Remove aliases resolution limitations when security is enabled (#31952)
Resolving wildcards in aliases expression is challenging as we may end up with no aliases to replace the original expression with, but if we replace with an empty array that means _all which is quite the opposite. Now that we support and serialize the original requested aliases, whenever aliases are replaced we will be able to know what was initially requested. `MetaData#findAliases` can then be updated to not return anything in case it gets empty aliases, but the original aliases were not empty. That means that empty aliases are interpreted as _all only if they were originally requested that way. Relates to #31516
This commit is contained in:
parent
0f0068b91c
commit
00a6ad0e9e
|
@ -79,3 +79,11 @@ the only behavior in 8.0.0, this parameter is deprecated in 7.0.0 for removal in
|
||||||
==== The deprecated stored script contexts have now been removed
|
==== The deprecated stored script contexts have now been removed
|
||||||
When putting stored scripts, support for storing them with the deprecated `template` context or without a context is
|
When putting stored scripts, support for storing them with the deprecated `template` context or without a context is
|
||||||
now removed. Scripts must be stored using the `script` context as mentioned in the documentation.
|
now removed. Scripts must be stored using the `script` context as mentioned in the documentation.
|
||||||
|
|
||||||
|
==== Get Aliases API limitations when {security} is enabled removed
|
||||||
|
|
||||||
|
The behavior and response codes of the get aliases API no longer vary
|
||||||
|
depending on whether {security} is enabled. Previously a
|
||||||
|
404 - NOT FOUND (IndexNotFoundException) could be returned in case the
|
||||||
|
current user was not authorized for any alias. An empty response with
|
||||||
|
status 200 - OK is now returned instead at all times.
|
||||||
|
|
|
@ -32,6 +32,11 @@ public interface AliasesRequest extends IndicesRequest.Replaceable {
|
||||||
*/
|
*/
|
||||||
String[] aliases();
|
String[] aliases();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the aliases as they were originally requested, before any potential name resolution
|
||||||
|
*/
|
||||||
|
String[] getOriginalAliases();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Replaces current aliases with the provided aliases.
|
* Replaces current aliases with the provided aliases.
|
||||||
*
|
*
|
||||||
|
|
|
@ -214,6 +214,7 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
private final AliasActions.Type type;
|
private final AliasActions.Type type;
|
||||||
private String[] indices;
|
private String[] indices;
|
||||||
private String[] aliases = Strings.EMPTY_ARRAY;
|
private String[] aliases = Strings.EMPTY_ARRAY;
|
||||||
|
private String[] originalAliases = Strings.EMPTY_ARRAY;
|
||||||
private String filter;
|
private String filter;
|
||||||
private String routing;
|
private String routing;
|
||||||
private String indexRouting;
|
private String indexRouting;
|
||||||
|
@ -238,6 +239,9 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
if (in.getVersion().onOrAfter(Version.V_6_4_0)) {
|
if (in.getVersion().onOrAfter(Version.V_6_4_0)) {
|
||||||
writeIndex = in.readOptionalBoolean();
|
writeIndex = in.readOptionalBoolean();
|
||||||
}
|
}
|
||||||
|
if (in.getVersion().onOrAfter(Version.V_7_0_0_alpha1)) {
|
||||||
|
originalAliases = in.readStringArray();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -252,6 +256,9 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
if (out.getVersion().onOrAfter(Version.V_6_4_0)) {
|
if (out.getVersion().onOrAfter(Version.V_6_4_0)) {
|
||||||
out.writeOptionalBoolean(writeIndex);
|
out.writeOptionalBoolean(writeIndex);
|
||||||
}
|
}
|
||||||
|
if (out.getVersion().onOrAfter(Version.V_7_0_0_alpha1)) {
|
||||||
|
out.writeStringArray(originalAliases);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -315,6 +322,7 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
this.aliases = aliases;
|
this.aliases = aliases;
|
||||||
|
this.originalAliases = aliases;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -329,6 +337,7 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
throw new IllegalArgumentException("[alias] can't be empty string");
|
