Module: Elasticsearch::API::Security::Actions

Defined in:
lib/elasticsearch/api/actions/security/get_role.rb,
lib/elasticsearch/api/actions/security/get_user.rb,
lib/elasticsearch/api/actions/security/put_role.rb,
lib/elasticsearch/api/actions/security/put_user.rb,
lib/elasticsearch/api/actions/security/get_token.rb,
lib/elasticsearch/api/actions/security/query_role.rb,
lib/elasticsearch/api/actions/security/query_user.rb,
lib/elasticsearch/api/actions/security/delete_role.rb,
lib/elasticsearch/api/actions/security/delete_user.rb,
lib/elasticsearch/api/actions/security/enable_user.rb,
lib/elasticsearch/api/actions/security/enroll_node.rb,
lib/elasticsearch/api/actions/security/get_api_key.rb,
lib/elasticsearch/api/actions/security/oidc_logout.rb,
lib/elasticsearch/api/actions/security/saml_logout.rb,
lib/elasticsearch/api/actions/security/authenticate.rb,
lib/elasticsearch/api/actions/security/delegate_pki.rb,
lib/elasticsearch/api/actions/security/disable_user.rb,
lib/elasticsearch/api/actions/security/get_settings.rb,
lib/elasticsearch/api/actions/security/bulk_put_role.rb,
lib/elasticsearch/api/actions/security/enroll_kibana.rb,
lib/elasticsearch/api/actions/security/grant_api_key.rb,
lib/elasticsearch/api/actions/security/create_api_key.rb,
lib/elasticsearch/api/actions/security/get_privileges.rb,
lib/elasticsearch/api/actions/security/has_privileges.rb,
lib/elasticsearch/api/actions/security/put_privileges.rb,
lib/elasticsearch/api/actions/security/query_api_keys.rb,
lib/elasticsearch/api/actions/security/update_api_key.rb,
lib/elasticsearch/api/actions/security/change_password.rb,
lib/elasticsearch/api/actions/security/saml_invalidate.rb,
lib/elasticsearch/api/actions/security/update_settings.rb,
lib/elasticsearch/api/actions/security/bulk_delete_role.rb,
lib/elasticsearch/api/actions/security/get_role_mapping.rb,
lib/elasticsearch/api/actions/security/get_user_profile.rb,
lib/elasticsearch/api/actions/security/invalidate_token.rb,
lib/elasticsearch/api/actions/security/put_role_mapping.rb,
lib/elasticsearch/api/actions/security/delete_privileges.rb,
lib/elasticsearch/api/actions/security/oidc_authenticate.rb,
lib/elasticsearch/api/actions/security/saml_authenticate.rb,
lib/elasticsearch/api/actions/security/clear_cached_roles.rb,
lib/elasticsearch/api/actions/security/invalidate_api_key.rb,
lib/elasticsearch/api/actions/security/clear_api_key_cache.rb,
lib/elasticsearch/api/actions/security/clear_cached_realms.rb,
lib/elasticsearch/api/actions/security/delete_role_mapping.rb,
lib/elasticsearch/api/actions/security/enable_user_profile.rb,
lib/elasticsearch/api/actions/security/get_user_privileges.rb,
lib/elasticsearch/api/actions/security/bulk_update_api_keys.rb,
lib/elasticsearch/api/actions/security/create_service_token.rb,
lib/elasticsearch/api/actions/security/delete_service_token.rb,
lib/elasticsearch/api/actions/security/disable_user_profile.rb,
lib/elasticsearch/api/actions/security/get_service_accounts.rb,
lib/elasticsearch/api/actions/security/saml_complete_logout.rb,
lib/elasticsearch/api/actions/security/activate_user_profile.rb,
lib/elasticsearch/api/actions/security/suggest_user_profiles.rb,
lib/elasticsearch/api/actions/security/get_builtin_privileges.rb,
lib/elasticsearch/api/actions/security/clear_cached_privileges.rb,
lib/elasticsearch/api/actions/security/get_service_credentials.rb,
lib/elasticsearch/api/actions/security/update_user_profile_data.rb,
lib/elasticsearch/api/actions/security/clear_cached_service_tokens.rb,
lib/elasticsearch/api/actions/security/has_privileges_user_profile.rb,
lib/elasticsearch/api/actions/security/oidc_prepare_authentication.rb,
lib/elasticsearch/api/actions/security/saml_prepare_authentication.rb,
lib/elasticsearch/api/actions/security/create_cross_cluster_api_key.rb,
lib/elasticsearch/api/actions/security/update_cross_cluster_api_key.rb,
lib/elasticsearch/api/actions/security/saml_service_provider_metadata.rb

Instance Method Summary collapse

Instance Method Details

#activate_user_profile(arguments = {}) ⇒ Object

Activate a user profile. Create or update a user profile on behalf of another user. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. The calling application must have either an access_token or a combination of username and password for the user that the profile document is intended for. Elastic reserves the right to change or remove this feature in future releases without prior notice. This API creates or updates a profile document for end users with information that is extracted from the user’s authentication object including username, full_name, roles, and the authentication realm. For example, in the JWT access_token case, the profile user’s username is extracted from the JWT token claim pointed to by the claims.principal setting of the JWT realm that authenticated the token. When updating a profile document, the API enables the document if it was disabled. Any updates do not change existing content for either the labels or data fields.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/activate_user_profile.rb', line 41

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.activate_user_profile' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/profile/_activate'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#authenticate(arguments = {}) ⇒ Object

Authenticate a user. Authenticates a user and returns information about the authenticated user. Include the user information in a basic auth header. A successful call returns a JSON structure that shows user information such as their username, the roles that are assigned to the user, any assigned metadata, and information about the realms that authenticated and authorized the user. If the user cannot be authenticated, this API returns a 401 status code.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# File 'lib/elasticsearch/api/actions/security/authenticate.rb', line 35

def authenticate(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.authenticate' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/_authenticate'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#bulk_delete_role(arguments = {}) ⇒ Object

Bulk delete roles. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The bulk delete roles API cannot delete roles that are defined in roles files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# File 'lib/elasticsearch/api/actions/security/bulk_delete_role.rb', line 35

def bulk_delete_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.bulk_delete_role' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_DELETE
  path   = '_security/role'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#bulk_put_role(arguments = {}) ⇒ Object

Bulk create or update roles. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The bulk create or update roles API cannot update roles that are defined in roles files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# File 'lib/elasticsearch/api/actions/security/bulk_put_role.rb', line 35

def bulk_put_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.bulk_put_role' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/role'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#bulk_update_api_keys(arguments = {}) ⇒ Object

Bulk update API keys. Update the attributes for multiple API keys. IMPORTANT: It is not possible to use an API key as the authentication credential for this API. To update API keys, the owner user’s credentials are required. This API is similar to the update API key API but enables you to apply the same update to multiple API keys in one API call. This operation can greatly improve performance over making individual updates. It is not possible to update expired or invalidated API keys. This API supports updates to API key access scope, metadata and expiration. The access scope of each API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user’s permissions at the time of the request. The snapshot of the owner’s permissions is updated automatically on every call. IMPORTANT: If you don’t specify role_descriptors in the request, a call to this API might still change an API key’s access scope. This change can occur if the owner user’s permissions have changed since the API key was created or last modified. A successful request returns a JSON structure that contains the IDs of all updated API keys, the IDs of API keys that already had the requested changes and did not require an update, and error details for any failed update.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/bulk_update_api_keys.rb', line 41

def bulk_update_api_keys(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.bulk_update_api_keys' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/api_key/_bulk_update'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#change_password(arguments = {}) ⇒ Object

Change passwords. Change the passwords of users in the native realm and built-in users.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (String)

    The user whose password you want to change. If you do not specify this parameter, the password is changed for the current user.

