o gZh@sHddlZddlmZddlmZddlmZmZm Z GdddeZ dS)N)ObjectApiResponse)NamespacedClient) SKIP_IN_PATH_quote_rewrite_parametersc@s(eZdZedddddddddddejdefdejedejed ejejeej efd ejed ejed ejed ejede ej fddZ eddddddejed ejejeej efd ejed ejede ej f ddZ edddddddddddd ejedejed ejejeej efd ejed ejedejed ejedejejdeefde ej fddZeddddddejeej efdejed ejejeej efd ejed ejede ej f ddZeddddddedejed ejejeej efd ejed ejede ej f ddZedddddd d!ejeej efdejed ejejeej efd ejed ejed"ejej ede ej fd#d$Zedddddd%ejeej efdejed ejejeej efd ejed ejede ej f d&d'Zedddddd(ed)ed%ejeej efdejed ejejeej efd ejed ejede ej fd*d+Zedddddddddddd, dejed-ejejd.d/efd ejejeej efd ejed0ejejeej fd%ejed ejedejejdeefd1ejejeejeej ffde ej fd2d3Zeddddddd4d(ed)ed%ejedejed ejejeej efd ejed ejedejejdeefde ej fd5d6Zedddddd7ded%ejeej efdejed ejejeej efd ejed ejedejejdeefde ej fd8d9Zedddddd7d%edejed ejejeej efd ejed ejedejejdeefde ej fd:d;Zedddddd7d%edejed ejejeej efd ejed ejedejejdeefde ej fdd?Zedddddd7d edejed ejejeej efd ejed ejedejejdeefde ej fd@dAZedddddd7d edejed ejejeej efd ejed ejedejejdeefde ej fdBdCZedddddd7dDedejed ejejeej efd ejed ejedejejdeefde ej fdEdFZedddddd7d edejed ejejeej efd ejed ejedejejdeefde ej fdGdHZedddddd7dDedejed ejejeej efd ejed ejedejejdeefde ej fdIdJZeddddddejed ejejeej efd ejed ejede ej f dKdLZ eddddddejed ejejeej efd ejed ejede ej f dMdNZ!edddddddddddO dejed ejejeej efd ejedPejed%ejedQejed ejedRejed ejedSejede ej fdTdUZ"eddddddejed ejejeej efd ejed ejede ej f dVdWZ#edddddddXdejed%ejejeej efdejed ejejeej efd ejed ejede ej fdYdZZ$edddddd[d%ejejeej efdejed ejejeej efd ejed ejede ej f d\d]Z%edddddd[d%ejejeej efdejed ejejeej efd ejed ejede ej f d^d_Z&eddddddd`d(ejed)ejedejed ejejeej efd ejed ejede ej fdadbZ'edddddd(ed)edejed ejejeej efd ejed ejede ej fdcddZ(eddddddddddddde dejed ejejeej efdejejdfefd ejedgejed ejed ejedhejediejed ejede ej fdjdkZ)edddddddld ejejeej efdejed ejejeej efd ejed ejedmejede ej fdndoZ*eddddddddpdejedejed ejejeej efd ejed ejedqejed ejejdefde ej fdrdsZ+eddddddtdDejeej efduejejeej efdejed ejejeej efd ejed ejede ej fdvdwZ,eddxhdydddddddddzdxejeej fdejdefdejedejed ejejeej efd ejed ejed ejed{ejed ejede ej fd|d}Z-eddddddddddd~dejedejej ejeej fdejej ejdefdejed ejejeej efd ejedejej ejeej fd ejede ej fddZ.eddddddddejeej fdej edejed ejejeej efd ejed ejede ej fddZ/eddddddddddddd dejed ejejeej efd ejedPejedejej ed%ejedQejed ejedRejed ejede ej fddZ0eddddddddddddejed ejejeej efd ejed ejedRejedhejedejed ejede ej fddZ1edddddddd7dejeejeejeej fffdejed ejejeej efd ejed ejedejejdeefde ej fddZ2edddidddddddddddddd d%edejej ejeej fdejej ejdefdejed ejejeej efdejejeej fd ejedejej ejeej fd0ejejeej fd ejedejejdeefd{ejej edejejeej fde ej fddZ3edddddddddddddd d%edejedejed ejejeej efd ejed0ejejeej fd ejedejejdeefdejej ejeej fdejej edejejeej fd{ejej ede ej fddZ4eddddddddddddddd d edejejdefdejedejed ejejeej efdejejdefd ejed0ejejeej fd ejedejed ejedejejdeefdejej ede ej fddZ5edddidddddddddddd dejed ejejeej efdeje6d ejed ejedejejeej fdejej ejdee7e6eej fdeje6dejejej ejeejeej ffejeejeej fffdSejede ej fddZ8edddddddddedejeej efdejed ejejeej efd ejed ejedejede ej fddZ9eddddddddddejeej efdedejedejed ejejeej efd ejed ejedejede ej fddZ:eddddddddddedejedejed ejejeej efd ejed ejedejede ej fddZ;edddddddddedejed ejejeej efd ejed ejedhejede ej fddZedddddddddddǜduejejeej efdejed ejejeej efdejejeej fd ejed%ejed ejedeje6de ej fddʄZ?eddddddddd˜dPedejed ejejeej efd ejed0ejejeej fd ejed1ejejeejeej ffde ej fdd̈́Z@eddddddddddddΜ dDeduejejeej fdejed ejejeej efd ejedeje6deje6dejejeej fd ejedejejdeefde ej fddӄZAdS)SecurityClientT) body_fieldsN) access_token error_trace filter_pathhumanpasswordprettyusername grant_typez%t.Literal['access_token', 'password']r r r r rrrreturnc Cs|durtdd} i} i} |dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <|durN|| d <d d d } |jd| | | | dS)a. Creates or updates the user profile on behalf of another user. ``_ :param grant_type: :param access_token: :param password: :param username: N-Empty value passed for parameter 'grant_type'z/_security/profile/_activaterr r r r rrrapplication/jsonaccept content-typePOSTparamsheadersbody ValueErrorperform_request) selfrr r r r rrr_SecurityClient__path_SecurityClient__body_SecurityClient__query_SecurityClient__headersr%Z/var/www/html/lang_env/lib/python3.10/site-packages/elasticsearch/_sync/client/security.pyactivate_user_profiles2  z$SecurityClient.activate_user_profile)r r r rcCbd}i}|dur ||d<|dur||d<|dur||d<|dur$||d<ddi}|jd |||d S) z Enables authentication as a user and retrieve information about the authenticated user. ``_ z/_security/_authenticateNr r r rrrGETrrrr