral-cli": "^6.14.1"
   }
 }

output/typescript/types.ts

@@ -151,6 +151,10 @@ export enum ClusterPrivilege {
    * @availability stack
    */
   monitor_snapshot,
+  /**
+   * @availability stack since=8.17.0
+   */
+  monitor_stats,
   /**
    * @availability stack
    */
@@ -194,6 +198,21 @@ export enum ClusterPrivilege {
   write_fleet_secrets
 }
 
+/**
+ * The subset of cluster level privileges that can be defined for remote clusters.
+ * @availability stack
+ */
+export enum RemoteClusterPrivilege {
+  /**
+   * @availability stack since=8.14.0
+   */
+  monitor_enrich,
+  /**
+   * @availability stack since=8.17.0
+   */
+  monitor_stats
+}
+
 // Keep in sync with RemoteIndicesPrivileges
 export class IndicesPrivileges {
   /**
@@ -221,6 +240,9 @@ export class IndicesPrivileges {
   allow_restricted_indices?: boolean
 }
 
+/**
+ * The subset of index level privileges that can be defined for remote clusters.
+ */
 // Keep in sync with IndicesPrivileges
 export class RemoteIndicesPrivileges {
   /**
@@ -252,6 +274,20 @@ export class RemoteIndicesPrivileges {
   allow_restricted_indices?: boolean
 }
 
+/**
+ * The subset of cluster level privileges that can be defined for remote clusters.
+ */
+export class RemoteClusterPrivileges {
+  /**
+   *  A list of cluster aliases to which the permissions in this entry apply.
+   */
+  clusters: Names
+  /**
+   * The cluster level privileges that owners of the role have on the remote cluster.
+   */
+  privileges: RemoteClusterPrivilege[]
+}
+
 export class UserIndicesPrivileges {
   /**
    * The document fields that the owners of the role have read access to.

package.json

@@ -25,7 +25,9 @@ import {
   ApplicationPrivileges,
   ClusterPrivilege,
   GlobalPrivilege,
-  IndicesPrivileges
+  IndicesPrivileges,
+  RemoteClusterPrivileges,
+  RemoteIndicesPrivileges
 } from './Privileges'
 
 export class RoleDescriptor {
@@ -38,6 +40,19 @@ export class RoleDescriptor {
    * @aliases index
    */
   indices?: IndicesPrivileges[]
+
+  /**
+   * A list of indices permissions for remote clusters.
+   * @availability stack since=8.14.0
+   */
+  remote_indices?: RemoteIndicesPrivileges[]
+
+  /**
+   * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
+   * @availability stack since=8.15.0
+   */
+  remote_cluster?: RemoteClusterPrivileges[]
+
   /**
    * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
    * @availability stack
@@ -73,6 +88,17 @@ export class RoleDescriptorRead implements OverloadOf<RoleDescriptor> {
    * @aliases index
    */
   indices: IndicesPrivileges[]
+  /**
+   * A list of indices permissions for remote clusters.
+   * @availability stack since=8.14.0
+   */
+  remote_indices?: RemoteIndicesPrivileges[]
+
+  /**
+   * A list of cluster permissions for remote clusters. Note - this is limited a subset of the cluster permissions.
+   * @availability stack since=8.15.0
+   */
+  remote_cluster?: RemoteClusterPrivileges[]
   /**
    * An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
    */

specification/security/_types/Privileges.ts

@@ -17,8 +17,16 @@
  * under the License.
  */
 
+import {
+  ClusterPrivilege,
+  RemoteClusterPrivilege
+} from '@security/_types/Privileges'
 import { IndexName } from '@_types/common'
 
 export class Response {
-  body: { cluster: string[]; index: IndexName[] }
+  body: {
+    cluster: ClusterPrivilege[]
+    index: IndexName[]
+    remote_cluster: RemoteClusterPrivilege[]
+  }
 }

specification/security/_types/RoleDescriptor.ts

@@ -19,16 +19,27 @@
 
 import {
   ApplicationPrivileges,
-  IndicesPrivileges
+  ClusterPrivilege,
+  IndicesPrivileges,
+  RemoteClusterPrivileges,
+  RemoteIndicesPrivileges
 } from '@security/_types/Privileges'
 import { RoleTemplate } from '@security/_types/RoleTemplate'
 import { Dictionary } from '@spec_utils/Dictionary'
 import { UserDefinedValue } from '@spec_utils/UserDefinedValue'
 import { Metadata } from '@_types/common'
 
 export class Role {
-  cluster: string[]
+  cluster: ClusterPrivilege[]
   indices: IndicesPrivileges[]
+  /**
+   * @availability stack since=8.14.0
+   */
+  remote_indices?: RemoteIndicesPrivileges[]
+  /**
+   * @availability stack since=8.15.0
+   */
+  remote_cluster?: RemoteClusterPrivileges[]
   metadata: Metadata
   run_as: string[]
   transient_metadata?: Dictionary<string, UserDefinedValue>

specification/security/get_builtin_privileges/SecurityGetBuiltinPrivilegesResponse.ts

@@ -21,6 +21,7 @@ import {
   ApplicationPrivileges,
   ClusterPrivilege,
   IndicesPrivileges,
+  RemoteClusterPrivileges,
   RemoteIndicesPrivileges
 } from '@security/_types/Privileges'
 import { Dictionary } from '@spec_utils/Dictionary'
@@ -74,6 +75,12 @@ export interface Request extends RequestBase {
      *
      */
     remote_indices?: RemoteIndicesPrivileges[]
+    /**
+     * A list of remote cluster permissions entries.
+     * @availability stack since=8.15.0
+     *
+     */
+    remote_cluster?: RemoteClusterPrivileges[]
     /**
      * Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use.
      */