throw new IllegalArgumentException("[alias] can't be empty string");
|
||||||
}
|
}
|
||||||
this.aliases = new String[] {alias};
|
this.aliases = new String[] {alias};
|
||||||
|
this.originalAliases = aliases;
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -432,6 +441,11 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
this.aliases = aliases;
|
this.aliases = aliases;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String[] getOriginalAliases() {
|
||||||
|
return originalAliases;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean expandAliasesWildcards() {
|
public boolean expandAliasesWildcards() {
|
||||||
//remove operations support wildcards among aliases, add operations don't
|
//remove operations support wildcards among aliases, add operations don't
|
||||||
|
@ -579,7 +593,7 @@ public class IndicesAliasesRequest extends AcknowledgedRequest<IndicesAliasesReq
|
||||||
}, AliasActions.PARSER, new ParseField("actions"));
|
}, AliasActions.PARSER, new ParseField("actions"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public static IndicesAliasesRequest fromXContent(XContentParser parser) throws IOException {
|
public static IndicesAliasesRequest fromXContent(XContentParser parser) {
|
||||||
return PARSER.apply(parser, null);
|
return PARSER.apply(parser, null);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -95,7 +95,7 @@ public class TransportIndicesAliasesAction extends TransportMasterNodeAction<Ind
|
||||||
Set<String> aliases = new HashSet<>();
|
Set<String> aliases = new HashSet<>();
|
||||||
for (AliasActions action : actions) {
|
for (AliasActions action : actions) {
|
||||||
String[] concreteIndices = indexNameExpressionResolver.concreteIndexNames(state, request.indicesOptions(), action.indices());
|
String[] concreteIndices = indexNameExpressionResolver.concreteIndexNames(state, request.indicesOptions(), action.indices());
|
||||||
Collections.addAll(aliases, action.aliases());
|
Collections.addAll(aliases, action.getOriginalAliases());
|
||||||
for (String index : concreteIndices) {
|
for (String index : concreteIndices) {
|
||||||
switch (action.actionType()) {
|
switch (action.actionType()) {
|
||||||
case ADD:
|
case ADD:
|
||||||
|
@ -142,7 +142,7 @@ public class TransportIndicesAliasesAction extends TransportMasterNodeAction<Ind
|
||||||
if (action.expandAliasesWildcards()) {
|
if (action.expandAliasesWildcards()) {
|
||||||
//for DELETE we expand the aliases
|
//for DELETE we expand the aliases
|
||||||
String[] indexAsArray = {concreteIndex};
|
String[] indexAsArray = {concreteIndex};
|
||||||
ImmutableOpenMap<String, List<AliasMetaData>> aliasMetaData = metaData.findAliases(action.aliases(), indexAsArray);
|
ImmutableOpenMap<String, List<AliasMetaData>> aliasMetaData = metaData.findAliases(action, indexAsArray);
|
||||||
List<String> finalAliases = new ArrayList<>();
|
List<String> finalAliases = new ArrayList<>();
|
||||||
for (ObjectCursor<List<AliasMetaData>> curAliases : aliasMetaData.values()) {
|
for (ObjectCursor<List<AliasMetaData>> curAliases : aliasMetaData.values()) {
|
||||||
for (AliasMetaData aliasMeta: curAliases.value) {
|
for (AliasMetaData aliasMeta: curAliases.value) {
|
||||||
|
|
|
@ -63,7 +63,7 @@ public class TransportGetAliasesAction extends TransportMasterNodeReadAction<Get
|
||||||
@Override
|
@Override
|
||||||
protected void masterOperation(GetAliasesRequest request, ClusterState state, ActionListener<GetAliasesResponse> listener) {
|
protected void masterOperation(GetAliasesRequest request, ClusterState state, ActionListener<GetAliasesResponse> listener) {
|
||||||
String[] concreteIndices = indexNameExpressionResolver.concreteIndexNames(state, request);
|
String[] concreteIndices = indexNameExpressionResolver.concreteIndexNames(state, request);
|
||||||
ImmutableOpenMap<String, List<AliasMetaData>> aliases = state.metaData().findAliases(request.aliases(), concreteIndices);
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = state.metaData().findAliases(request, concreteIndices);
|
||||||
listener.onResponse(new GetAliasesResponse(postProcess(request, concreteIndices, aliases)));
|
listener.onResponse(new GetAliasesResponse(postProcess(request, concreteIndices, aliases)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -32,15 +32,14 @@ import org.elasticsearch.cluster.metadata.IndexMetaData;
|