r r r rr!r#r$r%r%r& authenticateNzSecurityClient.authenticate)rr r r r password_hashrrefreshr/r0z&t.Literal['false', 'true', 'wait_for']c Cs|tvr dt|d} nd} i} i} |dur|| d<|dur#|| d<|dur+|| d<|dur3|| d<|dur;|| d <|durC|| d <|durK|| d <d d d } |jd| | | | dS)a Changes the passwords of users in the native realm and built-in users. ``_ :param username: The user whose password you want to change. If you do not specify this parameter, the password is changed for the current user. :param password: The new password value. Passwords must be at least 6 characters long. :param password_hash: A hash of the new password value. This must be produced using the same hashing algorithm as has been configured for password storage. For more details, see the explanation of the `xpack.security.authc.password_hashing.algorithm` setting. :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. /_security/user/z /_passwordz/_security/user/_passwordNr r r rr/rr0rrPUTrrrr) r rr r r rr/rr0r!r#r"r$r%r%r&change_passwordls."  zSecurityClient.change_passwordidsc C~|tvrtddt|d}i}|dur||d<|dur"||d<|dur*||d<|dur2||d<d d i}|jd |||d S) ah Clear a subset or all entries from the API key cache. ``_ :param ids: Comma-separated list of API key IDs to evict from the API key cache. To evict all API keys, use `*`. Does not support other wildcard patterns. &Empty value passed for parameter 'ids'/_security/api_key/ /_clear_cacheNr r r rrrrr*rrrr) r r5r r r rr!r#r$r%r%r&clear_api_key_caches z"SecurityClient.clear_api_key_cache applicationc Cr6) a Evicts application privileges from the native application privileges cache. ``_ :param application: A comma-separated list of application names .Empty value passed for parameter 'application'/_security/privilege/r9Nr r r rrrrr*r:) r r<r r r rr!r#r$r%r%r&clear_cached_privileges z&SecurityClient.clear_cached_privileges)r r r r usernamesrealmsrAc C|tvrtddt|d}i}|dur||d<|dur"||d<|dur*||d<|dur2||d<|dur:||d <d d i} |jd ||| d S)ap Evicts users from the user cache. Can completely clear the cache or evict specific users. ``_ :param realms: Comma-separated list of realms to clear :param usernames: Comma-separated list of usernames to clear from the cache z)Empty value passed for parameter 'realms'z/_security/realm/r9Nr r r rrArrrr*r:) r rBr r r rrAr!r#r$r%r%r&clear_cached_realmss$z"SecurityClient.clear_cached_realmsnamec Cr6) z Evicts roles from the native role cache. ``_ :param name: Role name 'Empty value passed for parameter 'name'/_security/role/r9Nr r r rrrrr*r: r rEr r r rr!r#r$r%r%r&clear_cached_rolesr@z!SecurityClient.clear_cached_roles namespaceservicec Cs|tvrtd|tvrtd|tvrtddt|dt|dt|d}i} |dur4|| d <|dur<|| d <|durD|| d <|durL|| d <d di} |jd|| | dS)aw Evicts tokens from the service account token caches. ``_ :param namespace: An identifier for the namespace :param service: An identifier for the service name :param name: A comma-separated list of service token names ,Empty value passed for parameter 'namespace'*Empty value passed for parameter 'service'rF/_security/service///credential/token/r9Nr r r rrrrr*r:) r rJrKrEr r r rr!r#r$r%r%r&clear_cached_service_tokens5s($z*SecurityClient.clear_cached_service_tokens) r expirationr r metadatarErr0role_descriptorsrRz t.Literal[-1]z t.Literal[0]rSrTc Csd} i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <| durN| | d <d d d } |jd| | | | dS)u Creates an API key for access without requiring basic authentication. ``_ :param expiration: Expiration time for the API key. By default, API keys never expire. :param metadata: Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with `_` are reserved for system usage. :param name: Specifies the name for this API key. :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. :param role_descriptors: An array of role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for create role API. For more details, see create or update roles API. /_security/api_keyNr rRr r rSrErr0rTrrr2rr+)r r rRr r rSrErr0rTr!r#r"r$r%r%r&create_api_key_s2)  zSecurityClient.create_api_key)rEr r r rr0c Cs|tvrtd|tvrtd|tvr0|tvr0|tvr0dt|dt|dt|} d} n|tvrH|tvrHdt|dt|d} d} ntd i} |d urV|| d <|d ur^|| d <|d urf|| d <|d urn|| d<|d urv|| d<ddi} |j| | | | dS)a Creates a service account token for access without requiring basic authentication. ``_ :param namespace: An identifier for the namespace :param service: An identifier for the service name :param name: An identifier for the token name :param refresh: If `true` then refresh the affected shards to make this operation visible to search, if `wait_for` (the default) then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rLrMrNrOrPr2z/credential/tokenrz-Couldn't find a path for the given parametersNr r r rr0rrr*r:) r rJrKrEr r r rr0r!Z_SecurityClient__methodr#r$r%r%r&create_service_tokens8"z#SecurityClient.create_service_token)r r r rr0c Cs|tvrtd|tvrtddt|dt|}i} |dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <d d i} |jd || | dS)a Removes application privileges. ``_ :param application: Application name :param name: Privilege name :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. r=rFr>rONr r r rr0rrDELETEr*r:) r r<rEr r r rr0r!r#r$r%r%r&delete_privilegess(z SecurityClient.delete_privilegesc C|tvrtddt|}i}|dur||d<|dur!