Service Accounts - HLRC (#72431)

This PR adds corresponding components in High Level Rest Client for the new
APIs related to the service accounts feature.

docs/java-rest/high-level/security/authenticate.asciidoc

@@ -45,6 +45,10 @@ see {javadoc-client}/security/user/User.html.
 <5> `getLookupRealm().getName()` retrieves the name of the realm from where the user information is looked up.
 <6> `getLookupRealm().getType()` retrieves the type of the realm from where the user information is looked up.
 <7> `getAuthenticationType()` retrieves the authentication type of the authenticated user.
+<8> `getMetadata()` retrieves metadata relevant to this authentication.
+Note this is different from `user.getMetadata()`.
+For <<{upid}-create-service-account-token,service account token>> authentication, it contains
+a key of `_token_name` with the value being the token name.
 
 [id="{upid}-{api}-async"]
 ==== Asynchronous Execution

docs/java-rest/high-level/security/clear-service-account-token-cache.asciidoc

@@ -0,0 +1,37 @@
+
+--
+:api: clear-service-account-token-cache
+:request: ClearServiceAccountTokenCacheRequest
+:response: ClearSecurityCacheResponse
+--
+[role="xpack"]
+[id="{upid}-{api}"]
+=== Clear Service Account Token Cache API
+
+[id="{upid}-{api}-request"]
+==== Clear Service Account Token Cache Request
+
+A +{request}+ supports clearing service account token cache for the given
+namespace, service name and token names.
+It can also clear the entire cache if a `*` is specified for the token name.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request]
+--------------------------------------------------
+<1> Namespace of the service account
+<2> Service name of the service account
+<3> Name(s) for the service account token to be evicted from the cache
+
+include::../execution.asciidoc[]
+
+[id="{upid}-{api}-response"]
+==== Clear Service Account Token Cache Response
+
+The returned +{response}+ allows to retrieve information about where the cache was cleared.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-response]
+--------------------------------------------------
+<1> the list of nodes that the cache was cleared on

docs/java-rest/high-level/security/create-service-account-token.asciidoc

@@ -0,0 +1,42 @@
+--
+:api: create-service-account-token
+:request: CreateServiceAccountTokenRequest
+:response: CreateServiceAccountTokenResponse
+--
+[role="xpack"]
+[id="{upid}-{api}"]
+=== Create Service Account Token API
+
+Index-based service account token can be created using this API.
+
+[id="{upid}-{api}-request"]
+==== Create Service Account Token Request
+
+A +{request}+ contains the namespace and service-name of a
+service account and an optional name for the service account token.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request]
+--------------------------------------------------
+
+A token name will be auto generated if the +{request}+ does not specify it:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request-auto-name]
+--------------------------------------------------
+
+include::../execution.asciidoc[]
+
+[id="{upid}-{api}-response"]
+==== Create Service Account Token Response
+
+The returned +{response}+ contains the name and value of the service account token.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-response]
+--------------------------------------------------
+<1> Name of the service account token
+<2> Value of the service account token to be used as the bearer authentication header

docs/java-rest/high-level/security/delete-service-account-token.asciidoc

@@ -0,0 +1,35 @@
+--
+:api: delete-service-account-token
+:request: DeleteServiceAccountTokenRequest
+:response: DeleteServiceAccountTokenResponse
+--
+[role="xpack"]
+[id="{upid}-{api}"]
+=== Delete Service Account Token API
+
+Index-based service account token can be deleted using this API.
+
+[id="{upid}-{api}-request"]
+==== Delete Service Account Token Request
+
+A +{request}+ contains the namespace, service-name and token name of a
+service account token.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request]
+--------------------------------------------------
+
+include::../execution.asciidoc[]
+
+[id="{upid}-{api}-response"]
+==== Delete Service Account Token Response
+
+The returned +{response}+ allows to retrieve information about the executed
+operation as follows:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-response]
+--------------------------------------------------
+<1> whether the given service account token was found