||||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||||
import org.elasticsearch.cluster.metadata.MappingMetaData;
|
import org.elasticsearch.cluster.metadata.MappingMetaData;
|
||||||
import org.elasticsearch.cluster.service.ClusterService;
|
import org.elasticsearch.cluster.service.ClusterService;
|
||||||
import org.elasticsearch.common.Strings;
|
|
||||||
import org.elasticsearch.common.collect.ImmutableOpenMap;
|
import org.elasticsearch.common.collect.ImmutableOpenMap;
|
||||||
import org.elasticsearch.common.inject.Inject;
|
import org.elasticsearch.common.inject.Inject;
|
||||||
|
import org.elasticsearch.common.settings.IndexScopedSettings;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.settings.SettingsFilter;
|
import org.elasticsearch.common.settings.SettingsFilter;
|
||||||
import org.elasticsearch.indices.IndicesService;
|
import org.elasticsearch.indices.IndicesService;
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.transport.TransportService;
|
import org.elasticsearch.transport.TransportService;
|
||||||
import org.elasticsearch.common.settings.IndexScopedSettings;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -110,7 +109,7 @@ public class TransportGetIndexAction extends TransportClusterInfoAction<GetIndex
|
||||||
break;
|
break;
|
||||||
case ALIASES:
|
case ALIASES:
|
||||||
if (!doneAliases) {
|
if (!doneAliases) {
|
||||||
aliasesResult = state.metaData().findAliases(Strings.EMPTY_ARRAY, concreteIndices);
|
aliasesResult = state.metaData().findAllAliases(concreteIndices);
|
||||||
doneAliases = true;
|
doneAliases = true;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -24,6 +24,7 @@ import com.carrotsearch.hppc.cursors.ObjectCursor;
|
||||||
import com.carrotsearch.hppc.cursors.ObjectObjectCursor;
|
import com.carrotsearch.hppc.cursors.ObjectObjectCursor;
|
||||||
import org.apache.logging.log4j.Logger;
|
import org.apache.logging.log4j.Logger;
|
||||||
import org.apache.lucene.util.CollectionUtil;
|
import org.apache.lucene.util.CollectionUtil;
|
||||||
|
import org.elasticsearch.action.AliasesRequest;
|
||||||
import org.elasticsearch.cluster.ClusterState;
|
import org.elasticsearch.cluster.ClusterState;
|
||||||
import org.elasticsearch.cluster.ClusterState.FeatureAware;
|
import org.elasticsearch.cluster.ClusterState.FeatureAware;
|
||||||
import org.elasticsearch.cluster.Diff;
|
import org.elasticsearch.cluster.Diff;
|
||||||
|
@ -248,21 +249,53 @@ public class MetaData implements Iterable<IndexMetaData>, Diffable<MetaData>, To
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Finds the specific index aliases that match with the specified aliases directly or partially via wildcards and
|
* Finds the specific index aliases that point to the specified concrete indices or match partially with the indices via wildcards.
|
||||||
* that point to the specified concrete indices or match partially with the indices via wildcards.
|
|
||||||
*
|
*
|
||||||
* @param aliases The names of the index aliases to find
|
|
||||||
* @param concreteIndices The concrete indexes the index aliases must point to order to be returned.
|
* @param concreteIndices The concrete indexes the index aliases must point to order to be returned.
|
||||||
* @return a map of index to a list of alias metadata, the list corresponding to a concrete index will be empty if no aliases are
|
* @return a map of index to a list of alias metadata, the list corresponding to a concrete index will be empty if no aliases are
|
||||||
* present for that index
|
* present for that index
|
||||||
*/
|
*/
|
||||||
public ImmutableOpenMap<String, List<AliasMetaData>> findAliases(final String[] aliases, String[] concreteIndices) {
|
public ImmutableOpenMap<String, List<AliasMetaData>> findAllAliases(String[] concreteIndices) {
|
||||||
|
return findAliases(Strings.EMPTY_ARRAY, Strings.EMPTY_ARRAY, concreteIndices);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Finds the specific index aliases that match with the specified aliases directly or partially via wildcards and
|
||||||
|
* that point to the specified concrete indices or match partially with the indices via wildcards.
|
||||||
|
*
|
||||||
|
* @param aliasesRequest The request to find aliases for
|
||||||
|
* @param concreteIndices The concrete indexes the index aliases must point to order to be returned.