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/elasticsearch/api/actions/security/change_password.rb', line 36

def change_password(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.change_password' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_PUT
  path   = if _username
             "_security/user/#{Utils.listify(_username)}/_password"
           else
             '_security/user/_password'
           end
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#clear_api_key_cache(arguments = {}) ⇒ Object

Clear the API key cache. Evict a subset of all entries from the API key cache. The cache is also automatically cleared on state changes of the security index.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :ids (String, Array)

    Comma-separated list of API key IDs to evict from the API key cache. To evict all API keys, use *. Does not support other wildcard patterns. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# File 'lib/elasticsearch/api/actions/security/clear_api_key_cache.rb', line 36

def clear_api_key_cache(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.clear_api_key_cache' }

  defined_params = [:ids].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'ids' missing" unless arguments[:ids]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _ids = arguments.delete(:ids)

  method = Elasticsearch::API::HTTP_POST
  path   = "_security/api_key/#{Utils.listify(_ids)}/_clear_cache"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#clear_cached_privileges(arguments = {}) ⇒ Object

Clear the privileges cache. Evict privileges from the native application privilege cache. The cache is also automatically cleared for applications that have their privileges updated.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :application (String)

    A comma-separated list of applications. To clear all applications, use an asterism (+*+). It does not support other wildcard patterns. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# File 'lib/elasticsearch/api/actions/security/clear_cached_privileges.rb', line 36

def clear_cached_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.clear_cached_privileges' }

  defined_params = [:application].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'application' missing" unless arguments[:application]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _application = arguments.delete(:application)

  method = Elasticsearch::API::HTTP_POST
  path   = "_security/privilege/#{Utils.listify(_application)}/_clear_cache"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#clear_cached_realms(arguments = {}) ⇒ Object

Clear the user cache. Evict users from the user cache. You can completely clear the cache or evict specific users. User credentials are cached in memory on each node to avoid connecting to a remote authentication service or hitting the disk for every incoming request. There are realm settings that you can use to configure the user cache. For more information, refer to the documentation about controlling the user cache.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :realms (String, Array<String>)

    A comma-separated list of realms. To clear all realms, use an asterisk (+*+). It does not support other wildcard patterns. (Required)

  • :usernames (Array<String>)

    A comma-separated list of the users to clear from the cache. If you do not specify this parameter, the API evicts all users from the user cache.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/elasticsearch/api/actions/security/clear_cached_realms.rb', line 41

def clear_cached_realms(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.clear_cached_realms' }

  defined_params = [:realms].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'realms' missing" unless arguments[:realms]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _realms = arguments.delete(:realms)

  method = Elasticsearch::API::HTTP_POST
  path   = "_security/realm/#{Utils.listify(_realms)}/_clear_cache"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#clear_cached_roles(arguments = {}) ⇒ Object

Clear the roles cache. Evict roles from the native role cache.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String, Array<String>)

    A comma-separated list of roles to evict from the role cache. To evict all roles, use an asterisk (+*+). It does not support other wildcard patterns. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/elasticsearch/api/actions/security/clear_cached_roles.rb', line 35

def clear_cached_roles(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.clear_cached_roles' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_POST
  path   = "_security/role/#{Utils.listify(_name)}/_clear_cache"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#clear_cached_service_tokens(arguments = {}) ⇒ Object

Clear service account token caches. Evict a subset of all entries from the service account token caches. Two separate caches exist for service account tokens: one cache for tokens backed by the service_tokens file, and another for tokens backed by the .security index. This API clears matching entries from both caches. The cache for service account tokens backed by the .security index is cleared automatically on state changes of the security index. The cache for tokens backed by the service_tokens file is cleared automatically on file changes.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :namespace (String)

    The namespace, which is a top-level grouping of service accounts. (Required)

  • :service (String)

    The name of the service, which must be unique within its namespace. (Required)

  • :name (String, Array<String>)

    A comma-separated list of token names to evict from the service account token caches. Use a wildcard (+*+) to evict all tokens that belong to a service account. It does not support other wildcard patterns. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/elasticsearch/api/actions/security/clear_cached_service_tokens.rb', line 41

def clear_cached_service_tokens(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.clear_cached_service_tokens' }

  defined_params = [:namespace, :service, :name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'namespace' missing" unless arguments[:namespace]
  raise ArgumentError, "Required argument 'service' missing" unless arguments[:service]
  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _namespace = arguments.delete(:namespace)

  _service = arguments.delete(:service)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_POST
  path   = "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}/credential/token/#{Utils.listify(_name)}/_clear_cache"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#create_api_key(arguments = {}) ⇒ Object

Create an API key. Create an API key for access without requiring basic authentication. IMPORTANT: If the credential that is used to authenticate this request is an API key, the derived API key cannot have any privileges. If you specify privileges, the API returns an error. A successful request returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds. NOTE: By default, API keys never expire. You can specify expiration information when you create the API keys. The API keys are created by the Elasticsearch API key service, which is automatically enabled. To configure or turn off the API key service, refer to API key service setting documentation.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/create_api_key.rb', line 41

def create_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.create_api_key' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_PUT
  path   = '_security/api_key'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#create_cross_cluster_api_key(arguments = {}) ⇒ Object

Create a cross-cluster API key. Create an API key of the cross_cluster type for the API key based remote cluster access. A cross_cluster API key cannot be used to authenticate through the REST interface. IMPORTANT: To authenticate this request you must use a credential that is not an API key. Even if you use an API key that has the required privilege, the API returns an error. Cross-cluster API keys are created by the Elasticsearch API key service, which is automatically enabled. NOTE: Unlike REST API keys, a cross-cluster API key does not capture permissions of the authenticated user. The API key’s effective permission is exactly as specified with the access property. A successful request returns a JSON structure that contains the API key, its unique ID, and its name. If applicable, it also returns expiration information for the API key in milliseconds. By default, API keys never expire. You can specify expiration information when you create the API keys. Cross-cluster API keys can only be updated with the update cross-cluster API key API. Attempting to update them with the update REST API key API or the bulk update REST API keys API will result in an error.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/create_cross_cluster_api_key.rb', line 41

def create_cross_cluster_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.create_cross_cluster_api_key' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/cross_cluster/api_key'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#create_service_token(arguments = {}) ⇒ Object

Create a service account token. Create a service accounts token for access without requiring basic authentication. NOTE: Service account tokens never expire. You must actively delete them if they are no longer needed.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :namespace (String)

    The name of the namespace, which is a top-level grouping of service accounts. (Required)

  • :service (String)

    The name of the service. (Required)

  • :name (String)

    The name for the service account token. If omitted, a random name will be generated.Token names must be at least one and no more than 256 characters. They can contain alphanumeric characters (a-z, A-Z, 0-9), dashes (-), and underscores (_), but cannot begin with an underscore.NOTE: Token names must be unique in the context of the associated service account. They must also be globally unique with their fully qualified names, which are comprised of the service account principal and token name, such as <namespace>/<service>/<token-name>.

