From ed058086e27c2b6f5015647b446304608d6b14a9 Mon Sep 17 00:00:00 2001 From: Elena Shostak <165678770+elena-shostak@users.noreply.github.com> Date: Thu, 3 Apr 2025 14:28:17 +0200 Subject: [PATCH] [Authz] Added allOf and anyOf nested conditions (#215516) ## Summary Currently, our `requiredPrivileges` structure supports `allRequired` and `anyRequired` for defining authorization logic. However, there is [a need to support](https://github.com/elastic/kibana/pull/205335#issuecomment-2569275302) more complex scenarios as `(privilege1 AND privilege2) OR (privilege3 AND privilege4)` To achieve `anyRequired` has been extended to allow defining multiple AND conditions evaluated with OR logic: ```ts security: { authz: { requiredPrivileges: [{ anyRequired: [ { allOf: ['privilege1', 'privilege2'] }, { allOf: ['privilege3', 'privilege4'] } ] } ] } } ``` `allRequired` now also supports scenarios `(privilege1 OR privilege2) AND (privilege3 OR privilege4)` ```ts security: { authz: { requiredPrivileges: [{ allRequired: [ { anyOf: ['privilege1', 'privilege2'] }, { anyOf: ['privilege3', 'privilege4'] } ] } ] } } ``` > [!IMPORTANT] > We expect to have unique privileges in `anyOf` or `allOf` conditions, assuming that most complex conditions can be simplified by boolean algebra laws (OR/AND distributive etc). ### Checklist - [x] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) __Closes: https://github.com/elastic/kibana/issues/210977__ --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine --- dev_docs/key_concepts/api_authorization.mdx | 42 +++ oas_docs/bundle.json | 194 +++++++------- oas_docs/bundle.serverless.json | 190 ++++++------- oas_docs/output/kibana.serverless.yaml | 190 ++++++------- oas_docs/output/kibana.yaml | 194 +++++++------- .../security_route_config_validator.test.ts | 104 ++++++++ .../src/security_route_config_validator.ts | 36 ++- .../http/router-server-internal/tsconfig.json | 3 +- src/core/packages/http/server/index.ts | 2 + .../packages/http/server/src/router/index.ts | 2 + .../packages/http/server/src/router/route.ts | 9 +- src/core/packages/security/server/index.ts | 1 + .../packages/security/server/src/authz.ts | 29 ++ src/core/server/index.ts | 2 + .../__snapshots__/generate_oas.test.ts.snap | 6 +- .../src/extract_authz_description.test.ts | 30 ++- .../src/extract_authz_description.ts | 37 ++- .../src/generate_oas.test.fixture.ts | 2 +- .../src/process_router.test.ts | 8 +- .../src/process_versioned_router.test.ts | 2 +- .../authorization/api_authorization.test.ts | 249 ++++++++++++++++++ .../server/authorization/api_authorization.ts | 30 ++- .../product_features_service.test.ts | 77 ++++++ .../product_features_service.ts | 16 +- 24 files changed, 1033 insertions(+), 422 deletions(-) create mode 100644 src/core/packages/security/server/src/authz.ts diff --git a/dev_docs/key_concepts/api_authorization.mdx b/dev_docs/key_concepts/api_authorization.mdx index a2ffe5c98bef..d5bf4f3f17b8 100644 --- a/dev_docs/key_concepts/api_authorization.mdx +++ b/dev_docs/key_concepts/api_authorization.mdx @@ -218,6 +218,48 @@ router.get({ }, handler); ``` +**Example 4: Complex configuration with nested `allOf`.** +Requires (`` AND ``) OR (`` AND ``) to access the route. +```ts +router.get({ + path: '/api/path', + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['', '']}, + { allOf: ['', '']} + ], + } + ], + }, + }, + ... +}, handler); +``` + +**Example 5: Complex configuration with nested `anyOf`.** +Requires (`` OR ``) AND (`` OR ``) to access the route. +```ts +router.get({ + path: '/api/path', + security: { + authz: { + requiredPrivileges: [ + { + allRequired: [ + { anyOf: ['', '']}, + { anyOf: ['', '']} + ], + } + ], + }, + }, + ... +}, handler); +``` + ### Versioned router security configuration examples Different security configurations can be applied to each version when using the Versioned Router. This allows your authorization needs to evolve in lockstep with your API. diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index c248d8ce4af7..995e717a84a2 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -9913,7 +9913,7 @@ }, "/api/fleet/agent_download_sources": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -10063,7 +10063,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -10295,7 +10295,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10373,7 +10373,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10517,7 +10517,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10757,7 +10757,7 @@ }, "/api/fleet/agent_policies": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -11841,7 +11841,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -13136,7 +13136,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -14169,7 +14169,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -14267,7 +14267,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -14445,7 +14445,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -15442,7 +15442,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -16752,7 +16752,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -17783,7 +17783,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -17898,7 +17898,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -18503,7 +18503,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -18800,7 +18800,7 @@ }, "/api/fleet/agent_status/data": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -18925,7 +18925,7 @@ }, "/api/fleet/agents": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents", "parameters": [ { @@ -19506,7 +19506,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents", "parameters": [ { @@ -19602,7 +19602,7 @@ }, "/api/fleet/agents/action_status": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -19831,7 +19831,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -19965,7 +19965,7 @@ }, "/api/fleet/agents/available_versions": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -20029,7 +20029,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -20140,7 +20140,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { @@ -20252,7 +20252,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -20369,7 +20369,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -20488,7 +20488,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -20615,7 +20615,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -20699,7 +20699,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -20768,7 +20768,7 @@ }, "/api/fleet/agents/setup": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -20861,7 +20861,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -20954,7 +20954,7 @@ }, "/api/fleet/agents/tags": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -21036,7 +21036,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -21117,7 +21117,7 @@ ] }, "get": { - "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -21575,7 +21575,7 @@ ] }, "put": { - "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -22058,7 +22058,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -22267,7 +22267,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -22358,7 +22358,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -22460,7 +22460,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -22510,7 +22510,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -22610,7 +22610,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { @@ -22800,7 +22800,7 @@ }, "/api/fleet/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { @@ -22950,7 +22950,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -23131,7 +23131,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -23270,7 +23270,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -23351,7 +23351,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -23457,7 +23457,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -23601,7 +23601,7 @@ }, "/api/fleet/epm/categories": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -23705,7 +23705,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -23914,7 +23914,7 @@ }, "/api/fleet/epm/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -24033,7 +24033,7 @@ }, "/api/fleet/epm/packages": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -24633,7 +24633,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -24822,7 +24822,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { @@ -25100,7 +25100,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -25334,7 +25334,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -25398,7 +25398,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -25477,7 +25477,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -26358,7 +26358,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -26580,7 +26580,7 @@ ] }, "put": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -27277,7 +27277,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets": { "delete": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets", "parameters": [ { @@ -27363,7 +27363,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-pkgname-pkgversion-kibana-assets", "parameters": [ { @@ -27611,7 +27611,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { @@ -27686,7 +27686,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -27848,7 +27848,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -27910,7 +27910,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -28109,7 +28109,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -28439,7 +28439,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -28517,7 +28517,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -28710,7 +28710,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -29039,7 +29039,7 @@ }, "/api/fleet/health_check": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-health-check", "parameters": [ { @@ -29165,7 +29165,7 @@ }, "/api/fleet/kubernetes": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -29251,7 +29251,7 @@ }, "/api/fleet/kubernetes/download": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -29358,7 +29358,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -29430,7 +29430,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { @@ -29541,7 +29541,7 @@ }, "/api/fleet/outputs": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -30716,7 +30716,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-outputs", "parameters": [ { @@ -32999,7 +32999,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -33107,7 +33107,7 @@ ] }, "get": { - "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", + "description": "Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -34276,7 +34276,7 @@ ] }, "put": { - "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", + "description": "Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -36543,7 +36543,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -39362,7 +39362,7 @@ }, "/api/fleet/package_policies/delete": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -39559,7 +39559,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -39677,7 +39677,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -40883,7 +40883,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -42956,7 +42956,7 @@ }, "/api/fleet/proxies": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -43080,7 +43080,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-proxies", "parameters": [ { @@ -43260,7 +43260,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -43338,7 +43338,7 @@ ] }, "get": { - "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -43456,7 +43456,7 @@ ] }, "put": { - "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -43639,7 +43639,7 @@ }, "/api/fleet/service_tokens": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -43732,7 +43732,7 @@ }, "/api/fleet/settings": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -43870,7 +43870,7 @@ ] }, "put": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-settings", "parameters": [ { @@ -44068,7 +44068,7 @@ }, "/api/fleet/setup": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "post-fleet-setup", "parameters": [ { @@ -44180,7 +44180,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -44322,7 +44322,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { @@ -45194,7 +45194,7 @@ }, "/api/spaces/_copy_saved_objects": { "post": { - "description": "It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].", + "description": "It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.", "operationId": "post-spaces-copy-saved-objects", "parameters": [ { @@ -45401,7 +45401,7 @@ }, "/api/spaces/_resolve_copy_saved_objects_errors": { "post": { - "description": "Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].", + "description": "Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.", "operationId": "post-spaces-resolve-copy-saved-objects-errors", "parameters": [ { diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json index bcb16b841be3..be7b2b81e64b 100644 --- a/oas_docs/bundle.serverless.json +++ b/oas_docs/bundle.serverless.json @@ -9913,7 +9913,7 @@ }, "/api/fleet/agent_download_sources": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.", "operationId": "get-fleet-agent-download-sources", "parameters": [], "responses": { @@ -10063,7 +10063,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-agent-download-sources", "parameters": [ { @@ -10295,7 +10295,7 @@ }, "/api/fleet/agent_download_sources/{sourceId}": { "delete": { - "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10373,7 +10373,7 @@ ] }, "get": { - "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].", + "description": "Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.", "operationId": "get-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10517,7 +10517,7 @@ ] }, "put": { - "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-agent-download-sources-sourceid", "parameters": [ { @@ -10757,7 +10757,7 @@ }, "/api/fleet/agent_policies": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "get-fleet-agent-policies", "parameters": [ { @@ -11841,7 +11841,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies", "parameters": [ { @@ -13136,7 +13136,7 @@ }, "/api/fleet/agent_policies/_bulk_get": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "post-fleet-agent-policies-bulk-get", "parameters": [ { @@ -14169,7 +14169,7 @@ }, "/api/fleet/agent_policies/delete": { "post": { - "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies-delete", "parameters": [ { @@ -14267,7 +14267,7 @@ }, "/api/fleet/agent_policies/outputs": { "post": { - "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", + "description": "Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.", "operationId": "post-fleet-agent-policies-outputs", "parameters": [ { @@ -14445,7 +14445,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}": { "get": { - "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].", + "description": "Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.", "operationId": "get-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -15442,7 +15442,7 @@ ] }, "put": { - "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "put-fleet-agent-policies-agentpolicyid", "parameters": [ { @@ -16752,7 +16752,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/copy": { "post": { - "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].", + "description": "Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.", "operationId": "post-fleet-agent-policies-agentpolicyid-copy", "parameters": [ { @@ -17783,7 +17783,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/download": { "get": { - "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-agent-policies-agentpolicyid-download", "parameters": [ { @@ -17898,7 +17898,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/full": { "get": { - "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].", + "description": "Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.", "operationId": "get-fleet-agent-policies-agentpolicyid-full", "parameters": [ { @@ -18503,7 +18503,7 @@ }, "/api/fleet/agent_policies/{agentPolicyId}/outputs": { "get": { - "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].", + "description": "Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.", "operationId": "get-fleet-agent-policies-agentpolicyid-outputs", "parameters": [ { @@ -18800,7 +18800,7 @@ }, "/api/fleet/agent_status/data": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agent-status-data", "parameters": [ { @@ -18925,7 +18925,7 @@ }, "/api/fleet/agents": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents", "parameters": [ { @@ -19506,7 +19506,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents", "parameters": [ { @@ -19602,7 +19602,7 @@ }, "/api/fleet/agents/action_status": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-action-status", "parameters": [ { @@ -19831,7 +19831,7 @@ }, "/api/fleet/agents/actions/{actionId}/cancel": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-actions-actionid-cancel", "parameters": [ { @@ -19965,7 +19965,7 @@ }, "/api/fleet/agents/available_versions": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-available-versions", "parameters": [], "responses": { @@ -20029,7 +20029,7 @@ }, "/api/fleet/agents/bulk_reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-reassign", "parameters": [ { @@ -20140,7 +20140,7 @@ }, "/api/fleet/agents/bulk_request_diagnostics": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents-bulk-request-diagnostics", "parameters": [ { @@ -20252,7 +20252,7 @@ }, "/api/fleet/agents/bulk_unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-unenroll", "parameters": [ { @@ -20369,7 +20369,7 @@ }, "/api/fleet/agents/bulk_update_agent_tags": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-update-agent-tags", "parameters": [ { @@ -20488,7 +20488,7 @@ }, "/api/fleet/agents/bulk_upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-bulk-upgrade", "parameters": [ { @@ -20615,7 +20615,7 @@ }, "/api/fleet/agents/files/{fileId}": { "delete": { - "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-agents-files-fileid", "parameters": [ { @@ -20699,7 +20699,7 @@ }, "/api/fleet/agents/files/{fileId}/{fileName}": { "get": { - "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-files-fileid-filename", "parameters": [ { @@ -20768,7 +20768,7 @@ }, "/api/fleet/agents/setup": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "get-fleet-agents-setup", "parameters": [], "responses": { @@ -20861,7 +20861,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "post-fleet-agents-setup", "parameters": [ { @@ -20954,7 +20954,7 @@ }, "/api/fleet/agents/tags": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-tags", "parameters": [ { @@ -21036,7 +21036,7 @@ }, "/api/fleet/agents/{agentId}": { "delete": { - "description": "Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-agents-agentid", "parameters": [ { @@ -21117,7 +21117,7 @@ ] }, "get": { - "description": "Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-agentid", "parameters": [ { @@ -21575,7 +21575,7 @@ ] }, "put": { - "description": "Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "put-fleet-agents-agentid", "parameters": [ { @@ -22058,7 +22058,7 @@ }, "/api/fleet/agents/{agentId}/actions": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-actions", "parameters": [ { @@ -22267,7 +22267,7 @@ }, "/api/fleet/agents/{agentId}/reassign": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-reassign", "parameters": [ { @@ -22358,7 +22358,7 @@ }, "/api/fleet/agents/{agentId}/request_diagnostics": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "post-fleet-agents-agentid-request-diagnostics", "parameters": [ { @@ -22460,7 +22460,7 @@ }, "/api/fleet/agents/{agentId}/unenroll": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-unenroll", "parameters": [ { @@ -22510,7 +22510,7 @@ }, "/api/fleet/agents/{agentId}/upgrade": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-agents-agentid-upgrade", "parameters": [ { @@ -22610,7 +22610,7 @@ }, "/api/fleet/agents/{agentId}/uploads": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-read.", "operationId": "get-fleet-agents-agentid-uploads", "parameters": [ { @@ -22800,7 +22800,7 @@ }, "/api/fleet/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.", "operationId": "get-fleet-data-streams", "parameters": [], "responses": { @@ -22950,7 +22950,7 @@ }, "/api/fleet/enrollment_api_keys": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.", "operationId": "get-fleet-enrollment-api-keys", "parameters": [ { @@ -23131,7 +23131,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-enrollment-api-keys", "parameters": [ { @@ -23270,7 +23270,7 @@ }, "/api/fleet/enrollment_api_keys/{keyId}": { "delete": { - "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "delete-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -23351,7 +23351,7 @@ ] }, "get": { - "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].", + "description": "Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.", "operationId": "get-fleet-enrollment-api-keys-keyid", "parameters": [ { @@ -23457,7 +23457,7 @@ }, "/api/fleet/epm/bulk_assets": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "post-fleet-epm-bulk-assets", "parameters": [ { @@ -23601,7 +23601,7 @@ }, "/api/fleet/epm/categories": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-categories", "parameters": [ { @@ -23705,7 +23705,7 @@ }, "/api/fleet/epm/custom_integrations": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-custom-integrations", "parameters": [ { @@ -23914,7 +23914,7 @@ }, "/api/fleet/epm/data_streams": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-data-streams", "parameters": [ { @@ -24033,7 +24033,7 @@ }, "/api/fleet/epm/packages": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages", "parameters": [ { @@ -24633,7 +24633,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages", "parameters": [ { @@ -24822,7 +24822,7 @@ }, "/api/fleet/epm/packages/_bulk": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-bulk", "parameters": [ { @@ -25100,7 +25100,7 @@ }, "/api/fleet/epm/packages/installed": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-installed", "parameters": [ { @@ -25334,7 +25334,7 @@ }, "/api/fleet/epm/packages/limited": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-limited", "parameters": [], "responses": { @@ -25398,7 +25398,7 @@ }, "/api/fleet/epm/packages/{pkgName}/stats": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-pkgname-stats", "parameters": [ { @@ -25477,7 +25477,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}": { "delete": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -26358,7 +26358,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -26580,7 +26580,7 @@ ] }, "put": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "put-fleet-epm-packages-pkgname-pkgversion", "parameters": [ { @@ -27277,7 +27277,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets": { "delete": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets", "parameters": [ { @@ -27363,7 +27363,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].", + "description": "[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.", "operationId": "post-fleet-epm-packages-pkgname-pkgversion-kibana-assets", "parameters": [ { @@ -27611,7 +27611,7 @@ }, "/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-packages-pkgname-pkgversion-filepath", "parameters": [ { @@ -27686,7 +27686,7 @@ }, "/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-templates-pkgname-pkgversion-inputs", "parameters": [ { @@ -27848,7 +27848,7 @@ }, "/api/fleet/epm/verification_key_id": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].", + "description": "[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.", "operationId": "get-fleet-epm-verification-key-id", "parameters": [], "responses": { @@ -27910,7 +27910,7 @@ }, "/api/fleet/fleet_server_hosts": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.", "operationId": "get-fleet-fleet-server-hosts", "parameters": [], "responses": { @@ -28109,7 +28109,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-fleet-server-hosts", "parameters": [ { @@ -28439,7 +28439,7 @@ }, "/api/fleet/fleet_server_hosts/{itemId}": { "delete": { - "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -28517,7 +28517,7 @@ ] }, "get": { - "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -28710,7 +28710,7 @@ ] }, "put": { - "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-fleet-server-hosts-itemid", "parameters": [ { @@ -29039,7 +29039,7 @@ }, "/api/fleet/health_check": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-health-check", "parameters": [ { @@ -29165,7 +29165,7 @@ }, "/api/fleet/kubernetes": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-kubernetes", "parameters": [ { @@ -29251,7 +29251,7 @@ }, "/api/fleet/kubernetes/download": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.", "operationId": "get-fleet-kubernetes-download", "parameters": [ { @@ -29358,7 +29358,7 @@ }, "/api/fleet/logstash_api_keys": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-logstash-api-keys", "parameters": [ { @@ -29430,7 +29430,7 @@ }, "/api/fleet/message_signing_service/rotate_key_pair": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.", "operationId": "post-fleet-message-signing-service-rotate-key-pair", "parameters": [ { @@ -29541,7 +29541,7 @@ }, "/api/fleet/outputs": { "get": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.", "operationId": "get-fleet-outputs", "parameters": [], "responses": { @@ -30716,7 +30716,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-outputs", "parameters": [ { @@ -32999,7 +32999,7 @@ }, "/api/fleet/outputs/{outputId}": { "delete": { - "description": "Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-outputs-outputid", "parameters": [ { @@ -33107,7 +33107,7 @@ ] }, "get": { - "description": "Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].", + "description": "Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.", "operationId": "get-fleet-outputs-outputid", "parameters": [ { @@ -34276,7 +34276,7 @@ ] }, "put": { - "description": "Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].", + "description": "Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.", "operationId": "put-fleet-outputs-outputid", "parameters": [ { @@ -36543,7 +36543,7 @@ }, "/api/fleet/outputs/{outputId}/health": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-outputs-outputid-health", "parameters": [ { @@ -39362,7 +39362,7 @@ }, "/api/fleet/package_policies/delete": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "post-fleet-package-policies-delete", "parameters": [ { @@ -39559,7 +39559,7 @@ }, "/api/fleet/package_policies/upgrade": { "post": { - "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "post-fleet-package-policies-upgrade", "parameters": [ { @@ -39677,7 +39677,7 @@ }, "/api/fleet/package_policies/upgrade/dryrun": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].", + "description": "[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.", "operationId": "post-fleet-package-policies-upgrade-dryrun", "parameters": [ { @@ -40883,7 +40883,7 @@ }, "/api/fleet/package_policies/{packagePolicyId}": { "delete": { - "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].", + "description": "Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.", "operationId": "delete-fleet-package-policies-packagepolicyid", "parameters": [ { @@ -42956,7 +42956,7 @@ }, "/api/fleet/proxies": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-proxies", "parameters": [], "responses": { @@ -43080,7 +43080,7 @@ ] }, "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "post-fleet-proxies", "parameters": [ { @@ -43260,7 +43260,7 @@ }, "/api/fleet/proxies/{itemId}": { "delete": { - "description": "Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "delete-fleet-proxies-itemid", "parameters": [ { @@ -43338,7 +43338,7 @@ ] }, "get": { - "description": "Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-proxies-itemid", "parameters": [ { @@ -43456,7 +43456,7 @@ ] }, "put": { - "description": "Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-proxies-itemid", "parameters": [ { @@ -43639,7 +43639,7 @@ }, "/api/fleet/service_tokens": { "post": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "post-fleet-service-tokens", "parameters": [ { @@ -43732,7 +43732,7 @@ }, "/api/fleet/settings": { "get": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-read].", + "description": "[Required authorization] Route required privileges: fleet-settings-read.", "operationId": "get-fleet-settings", "parameters": [], "responses": { @@ -43870,7 +43870,7 @@ ] }, "put": { - "description": "[Required authorization] Route required privileges: ALL of [fleet-settings-all].", + "description": "[Required authorization] Route required privileges: fleet-settings-all.", "operationId": "put-fleet-settings", "parameters": [ { @@ -44068,7 +44068,7 @@ }, "/api/fleet/setup": { "post": { - "description": "[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].", + "description": "[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.", "operationId": "post-fleet-setup", "parameters": [ { @@ -44180,7 +44180,7 @@ }, "/api/fleet/uninstall_tokens": { "get": { - "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "get-fleet-uninstall-tokens", "parameters": [ { @@ -44322,7 +44322,7 @@ }, "/api/fleet/uninstall_tokens/{uninstallTokenId}": { "get": { - "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].", + "description": "Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.", "operationId": "get-fleet-uninstall-tokens-uninstalltokenid", "parameters": [ { diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index ac02386a631f..ba32ad8c225d 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -15282,7 +15282,7 @@ paths: - Security Exceptions API /api/fleet/agent_download_sources: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -15382,7 +15382,7 @@ paths: tags: - Elastic Agent binary download sources post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -15533,7 +15533,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_download_sources/{sourceId}: delete: - description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -15584,7 +15584,7 @@ paths: tags: - Elastic Agent binary download sources get: - description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -15678,7 +15678,7 @@ paths: tags: - Elastic Agent binary download sources put: - description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -15834,7 +15834,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_policies: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies parameters: - in: query @@ -16560,7 +16560,7 @@ paths: tags: - Elastic Agent policies post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks @@ -17434,7 +17434,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -18126,7 +18126,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: - description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -18794,7 +18794,7 @@ paths: tags: - Elastic Agent policies put: - description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -19678,7 +19678,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -20368,7 +20368,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -20442,7 +20442,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -20844,7 +20844,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -20944,7 +20944,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/delete: post: - description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -21008,7 +21008,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/outputs: post: - description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -21221,7 +21221,7 @@ paths: - Elastic Agent status /api/fleet/agent_status/data: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agent-status-data parameters: - in: query @@ -21300,7 +21300,7 @@ paths: - Elastic Agents /api/fleet/agents: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents parameters: - in: query @@ -21710,7 +21710,7 @@ paths: tags: - Elastic Agents post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -21772,7 +21772,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}: delete: - description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -21825,7 +21825,7 @@ paths: tags: - Elastic Agents get: - description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: 'Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid parameters: - in: path @@ -22154,7 +22154,7 @@ paths: tags: - Elastic Agents put: - description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -22499,7 +22499,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}/actions: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -22639,7 +22639,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/reassign: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -22698,7 +22698,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/request_diagnostics: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -22764,7 +22764,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/unenroll: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -22797,7 +22797,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/upgrade: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -22862,7 +22862,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/uploads: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -22939,7 +22939,7 @@ paths: - Elastic Agents /api/fleet/agents/action_status: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-action-status parameters: - in: query @@ -23101,7 +23101,7 @@ paths: - Elastic Agent actions /api/fleet/agents/actions/{actionId}/cancel: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -23191,7 +23191,7 @@ paths: - Elastic Agent actions /api/fleet/agents/available_versions: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -23233,7 +23233,7 @@ paths: - Elastic Agents /api/fleet/agents/bulk_reassign: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -23303,7 +23303,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_request_diagnostics: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -23373,7 +23373,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_unenroll: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -23448,7 +23448,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_update_agent_tags: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -23523,7 +23523,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_upgrade: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -23604,7 +23604,7 @@ paths: - Elastic Agent actions /api/fleet/agents/files/{fileId}: delete: - description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -23659,7 +23659,7 @@ paths: - Elastic Agents /api/fleet/agents/files/{fileId}/{fileName}: get: - description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -23703,7 +23703,7 @@ paths: - Elastic Agents /api/fleet/agents/setup: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: get-fleet-agents-setup parameters: [] responses: @@ -23767,7 +23767,7 @@ paths: tags: - Elastic Agents post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -23829,7 +23829,7 @@ paths: - Elastic Agents /api/fleet/agents/tags: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-tags parameters: - in: query @@ -23932,7 +23932,7 @@ paths: - Fleet internals /api/fleet/data_streams: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: get-fleet-data-streams parameters: [] responses: @@ -24033,7 +24033,7 @@ paths: - Data streams /api/fleet/enrollment_api_keys: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -24160,7 +24160,7 @@ paths: tags: - Fleet enrollment API keys post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -24254,7 +24254,7 @@ paths: - Fleet enrollment API keys /api/fleet/enrollment_api_keys/{keyId}: delete: - description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -24307,7 +24307,7 @@ paths: tags: - Fleet enrollment API keys get: - description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -24379,7 +24379,7 @@ paths: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -24474,7 +24474,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-categories parameters: - in: query @@ -24542,7 +24542,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -24683,7 +24683,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -24762,7 +24762,7 @@ paths: - Data streams /api/fleet/epm/packages: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages parameters: - in: query @@ -25170,7 +25170,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks @@ -25296,7 +25296,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -25477,7 +25477,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -26072,7 +26072,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -26220,7 +26220,7 @@ paths: tags: - Elastic Package Manager (EPM) put: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -26693,7 +26693,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -26741,7 +26741,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: delete: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks @@ -26797,7 +26797,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks @@ -26958,7 +26958,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path @@ -27009,7 +27009,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -27159,7 +27159,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -27201,7 +27201,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -27305,7 +27305,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -27346,7 +27346,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/fleet_server_hosts: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.' operationId: get-fleet-fleet-server-hosts parameters: [] responses: @@ -27477,7 +27477,7 @@ paths: tags: - Fleet Server hosts post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -27690,7 +27690,7 @@ paths: - Fleet Server hosts /api/fleet/fleet_server_hosts/{itemId}: delete: - description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -27741,7 +27741,7 @@ paths: tags: - Fleet Server hosts get: - description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -27866,7 +27866,7 @@ paths: tags: - Fleet Server hosts put: - description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -28077,7 +28077,7 @@ paths: - Fleet Server hosts /api/fleet/health_check: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks @@ -28159,7 +28159,7 @@ paths: - Fleet internals /api/fleet/kubernetes: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes parameters: - in: query @@ -28214,7 +28214,7 @@ paths: - Elastic Agent policies /api/fleet/kubernetes/download: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -28283,7 +28283,7 @@ paths: - Elastic Agent policies /api/fleet/logstash_api_keys: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -28330,7 +28330,7 @@ paths: - Fleet outputs /api/fleet/message_signing_service/rotate_key_pair: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -28403,7 +28403,7 @@ paths: - Message Signing Service /api/fleet/outputs: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs parameters: [] responses: @@ -29182,7 +29182,7 @@ paths: tags: - Fleet outputs post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -30692,7 +30692,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}: delete: - description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -30763,7 +30763,7 @@ paths: tags: - Fleet outputs get: - description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' + description: 'Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -31536,7 +31536,7 @@ paths: tags: - Fleet outputs put: - description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' + description: 'Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -33030,7 +33030,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}/health: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -34888,7 +34888,7 @@ paths: - Fleet package policies /api/fleet/package_policies/{packagePolicyId}: delete: - description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -36253,7 +36253,7 @@ paths: - Fleet package policies /api/fleet/package_policies/delete: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -36386,7 +36386,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade: post: - description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -36463,7 +36463,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade/dryrun: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -37271,7 +37271,7 @@ paths: - Fleet package policies /api/fleet/proxies: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies parameters: [] responses: @@ -37353,7 +37353,7 @@ paths: tags: - Fleet proxies post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -37468,7 +37468,7 @@ paths: - Fleet proxies /api/fleet/proxies/{itemId}: delete: - description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -37519,7 +37519,7 @@ paths: tags: - Fleet proxies get: - description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -37595,7 +37595,7 @@ paths: tags: - Fleet proxies put: - description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -37712,7 +37712,7 @@ paths: - Fleet proxies /api/fleet/service_tokens: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -37773,7 +37773,7 @@ paths: - Fleet service tokens /api/fleet/settings: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-settings parameters: [] responses: @@ -37865,7 +37865,7 @@ paths: tags: - Fleet internals put: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks @@ -37996,7 +37996,7 @@ paths: - Fleet internals /api/fleet/setup: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -38070,7 +38070,7 @@ paths: - Fleet internals /api/fleet/uninstall_tokens: get: - description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -38166,7 +38166,7 @@ paths: - Fleet uninstall tokens /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index df57d5907448..26480a0a0ed7 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -17517,7 +17517,7 @@ paths: x-state: Technical Preview /api/fleet/agent_download_sources: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources parameters: [] responses: @@ -17617,7 +17617,7 @@ paths: tags: - Elastic Agent binary download sources post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks @@ -17768,7 +17768,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_download_sources/{sourceId}: delete: - description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -17819,7 +17819,7 @@ paths: tags: - Elastic Agent binary download sources get: - description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].' + description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path @@ -17913,7 +17913,7 @@ paths: tags: - Elastic Agent binary download sources put: - description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks @@ -18069,7 +18069,7 @@ paths: - Elastic Agent binary download sources /api/fleet/agent_policies: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies parameters: - in: query @@ -18795,7 +18795,7 @@ paths: tags: - Elastic Agent policies post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks @@ -19669,7 +19669,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks @@ -20361,7 +20361,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: - description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].' + description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path @@ -21029,7 +21029,7 @@ paths: tags: - Elastic Agent policies put: - description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks @@ -21913,7 +21913,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/copy: post: - description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks @@ -22603,7 +22603,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: - description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path @@ -22677,7 +22677,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/full: get: - description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read].' + description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path @@ -23079,7 +23079,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/outputs: get: - description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' + description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path @@ -23179,7 +23179,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/delete: post: - description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].' + description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -23243,7 +23243,7 @@ paths: - Elastic Agent policies /api/fleet/agent_policies/outputs: post: - description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].' + description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks @@ -23456,7 +23456,7 @@ paths: - Elastic Agent status /api/fleet/agent_status/data: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agent-status-data parameters: - in: query @@ -23535,7 +23535,7 @@ paths: - Elastic Agents /api/fleet/agents: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents parameters: - in: query @@ -23945,7 +23945,7 @@ paths: tags: - Elastic Agents post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks @@ -24007,7 +24007,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}: delete: - description: 'Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -24060,7 +24060,7 @@ paths: tags: - Elastic Agents get: - description: 'Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: 'Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid parameters: - in: path @@ -24389,7 +24389,7 @@ paths: tags: - Elastic Agents put: - description: 'Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks @@ -24734,7 +24734,7 @@ paths: - Elastic Agents /api/fleet/agents/{agentId}/actions: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks @@ -24874,7 +24874,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/reassign: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks @@ -24933,7 +24933,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/request_diagnostics: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -24999,7 +24999,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/unenroll: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -25032,7 +25032,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/upgrade: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -25097,7 +25097,7 @@ paths: - Elastic Agent actions /api/fleet/agents/{agentId}/uploads: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid-uploads parameters: - in: path @@ -25174,7 +25174,7 @@ paths: - Elastic Agents /api/fleet/agents/action_status: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-action-status parameters: - in: query @@ -25336,7 +25336,7 @@ paths: - Elastic Agent actions /api/fleet/agents/actions/{actionId}/cancel: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks @@ -25426,7 +25426,7 @@ paths: - Elastic Agent actions /api/fleet/agents/available_versions: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-available-versions parameters: [] responses: @@ -25468,7 +25468,7 @@ paths: - Elastic Agents /api/fleet/agents/bulk_reassign: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks @@ -25538,7 +25538,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_request_diagnostics: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks @@ -25608,7 +25608,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_unenroll: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks @@ -25683,7 +25683,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_update_agent_tags: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks @@ -25758,7 +25758,7 @@ paths: - Elastic Agent actions /api/fleet/agents/bulk_upgrade: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -25839,7 +25839,7 @@ paths: - Elastic Agent actions /api/fleet/agents/files/{fileId}: delete: - description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks @@ -25894,7 +25894,7 @@ paths: - Elastic Agents /api/fleet/agents/files/{fileId}/{fileName}: get: - description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path @@ -25938,7 +25938,7 @@ paths: - Elastic Agents /api/fleet/agents/setup: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: get-fleet-agents-setup parameters: [] responses: @@ -26002,7 +26002,7 @@ paths: tags: - Elastic Agents post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks @@ -26064,7 +26064,7 @@ paths: - Elastic Agents /api/fleet/agents/tags: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-read].' + description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-tags parameters: - in: query @@ -26167,7 +26167,7 @@ paths: - Fleet internals /api/fleet/data_streams: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: get-fleet-data-streams parameters: [] responses: @@ -26268,7 +26268,7 @@ paths: - Data streams /api/fleet/enrollment_api_keys: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys parameters: - in: query @@ -26395,7 +26395,7 @@ paths: tags: - Fleet enrollment API keys post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -26489,7 +26489,7 @@ paths: - Fleet enrollment API keys /api/fleet/enrollment_api_keys/{keyId}: delete: - description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks @@ -26542,7 +26542,7 @@ paths: tags: - Fleet enrollment API keys get: - description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].' + description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path @@ -26614,7 +26614,7 @@ paths: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks @@ -26709,7 +26709,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-categories parameters: - in: query @@ -26777,7 +26777,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks @@ -26918,7 +26918,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-data-streams parameters: - in: query @@ -26997,7 +26997,7 @@ paths: - Data streams /api/fleet/epm/packages: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages parameters: - in: query @@ -27405,7 +27405,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks @@ -27531,7 +27531,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk: post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks @@ -27712,7 +27712,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -28307,7 +28307,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -28455,7 +28455,7 @@ paths: tags: - Elastic Package Manager (EPM) put: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks @@ -28928,7 +28928,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path @@ -28976,7 +28976,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: delete: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks @@ -29032,7 +29032,7 @@ paths: tags: - Elastic Package Manager (EPM) post: - description: '[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].' + description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks @@ -29193,7 +29193,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path @@ -29244,7 +29244,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-installed parameters: - in: query @@ -29394,7 +29394,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-limited parameters: [] responses: @@ -29436,7 +29436,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path @@ -29540,7 +29540,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: - description: '[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].' + description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-verification-key-id parameters: [] responses: @@ -29581,7 +29581,7 @@ paths: - Elastic Package Manager (EPM) /api/fleet/fleet_server_hosts: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.' operationId: get-fleet-fleet-server-hosts parameters: [] responses: @@ -29712,7 +29712,7 @@ paths: tags: - Fleet Server hosts post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks @@ -29925,7 +29925,7 @@ paths: - Fleet Server hosts /api/fleet/fleet_server_hosts/{itemId}: delete: - description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -29976,7 +29976,7 @@ paths: tags: - Fleet Server hosts get: - description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path @@ -30101,7 +30101,7 @@ paths: tags: - Fleet Server hosts put: - description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks @@ -30312,7 +30312,7 @@ paths: - Fleet Server hosts /api/fleet/health_check: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks @@ -30394,7 +30394,7 @@ paths: - Fleet internals /api/fleet/kubernetes: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes parameters: - in: query @@ -30449,7 +30449,7 @@ paths: - Elastic Agent policies /api/fleet/kubernetes/download: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes-download parameters: - in: query @@ -30518,7 +30518,7 @@ paths: - Elastic Agent policies /api/fleet/logstash_api_keys: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks @@ -30565,7 +30565,7 @@ paths: - Fleet outputs /api/fleet/message_signing_service/rotate_key_pair: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks @@ -30638,7 +30638,7 @@ paths: - Message Signing Service /api/fleet/outputs: get: - description: '[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs parameters: [] responses: @@ -31417,7 +31417,7 @@ paths: tags: - Fleet outputs post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks @@ -32927,7 +32927,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}: delete: - description: 'Delete output by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -32998,7 +32998,7 @@ paths: tags: - Fleet outputs get: - description: 'Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].' + description: 'Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs-outputid parameters: - in: path @@ -33771,7 +33771,7 @@ paths: tags: - Fleet outputs put: - description: 'Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].' + description: 'Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks @@ -35265,7 +35265,7 @@ paths: - Fleet outputs /api/fleet/outputs/{outputId}/health: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-outputs-outputid-health parameters: - in: path @@ -37123,7 +37123,7 @@ paths: - Fleet package policies /api/fleet/package_policies/{packagePolicyId}: delete: - description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks @@ -38488,7 +38488,7 @@ paths: - Fleet package policies /api/fleet/package_policies/delete: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks @@ -38621,7 +38621,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade: post: - description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].' + description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks @@ -38698,7 +38698,7 @@ paths: - Fleet package policies /api/fleet/package_policies/upgrade/dryrun: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, integrations-read].' + description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks @@ -39506,7 +39506,7 @@ paths: - Fleet package policies /api/fleet/proxies: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies parameters: [] responses: @@ -39588,7 +39588,7 @@ paths: tags: - Fleet proxies post: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks @@ -39703,7 +39703,7 @@ paths: - Fleet proxies /api/fleet/proxies/{itemId}: delete: - description: 'Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -39754,7 +39754,7 @@ paths: tags: - Fleet proxies get: - description: 'Get a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: 'Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies-itemid parameters: - in: path @@ -39830,7 +39830,7 @@ paths: tags: - Fleet proxies put: - description: 'Update a proxy by ID.