|
||||||
|
* @return a map of index to a list of alias metadata, the list corresponding to a concrete index will be empty if no aliases are
|
||||||
|
* present for that index
|
||||||
|
*/
|
||||||
|
public ImmutableOpenMap<String, List<AliasMetaData>> findAliases(final AliasesRequest aliasesRequest, String[] concreteIndices) {
|
||||||
|
return findAliases(aliasesRequest.getOriginalAliases(), aliasesRequest.aliases(), concreteIndices);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Finds the specific index aliases that match with the specified aliases directly or partially via wildcards and
|
||||||
|
* that point to the specified concrete indices or match partially with the indices via wildcards.
|
||||||
|
*
|
||||||
|
* @param aliases The aliases to look for
|
||||||
|
* @param originalAliases The original aliases that the user originally requested
|
||||||
|
* @param concreteIndices The concrete indexes the index aliases must point to order to be returned.
|
||||||
|
* @return a map of index to a list of alias metadata, the list corresponding to a concrete index will be empty if no aliases are
|
||||||
|
* present for that index
|
||||||
|
*/
|
||||||
|
private ImmutableOpenMap<String, List<AliasMetaData>> findAliases(String[] originalAliases, String[] aliases,
|
||||||
|
String[] concreteIndices) {
|
||||||
assert aliases != null;
|
assert aliases != null;
|
||||||
|
assert originalAliases != null;
|
||||||
assert concreteIndices != null;
|
assert concreteIndices != null;
|
||||||
if (concreteIndices.length == 0) {
|
if (concreteIndices.length == 0) {
|
||||||
return ImmutableOpenMap.of();
|
return ImmutableOpenMap.of();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//if aliases were provided but they got replaced with empty aliases, return empty map
|
||||||
|
if (originalAliases.length > 0 && aliases.length == 0) {
|
||||||
|
return ImmutableOpenMap.of();
|
||||||
|
}
|
||||||
|
|
||||||
boolean matchAllAliases = matchAllAliases(aliases);
|
boolean matchAllAliases = matchAllAliases(aliases);
|
||||||
ImmutableOpenMap.Builder<String, List<AliasMetaData>> mapBuilder = ImmutableOpenMap.builder();
|
ImmutableOpenMap.Builder<String, List<AliasMetaData>> mapBuilder = ImmutableOpenMap.builder();
|
||||||
for (String index : concreteIndices) {
|
for (String index : concreteIndices) {
|
||||||
|
|
|
@ -20,6 +20,7 @@
|
||||||
package org.elasticsearch.cluster.metadata;
|
package org.elasticsearch.cluster.metadata;
|
||||||
|
|
||||||
import org.elasticsearch.Version;
|
import org.elasticsearch.Version;
|
||||||
|
import org.elasticsearch.action.admin.indices.alias.get.GetAliasesRequest;
|
||||||
import org.elasticsearch.cluster.ClusterModule;
|
import org.elasticsearch.cluster.ClusterModule;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
import org.elasticsearch.common.UUIDs;
|
import org.elasticsearch.common.UUIDs;
|
||||||
|
@ -41,6 +42,7 @@ import org.elasticsearch.test.ESTestCase;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
@ -50,6 +52,63 @@ import static org.hamcrest.Matchers.startsWith;
|
||||||
|
|
||||||
public class MetaDataTests extends ESTestCase {
|
public class MetaDataTests extends ESTestCase {
|
||||||
|
|
||||||
|
public void testFindAliases() {
|
||||||
|
MetaData metaData = MetaData.builder().put(IndexMetaData.builder("index")
|
||||||
|
.settings(Settings.builder().put(IndexMetaData.SETTING_VERSION_CREATED, Version.CURRENT))
|
||||||
|
.numberOfShards(1)
|
||||||
|
.numberOfReplicas(0)
|
||||||
|
.putAlias(AliasMetaData.builder("alias1").build())
|
||||||
|
.putAlias(AliasMetaData.builder("alias2").build())).build();
|
||||||
|