  • :refresh (String)

    If true then refresh the affected shards to make this operation visible to search, if wait_for (the default) then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/elasticsearch/api/actions/security/create_service_token.rb', line 41

def create_service_token(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.create_service_token' }

  defined_params = [:namespace, :service, :name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'namespace' missing" unless arguments[:namespace]
  raise ArgumentError, "Required argument 'service' missing" unless arguments[:service]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _namespace = arguments.delete(:namespace)

  _service = arguments.delete(:service)

  _name = arguments.delete(:name)

  method = _name ? Elasticsearch::API::HTTP_PUT : Elasticsearch::API::HTTP_POST
  path   = if _namespace && _service && _name
             "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}/credential/token/#{Utils.listify(_name)}"
           else
             "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}/credential/token"
           end
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delegate_pki(arguments = {}) ⇒ Object

Delegate PKI authentication. This API implements the exchange of an X509Certificate chain for an Elasticsearch access token. The certificate chain is validated, according to RFC 5280, by sequentially considering the trust configuration of every installed PKI realm that has delegation.enabled set to true. A successfully trusted client certificate is also subject to the validation of the subject distinguished name according to thw username_pattern of the respective realm. This API is called by smart and trusted proxies, such as Kibana, which terminate the user’s TLS session but still want to authenticate the user by using a PKI realm—-​as if the user connected directly to Elasticsearch. IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not validated. This is part of the TLS authentication process and it is delegated to the proxy that calls this API. The proxy is trusted to have performed the TLS authentication and this API translates that authentication into an Elasticsearch access token.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# File 'lib/elasticsearch/api/actions/security/delegate_pki.rb', line 39

def delegate_pki(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delegate_pki' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/delegate_pki'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delete_privileges(arguments = {}) ⇒ Object

Delete application privileges. To use this API, you must have one of the following privileges:

  • The manage_security cluster privilege (or a greater privilege such as all).

  • The “Manage Application Privileges” global privilege for the application being referenced in the request.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :application (String)

    The name of the application. Application privileges are always associated with exactly one application. (Required)

  • :name (String, Array<String>)

    The name of the privilege. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/elasticsearch/api/actions/security/delete_privileges.rb', line 38

def delete_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delete_privileges' }

  defined_params = [:application, :name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'application' missing" unless arguments[:application]
  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _application = arguments.delete(:application)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_DELETE
  path   = "_security/privilege/#{Utils.listify(_application)}/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delete_role(arguments = {}) ⇒ Object

Delete roles. Delete roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The delete roles API cannot remove roles that are defined in roles files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String)

    The name of the role. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# File 'lib/elasticsearch/api/actions/security/delete_role.rb', line 36

def delete_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delete_role' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_DELETE
  path   = "_security/role/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delete_role_mapping(arguments = {}) ⇒ Object

Delete role mappings. Role mappings define which roles are assigned to each user. The role mapping APIs are generally the preferred way to manage role mappings rather than using role mapping files. The delete role mappings API cannot remove role mappings that are defined in role mapping files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String)

    The distinct name that identifies the role mapping. The name is used solely as an identifier to facilitate interaction via the API; it does not affect the behavior of the mapping in any way. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# File 'lib/elasticsearch/api/actions/security/delete_role_mapping.rb', line 37

def delete_role_mapping(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delete_role_mapping' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_DELETE
  path   = "_security/role_mapping/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delete_service_token(arguments = {}) ⇒ Object

Delete service account tokens. Delete service account tokens for a service in a specified namespace.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :namespace (String)

    The namespace, which is a top-level grouping of service accounts. (Required)

  • :service (String)

    The service name. (Required)

  • :name (String)

    The name of the service account token. (Required)

  • :refresh (String)

    If true then refresh the affected shards to make this operation visible to search, if wait_for (the default) then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/elasticsearch/api/actions/security/delete_service_token.rb', line 36

def delete_service_token(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delete_service_token' }

  defined_params = [:namespace, :service, :name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'namespace' missing" unless arguments[:namespace]
  raise ArgumentError, "Required argument 'service' missing" unless arguments[:service]
  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _namespace = arguments.delete(:namespace)

  _service = arguments.delete(:service)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_DELETE
  path   = "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}/credential/token/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#delete_user(arguments = {}) ⇒ Object

Delete users. Delete users from the native realm.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (String)

    An identifier for the user. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/delete_user.rb', line 34

def delete_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.delete_user' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'username' missing" unless arguments[:username]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_DELETE
  path   = "_security/user/#{Utils.listify(_username)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#disable_user(arguments = {}) ⇒ Object

Disable users. Disable users in the native realm. By default, when you create users, they are enabled. You can use this API to revoke a user’s access to Elasticsearch.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (String)

    An identifier for the user. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# File 'lib/elasticsearch/api/actions/security/disable_user.rb', line 36

def disable_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.disable_user' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'username' missing" unless arguments[:username]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/user/#{Utils.listify(_username)}/_disable"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#disable_user_profile(arguments = {}) ⇒ Object

Disable a user profile. Disable user profiles so that they are not visible in user profile searches. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice. When you activate a user profile, its automatically enabled and visible in user profile searches. You can use the disable user profile API to disable a user profile so it’s not visible in these searches. To re-enable a disabled user profile, use the enable user profile API .