||d<|dur)||d<|dur1||d<|dur9||d<d d i} |jd ||| d S) a Removes roles in the native realm. ``_ :param name: Role name :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rFrGNr r r rr0rrrXr*r: r rEr r r rr0r!r#r$r%r%r& delete_role $zSecurityClient.delete_rolec CrZ) a Removes role mappings. ``_ :param name: Role-mapping name :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rF/_security/role_mapping/Nr r r rr0rrrXr*r:r[r%r%r&delete_role_mapping5r]z"SecurityClient.delete_role_mappingc Cs|tvrtd|tvrtd|tvrtddt|dt|dt|} i} |dur3|| d<|dur;|| d <|durC|| d <|durK|| d <|durS|| d <d di} |jd| | | dS)a^ Deletes a service account token. ``_ :param namespace: An identifier for the namespace :param service: An identifier for the service name :param name: An identifier for the token name :param refresh: If `true` then refresh the affected shards to make this operation visible to search, if `wait_for` (the default) then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rLrMrFrNrOrPNr r r rr0rrrXr*r:) r rJrKrEr r r rr0r!r#r$r%r%r&delete_service_token_s,"z#SecurityClient.delete_service_tokenc CrZ) a Deletes users from the native realm. ``_ :param username: username :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. +Empty value passed for parameter 'username'r1Nr r r rr0rrrXr*r: r rr r r rr0r!r#r$r%r%r& delete_userr]zSecurityClient.delete_userc CrC)a Disables users in the native realm. ``_ :param username: The username of the user to disable :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rar1 /_disableNr r r rr0rrr2r*r:rbr%r%r& disable_user$zSecurityClient.disable_useruidc CrC)a  Disables a user profile so it's not visible in user profile searches. ``_ :param uid: Unique identifier for the user profile. :param refresh: If 'true', Elasticsearch refreshes the affected shards to make this operation visible to search, if 'wait_for' then wait for a refresh to make this operation visible to search, if 'false' do nothing with refreshes. &Empty value passed for parameter 'uid'/_security/profile/rdNr r r rr0rrr2r*r: r rgr r r rr0r!r#r$r%r%r&disable_user_profilerfz#SecurityClient.disable_user_profilec CrC)a Enables users in the native realm. ``_ :param username: The username of the user to enable :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. rar1/_enableNr r r rr0rrr2r*r:rbr%r%r& enable_userrfzSecurityClient.enable_userc CrC)a Enables a user profile so it's visible in user profile searches. ``_ :param uid: Unique identifier for the user profile. :param refresh: If 'true', Elasticsearch refreshes the affected shards to make this operation visible to search, if 'wait_for' then wait for a refresh to make this operation visible to search, if 'false' do nothing with refreshes. rhrirlNr r r rr0rrr2r*r:rjr%r%r&enable_user_profile9rfz"SecurityClient.enable_user_profilecCr() z Allows a kibana instance to configure itself to communicate with a secured elasticsearch cluster. ``_ z/_security/enroll/kibanaNr r r rrrr)r*r+r,r%r%r& enroll_kibanacr.zSecurityClient.enroll_kibanacCr() z Allows a new node to enroll to an existing cluster with security enabled. ``_ z/_security/enroll/nodeNr r r rrrr)r*r+r,r%r%r& enroll_nodeszSecurityClient.enroll_node) r r r idrEownerr realm_namerwith_limited_byrqrrrsrtc Csd} i} |dur || d<|dur|| d<|dur|| d<|dur$|| d<|dur,|| d<|dur4|| d<|dur<|| d <|durD|| d <| durL| | d <| durT| | d <d di} |jd| | | dS)aV Retrieves information for one or more API keys. ``_ :param id: An API key id. This parameter cannot be used with any of `name`, `realm_name` or `username`. :param name: An API key name. This parameter cannot be used with any of `id`, `realm_name` or `username`. It supports prefix search with wildcard. :param owner: A boolean flag that can be used to query API keys owned by the currently authenticated user. The `realm_name` or `username` parameters cannot be specified when this parameter is set to `true` as