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = metaData.findAliases(new GetAliasesRequest(), Strings.EMPTY_ARRAY);
|
||||||
|
assertThat(aliases.size(), equalTo(0));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = metaData.findAliases(new GetAliasesRequest(), new String[]{"index"});
|
||||||
|
assertThat(aliases.size(), equalTo(1));
|
||||||
|
List<AliasMetaData> aliasMetaDataList = aliases.get("index");
|
||||||
|
assertThat(aliasMetaDataList.size(), equalTo(2));
|
||||||
|
assertThat(aliasMetaDataList.get(0).alias(), equalTo("alias1"));
|
||||||
|
assertThat(aliasMetaDataList.get(1).alias(), equalTo("alias2"));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
GetAliasesRequest getAliasesRequest = new GetAliasesRequest("alias1");
|
||||||
|
getAliasesRequest.replaceAliases(Strings.EMPTY_ARRAY);
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = metaData.findAliases(getAliasesRequest, new String[]{"index"});
|
||||||
|
assertThat(aliases.size(), equalTo(0));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases =
|
||||||
|
metaData.findAliases(new GetAliasesRequest("alias*"), new String[]{"index"});
|
||||||
|
assertThat(aliases.size(), equalTo(1));
|
||||||
|
List<AliasMetaData> aliasMetaDataList = aliases.get("index");
|
||||||
|
assertThat(aliasMetaDataList.size(), equalTo(2));
|
||||||
|
assertThat(aliasMetaDataList.get(0).alias(), equalTo("alias1"));
|
||||||
|
assertThat(aliasMetaDataList.get(1).alias(), equalTo("alias2"));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases =
|
||||||
|
metaData.findAliases(new GetAliasesRequest("alias1"), new String[]{"index"});
|
||||||
|
assertThat(aliases.size(), equalTo(1));
|
||||||
|
List<AliasMetaData> aliasMetaDataList = aliases.get("index");
|
||||||
|
assertThat(aliasMetaDataList.size(), equalTo(1));
|
||||||
|
assertThat(aliasMetaDataList.get(0).alias(), equalTo("alias1"));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = metaData.findAllAliases(new String[]{"index"});
|
||||||
|
assertThat(aliases.size(), equalTo(1));
|
||||||
|
List<AliasMetaData> aliasMetaDataList = aliases.get("index");
|
||||||
|
assertThat(aliasMetaDataList.size(), equalTo(2));
|
||||||
|
assertThat(aliasMetaDataList.get(0).alias(), equalTo("alias1"));
|
||||||
|
assertThat(aliasMetaDataList.get(1).alias(), equalTo("alias2"));
|
||||||
|
}
|
||||||
|
{
|
||||||
|
ImmutableOpenMap<String, List<AliasMetaData>> aliases = metaData.findAllAliases(Strings.EMPTY_ARRAY);
|
||||||
|
assertThat(aliases.size(), equalTo(0));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public void testIndexAndAliasWithSameName() {
|
public void testIndexAndAliasWithSameName() {
|
||||||
IndexMetaData.Builder builder = IndexMetaData.builder("index")
|
IndexMetaData.Builder builder = IndexMetaData.builder("index")
|
||||||
.settings(Settings.builder().put(IndexMetaData.SETTING_VERSION_CREATED, Version.CURRENT))
|
.settings(Settings.builder().put(IndexMetaData.SETTING_VERSION_CREATED, Version.CURRENT))
|
||||||
|
|
|
@ -19,8 +19,6 @@ with {security} enabled.
|
||||||
Elasticsearch clusters with {security} enabled apply the `/_all` wildcard, and
|
Elasticsearch clusters with {security} enabled apply the `/_all` wildcard, and
|
||||||
all other wildcards, to the indices that the current user has privileges for, not
|
all other wildcards, to the indices that the current user has privileges for, not
|
||||||
the set of all indices on the cluster.
|
the set of all indices on the cluster.
|
||||||
While creating or retrieving aliases by providing wildcard expressions for alias names, if there are no existing authorized aliases
|
|
||||||
that match the wildcard expression provided an IndexNotFoundException is returned.