[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: 'Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks @@ -39947,7 +39947,7 @@ paths: - Fleet proxies /api/fleet/service_tokens: post: - description: '[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks @@ -40008,7 +40008,7 @@ paths: - Fleet service tokens /api/fleet/settings: get: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-read].' + description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-settings parameters: [] responses: @@ -40100,7 +40100,7 @@ paths: tags: - Fleet internals put: - description: '[Required authorization] Route required privileges: ALL of [fleet-settings-all].' + description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks @@ -40231,7 +40231,7 @@ paths: - Fleet internals /api/fleet/setup: post: - description: '[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].' + description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks @@ -40305,7 +40305,7 @@ paths: - Fleet internals /api/fleet/uninstall_tokens: get: - description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs @@ -40401,7 +40401,7 @@ paths: - Fleet uninstall tokens /api/fleet/uninstall_tokens/{uninstallTokenId}: get: - description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].' + description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path @@ -45795,7 +45795,7 @@ paths: x-state: Technical Preview /api/spaces/_copy_saved_objects: post: - description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].' + description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-copy-saved-objects parameters: - description: A required header to protect against CSRF attacks @@ -45958,7 +45958,7 @@ paths: - spaces /api/spaces/_resolve_copy_saved_objects_errors: post: - description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].' + description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - description: A required header to protect against CSRF attacks diff --git a/src/core/packages/http/router-server-internal/src/security_route_config_validator.test.ts b/src/core/packages/http/router-server-internal/src/security_route_config_validator.test.ts index a0cadaacfbf7..7d5d9cd3879c 100644 --- a/src/core/packages/http/router-server-internal/src/security_route_config_validator.test.ts +++ b/src/core/packages/http/router-server-internal/src/security_route_config_validator.test.ts @@ -230,6 +230,40 @@ describe('RouteSecurity validation', () => { expect(() => validRouteSecurity(routeSecurity)).not.toThrow(); }); + it('should pass validation with anyOf defined', () => { + const routeSecurity = { + authz: { + requiredPrivileges: [ + { + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }; + + expect(() => validRouteSecurity(routeSecurity)).not.toThrow(); + }); + + it('should pass validation with allOf defined', () => { + const routeSecurity = { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['privilege1', 'privilege2'] }, + { allOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }; + + expect(() => validRouteSecurity(routeSecurity)).not.toThrow(); + }); + it('should fail validation when anyRequired and allRequired have the same values', () => { const invalidRouteSecurity = { authz: { @@ -365,4 +399,74 @@ describe('RouteSecurity validation', () => { `"[authz.requiredPrivileges]: Operator privilege requires at least one additional non-operator privilege to be defined"` ); }); + + it('should fail validation when anyOf does not satisfy minSize', () => { + const invalidRouteSecurity = { + authz: { + requiredPrivileges: [{ allRequired: [{ anyOf: ['privilege1'] }] }], + }, + }; + + expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot(` + "[authz.requiredPrivileges.0]: types that failed validation: + - [authz.requiredPrivileges.0.0.allRequired.0]: types that failed validation: + - [authz.requiredPrivileges.0.allRequired.0.0]: expected value of type [string] but got [Object] + - [authz.requiredPrivileges.0.allRequired.0.1.anyOf]: array size is [1], but cannot be smaller than [2] + - [authz.requiredPrivileges.0.1]: expected value of type [string] but got [Object]" + `); + }); + + it('should fail validation when allOf does not satisfy minSize', () => { + const invalidRouteSecurity = { + authz: { + requiredPrivileges: [{ anyRequired: [{ allOf: ['privilege1'] }, 'privilege2'] }], + }, + }; + + expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot(` + "[authz.requiredPrivileges.0]: types that failed validation: + - [authz.requiredPrivileges.0.0.anyRequired.0]: types that failed validation: + - [authz.requiredPrivileges.0.anyRequired.0.0]: expected value of type [string] but got [Object] + - [authz.requiredPrivileges.0.anyRequired.0.1.allOf]: array size is [1], but cannot be smaller than [2] + - [authz.requiredPrivileges.0.1]: expected value of type [string] but got [Object]" + `); + }); + + it('should fail validation when anyOf has duplicated privileges', () => { + const invalidRouteSecurity = { + authz: { + requiredPrivileges: [ + { + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege1'] }, + ], + }, + ], + }, + }; + + expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot( + `"[authz.requiredPrivileges]: allRequired privileges must contain unique values"` + ); + }); + + it('should fail validation when allOf has duplicated privileges', () => { + const invalidRouteSecurity = { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['privilege1', 'privilege2'] }, + { allOf: ['privilege3', 'privilege1'] }, + ], + }, + ], + }, + }; + + expect(() => validRouteSecurity(invalidRouteSecurity)).toThrowErrorMatchingInlineSnapshot( + `"[authz.requiredPrivileges]: anyRequired privileges must contain unique values"` + ); + }); }); diff --git a/src/core/packages/http/router-server-internal/src/security_route_config_validator.ts b/src/core/packages/http/router-server-internal/src/security_route_config_validator.ts index ec54c5e61ce0..fd6033915c74 100644 --- a/src/core/packages/http/router-server-internal/src/security_route_config_validator.ts +++ b/src/core/packages/http/router-server-internal/src/security_route_config_validator.ts @@ -8,14 +8,36 @@ */ import { schema } from '@kbn/config-schema'; -import type { RouteSecurity, RouteConfigOptions } from '@kbn/core-http-server'; +import type { + RouteSecurity, + RouteConfigOptions, + AllRequiredCondition, + AnyRequiredCondition, +} from '@kbn/core-http-server'; import { ReservedPrivilegesSet } from '@kbn/core-http-server'; +import { unwindNestedSecurityPrivileges } from '@kbn/core-security-server'; import type { DeepPartial } from '@kbn/utility-types'; const privilegeSetSchema = schema.object( { - anyRequired: schema.maybe(schema.arrayOf(schema.string(), { minSize: 2 })), - allRequired: schema.maybe(schema.arrayOf(schema.string(), { minSize: 1 })), + anyRequired: schema.maybe( + schema.arrayOf( + schema.oneOf([ + schema.string(), + schema.object({ allOf: schema.arrayOf(schema.string(), { minSize: 2 }) }), + ]), + { minSize: 2 } + ) + ), + allRequired: schema.maybe( + schema.arrayOf( + schema.oneOf([ + schema.string(), + schema.object({ anyOf: schema.arrayOf(schema.string(), { minSize: 2 }) }), + ]), + { minSize: 1 } + ) + ), }, { validate: (value) => { @@ -42,10 +64,14 @@ const requiredPrivilegesSchema = schema.arrayOf( allRequired.push(privilege); } else { if (privilege.anyRequired) { - anyRequired.push(...privilege.anyRequired); + anyRequired.push( + ...unwindNestedSecurityPrivileges(privilege.anyRequired) + ); } if (privilege.allRequired) { - allRequired.push(...privilege.allRequired); + allRequired.push( + ...unwindNestedSecurityPrivileges(privilege.allRequired) + ); } } }); diff --git a/src/core/packages/http/router-server-internal/tsconfig.json b/src/core/packages/http/router-server-internal/tsconfig.json index 15bac8a66e44..2643bfe30dbe 100644 --- a/src/core/packages/http/router-server-internal/tsconfig.json +++ b/src/core/packages/http/router-server-internal/tsconfig.json @@ -21,7 +21,8 @@ "@kbn/core-http-common", "@kbn/logging-mocks", "@kbn/config-mocks", - "@kbn/config" + "@kbn/config", + "@kbn/core-security-server" ], "exclude": [ "target/**/*", diff --git a/src/core/packages/http/server/index.ts b/src/core/packages/http/server/index.ts index d0e9475cb189..1b408c3bcb50 100644 --- a/src/core/packages/http/server/index.ts +++ b/src/core/packages/http/server/index.ts @@ -119,6 +119,8 @@ export type { AuthcEnabled, Privilege, PrivilegeSet, + AllRequiredCondition, + AnyRequiredCondition, RouteSecurity, RouteSecurityGetter, InternalRouteSecurity, diff --git a/src/core/packages/http/server/src/router/index.ts b/src/core/packages/http/server/src/router/index.ts index 278ab761cf8d..27fb646733fd 100644 --- a/src/core/packages/http/server/src/router/index.ts +++ b/src/core/packages/http/server/src/router/index.ts @@ -63,6 +63,8 @@ export type { AuthcDisabled, AuthcEnabled, RouteSecurity, + AllRequiredCondition, + AnyRequiredCondition, Privilege, PrivilegeSet, RouteDeprecationInfo, diff --git a/src/core/packages/http/server/src/router/route.ts b/src/core/packages/http/server/src/router/route.ts index a7dd294f5204..edde890c2c2b 100644 --- a/src/core/packages/http/server/src/router/route.ts +++ b/src/core/packages/http/server/src/router/route.ts @@ -202,6 +202,9 @@ interface DeprecateApiDeprecationType { type: 'deprecate'; } +export type AllRequiredCondition = Array; +export type AnyRequiredCondition = Array; + /** * A set of privileges that can be used to define complex authorization requirements. * @@ -209,14 +212,14 @@ interface DeprecateApiDeprecationType { * - `allRequired`: An array of privileges where all listed privileges must be satisfied to meet the authorization requirement. */ export interface PrivilegeSet { - anyRequired?: Privilege[]; - allRequired?: Privilege[]; + anyRequired?: AnyRequiredCondition; + allRequired?: AllRequiredCondition; } /** * An array representing a combination of simple privileges or complex privilege