they are assumed to be the currently authenticated ones. :param realm_name: The name of an authentication realm. This parameter cannot be used with either `id` or `name` or when `owner` flag is set to `true`. :param username: The username of a user. This parameter cannot be used with either `id` or `name` or when `owner` flag is set to `true`. :param with_limited_by: Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors. rUNr r r rqrErrrrsrrtrrr)r*r+)r r r r rqrErrrrsrrtr!r#r$r%r%r& get_api_keys4$zSecurityClient.get_api_keycCr() a Retrieves the list of cluster privileges and index privileges that are available in this version of Elasticsearch. ``_ z/_security/privilege/_builtinNr r r rrrr)r*r+r,r%r%r&get_builtin_privilegesr.z%SecurityClient.get_builtin_privileges)r<rEr r r rc C|tvr|tvrdt|dt|}n|tvr!dt|}nd}i}|dur-||d<|dur5||d<|dur=||d<|durE||d<d d i} |jd ||| d S) z Retrieves application privileges. ``_ :param application: Application name :param name: Privilege name r>rO/_security/privilegeNr r r rrrr)r*r3) r r<rEr r r rr!r#r$r%r%r&get_privilegess$zSecurityClient.get_privileges)rEr r r rc Cz|tvr dt|}nd}i}|dur||d<|dur ||d<|dur(||d<|dur0||d<dd i}|jd |||d S) am Retrieves roles in the native realm. ``_ :param name: The name of the role. You can specify multiple roles as a comma-separated list. If you do not specify this parameter, the API returns information about all roles. rGz/_security/roleNr r r rrrr)r*r3rHr%r%r&get_role"s zSecurityClient.get_rolec Crz) a: Retrieves role mappings. ``_ :param name: The distinct name that identifies the role mapping. The name is used solely as an identifier to facilitate interaction via the API; it does not affect the behavior of the mapping in any way. You can specify multiple mapping names as a comma-separated list. If you do not specify this parameter, the API returns information about all role mappings. r^z/_security/role_mappingNr r r rrrr)r*r3rHr%r%r&get_role_mappingGs zSecurityClient.get_role_mapping)rJrKr r r rc Crw) a: Retrieves information about service accounts. ``_ :param namespace: Name of the namespace. Omit this parameter to retrieve information about all service accounts. If you omit this parameter, you must also omit the `service` parameter. :param service: Name of the service name. Omit this parameter to retrieve information about all service accounts that belong to the specified `namespace`. rNrOz/_security/serviceNr r r rrrr)r*r3 r rJrKr r r rr!r#r$r%r%r&get_service_accountsns$z#SecurityClient.get_service_accountsc Cs|tvrtd|tvrtddt|dt|d}i}|dur'||d<|dur/||d<|dur7||d <|dur?||d <d d i} |jd ||| dS)a2 Retrieves information of all service credentials for a service account. ``_ :param namespace: Name of the namespace. :param service: Name of the service name. rLrMrNrOz /credentialNr r r rrrr)r*r:r}r%r%r&get_service_credentialss$z&SecurityClient.get_service_credentials) r r rr kerberos_ticketrr refresh_tokenscoperzIt.Literal['_kerberos', 'client_credentials', 'password', 'refresh_token']rrrc Csd} i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <| durN| | d <| durV| | d <d d d}|jd| | || dS)ad Creates a bearer token for access without requiring basic authentication. ``_ :param grant_type: :param kerberos_ticket: :param password: :param refresh_token: :param scope: :param username: /_security/oauth2/tokenNr r rr rrrrrrrrrrr+)r r r rr rrrrrrr!r#r"r$r%r%r& get_tokens6"  zSecurityClient.get_token)rr r r rwith_profile_uidrc Cs|tvr dt|}nd}i}|dur||d<|dur ||d<|dur(||d<|dur0||d<|dur8||d<d d i} |jd ||| d S) a Retrieves information about users in the native realm and built-in users. ``_ :param username: An identifier for the user. You can specify multiple usernames as a comma-separated list. If you omit this parameter, the API retrieves information about all users. :param with_profile_uid: If true will return the User Profile ID for a user, if any. r1z/_security/userNr r r rrrrr)r*r3) r rr r r rrr!r#r$r%r%r&get_users$zSecurityClient.get_user)r<r r r r priviledgerrc Csd}i} |dur || d<|dur|| d<|dur|| d<|dur$|| d<|dur,|| d<|dur4|| d<|dur<|| d <d d i} |jd || | d S)a Retrieves security privileges for the logged in user. ``_ :param application: The name of the application. Application privileges are always associated with exactly one application. If you do not specify this parameter, the API returns information about all privileges for all applications. :param priviledge: The name of the privilege. If you do not specify this parameter, the API returns information about all privileges for the requested application. :param username: z/_security/user/_privilegesNr<r r r rrrrrr)r*r+) r r<r r r rrrr!r#r$r%r%r&get_user_privileges&s(z"SecurityClient.get_user_privileges)datar r r rrc CrZ) a Retrieves user profiles for the given unique ID(s). ``_ :param uid: A unique identifier for the user profile. :param data: List of filters for the `data` field of the profile document. To return all content use `data=*`. To return a subset of content use `data=` to retrieve content nested under the specified ``. By default returns no `data` content. rhriNrr r r rrrr)r*r:) r rgrr r r rr!r#r$r%r%r&get_user_profileSs$zSecurityClient.get_user_profileapi_key)r Zignore_deprecated_options)r r r r rrrun_asrrc Cs|durtd|durtdd} i} i} |dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <|durN|| d <|durV|| d <| dur^| | d <| durf| | d<ddd}|jd| | || dS)u Creates an API key on behalf of another user. ``_ :param api_key: Defines the API key. :param grant_type: The type of grant. Supported grant types are: `access_token`, `password`. :param access_token: The user’s access token. If you specify the `access_token` grant type, this parameter is required. It is not valid with other grant types. :param password: The user’s password. If you specify the `password` grant type, this parameter is required. It is not valid with other grant types. :param run_as: The name of the user to be impersonated. :param username: The user name that identifies the user. If you specify the `password` grant type, this parameter is required. It is not valid with other grant types. Nz*Empty value passed for parameter 'api_key'rz/_security/api_key/grantrrr r r r rrrrrrrrr)r rrr r r r rrrrr!r"r#r$r%r%r& grant_api_key|s>$  zSecurityClient.grant_api_key)userr<clusterr r r indexrrrat.Literal['all', 'cancel_task', 'create_snapshot', 'grant_api_key', 'manage', 'manage_api_key', 'manage_ccr', 'manage_enrich', 'manage_ilm', 'manage_index_templates', 'manage_ingest_pipelines', 'manage_logstash_pipelines', 'manage_ml', 'manage_oidc', 'manage_own_api_key', 'manage_pipeline', 'manage_rollup', 'manage_saml', 'manage_security', 'manage_service_account', 'manage_slm', 'manage_token', 'manage_transform', 'manage_user_profile', 'manage_watcher', 'monitor', 'monitor_ml', 'monitor_rollup', 'monitor_snapshot', 'monitor_text_structure', 'monitor_transform', 'monitor_watcher', 'read_ccr', 'read_ilm', 'read_pipeline', 'read_slm', 'transport_client']rc Cs|tvr dt|d} nd} i} i} |dur|| d<|dur#|| d<|dur+|| d<|dur3|| d<|dur;|| d <|durC|| d <|durK|| d <d d d } |jd| | | | dS)ai Determines whether the specified user has a specified list of privileges. ``_ :param user: Username :param application: :param cluster: A list of the cluster privileges that you want to check. :param index: r1z/_has_privilegesz/_security/user/_has_privilegesNr<rr r r rrrrrrr3) r rr<rr r r rrr!r"r#r$r%r%r&has_privilegess.   zSecurityClient.has_privileges privilegesuidsc Cs|durtd|durtdd}i}i} |dur||d<|dur&||d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <d d d } |jd || | |dS)a Determines whether the users associated with the specified profile IDs have all the requested privileges. ``_ :param privileges: :param uids: A list of profile IDs. The privileges are checked for associated users of the profiles. N-Empty value passed for parameter 'privileges'z'Empty value passed for parameter 'uids'z"/_security/profile/_has_privilegesrrr r r rrrrrr) r rrr r r rr!r"r#r$r%r%r&has_privileges_user_profiles.  z*SecurityClient.has_privileges_user_profile) r r r rqr5rErrrrsrc Csd} i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <| durN| | d <| durV| | d <d d d}|jd| | || dS)a+ Invalidates one or more API keys. ``_ :param id: :param ids: A list of API key ids. This parameter cannot be used with any of `name`, `realm_name`, or `username`. :param name: An API key name. This parameter cannot be used with any of `ids`, `realm_name` or `username`. :param owner: Can be used to query API keys owned by the currently authenticated user. The `realm_name` or `username` parameters cannot be specified when this parameter is set to `true` as they are assumed to be the currently authenticated ones. :param realm_name: The name of an authentication realm. This parameter cannot be used with either `ids` or `name`, or when `owner` flag is set to `true`. :param username: The username of a user. This parameter cannot be used with either `ids` or `name`, or when `owner` flag is set to `true`. rUNr r r rqr5rErrrrsrrrrXrr+)r r r r rqr5rErrrrsrr!r#r"r$r%r%r&invalidate_api_key(s6$  z!SecurityClient.invalidate_api_key)r r r rrsrtokenrrc Csd} i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <d d d } |jd | | | | dS)a! Invalidates one or more access tokens or refresh tokens. ``_ :param realm_name: :param refresh_token: :param token: :param username: rNr r r rrsrrrrrrXrr+) r r r r rrsrrrr!r#r"r$r%r%r&invalidate_tokenhs.  