|
|
||||||
|
|
||||||
[float]
|
[float]
|
||||||
=== Multi Document APIs
|
=== Multi Document APIs
|
||||||
|
|
|
@ -20,7 +20,6 @@ import org.elasticsearch.cluster.metadata.IndexMetaData;
|
||||||
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
|
||||||
import org.elasticsearch.cluster.metadata.MetaData;
|
import org.elasticsearch.cluster.metadata.MetaData;
|
||||||
import org.elasticsearch.cluster.service.ClusterService;
|
import org.elasticsearch.cluster.service.ClusterService;
|
||||||
import org.elasticsearch.common.Strings;
|
|
||||||
import org.elasticsearch.common.collect.ImmutableOpenMap;
|
import org.elasticsearch.common.collect.ImmutableOpenMap;
|
||||||
import org.elasticsearch.common.regex.Regex;
|
import org.elasticsearch.common.regex.Regex;
|
||||||
import org.elasticsearch.common.settings.ClusterSettings;
|
import org.elasticsearch.common.settings.ClusterSettings;
|
||||||
|
@ -200,6 +199,8 @@ class IndicesAndAliasesResolver {
|
||||||
if (aliasesRequest.expandAliasesWildcards()) {
|
if (aliasesRequest.expandAliasesWildcards()) {
|
||||||
List<String> aliases = replaceWildcardsWithAuthorizedAliases(aliasesRequest.aliases(),
|
List<String> aliases = replaceWildcardsWithAuthorizedAliases(aliasesRequest.aliases(),
|
||||||
loadAuthorizedAliases(authorizedIndices.get(), metaData));
|
loadAuthorizedAliases(authorizedIndices.get(), metaData));
|
||||||
|
//it may be that we replace aliases with an empty array, in case there are no authorized aliases for the action.
|
||||||
|
//MetaData#findAliases will return nothing when some alias was originally requested, which was replaced with empty.
|
||||||
aliasesRequest.replaceAliases(aliases.toArray(new String[aliases.size()]));
|
aliasesRequest.replaceAliases(aliases.toArray(new String[aliases.size()]));
|
||||||
}
|
}
|
||||||
if (indicesReplacedWithNoIndices) {
|
if (indicesReplacedWithNoIndices) {
|
||||||
|
@ -240,8 +241,7 @@ class IndicesAndAliasesResolver {
|
||||||
} else {
|
} else {
|
||||||
// the user is not authorized to put mappings for this index, but could have been
|
// the user is not authorized to put mappings for this index, but could have been
|
||||||
// authorized for a write using an alias that triggered a dynamic mapping update
|
// authorized for a write using an alias that triggered a dynamic mapping update
|
||||||
ImmutableOpenMap<String, List<AliasMetaData>> foundAliases =
|
ImmutableOpenMap<String, List<AliasMetaData>> foundAliases = metaData.findAllAliases(new String[] { concreteIndexName });
|
||||||
metaData.findAliases(Strings.EMPTY_ARRAY, new String[] { concreteIndexName });
|
|
||||||
List<AliasMetaData> aliasMetaData = foundAliases.get(concreteIndexName);
|
List<AliasMetaData> aliasMetaData = foundAliases.get(concreteIndexName);
|
||||||
if (aliasMetaData != null) {
|
if (aliasMetaData != null) {
|
||||||
Optional<String> foundAlias = aliasMetaData.stream()
|
Optional<String> foundAlias = aliasMetaData.stream()
|
||||||
|
@ -279,14 +279,12 @@ class IndicesAndAliasesResolver {
|
||||||
List<String> finalAliases = new ArrayList<>();
|
List<String> finalAliases = new ArrayList<>();
|
||||||
|
|
||||||
//IndicesAliasesRequest doesn't support empty aliases (validation fails) but GetAliasesRequest does (in which case empty means _all)
|
//IndicesAliasesRequest doesn't support empty aliases (validation fails) but GetAliasesRequest does (in which case empty means _all)
|
||||||
boolean matchAllAliases = aliases.length == 0;
|
if (aliases.length == 0) {
|
||||||
if (matchAllAliases) {
|
|
||||||
finalAliases.addAll(authorizedAliases);
|
finalAliases.addAll(authorizedAliases);
|
||||||
}
|
}
|
||||||
|
|
||||||
for (String aliasPattern : aliases) {
|
for (String aliasPattern : aliases) {
|
||||||
if (aliasPattern.equals(MetaData.ALL)) {
|
if (aliasPattern.equals(MetaData.ALL)) {
|
||||||
matchAllAliases = true;
|
|
||||||
finalAliases.addAll(authorizedAliases);
|
finalAliases.addAll(authorizedAliases);
|
||||||
} else if (Regex.isSimpleMatchPattern(aliasPattern)) {
|
} else if (Regex.isSimpleMatchPattern(aliasPattern)) {
|
||||||
for (String authorizedAlias : authorizedAliases) {
|
for (String authorizedAlias : authorizedAliases) {
|
||||||
|
@ -298,16 +296,6 @@ class IndicesAndAliasesResolver {
|
||||||
finalAliases.add(aliasPattern);
|
finalAliases.add(aliasPattern);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
//Throw exception if the wildcards expansion to authorized aliases resulted in no indices.