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :uid (String)

    Unique identifier for the user profile. (Required)

  • :refresh (String)

    If ‘true’, Elasticsearch refreshes the affected shards to make this operation visible to search. If ‘wait_for’, it waits for a refresh to make this operation visible to search. If ‘false’, it does nothing with refreshes. Server default: false.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/elasticsearch/api/actions/security/disable_user_profile.rb', line 41

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.disable_user_profile' }

  defined_params = [:uid].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'uid' missing" unless arguments[:uid]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _uid = arguments.delete(:uid)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/profile/#{Utils.listify(_uid)}/_disable"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#enable_user(arguments = {}) ⇒ Object

Enable users. Enable users in the native realm. By default, when you create users, they are enabled.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (String)

    An identifier for the user. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/elasticsearch/api/actions/security/enable_user.rb', line 35

def enable_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.enable_user' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'username' missing" unless arguments[:username]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/user/#{Utils.listify(_username)}/_enable"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#enable_user_profile(arguments = {}) ⇒ Object

Enable a user profile. Enable user profiles to make them visible in user profile searches. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice. When you activate a user profile, it’s automatically enabled and visible in user profile searches. If you later disable the user profile, you can use the enable user profile API to make the profile visible in these searches again.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :uid (String)

    A unique identifier for the user profile. (Required)

  • :refresh (String)

    If ‘true’, Elasticsearch refreshes the affected shards to make this operation visible to search. If ‘wait_for’, it waits for a refresh to make this operation visible to search. If ‘false’, nothing is done with refreshes. Server default: false.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/elasticsearch/api/actions/security/enable_user_profile.rb', line 42

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.enable_user_profile' }

  defined_params = [:uid].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'uid' missing" unless arguments[:uid]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _uid = arguments.delete(:uid)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/profile/#{Utils.listify(_uid)}/_enable"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#enroll_kibana(arguments = {}) ⇒ Object

Enroll Kibana. Enable a Kibana instance to configure itself for communication with a secured Elasticsearch cluster. NOTE: This API is currently intended for internal use only by Kibana. Kibana uses this API internally to configure itself for communications with an Elasticsearch cluster that already has security features enabled.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

See Also:



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# File 'lib/elasticsearch/api/actions/security/enroll_kibana.rb', line 34

def enroll_kibana(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.enroll_kibana' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/enroll/kibana'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#enroll_node(arguments = {}) ⇒ Object

Enroll a node. Enroll a new node to allow it to join an existing cluster with security features enabled. The response contains all the necessary information for the joining node to bootstrap discovery and security related settings so that it can successfully join the cluster. The response contains key and certificate material that allows the caller to generate valid signed certificates for the HTTP layer of all nodes in the cluster.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

See Also:



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# File 'lib/elasticsearch/api/actions/security/enroll_node.rb', line 34

def enroll_node(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.enroll_node' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/enroll/node'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_api_key(arguments = {}) ⇒ Object

Get API key information. Retrieves information for one or more API keys. NOTE: If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have read_security, manage_api_key or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :id (String)

    An API key id. This parameter cannot be used with any of name, realm_name or username.

  • :name (String)

    An API key name. This parameter cannot be used with any of id, realm_name or username. It supports prefix search with wildcard.

  • :owner (Boolean)

    A boolean flag that can be used to query API keys owned by the currently authenticated user. The realm_name or username parameters cannot be specified when this parameter is set to true as they are assumed to be the currently authenticated ones.

  • :realm_name (String)

    The name of an authentication realm. This parameter cannot be used with either id or name or when owner flag is set to true.

  • :username (String)

    The username of a user. This parameter cannot be used with either id or name or when owner flag is set to true.

  • :with_limited_by (Boolean)

    Return the snapshot of the owner user’s role descriptors associated with the API key. An API key’s actual permission is the intersection of its assigned role descriptors and the owner user’s role descriptors.

  • :active_only (Boolean)

    A boolean flag that can be used to query API keys that are currently active. An API key is considered active if it is neither invalidated, nor expired at query time. You can specify this together with other parameters such as owner or name. If active_only is false, the response will include both active and inactive (expired or invalidated) keys.

  • :with_profile_uid (Boolean)

    Determines whether to also retrieve the profile uid, for the API key owner principal, if it exists.

  • :headers (Hash)

    Custom HTTP headers

See Also:



51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# File 'lib/elasticsearch/api/actions/security/get_api_key.rb', line 51

def get_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_api_key' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/api_key'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_builtin_privileges(arguments = {}) ⇒ Object

Get builtin privileges. Get the list of cluster privileges and index privileges that are available in this version of Elasticsearch.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

See Also:



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# File 'lib/elasticsearch/api/actions/security/get_builtin_privileges.rb', line 32

def get_builtin_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_builtin_privileges' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/privilege/_builtin'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_privileges(arguments = {}) ⇒ Object

Get application privileges. To use this API, you must have one of the following privileges:

  • The read_security cluster privilege (or a greater privilege such as manage_security or all).

  • The “Manage Application Privileges” global privilege for the application being referenced in the request.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :application (String)

    The name of the application. Application privileges are always associated with exactly one application. If you do not specify this parameter, the API returns information about all privileges for all applications.

  • :name (String, Array<String>)

    The name of the privilege. If you do not specify this parameter, the API returns information about all privileges for the requested application.

  • :headers (Hash)

    Custom HTTP headers

See Also:



39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
# File 'lib/elasticsearch/api/actions/security/get_privileges.rb', line 39

def get_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_privileges' }

  defined_params = [:application, :name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _application = arguments.delete(:application)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_GET
  path   = if _application && _name
             "_security/privilege/#{Utils.listify(_application)}/#{Utils.listify(_name)}"
           elsif _application
             "_security/privilege/#{Utils.listify(_application)}"
           else
             '_security/privilege'
           end
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_role(arguments = {}) ⇒ Object

Get roles. Get roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The get roles API cannot retrieve roles that are defined in roles files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String, Array<String>)

    The name of the role. You can specify multiple roles as a comma-separated list. If you do not specify this parameter, the API returns information about all roles.

  • :headers (Hash)

    Custom HTTP headers

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/elasticsearch/api/actions/security/get_role.rb', line 37

def get_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_role' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_GET
  path   = if _name
             "_security/role/#{Utils.listify(_name)}"
           else
             '_security/role'
           end
  params = Utils.process_params(arguments)

  if Array(arguments[:ignore]).include?(404)
    Utils.rescue_from_not_found do
      Elasticsearch::API::Response.new(
        perform_request(method, path, params, body, headers, request_opts)
      )
    end
  else
    Elasticsearch::API::Response.new(
      perform_request(method, path, params, body, headers, request_opts)
    )
  end
end

#get_role_mapping(arguments = {}) ⇒ Object

Get role mappings. Role mappings define which roles are assigned to each user. The role mapping APIs are generally the preferred way to manage role mappings rather than using role mapping files. The get role mappings API cannot retrieve role mappings that are defined in role mapping files.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String, Array<String>)

    The distinct name that identifies the role mapping. The name is used solely as an identifier to facilitate interaction via the API; it does not affect the behavior of the mapping in any way. You can specify multiple mapping names as a comma-separated list. If you do not specify this parameter, the API returns information about all role mappings.

  • :headers (Hash)

    Custom HTTP headers

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# File 'lib/elasticsearch/api/actions/security/get_role_mapping.rb', line 35

def get_role_mapping(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_role_mapping' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_GET
  path   = if _name
             "_security/role_mapping/#{Utils.listify(_name)}"
           else
             '_security/role_mapping'
           end
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_service_accounts(arguments = {}) ⇒ Object

Get service accounts. Get a list of service accounts that match the provided path parameters. NOTE: Currently, only the elastic/fleet-server service account is available.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :namespace (String)

    The name of the namespace. Omit this parameter to retrieve information about all service accounts. If you omit this parameter, you must also omit the service parameter.

