Is it possible to require a subset of scopes in operation security?

[msevcenko]

I am confused how the security setting for an operation actually works. In the swagger editor example, some operations have security settings:

      security:
        - petstore_auth:
            - write:pets
            - read:pets

unfortunately there is no example with a subset of scopes. What this really mean? Why GET operation findByStatus requires write:pets scope?

Anyway, if I change this to read:pets only, and generate the server code e.g. as jaxrs-jersey, I do get in PetApi.java:

    @GET
    @Path("/findByStatus")
    @Produces({ "application/json", "application/xml" })
    @Operation(summary = "Finds Pets by status", description = "Multiple status values can be provided with comma separated strings", security = {
        @SecurityRequirement(name = "petstore_auth", scopes = {
            "write:pets",
"read:pets"        })    }, tags={ "pet" }) 

i.e. both scopes are listed. Is this correct? What did the setting

      security:
        - petstore_auth:
            - read:pets

actually do?

If I omit whole security section from the operation definition, the whole scopes parameter is omitted from the annotation, but I fail to generate subset of scopes for an operation.