Summary
elastic es security currently covers API keys, roles, authenticate, has-privileges, and get-builtin-privileges — but is missing most of the security API surface: user management, role mappings, tokens, SAML, OIDC, service accounts, realm/cache operations, and enrollment. This blocks the majority of the elasticsearch-authn, elasticsearch-authz, and elasticsearch-security-troubleshooting agent-skills from migrating off curl.
Current surface
$ elastic es security --help
Commands:
authenticate
create-api-key
delete-role
get-api-key
get-builtin-privileges
get-role
has-privileges
invalidate-api-key
put-role
query-api-keys
query-role
update-api-key
Missing endpoints
User management
| CLI command | REST endpoint |
|---|---|
| put-user | PUT /_security/user/{username} |
| get-user | GET /_security/user/{username} |
| delete-user | DELETE /_security/user/{username} |
| enable-user | PUT /_security/user/{username}/_enable |
| disable-user | PUT /_security/user/{username}/_disable |
| change-password | POST /_security/user/{username}/_password |
| get-user-privileges | GET /_security/user/_privileges |
Role mappings
| CLI command | REST endpoint |
|---|---|
| put-role-mapping | PUT /_security/role_mapping/{name} |
| get-role-mapping | GET /_security/role_mapping/{name} |
| delete-role-mapping | DELETE /_security/role_mapping/{name} |
Tokens
| CLI command | REST endpoint |
|---|---|
| get-token | POST /_security/oauth2/token |
| invalidate-token | DELETE /_security/oauth2/token |
Service accounts
| CLI command | REST endpoint |
|---|---|
| get-service-accounts | GET /_security/service/{namespace}/{service} |
| get-service-credentials | GET /_security/service/{namespace}/{service}/credential |
| create-service-token | POST /_security/service/{namespace}/{service}/credential/token/{name} |
| delete-service-token | DELETE /_security/service/{namespace}/{service}/credential/token/{name} |
| clear-cached-service-tokens | POST /_security/service/{namespace}/{service}/credential/token/{name}/_clear_cache |
SAML
| CLI command | REST endpoint |
|---|---|
| saml-prepare-authentication | POST /_security/saml/prepare |
| saml-authenticate | POST /_security/saml/authenticate |
| saml-complete-logout | POST /_security/saml/complete_logout |
| saml-invalidate | POST /_security/saml/invalidate |
| saml-logout | POST /_security/saml/logout |
| saml-service-provider-metadata | GET /_security/saml/metadata/{realm_name} |
OIDC
| CLI command | REST endpoint |
|---|---|
| oidc-prepare-authentication | POST /_security/oidc/prepare |
| oidc-authenticate | POST /_security/oidc/authenticate |
| oidc-logout | POST /_security/oidc/logout |
Realm / cache operations
| CLI command | REST endpoint |
|---|---|
| clear-realm-cache | POST /_security/realm/{realms}/_clear_cache |
| clear-roles-cache | POST /_security/role/{name}/_clear_cache |
| clear-api-key-cache | POST /_security/api_key/{ids}/_clear_cache |
| clear-cached-privileges | POST /_security/privilege/{application}/_clear_cache |
Cross-cluster API keys
| CLI command | REST endpoint |
|---|---|
| create-cross-cluster-api-key | POST /_security/cross_cluster/api_key |
| update-cross-cluster-api-key | PUT /_security/cross_cluster/api_key/{id} |
Enrollment
| CLI command | REST endpoint |
|---|---|
| enroll-kibana | GET /_security/enroll/kibana |
| enroll-node | GET /_security/enroll/node |
Privileges
| CLI command | REST endpoint |
|---|---|
| put-privileges | PUT /_security/privilege |
| get-privileges | GET /_security/privilege/{application}/{name} |
| delete-privileges | DELETE /_security/privilege/{application}/{name} |
Motivation / use case
These skills are blocked on this surface:
- elasticsearch-authn: realm troubleshooting, token issuance, SAML/OIDC flows.
- elasticsearch-authz: native user + role mapping management is the core of the skill.
- elasticsearch-security-troubleshooting: clear-*-cache and token introspection are first-line diagnostics for 401/403 failures.
Codegen note
All of these are stable documented endpoints in the ES OpenAPI spec. If the CLI is code-generated (cf. #79) with a filter, please consider expanding it.
Environment
0.1.0-alpha.1