  • :service (String)

    The service name. Omit this parameter to retrieve information about all service accounts that belong to the specified namespace.

  • :headers (Hash)

    Custom HTTP headers

See Also:



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/elasticsearch/api/actions/security/get_service_accounts.rb', line 38

def get_service_accounts(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_service_accounts' }

  defined_params = [:namespace, :service].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _namespace = arguments.delete(:namespace)

  _service = arguments.delete(:service)

  method = Elasticsearch::API::HTTP_GET
  path   = if _namespace && _service
             "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}"
           elsif _namespace
             "_security/service/#{Utils.listify(_namespace)}"
           else
             '_security/service'
           end
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_service_credentials(arguments = {}) ⇒ Object

Get service account credentials. To use this API, you must have at least the read_security cluster privilege (or a greater privilege such as manage_service_account or manage_security). The response includes service account tokens that were created with the create service account tokens API as well as file-backed tokens from all nodes of the cluster. NOTE: For tokens backed by the service_tokens file, the API collects them from all nodes of the cluster. Tokens with the same name from different nodes are assumed to be the same token and are only counted once towards the total number of service tokens.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :namespace (String)

    The name of the namespace. (Required)

  • :service (String)

    The service name. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/elasticsearch/api/actions/security/get_service_credentials.rb', line 37

def get_service_credentials(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_service_credentials' }

  defined_params = [:namespace, :service].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'namespace' missing" unless arguments[:namespace]
  raise ArgumentError, "Required argument 'service' missing" unless arguments[:service]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _namespace = arguments.delete(:namespace)

  _service = arguments.delete(:service)

  method = Elasticsearch::API::HTTP_GET
  path   = "_security/service/#{Utils.listify(_namespace)}/#{Utils.listify(_service)}/credential"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_settings(arguments = {}) ⇒ Object

Get security index settings. Get the user-configurable settings for the security internal index (.security and associated indices). Only a subset of the index settings — those that are user-configurable—will be shown. This includes:

  • index.auto_expand_replicas

  • index.number_of_replicas

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :master_timeout (Time)

    Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

  • :headers (Hash)

    Custom HTTP headers

See Also:



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/elasticsearch/api/actions/security/get_settings.rb', line 38

def get_settings(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_settings' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/settings'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_token(arguments = {}) ⇒ Object

Get a token. Create a bearer token for access without requiring basic authentication. The tokens are created by the Elasticsearch Token Service, which is automatically enabled when you configure TLS on the HTTP interface. Alternatively, you can explicitly enable the xpack.security.authc.token.enabled setting. When you are running in production mode, a bootstrap check prevents you from enabling the token service unless you also enable TLS on the HTTP interface. The get token API takes the same parameters as a typical OAuth 2.0 token API except for the use of a JSON request body. A successful get token API call returns a JSON structure that contains the access token, the amount of time (seconds) that the token expires in, the type, and the scope if available. The tokens returned by the get token API have a finite period of time for which they are valid and after that time period, they can no longer be used. That time period is defined by the xpack.security.authc.token.timeout setting. If you want to invalidate a token immediately, you can do so by using the invalidate token API.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/get_token.rb', line 41

def get_token(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_token' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/oauth2/token'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_user(arguments = {}) ⇒ Object

Get users. Get information about users in the native realm and built-in users.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (Username)

    An identifier for the user. You can specify multiple usernames as a comma-separated list. If you omit this parameter, the API retrieves information about all users.

  • :with_profile_uid (Boolean)

    Determines whether to retrieve the user profile UID, if it exists, for the users.

  • :headers (Hash)

    Custom HTTP headers

See Also:



34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/elasticsearch/api/actions/security/get_user.rb', line 34

def get_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_user' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_GET
  path   = if _username
             "_security/user/#{Utils.listify(_username)}"
           else
             '_security/user'
           end
  params = Utils.process_params(arguments)

  if Array(arguments[:ignore]).include?(404)
    Utils.rescue_from_not_found do
      Elasticsearch::API::Response.new(
        perform_request(method, path, params, body, headers, request_opts)
      )
    end
  else
    Elasticsearch::API::Response.new(
      perform_request(method, path, params, body, headers, request_opts)
    )
  end
end

#get_user_privileges(arguments = {}) ⇒ Object

Get user privileges. Get the security privileges for the logged in user. All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature. To check whether a user has a specific list of privileges, use the has privileges API.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :application (String)

    The name of the application. Application privileges are always associated with exactly one application. If you do not specify this parameter, the API returns information about all privileges for all applications.

  • :priviledge (String)

    The name of the privilege. If you do not specify this parameter, the API returns information about all privileges for the requested application.

  • :username (Name, Null)
    TODO
  • :headers (Hash)

    Custom HTTP headers

See Also:



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/elasticsearch/api/actions/security/get_user_privileges.rb', line 38

def get_user_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_user_privileges' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_security/user/_privileges'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#get_user_profile(arguments = {}) ⇒ Object

Get a user profile. Get a user’s profile using the unique profile ID. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :uid (Userprofileid)

    A unique identifier for the user profile. (Required)

  • :data (String)

    A comma-separated list of filters for the data field of the profile document. To return all content use data=*. To return a subset of content use data=<key> to retrieve content nested under the specified <key>. By default returns no data content.

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/elasticsearch/api/actions/security/get_user_profile.rb', line 40

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.get_user_profile' }

  defined_params = [:uid].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'uid' missing" unless arguments[:uid]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _uid = arguments.delete(:uid)

  method = Elasticsearch::API::HTTP_GET
  path   = "_security/profile/#{Utils.listify(_uid)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#grant_api_key(arguments = {}) ⇒ Object

Grant an API key. Create an API key on behalf of another user. This API is similar to the create API keys API, however it creates the API key for a user that is different than the user that runs the API. The caller must have authentication credentials for the user on whose behalf the API key will be created. It is not possible to use this API to create an API key without that user’s credentials. The supported user authentication credential types are:

  • username and password

  • Elasticsearch access tokens

  • JWTs

The user, for whom the authentication credentials is provided, can optionally “run as” (impersonate) another user. In this case, the API key will be created on behalf of the impersonated user. This API is intended be used by applications that need to create and manage API keys for end users, but cannot guarantee that those users have permission to create API keys on their own behalf. The API keys are created by the Elasticsearch API key service, which is automatically enabled. A successful grant API key API call returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds. By default, API keys never expire. You can specify expiration information when you create the API keys.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/elasticsearch/api/actions/security/grant_api_key.rb', line 47

def grant_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.grant_api_key' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/api_key/grant'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#has_privileges(arguments = {}) ⇒ Object

Check user privileges. Determine whether the specified user has a specified list of privileges. All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :user (String)

    Username

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# File 'lib/elasticsearch/api/actions/security/has_privileges.rb', line 36

def has_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.has_privileges' }

  defined_params = [:user].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _user = arguments.delete(:user)

  method = Elasticsearch::API::HTTP_POST
  path   = if _user
             "_security/user/#{Utils.listify(_user)}/_has_privileges"
           else
             '_security/user/_has_privileges'
           end
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#has_privileges_user_profile(arguments = {}) ⇒ Object