zSecurityClient.invalidate_token)Z body_namec Cs|durtdd}i}|dur||d<|dur||d<|dur$||d<|dur,||d<|dur4||d<|} d d d } |jd ||| | d S) a Adds or updates application privileges. ``_ :param privileges: :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. Nrrxr r r rr0rrr2rr) r rr r r rr0r!r#r"r$r%r%r&put_privilegess&  zSecurityClient.put_privilegesglobalglobal_)r Zparameter_aliases) applicationsrr r rr indicesrSrr0rtransient_metadatarrrc Cs|tvrtddt|}i}i}|dur||d<|dur#||d<|dur+||d<|dur3||d<|dur;||d<|durC||d <|durK||d <| durS| |d <| dur[| |d <| durc| |d <| durk| |d<| durs| |d<ddd}|jd||||dS)u Adds and updates roles in the native realm. ``_ :param name: The name of the role. :param applications: A list of application privilege entries. :param cluster: A list of cluster privileges. These privileges define the cluster-level actions for users with this role. :param global_: An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges. :param indices: A list of indices permissions entries. :param metadata: Optional metadata. Within the metadata object, keys that begin with an underscore (`_`) are reserved for system use. :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. :param run_as: A list of users that the owners of this role can impersonate. :param transient_metadata: Indicates roles that might be incompatible with the current cluster license, specifically roles with document and field level security. When the cluster license doesn’t allow certain features for a given role, this parameter is updated dynamically to list the incompatible features. If `enabled` is `false`, the role is ignored, but is still listed in the response from the authenticate API. rFrGNrrr r rr rrSrr0rrrrr2rr:)r rErrr r rr rrSrr0rrr!r"r#r$r%r%r&put_rolesB8  zSecurityClient.put_role) enabledr r r rSrr0role_templatesrolesrulesrrrrrc Cs|tvrtddt|} i}i}|dur||d<|dur#||d<|dur+||d<|dur3||d<|dur;||d<|durC||d <|durK||d <| durS| |d <| dur[| |d <| durc| |d <| durk| |d<ddd}|jd| |||dS)ak Creates and updates role mappings. ``_ :param name: Role-mapping name :param enabled: :param metadata: :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. :param role_templates: :param roles: :param rules: :param run_as: rFr^Nrr r r rSrr0rrrrrrr2rr:)r rErr r r rSrr0rrrrr!r"r#r$r%r%r&put_role_mapping s>%  zSecurityClient.put_role_mapping) emailrr r full_namer rSrr/rr0rrrc Cs|tvrtddt|}i}i}|dur||d<|dur#||d<|dur+||d<|dur3||d<|dur;||d<|durC||d <|durK||d <| durS| |d <| dur[| |d <| durc| |d <| durk| |d<| durs| |d<ddd}|jd||||dS)a Adds and updates users in the native realm. These users are commonly referred to as native users. ``_ :param username: The username of the User :param email: :param enabled: :param full_name: :param metadata: :param password: :param password_hash: :param refresh: If `true` (the default) then refresh the affected shards to make this operation visible to search, if `wait_for` then wait for a refresh to make this operation visible to search, if `false` then do nothing with refreshes. :param roles: rar1Nrrr r rr rSrr/rr0rrrr2rr:)r rrrr r rr rSrr/rr0rr!r"r#r$r%r%r&put_useresB(  zSecurityClient.put_userfromfrom_) r r rr rquery search_aftersizesortrtrrrrc Cs8d} i} i} | dur2t| trd| vs,t| ttfr2tdd| Dr2tdd| Dr2| | d<d} |dur:|| d<|durB|| d <|durJ|| d <|durR|| d <|durZ|| d <|durb|| d <|durj|| d<|durr|| d<| durz| | d<| dur| | d<| sd} ddi}| durd|d<|jd| | || dS)a Retrieves information for API keys using a subset of query DSL ``_ :param from_: Starting document offset. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the `search_after` parameter. :param query: A query to filter which API keys to return. The query supports a subset of query types, including `match_all`, `bool`, `term`, `terms`, `ids`, `prefix`, `wildcard`, and `range`. You can query all public information associated with an API key. :param search_after: Search after definition :param size: The number of hits to return. By default, you cannot page through more than 10,000 hits using the `from` and `size` parameters. To page through more hits, use the `search_after` parameter. :param sort: Other than `id`, all public fields of an API key are eligible for sorting. In addition, sort can also be applied to the `_doc` field to sort by index order. :param