sets. */ -type Privileges = Array; +export type Privileges = Array; /** * Describes the authorization requirements when authorization is enabled. diff --git a/src/core/packages/security/server/index.ts b/src/core/packages/security/server/index.ts index b26b0ba483c8..3533a668c8e6 100644 --- a/src/core/packages/security/server/index.ts +++ b/src/core/packages/security/server/index.ts @@ -50,3 +50,4 @@ export type { export type { KibanaPrivilegesType, ElasticsearchPrivilegesType } from './src/roles'; export { isCreateRestAPIKeyParams } from './src/authentication/api_keys'; export type { CoreFipsService } from './src/fips'; +export { unwindNestedSecurityPrivileges } from './src/authz'; diff --git a/src/core/packages/security/server/src/authz.ts b/src/core/packages/security/server/src/authz.ts new file mode 100644 index 000000000000..a676074a675a --- /dev/null +++ b/src/core/packages/security/server/src/authz.ts @@ -0,0 +1,29 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the "Elastic License + * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side + * Public License v 1"; you may not use this file except in compliance with, at + * your election, the "Elastic License 2.0", the "GNU Affero General Public + * License v3.0 only", or the "Server Side Public License, v 1". + */ + +export const unwindNestedSecurityPrivileges = < + T extends Array +>( + privileges: T +): string[] => + privileges.reduce((acc: string[], privilege) => { + if (typeof privilege === 'object') { + if (privilege.allOf?.length) { + acc.push(...privilege.allOf); + } + + if (privilege?.anyOf?.length) { + acc.push(...privilege.anyOf); + } + } else if (typeof privilege === 'string') { + acc.push(privilege); + } + + return acc; + }, []); diff --git a/src/core/server/index.ts b/src/core/server/index.ts index e222f2db927b..bd8ae9afd31b 100644 --- a/src/core/server/index.ts +++ b/src/core/server/index.ts @@ -615,4 +615,6 @@ export type { RouteSecurityGetter, Privilege, PrivilegeSet, + AllRequiredCondition, + AnyRequiredCondition, } from '@kbn/core-http-server'; diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap b/src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap index 07fc12cbb7c1..a02767cced70 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/__snapshots__/generate_oas.test.ts.snap @@ -126,7 +126,7 @@ Object { "/bar": Object { "get": Object { "deprecated": true, - "description": "[Required authorization] Route required privileges: ALL of [foo].", + "description": "[Required authorization] Route required privileges: foo.", "operationId": "get-bar", "parameters": Array [], "requestBody": Object { @@ -491,7 +491,7 @@ Object { "/no-xsrf/{id}/{path}": Object { "post": Object { "deprecated": true, - "description": "[Required authorization] Route required privileges: ALL of [foo].", + "description": "[Required authorization] Route required privileges: foo.", "operationId": "post-no-xsrf-id-path", "parameters": Array [], "requestBody": Object { @@ -704,7 +704,7 @@ Object { }, "/test": Object { "get": Object { - "description": "[Required authorization] Route required privileges: ALL of [foo].", + "description": "[Required authorization] Route required privileges: foo.", "operationId": "get-test", "parameters": Array [], "requestBody": Object { diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.test.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.test.ts index 308f0a768659..70056ea22b77 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.test.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.test.ts @@ -33,9 +33,7 @@ describe('extractAuthzDescription', () => { }, }; const description = extractAuthzDescription(routeSecurity); - expect(description).toBe( - '[Required authorization] Route required privileges: ALL of [manage_spaces].' - ); + expect(description).toBe('[Required authorization] Route required privileges: manage_spaces.'); }); it('should return route authz description for privilege groups', () => { @@ -46,9 +44,7 @@ describe('extractAuthzDescription', () => { }, }; const description = extractAuthzDescription(routeSecurity); - expect(description).toBe( - '[Required authorization] Route required privileges: ALL of [console].' - ); + expect(description).toBe('[Required authorization] Route required privileges: console.'); } { const routeSecurity: RouteSecurity = { @@ -62,7 +58,7 @@ describe('extractAuthzDescription', () => { }; const description = extractAuthzDescription(routeSecurity); expect(description).toBe( - '[Required authorization] Route required privileges: ANY of [manage_spaces OR taskmanager].' + '[Required authorization] Route required privileges: manage_spaces OR taskmanager.' ); } { @@ -78,7 +74,25 @@ describe('extractAuthzDescription', () => { }; const description = extractAuthzDescription(routeSecurity); expect(description).toBe( - '[Required authorization] Route required privileges: ALL of [console, filesManagement] AND ANY of [manage_spaces OR taskmanager].' + '[Required authorization] Route required privileges: (console AND filesManagement) AND (manage_spaces OR taskmanager).' + ); + } + { + const routeSecurity: RouteSecurity = { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['manage_spaces', 'taskmanager'] }, + { allOf: ['console', 'filesManagement'] }, + ], + }, + ], + }, + }; + const description = extractAuthzDescription(routeSecurity); + expect(description).toBe( + '[Required authorization] Route required privileges: (manage_spaces AND taskmanager) OR (console AND filesManagement).' ); } }); diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.ts index 7979188f2641..6c2ffacaf437 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/extract_authz_description.ts @@ -7,11 +7,17 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -import type { AuthzEnabled, AuthzDisabled, InternalRouteSecurity } from '@kbn/core-http-server'; +import type { + AuthzEnabled, + AuthzDisabled, + InternalRouteSecurity, + AllRequiredCondition, + AnyRequiredCondition, +} from '@kbn/core-http-server'; interface PrivilegeGroupValue { - allRequired: string[]; - anyRequired: string[]; + allRequired: AllRequiredCondition; + anyRequired: AnyRequiredCondition; } export const extractAuthzDescription = (routeSecurity: InternalRouteSecurity | undefined) => { @@ -42,11 +48,28 @@ export const extractAuthzDescription = (routeSecurity: InternalRouteSecurity | u } ); - const getPrivilegesDescription = (allRequired: string[], anyRequired: string[]) => { - const allDescription = allRequired.length ? `ALL of [${allRequired.join(', ')}]` : ''; - const anyDescription = anyRequired.length ? `ANY of [${anyRequired.join(' OR ')}]` : ''; + const getPrivilegesDescription = ( + allRequired: AllRequiredCondition, + anyRequired: AnyRequiredCondition + ) => { + const allPrivileges = allRequired + .map((privilege) => + typeof privilege === 'string' ? privilege : `(${privilege.anyOf?.join(' OR ')})` + ) + .join(' AND '); + const anyPrivileges = anyRequired + .map((privilege) => + typeof privilege === 'string' ? privilege : `(${privilege.allOf?.join(' AND ')})` + ) + .join(' OR '); + const allDescription = allRequired.length ? allPrivileges : ''; + const anyDescription = anyRequired.length ? anyPrivileges : ''; - return `${allDescription}${allDescription && anyDescription ? ' AND ' : ''}${anyDescription}`; + if (allDescription && anyDescription) { + return `(${allDescription}) AND (${anyDescription})`; + } + + return `${allDescription}${anyDescription}`; }; const getDescriptionForRoute = () => { diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts index eae04c1bbe52..424353df935c 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/generate_oas.test.fixture.ts @@ -36,7 +36,7 @@ export const sharedOas = { deprecated: true, 'x-discontinued': 'route discontinued version or date', operationId: 'get-bar', - description: '[Required authorization] Route required privileges: ALL of [foo].', + description: '[Required authorization] Route required privileges: foo.', parameters: [], requestBody: { content: { diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/process_router.test.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/process_router.test.ts index 3c3d568ce8c9..21116bfcbdb0 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/process_router.test.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/process_router.test.ts @@ -118,7 +118,7 @@ describe('processRouter', () => { 'manage_spaces', { allRequired: ['taskmanager'], - anyRequired: ['console'], + anyRequired: ['console', 'devtools'], }, ], }, @@ -139,7 +139,7 @@ describe('processRouter', () => { 'manage_spaces', { allRequired: ['taskmanager'], - anyRequired: ['console'], + anyRequired: ['console', 'devtools'], }, ], }, @@ -172,11 +172,11 @@ describe('processRouter', () => { expect(result.paths['/qux']?.post).toBeDefined(); expect(result.paths['/qux']?.post?.description).toEqual( - '[Required authorization] Route required privileges: ALL of [manage_spaces, taskmanager] AND ANY of [console].' + '[Required authorization] Route required privileges: (manage_spaces AND taskmanager) AND (console OR devtools).' ); expect(result.paths['/quux']?.post?.description).toEqual( - 'This a test route description.

[Required authorization] Route required privileges: ALL of [manage_spaces, taskmanager] AND ANY of [console].' + 'This a test route description.

[Required authorization] Route required privileges: (manage_spaces AND taskmanager) AND (console OR devtools).' ); }); }); diff --git a/src/platform/packages/shared/kbn-router-to-openapispec/src/process_versioned_router.test.ts b/src/platform/packages/shared/kbn-router-to-openapispec/src/process_versioned_router.test.ts index 394e8e7f462a..b5c45f4572f8 100644 --- a/src/platform/packages/shared/kbn-router-to-openapispec/src/process_versioned_router.test.ts +++ b/src/platform/packages/shared/kbn-router-to-openapispec/src/process_versioned_router.test.ts @@ -156,7 +156,7 @@ describe('processVersionedRouter', () => { expect(results.paths['/foo']!.get).toBeDefined(); expect(results.paths['/foo']!.get!.description).toBe( - 'This is a test route description.

[Required authorization] Route required privileges: ALL of [manage_spaces].' + 'This is a test route description.