Check user profile privileges. Determine whether the users associated with the specified user profile IDs have all the requested privileges. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# File 'lib/elasticsearch/api/actions/security/has_privileges_user_profile.rb', line 35

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.has_privileges_user_profile' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/profile/_has_privileges'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#invalidate_api_key(arguments = {}) ⇒ Object

Invalidate API keys. This API invalidates API keys created by the create API key or grant API key APIs. Invalidated API keys fail authentication, but they can still be viewed using the get API key information and query API key information APIs, for at least the configured retention period, until they are automatically deleted. To use this API, you must have at least the manage_security, manage_api_key, or manage_own_api_key cluster privileges. The manage_security privilege allows deleting any API key, including both REST and cross cluster API keys. The manage_api_key privilege allows deleting any REST API key, but not cross cluster API keys. The manage_own_api_key only allows deleting REST API keys that are owned by the user. In addition, with the manage_own_api_key privilege, an invalidation request must be issued in one of the three formats:

  • Set the parameter owner=true.

  • Or, set both username and realm_name to match the user’s identity.

  • Or, if the request is issued by an API key, that is to say an API key invalidates itself, specify its ID in the ids field.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/elasticsearch/api/actions/security/invalidate_api_key.rb', line 42

def invalidate_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.invalidate_api_key' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_DELETE
  path   = '_security/api_key'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#invalidate_token(arguments = {}) ⇒ Object

Invalidate a token. The access tokens returned by the get token API have a finite period of time for which they are valid. After that time period, they can no longer be used. The time period is defined by the xpack.security.authc.token.timeout setting. The refresh tokens returned by the get token API are only valid for 24 hours. They can also be used exactly once. If you want to invalidate one or more access or refresh tokens immediately, use this invalidate token API. NOTE: While all parameters are optional, at least one of them is required. More specifically, either one of token or refresh_token parameters is required. If none of these two are specified, then realm_name and/or username need to be specified.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/invalidate_token.rb', line 41

def invalidate_token(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.invalidate_token' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_DELETE
  path   = '_security/oauth2/token'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#oidc_authenticate(arguments = {}) ⇒ Object

Authenticate OpenID Connect. Exchange an OpenID Connect authentication response message for an Elasticsearch internal access token and refresh token that can be subsequently used for authentication. Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
# File 'lib/elasticsearch/api/actions/security/oidc_authenticate.rb', line 35

def oidc_authenticate(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.oidc_authenticate' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/oidc/authenticate'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#oidc_logout(arguments = {}) ⇒ Object

Logout of OpenID Connect. Invalidate an access token and a refresh token that were generated as a response to the /_security/oidc/authenticate API. If the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout. Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/elasticsearch/api/actions/security/oidc_logout.rb', line 36

def oidc_logout(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.oidc_logout' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/oidc/logout'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#oidc_prepare_authentication(arguments = {}) ⇒ Object

Prepare OpenID connect authentication. Create an oAuth 2.0 authentication request as a URL string based on the configuration of the OpenID Connect authentication realm in Elasticsearch. The response of this API is a URL pointing to the Authorization Endpoint of the configured OpenID Connect Provider, which can be used to redirect the browser of the user in order to continue the authentication process. Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
# File 'lib/elasticsearch/api/actions/security/oidc_prepare_authentication.rb', line 36

def oidc_prepare_authentication(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.oidc_prepare_authentication' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/oidc/prepare'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#put_privileges(arguments = {}) ⇒ Object

Create or update application privileges. To use this API, you must have one of the following privileges:

  • The manage_security cluster privilege (or a greater privilege such as all).

  • The “Manage Application Privileges” global privilege for the application being referenced in the request.

Application names are formed from a prefix, with an optional suffix that conform to the following rules:

  • The prefix must begin with a lowercase ASCII letter.

  • The prefix must contain only ASCII letters or digits.

  • The prefix must be at least 3 characters long.

  • If the suffix exists, it must begin with either a dash - or _.

  • The suffix cannot contain any of the following characters: ++, /, *, ?, , <, >, |, ,, *.

  • No part of the name can contain whitespace.

Privilege names must begin with a lowercase ASCII letter and must contain only ASCII letters and digits along with the characters _, -, and .. Action names can contain any number of printable ASCII characters and must contain at least one of the following characters: /, *, :.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    privileges

Raises:

  • (ArgumentError)

See Also:



45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'lib/elasticsearch/api/actions/security/put_privileges.rb', line 45

def put_privileges(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.put_privileges' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_PUT
  path   = '_security/privilege'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#put_role(arguments = {}) ⇒ Object

Create or update roles. The role management APIs are generally the preferred way to manage roles in the native realm, rather than using file-based role management. The create or update roles API cannot update roles that are defined in roles files. File-based role management is not available in Elastic Serverless.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String)

    The name of the role that is being created or updated. On Elasticsearch Serverless, the role name must begin with a letter or digit and can only contain letters, digits and the characters ‘_’, ‘-’, and ‘.’. Each role must have a unique name, as this will serve as the identifier for that role. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'lib/elasticsearch/api/actions/security/put_role.rb', line 37

def put_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.put_role' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]
  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/role/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#put_role_mapping(arguments = {}) ⇒ Object

Create or update role mappings. Role mappings define which roles are assigned to each user. Each mapping has rules that identify users and a list of roles that are granted to those users. The role mapping APIs are generally the preferred way to manage role mappings rather than using role mapping files. The create or update role mappings API cannot update role mappings that are defined in role mapping files. NOTE: This API does not create roles. Rather, it maps users to existing roles. Roles can be created by using the create or update roles API or roles files. **Role templates** The most common use for role mappings is to create a mapping from a known value on the user to a fixed role name. For example, all users in the cn=admin,dc=example,dc=com LDAP group should be given the superuser role in Elasticsearch. The roles field is used for this purpose. For more complex needs, it is possible to use Mustache templates to dynamically determine the names of the roles that should be granted to the user. The role_templates field is used for this purpose. NOTE: To use role templates successfully, the relevant scripting feature must be enabled. Otherwise, all attempts to create a role mapping with role templates fail. All of the user fields that are available in the role mapping rules are also available in the role templates. Thus it is possible to assign a user to a role that reflects their username, their groups, or the name of the realm to which they authenticated. By default a template is evaluated to produce a single string that is the name of the role which should be assigned to the user. If the format of the template is set to “json” then the template is expected to produce a JSON string or an array of JSON strings for the role names.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :name (String)

    The distinct name that identifies the role mapping. The name is used solely as an identifier to facilitate interaction via the API; it does not affect the behavior of the mapping in any way. (Required)

  • :refresh (String)

    If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# File 'lib/elasticsearch/api/actions/security/put_role_mapping.rb', line 52

def put_role_mapping(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.put_role_mapping' }

  defined_params = [:name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]
  raise ArgumentError, "Required argument 'name' missing" unless arguments[:name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _name = arguments.delete(:name)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/role_mapping/#{Utils.listify(_name)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#put_user(arguments = {}) ⇒ Object