with_limited_by: Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors. z/_security/_query/api_keyN:css|]}t|tVqdS)N) isinstancestr.0Z_xr%r%r& sz0SecurityClient.query_api_keys..css|]}d|vVqdS)rNr%rr%r%r&rsrr r rr rrrrrtrrrrr)rrlisttupleallanyr)r r r rr rrrrrrtr!r#r"r$r%r%r&query_api_keyssV0  zSecurityClient.query_api_keys)r r r rrealmcontentrc Cs|durtd|durtdd}i} i} |dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <|durN|| d <d d d } |jd|| | | dS)u Exchanges a SAML Response message for an Elasticsearch access token and refresh token pair ``_ :param content: The SAML response as it was sent by the user’s browser, usually a Base64 encoded XML document. :param ids: A json array with all the valid SAML Request Ids that the caller of the API has for the current user. :param realm: The name of the realm that should authenticate the SAML response. Useful in cases where many SAML realms are defined. Nz*Empty value passed for parameter 'content'r7z/_security/saml/authenticaterr5r r r rrrrrrr) r rr5r r r rrr!r"r#r$r%r%r&saml_authenticate s2  z SecurityClient.saml_authenticate)rr r r r query_stringrc Cs|durtd|durtdd} i} i} |dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <|durN|| d <|durV|| d <d d d} |jd| | | | dS)aY Verifies the logout response sent from the SAML IdP ``_ :param ids: A json array with all the valid SAML Request Ids that the caller of the API has for the current user. :param realm: The name of the SAML realm in Elasticsearch for which the configuration is used to verify the logout response. :param content: If the SAML IdP sends the logout response with the HTTP-Post binding, this field must be set to the value of the SAMLResponse form parameter from the logout response. :param query_string: If the SAML IdP sends the logout response with the HTTP-Redirect binding, this field must be set to the query string of the redirect URI. Nr7z(Empty value passed for parameter 'realm'z/_security/saml/complete_logoutr5rrr r r rrrrrrr) r r5rrr r r rrr!r"r#r$r%r%r&saml_complete_logout?s6  z#SecurityClient.saml_complete_logout)acsr r r rrrc Cs|durtdd}i} i} |dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <d d d } |jd || | | dS)uT Consumes a SAML LogoutRequest ``_ :param query_string: The query part of the URL that the user was redirected to by the SAML IdP to initiate the Single Logout. This query should include a single parameter named SAMLRequest that contains a SAML logout request that is deflated and Base64 encoded. If the SAML IdP has signed the logout request, the URL should include two extra parameters named SigAlg and Signature that contain the algorithm used for the signature and the signature value itself. In order for Elasticsearch to be able to verify the IdP’s signature, the value of the query_string field must be an exact match to the string provided by the browser. The client application must not attempt to parse or process the string in any way. :param acs: The Assertion Consumer Service URL that matches the one of the SAML realm in Elasticsearch that should be used. You must specify either this parameter or the realm parameter. :param realm: The name of the SAML realm in Elasticsearch the configuration. You must specify either this parameter or the acs parameter. Nz/Empty value passed for parameter 'query_string'z/_security/saml/invalidaterrr r r rrrrrrr) r rrr r r rrr!r"r#r$r%r%r&saml_invalidateys.#  zSecurityClient.saml_invalidate)r r r rrc Cs|durtdd}i}i} |dur||d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>||d <d d d } |jd || | |d S)a Invalidates an access token and a refresh token that were generated via the SAML Authenticate API ``_ :param token: The access token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent token that was received after refreshing the original one by using a refresh_token. :param refresh_token: The refresh token that was returned as a response to calling the SAML authenticate API. Alternatively, the most recent refresh token that was received after refreshing the original access token. Nz(Empty value passed for parameter 'token'z/_security/saml/logoutrr r r rrrrrrr) r rr r r rrr!r"r#r$r%r%r& saml_logouts*  zSecurityClient.saml_logout)rr r r rr relay_staterc Csd}i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <d d d } |jd || | | d S)a Creates a SAML authentication request ``_ :param acs: The Assertion Consumer Service URL that matches the one of the SAML realms in Elasticsearch. The realm is used to generate the authentication request. You must specify either this parameter or the realm parameter. :param realm: The name of the SAML realm in Elasticsearch for which the configuration is used to generate the authentication request. You must specify either this parameter or the acs parameter. :param relay_state: A string that will be included in the redirect URL that this API returns as the RelayState query parameter. If the Authentication Request is signed, this value is used as part of the signature computation. z/_security/saml/prepareNrr r r rrrrrrrr+) r rr r r rrrr!r"r#r$r%r%r&saml_prepare_authentications*  z*SecurityClient.saml_prepare_authenticationc Cs||tvrtddt|}i}|dur||d<|dur!