[Required authorization] Route required privileges: manage_spaces.' ); }); }); diff --git a/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.test.ts b/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.test.ts index d2db2a535b1d..93e8aa603ad9 100644 --- a/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.test.ts +++ b/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.test.ts @@ -546,6 +546,255 @@ describe('initAPIAuthorization', () => { } ); + testSecurityConfig( + `protected route returns "authzResult" if user has permissions with complex anyRequired config`, + { + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['privilege1', 'privilege2'] }, + { allOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: true }, + { privilege: 'api:privilege4', authorized: true }, + ], + }, + }, + kibanaPrivilegesRequestActions: ['privilege1', 'privilege2', 'privilege3', 'privilege4'], + asserts: { + authzResult: { + privilege1: true, + privilege2: false, + privilege3: true, + privilege4: true, + }, + }, + } + ); + + testSecurityConfig( + `protected route returns "authzResult" if user has permissions requested with complex allRequired config`, + { + security: { + authz: { + requiredPrivileges: [ + { + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: true }, + { privilege: 'api:privilege4', authorized: false }, + ], + }, + }, + kibanaPrivilegesRequestActions: ['privilege1', 'privilege2', 'privilege3', 'privilege4'], + asserts: { + authzResult: { + privilege1: true, + privilege2: false, + privilege3: true, + privilege4: false, + }, + }, + } + ); + + testSecurityConfig( + `protected route returns forbidden if user doesn't have required privileges requested with complex allRequired config`, + { + security: { + authz: { + requiredPrivileges: [ + { + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: false }, + { privilege: 'api:privilege4', authorized: false }, + ], + }, + }, + kibanaPrivilegesRequestActions: ['privilege1', 'privilege2', 'privilege3', 'privilege4'], + asserts: { + forbidden: true, + }, + } + ); + + testSecurityConfig( + `protected route returns "authzResult" if user has permissions requested with complex config`, + { + security: { + authz: { + requiredPrivileges: [ + { + // (privilege1 OR privilege2) AND (privilege3 OR privilege4) + // AND ((privilege5 AND privilege6) OR (privilege7 AND privilege8)) + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege4'] }, + ], + anyRequired: [ + { allOf: ['privilege5', 'privilege6'] }, + { allOf: ['privilege7', 'privilege8'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: false }, + { privilege: 'api:privilege4', authorized: true }, + { privilege: 'api:privilege5', authorized: false }, + { privilege: 'api:privilege6', authorized: false }, + { privilege: 'api:privilege7', authorized: true }, + { privilege: 'api:privilege8', authorized: true }, + ], + }, + }, + kibanaPrivilegesRequestActions: [ + 'privilege1', + 'privilege2', + 'privilege3', + 'privilege4', + 'privilege5', + 'privilege6', + 'privilege7', + 'privilege8', + ], + asserts: { + authzResult: { + privilege1: true, + privilege2: false, + privilege3: false, + privilege4: true, + privilege5: false, + privilege6: false, + privilege7: true, + privilege8: true, + }, + }, + } + ); + + testSecurityConfig( + `protected route returns forbidden if user doesn't have required privileges with complex config`, + { + security: { + authz: { + requiredPrivileges: [ + { + // (privilege1 OR privilege2) AND (privilege3 OR privilege4) + // AND ((privilege5 AND privilege6) OR (privilege7 AND privilege8)) + allRequired: [ + { anyOf: ['privilege1', 'privilege2'] }, + { anyOf: ['privilege3', 'privilege4'] }, + ], + anyRequired: [ + { allOf: ['privilege5', 'privilege6'] }, + { allOf: ['privilege7', 'privilege8'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: false }, + { privilege: 'api:privilege4', authorized: true }, + { privilege: 'api:privilege5', authorized: false }, + { privilege: 'api:privilege6', authorized: false }, + { privilege: 'api:privilege7', authorized: true }, + { privilege: 'api:privilege8', authorized: false }, + ], + }, + }, + kibanaPrivilegesRequestActions: [ + 'privilege1', + 'privilege2', + 'privilege3', + 'privilege4', + 'privilege5', + 'privilege6', + 'privilege7', + 'privilege8', + ], + asserts: { + forbidden: true, + }, + } + ); + + testSecurityConfig( + `protected route returns forbidden if user doesn't have required privileges requested with complex anyRequired config`, + { + security: { + authz: { + requiredPrivileges: [ + { + anyRequired: [ + { allOf: ['privilege1', 'privilege2'] }, + { allOf: ['privilege3', 'privilege4'] }, + ], + }, + ], + }, + }, + kibanaPrivilegesResponse: { + privileges: { + kibana: [ + { privilege: 'api:privilege1', authorized: true }, + { privilege: 'api:privilege2', authorized: false }, + { privilege: 'api:privilege3', authorized: false }, + { privilege: 'api:privilege4', authorized: true }, + ], + }, + }, + kibanaPrivilegesRequestActions: ['privilege1', 'privilege2', 'privilege3', 'privilege4'], + asserts: { + forbidden: true, + }, + } + ); + testSecurityConfig(`route returns next if route has authz disabled`, { security: { authz: { diff --git a/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.ts b/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.ts index dbfc8d03000e..70d5f10a6776 100644 --- a/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.ts +++ b/x-pack/platform/plugins/shared/security/server/authorization/api_authorization.ts @@ -7,6 +7,8 @@ import { ReservedPrivilegesSet } from '@kbn/core/server'; import type { + AllRequiredCondition, + AnyRequiredCondition, AuthzDisabled, AuthzEnabled, HttpServiceSetup, @@ -16,6 +18,7 @@ import type { PrivilegeSet, RouteAuthz, } from '@kbn/core/server'; +import { unwindNestedSecurityPrivileges } from '@kbn/core-security-server'; import type { AuthenticatedUser } from '@kbn/security-plugin-types-common'; import type { AuthorizationServiceSetup, @@ -116,7 +119,14 @@ export function initAPIAuthorization( (acc, privilegeEntry) => { const privileges = typeof privilegeEntry === 'object' - ? [...(privilegeEntry.allRequired ?? []), ...(privilegeEntry.anyRequired ?? [])] + ? [ + ...unwindNestedSecurityPrivileges( + privilegeEntry.allRequired ?? [] + ), + ...unwindNestedSecurityPrivileges( + privilegeEntry.anyRequired ?? [] + ), + ] : [privilegeEntry]; for (const privilege of privileges) { @@ -173,9 +183,23 @@ export function initAPIAuthorization( const anyRequired = kbPrivilege.anyRequired ?? []; return ( - allRequired.every((privilege: string) => kibanaPrivileges[privilege]) && + allRequired.every((privilege) => + typeof privilege === 'string' + ? kibanaPrivileges[privilege] + : // checking composite privileges + privilege.anyOf.some( + (anyPrivilegeEntry: Privilege) => kibanaPrivileges[anyPrivilegeEntry] + ) + ) && (!anyRequired.length || - anyRequired.some((privilege: string) => kibanaPrivileges[privilege])) + anyRequired.some((privilege) => + typeof privilege === 'string' + ? kibanaPrivileges[privilege] + : // checking composite privileges + privilege.allOf.every( + (allPrivilegeEntry: Privilege) => kibanaPrivileges[allPrivilegeEntry] + ) + )) ); } diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index a23673071ea6..32efcb32fd70 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -400,6 +400,25 @@ describe('ProductFeaturesService', () => { expect(toolkit.next).toHaveBeenCalledTimes(1); }); + it('should allow access when all actions are registered with nested anyOf', async () => { + const req = getReq([ + { + allRequired: [ + { anyOf: ['securitySolution-enabled', 'securitySolution-enabled2'] }, + 'securitySolution-enabled3', + ], + }, + ]); + await lastRegisteredFn(req, res, toolkit); + + expect(mockIsActionRegistered).toHaveBeenCalledTimes(2); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled'); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled3'); + + expect(res.notFound).not.toHaveBeenCalled(); + expect(toolkit.next).toHaveBeenCalledTimes(1); + }); + it('should restrict access if one action is not registered', async () => { const req = getReq([ { @@ -445,6 +464,25 @@ describe('ProductFeaturesService', () => { expect(res.notFound).toHaveBeenCalledTimes(1); expect(toolkit.next).not.toHaveBeenCalled(); }); + + it('should restrict only based on security privileges and ignore non-security with nested anyOf', async () => { + const req = getReq([ + { + allRequired: [ + { anyOf: ['securitySolution-disabled', 'securitySolution-disabled2'] }, + 'notSecurityPrivilege', + ], + }, + ]); + await lastRegisteredFn(req, res, toolkit); + + expect(mockIsActionRegistered).toHaveBeenCalledTimes(2); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled'); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled2'); + + expect(res.notFound).toHaveBeenCalledTimes(1); + expect(toolkit.next).not.toHaveBeenCalled(); + }); }); describe('when using anyRequired', () => { @@ -468,6 +506,26 @@ describe('ProductFeaturesService', () => { expect(toolkit.next).toHaveBeenCalledTimes(1); }); + it('should allow access when one action is registered with nested allOf', async () => { + const req = getReq([ + { + anyRequired: [ + { allOf: ['securitySolution-disabled2', 'securitySolution-disabled'] }, + 'securitySolution-enabled', + 'securitySolution-notCalled', + ], + }, + ]); + await lastRegisteredFn(req, res, toolkit); + + expect(mockIsActionRegistered).toHaveBeenCalledTimes(2); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled2'); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-enabled'); + + expect(res.notFound).not.toHaveBeenCalled(); + expect(toolkit.next).toHaveBeenCalledTimes(1); + }); + it('should restrict access when no action is registered', async () => { const req = getReq([ { @@ -484,6 +542,25 @@ describe('ProductFeaturesService', () => { expect(toolkit.next).not.toHaveBeenCalled(); }); + it('should restrict access when no action is registered with nested allOf', async () => { + const req = getReq([ + { + anyRequired: [ + { allOf: ['notSecurityPrivilege', 'securitySolution-disabled2'] }, + { allOf: ['notSecurityPrivilege2', 'securitySolution-disabled'] }, + ], + }, + ]); + await lastRegisteredFn(req, res, toolkit); + + expect(mockIsActionRegistered).toHaveBeenCalledTimes(2); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled'); + expect(mockIsActionRegistered).toHaveBeenCalledWith('api:securitySolution-disabled2'); + + expect(res.notFound).toHaveBeenCalledTimes(1); + expect(toolkit.next).not.toHaveBeenCalled(); + }); + it('should restrict only based on security privileges and allow when non-security privilege is present', async () => { const req = getReq([ { diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index 72d8e8ed3900..819581273c64 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -290,12 +290,24 @@ export class ProductFeaturesService { const disabled = authz.requiredPrivileges.some((privilegeEntry) => { if (typeof privilegeEntry === 'object') { if (privilegeEntry.allRequired) { - if (privilegeEntry.allRequired.some(isApiPrivilegeSecurityAndDisabled)) { + if ( + privilegeEntry.allRequired.some((entry) => + typeof entry === 'string' + ? isApiPrivilegeSecurityAndDisabled(entry) + : entry.anyOf.every(isApiPrivilegeSecurityAndDisabled) + ) + ) { return true; } } if (privilegeEntry.anyRequired) { - if (privilegeEntry.anyRequired.every(isApiPrivilegeSecurityAndDisabled)) { + if ( + privilegeEntry.anyRequired.every((entry) => + typeof entry === 'string' + ? isApiPrivilegeSecurityAndDisabled(entry) + : entry.allOf.some(isApiPrivilegeSecurityAndDisabled) + ) + ) { return true; } }