Create or update users. Add and update users in the native realm. A password is required for adding a new user but is optional when updating an existing user. To change a user’s password without updating any other fields, use the change password API.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :username (String)

    An identifier for the user.NOTE: Usernames must be at least 1 and no more than 507 characters. They can contain alphanumeric characters (a-z, A-Z, 0-9), spaces, punctuation, and printable symbols in the Basic Latin (ASCII) block. Leading or trailing whitespace is not allowed. (Required)

  • :refresh (String)

    Valid values are true, false, and wait_for. These values have the same meaning as in the index API, but the default value for this API is true. Server default: true.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# File 'lib/elasticsearch/api/actions/security/put_user.rb', line 40

def put_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.put_user' }

  defined_params = [:username].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]
  raise ArgumentError, "Required argument 'username' missing" unless arguments[:username]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _username = arguments.delete(:username)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/user/#{Utils.listify(_username)}"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#query_api_keys(arguments = {}) ⇒ Object

Find API keys with a query. Get a paginated list of API keys and their information. You can optionally filter the results with a query. To use this API, you must have at least the manage_own_api_key or the read_security cluster privileges. If you have only the manage_own_api_key privilege, this API returns only the API keys that you own. If you have the read_security, manage_api_key, or greater privileges (including manage_security), this API returns all API keys regardless of ownership.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :with_limited_by (Boolean)

    Return the snapshot of the owner user’s role descriptors associated with the API key. An API key’s actual permission is the intersection of its assigned role descriptors and the owner user’s role descriptors (effectively limited by it). An API key cannot retrieve any API key’s limited-by role descriptors (including itself) unless it has manage_api_key or higher privileges.

  • :with_profile_uid (Boolean)

    Determines whether to also retrieve the profile UID for the API key owner principal. If it exists, the profile UID is returned under the profile_uid response field for each API key.

  • :typed_keys (Boolean)

    Determines whether aggregation names are prefixed by their respective types in the response.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

See Also:



43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
# File 'lib/elasticsearch/api/actions/security/query_api_keys.rb', line 43

def query_api_keys(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.query_api_keys' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = if body
             Elasticsearch::API::HTTP_POST
           else
             Elasticsearch::API::HTTP_GET
           end

  path   = '_security/_query/api_key'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#query_role(arguments = {}) ⇒ Object

Find roles with a query. Get roles in a paginated manner. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The query roles API does not retrieve roles that are defined in roles files, nor built-in ones. You can optionally filter the results with a query. Also, the results can be paginated and sorted.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/elasticsearch/api/actions/security/query_role.rb', line 37

def query_role(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.query_role' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = if body
             Elasticsearch::API::HTTP_POST
           else
             Elasticsearch::API::HTTP_GET
           end

  path   = '_security/_query/role'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#query_user(arguments = {}) ⇒ Object

Find users with a query. Get information for users in a paginated manner. You can optionally filter the results with a query. NOTE: As opposed to the get user API, built-in users are excluded from the result. This API is only for native users.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :with_profile_uid (Boolean)

    Determines whether to retrieve the user profile UID, if it exists, for the users.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/elasticsearch/api/actions/security/query_user.rb', line 37

def query_user(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.query_user' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = if body
             Elasticsearch::API::HTTP_POST
           else
             Elasticsearch::API::HTTP_GET
           end

  path   = '_security/_query/user'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_authenticate(arguments = {}) ⇒ Object

Authenticate SAML. Submit a SAML response message to Elasticsearch for consumption. NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack. The SAML message that is submitted can be:

  • A response to a SAML authentication request that was previously created using the SAML prepare authentication API.

  • An unsolicited SAML message in the case of an IdP-initiated single sign-on (SSO) flow.

In either case, the SAML message needs to be a base64 encoded XML document with a root element of <Response>. After successful validation, Elasticsearch responds with an Elasticsearch internal access token and refresh token that can be subsequently used for authentication. This API endpoint essentially exchanges SAML responses that indicate successful authentication in the IdP for Elasticsearch access and refresh tokens, which can be used for authentication against Elasticsearch.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'lib/elasticsearch/api/actions/security/saml_authenticate.rb', line 41

def saml_authenticate(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_authenticate' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/saml/authenticate'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_complete_logout(arguments = {}) ⇒ Object

Logout of SAML completely. Verifies the logout response sent from the SAML IdP. NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack. The SAML IdP may send a logout response back to the SP after handling the SP-initiated SAML Single Logout. This API verifies the response by ensuring the content is relevant and validating its signature. An empty response is returned if the verification process is successful. The response can be sent by the IdP with either the HTTP-Redirect or the HTTP-Post binding. The caller of this API must prepare the request accordingly so that this API can handle either of them.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/elasticsearch/api/actions/security/saml_complete_logout.rb', line 40

def saml_complete_logout(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_complete_logout' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/saml/complete_logout'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_invalidate(arguments = {}) ⇒ Object

Invalidate SAML. Submit a SAML LogoutRequest message to Elasticsearch for consumption. NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack. The logout request comes from the SAML IdP during an IdP initiated Single Logout. The custom web application can use this API to have Elasticsearch process the LogoutRequest. After successful validation of the request, Elasticsearch invalidates the access token and refresh token that corresponds to that specific SAML principal and provides a URL that contains a SAML LogoutResponse message. Thus the user can be redirected back to their IdP.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# File 'lib/elasticsearch/api/actions/security/saml_invalidate.rb', line 39

def saml_invalidate(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_invalidate' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/saml/invalidate'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_logout(arguments = {}) ⇒ Object

Logout of SAML. Submits a request to invalidate an access token and refresh token. NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack. This API invalidates the tokens that were generated for a user by the SAML authenticate API. If the SAML realm in Elasticsearch is configured accordingly and the SAML IdP supports this, the Elasticsearch response contains a URL to redirect the user to the IdP that contains a SAML logout request (starting an SP-initiated SAML Single Logout).