docs/java-rest/high-level/security/get-service-account-credentials.asciidoc

@@ -0,0 +1,38 @@
+
+--
+:api: get-service-account-credentials
+:request: GetServiceAccountCredentialsRequest
+:response: GetServiceAccountCredentialsResponse
+--
+[role="xpack"]
+[id="{upid}-{api}"]
+=== Get Service Account Credentials API
+
+[id="{upid}-{api}-request"]
+==== Get Service Account Credentials Request
+
+Retrieving all credentials for a service account can be performed by setting the namespace
+and service-name on +{request}+:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request]
+--------------------------------------------------
+
+include::../execution.asciidoc[]
+
+[id="{upid}-{api}-response"]
+==== Get Service Account Credentials Response
+
+The returned +{response}+ contains a list of service account tokens for the requested service account.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-response]
+--------------------------------------------------
+<1> Principal of the service account
+<2> Name of the node that processed the request. Information of file service tokens is only collected from this node.
+<3> List of service token information
+<4> Name of the first service account token
+<5> Source of the first service account token. The value is either `file` or `index`.
+

docs/java-rest/high-level/security/get-service-accounts.asciidoc

@@ -0,0 +1,49 @@
+
+--
+:api: get-service-accounts
+:request: GetServiceAccountsRequest
+:response: GetServiceAccountsResponse
+--
+[role="xpack"]
+[id="{upid}-{api}"]
+=== Get Service Accounts API
+
+[id="{upid}-{api}-request"]
+==== Get Service Accounts Request
+
+Retrieving a service account can be performed by setting the namespace
+and service-name on +{request}+:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request]
+--------------------------------------------------
+
+Retrieving service accounts belong to a namespace can be performed
+by just setting the namespace on +{request}+:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request-namespace]
+--------------------------------------------------
+
+Retrieving all service accounts can be performed without specifying
+either namespace or service-name on +{request}+:
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-request-all]
+--------------------------------------------------
+
+include::../execution.asciidoc[]
+
+[id="{upid}-{api}-response"]
+==== Get Service Accounts Response
+
+The returned +{response}+ allows getting information about the retrieved service accounts as follows.
+
+["source","java",subs="attributes,callouts,macros"]
+--------------------------------------------------
+include-tagged::{doc-tests-file}[{api}-response]
+--------------------------------------------------
+<1> Information for the requested service account

docs/java-rest/high-level/supported-apis.asciidoc

@@ -487,6 +487,7 @@ The Java High Level REST Client supports the following Security APIs:
 * <<{upid}-clear-privileges-cache>>
 * <<{upid}-clear-realm-cache>>
 * <<{upid}-clear-api-key-cache>>
+* <<{upid}-clear-service-account-token-cache>>
 * <<{upid}-authenticate>>
 * <<{upid}-has-privileges>>
 * <<{upid}-get-user-privileges>>
@@ -503,6 +504,10 @@ The Java High Level REST Client supports the following Security APIs:
 * <<{upid}-create-api-key>>
 * <<{upid}-get-api-key>>
 * <<{upid}-invalidate-api-key>>
+* <<{upid}-get-service-accounts>>
+* <<{upid}-create-service-account-token>>
+* <<{upid}-delete-service-account-token>>
+* <<{upid}-get-service-account-credentials>>
 
 include::security/put-user.asciidoc[]
 include::security/get-users.asciidoc[]
@@ -520,6 +525,7 @@ include::security/clear-roles-cache.asciidoc[]
 include::security/clear-privileges-cache.asciidoc[]
 include::security/clear-realm-cache.asciidoc[]
 include::security/clear-api-key-cache.asciidoc[]
+include::security/clear-service-account-token-cache.asciidoc[]
 include::security/authenticate.asciidoc[]
 include::security/has-privileges.asciidoc[]
 include::security/get-user-privileges.asciidoc[]
@@ -534,6 +540,10 @@ include::security/create-api-key.asciidoc[]
 include::security/grant-api-key.asciidoc[]
 include::security/get-api-key.asciidoc[]
 include::security/invalidate-api-key.asciidoc[]
+include::security/get-service-accounts.asciidoc[]
+include::security/create-service-account-token.asciidoc[]
+include::security/delete-service-account-token.asciidoc[]
+include::security/get-service-account-credentials.asciidoc[]
 
 [role="xpack"]
 == Text Structure APIs