||d<|dur)||d<|dur1||d<dd i}|jd |||d S) a Generates SAML metadata for the Elastic stack SAML 2.0 Service Provider ``_ :param realm_name: The name of the SAML realm in Elasticsearch. z-Empty value passed for parameter 'realm_name'z/_security/saml/metadata/Nr r r rrrr)r*r:) r rsr r r rr!r#r$r%r%r&saml_service_provider_metadata s z-SecurityClient.saml_service_provider_metadata)rr r hintr rErrrc Csd} i} i} |dur|| d<|dur|| d<|dur|| d<|dur&|| d<|dur.|| d<|dur6|| d<|dur>|| d <|durF|| d <| sJd} d d i} | durVd | d <|jd| | | | dS)a" Get suggestions for user profiles that match specified search criteria. ``_ :param data: List of filters for the `data` field of the profile document. To return all content use `data=*`. To return a subset of content use `data=` to retrieve content nested under the specified ``. By default returns no `data` content. :param hint: Extra search criteria to improve relevance of the suggestion result. Profiles matching the spcified hint are ranked higher in the response. Profiles not matching the hint don't exclude the profile from the response as long as the profile matches the `name` field query. :param name: Query string used to match name-related fields in user profile documents. Name-related fields are the user's `username`, `full_name`, and `email`. :param size: Number of profiles to return. z/_security/profile/_suggestNrr r rr rErrrrrrrr+) r rr r rr rErrr!r"r#r$r%r%r&suggest_user_profiles9 s6  z$SecurityClient.suggest_user_profiles)r r r rSrrTc Cs|tvrtddt|}i} i} |dur|| d<|dur#|| d<|dur+|| d<|dur3|| d<|dur;|| d<|durC|| d <| sGd} d d i} | durSd | d <|jd || | | dS)uX Updates attributes of an existing API key. ``_ :param id: The ID of the API key to update. :param metadata: Arbitrary metadata that you want to associate with the API key. It supports nested data structure. Within the metadata object, keys beginning with _ are reserved for system usage. :param role_descriptors: An array of role descriptors for this API key. This parameter is optional. When it is not specified or is an empty array, then the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors then the resultant permissions would be an intersection of API keys permissions and authenticated user’s permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for create role API. For more details, see create or update roles API. z%Empty value passed for parameter 'id'r8Nr r r rSrrTrrrr2rr:) r rqr r r rSrrTr!r#r"r$r%r%r&update_api_keyu s2  zSecurityClient.update_api_key) rr r r if_primary_term if_seq_nolabelsrr0rrrc Cs|tvrtddt|d} i} i} |dur|| d<|dur$|| d<|dur,|| d<|dur4|| d<|dur<|| d <|durD|| d <|durL|| d <| durT| | d <| dur\| | d <ddd}|jd| | || dS)a Update application specific data for the user profile of the given unique ID. ``_ :param uid: A unique identifier for the user profile. :param data: Non-searchable data that you want to associate with the user profile. This field supports a nested data structure. :param if_primary_term: Only perform the operation if the document has this primary term. :param if_seq_no: Only perform the operation if the document has this sequence number. :param labels: Searchable data that you want to associate with the user profile. This field supports a nested data structure. :param refresh: If 'true', Elasticsearch refreshes the affected shards to make this operation visible to search, if 'wait_for' then wait for a refresh to make this operation visible to search, if 'false' do nothing with refreshes. rhriz/_dataNrr r r rrrrr0rrr2rr:)r rgrr r r rrrrr0r!r"r#r$r%r%r&update_user_profile_data s6%  z'SecurityClient.update_user_profile_data)B__name__ __module__ __qualname__rtUnionrOptionalboolSequencerAnyr'r-r4r;r?rDrIrQMappingrVrWrYr\r_r`rcrerkrmrnrorprurvryr{r|r~rrrrrrrrrrrrrrintfloatrrrrrrrrrrr%r%r%r&rs     0    8 " ! & !  )    @   :  - ) )   1 ) ) ) ) )       >  & $ & ) %    ; )  , (       @  6 ,     =   ." *  V    B      G    W  2   7  8 -  0 !   9  7    r) typingrZelastic_transportr_baserutilsrrrrr%r%r%r&s