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# File 'lib/elasticsearch/api/actions/security/saml_logout.rb', line 37

def saml_logout(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_logout' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/saml/logout'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_prepare_authentication(arguments = {}) ⇒ Object

Prepare SAML authentication. Create a SAML authentication request (+<AuthnRequest>+) as a URL string based on the configuration of the respective SAML realm in Elasticsearch. NOTE: This API is intended for use by custom web applications other than Kibana. If you are using Kibana, refer to the documentation for configuring SAML single-sign-on on the Elastic Stack. This API returns a URL pointing to the SAML Identity Provider. You can use the URL to redirect the browser of the user in order to continue the authentication process. The URL includes a single parameter named SAMLRequest, which contains a SAML Authentication request that is deflated and Base64 encoded. If the configuration dictates that SAML authentication requests should be signed, the URL has two extra parameters named SigAlg and Signature. These parameters contain the algorithm used for the signature and the signature value itself. It also returns a random string that uniquely identifies this SAML Authentication request. The caller of this API needs to store this identifier as it needs to be used in a following step of the authentication process.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/elasticsearch/api/actions/security/saml_prepare_authentication.rb', line 42

def saml_prepare_authentication(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_prepare_authentication' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_security/saml/prepare'
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#saml_service_provider_metadata(arguments = {}) ⇒ Object

Create SAML service provider metadata. Generate SAML metadata for a SAML 2.0 Service Provider. The SAML 2.0 specification provides a mechanism for Service Providers to describe their capabilities and configuration using a metadata file. This API generates Service Provider metadata based on the configuration of a SAML realm in Elasticsearch.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :realm_name (String)

    The name of the SAML realm in Elasticsearch. (Required)

  • :headers (Hash)

    Custom HTTP headers

Raises:

  • (ArgumentError)

See Also:



35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# File 'lib/elasticsearch/api/actions/security/saml_service_provider_metadata.rb', line 35

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.saml_service_provider_metadata' }

  defined_params = [:realm_name].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'realm_name' missing" unless arguments[:realm_name]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  _realm_name = arguments.delete(:realm_name)

  method = Elasticsearch::API::HTTP_GET
  path   = "_security/saml/metadata/#{Utils.listify(_realm_name)}"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#suggest_user_profiles(arguments = {}) ⇒ Object

Suggest a user profile. Get suggestions for user profiles that match specified search criteria. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :data (String)

    A comma-separated list of filters for the data field of the profile document. To return all content use data=*. To return a subset of content, use data=<key> to retrieve content nested under the specified <key>. By default, the API returns no data content. It is an error to specify data as both the query parameter and the request body field.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

See Also:



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# File 'lib/elasticsearch/api/actions/security/suggest_user_profiles.rb', line 41

def suggest_user_profiles(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.suggest_user_profiles' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = if body
             Elasticsearch::API::HTTP_POST
           else
             Elasticsearch::API::HTTP_GET
           end

  path   = '_security/profile/_suggest'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#update_api_key(arguments = {}) ⇒ Object

Update an API key. Update attributes of an existing API key. This API supports updates to an API key’s access scope, expiration, and metadata. To use this API, you must have at least the manage_own_api_key cluster privilege. Users can only update API keys that they created or that were granted to them. To update another user’s API key, use the run_as feature to submit a request on behalf of another user. IMPORTANT: It’s not possible to use an API key as the authentication credential for this API. The owner user’s credentials are required. Use this API to update API keys created by the create API key or grant API Key APIs. If you need to apply the same update to many API keys, you can use the bulk update API keys API to reduce overhead. It’s not possible to update expired API keys or API keys that have been invalidated by the invalidate API key API. The access scope of an API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user’s permissions at the time of the request. The snapshot of the owner’s permissions is updated automatically on every call. IMPORTANT: If you don’t specify role_descriptors in the request, a call to this API might still change the API key’s access scope. This change can occur if the owner user’s permissions have changed since the API key was created or last modified.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :id (String)

    The ID of the API key to update. (Required)

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# File 'lib/elasticsearch/api/actions/security/update_api_key.rb', line 46

def update_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.update_api_key' }

  defined_params = [:id].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'id' missing" unless arguments[:id]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _id = arguments.delete(:id)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/api_key/#{Utils.listify(_id)}"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#update_cross_cluster_api_key(arguments = {}) ⇒ Object

Update a cross-cluster API key. Update the attributes of an existing cross-cluster API key, which is used for API key based remote cluster access. To use this API, you must have at least the manage_security cluster privilege. Users can only update API keys that they created. To update another user’s API key, use the run_as feature to submit a request on behalf of another user. IMPORTANT: It’s not possible to use an API key as the authentication credential for this API. To update an API key, the owner user’s credentials are required. It’s not possible to update expired API keys, or API keys that have been invalidated by the invalidate API key API. This API supports updates to an API key’s access scope, metadata, and expiration. The owner user’s information, such as the username and realm, is also updated automatically on every call. NOTE: This API cannot update REST API keys, which should be updated by either the update API key or bulk update API keys API.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :id (String)

    The ID of the cross-cluster API key to update. (Required)

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/elasticsearch/api/actions/security/update_cross_cluster_api_key.rb', line 43

def update_cross_cluster_api_key(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.update_cross_cluster_api_key' }

  defined_params = [:id].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]
  raise ArgumentError, "Required argument 'id' missing" unless arguments[:id]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _id = arguments.delete(:id)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/cross_cluster/api_key/#{Utils.listify(_id)}"
  params = {}

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#update_settings(arguments = {}) ⇒ Object

Update security index settings. Update the user-configurable settings for the security internal index (.security and associated indices). Only a subset of settings are allowed to be modified. This includes index.auto_expand_replicas and index.number_of_replicas. NOTE: If index.auto_expand_replicas is set, index.number_of_replicas will be ignored during updates. If a specific index is not in use on the system and settings are provided for it, the request will be rejected. This API does not yet support configuring the settings for indices before they are in use.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :master_timeout (Time)

    The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

  • :timeout (Time)

    The period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/elasticsearch/api/actions/security/update_settings.rb', line 40

def update_settings(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.update_settings' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_PUT
  path   = '_security/settings'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#update_user_profile_data(arguments = {}) ⇒ Object

Update user profile data. Update specific data for the user profile that is associated with a unique ID. NOTE: The user profile feature is designed only for use by Kibana and Elastic’s Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice. To use this API, you must have one of the following privileges:

  • The manage_user_profile cluster privilege.

  • The update_profile_data global privilege for the namespaces that are referenced in the request.

This API updates the labels and data fields of an existing user profile document with JSON objects. New keys and their values are added to the profile document and conflicting keys are replaced by data that’s included in the request. For both labels and data, content is namespaced by the top-level fields. The update_profile_data global privilege grants privileges for updating only the allowed namespaces.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :uid (String)

    A unique identifier for the user profile. (Required)

  • :if_seq_no (Integer)

    Only perform the operation if the document has this sequence number.

  • :if_primary_term (Integer)

    Only perform the operation if the document has this primary term.

  • :refresh (String)

    If ‘true’, Elasticsearch refreshes the affected shards to make this operation visible to search. If ‘wait_for’, it waits for a refresh to make this operation visible to search. If ‘false’, nothing is done with refreshes. Server default: false.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/elasticsearch/api/actions/security/update_user_profile_data.rb', line 50

def (arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'security.update_user_profile_data' }

  defined_params = [:uid].each_with_object({}) do |variable, set_variables|
    set_variables[variable] = arguments[variable] if arguments.key?(variable)
  end
  request_opts[:defined_params] = defined_params unless defined_params.empty?

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]
  raise ArgumentError, "Required argument 'uid' missing" unless arguments[:uid]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  _uid = arguments.delete(:uid)

  method = Elasticsearch::API::HTTP_PUT
  path   = "_security/profile/#{Utils.listify(_uid)}/_data"
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end