|
|
||||||
//We always need to replace wildcards for security reasons, to make sure that the operation is executed on the aliases that we
|
|
||||||
//authorized it to execute on. Empty set gets converted to _all by es core though, and unlike with indices, here we don't have
|
|
||||||
//a special expression to replace empty set with, which gives us the guarantee that nothing will be returned.
|
|
||||||
//This is because existing aliases can contain all kinds of special characters, they are only validated since 5.1.
|
|
||||||
if (finalAliases.isEmpty()) {
|
|
||||||
String indexName = matchAllAliases ? MetaData.ALL : Arrays.toString(aliases);
|
|
||||||
throw new IndexNotFoundException(indexName);
|
|
||||||
}
|
|
||||||
return finalAliases;
|
return finalAliases;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -15,6 +15,7 @@ import org.elasticsearch.action.support.IndicesOptions;
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.common.settings.SecureString;
|
import org.elasticsearch.common.settings.SecureString;
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
|
import org.elasticsearch.rest.action.admin.indices.AliasesNotFoundException;
|
||||||
import org.elasticsearch.test.SecurityIntegTestCase;
|
import org.elasticsearch.test.SecurityIntegTestCase;
|
||||||
import org.junit.Before;
|
import org.junit.Before;
|
||||||
|
|
||||||
|
@ -235,15 +236,19 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
//ok: user has manage_aliases on test_*
|
//ok: user has manage_aliases on test_*
|
||||||
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get());
|
assertAcked(client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*").get());
|
||||||
|
|
||||||
//fails: all aliases have been deleted, no existing aliases match test_alias_*
|
{
|
||||||
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
//fails: all aliases have been deleted, no existing aliases match test_alias_*
|
||||||
|
AliasesNotFoundException exception = expectThrows(AliasesNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*")::get);
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "test_alias_*")::get);
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[test_alias_*]"));
|
assertThat(exception.getMessage(), equalTo("aliases [test_alias_*] missing"));
|
||||||
|
}
|
||||||
|
|
||||||
//fails: all aliases have been deleted, no existing aliases match _all
|
{
|
||||||
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
//fails: all aliases have been deleted, no existing aliases match _all
|
||||||
|
AliasesNotFoundException exception = expectThrows(AliasesNotFoundException.class,
|
||||||
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
client().filterWithHeader(headers).admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
assertThat(exception.getMessage(), equalTo("aliases [_all] missing"));
|
||||||
|
}
|
||||||
|
|
||||||
//fails: user doesn't have manage_aliases on alias_1
|
//fails: user doesn't have manage_aliases on alias_1
|
||||||
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
|
assertThrowsAuthorizationException(client().filterWithHeader(headers).admin().indices().prepareAliases()
|
||||||
|
@ -383,24 +388,27 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
|
getAliasesResponse = client.admin().indices().prepareGetAliases().setAliases("test_alias").get();
|
||||||
assertEquals(0, getAliasesResponse.getAliases().size());
|
assertEquals(0, getAliasesResponse.getAliases().size());
|
||||||
|
|
||||||
//fails: no existing aliases to replace wildcards
|
{
|
||||||
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
//fails: no existing aliases to replace wildcards
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*")::get);
|
assertThrowsAuthorizationException(
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[test_*]"));
|
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("test_*")::get,
|
||||||
|
GetAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
//fails: no existing aliases to replace _all
|
}
|
||||||
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
{
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all")::get);
|
//fails: no existing aliases to replace _all
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setIndices("test_1").setAliases("_all")::get,
|
||||||
|
GetAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
//fails: no existing aliases to replace empty aliases
|
}
|
||||||
indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
{
|
||||||
client.admin().indices().prepareGetAliases().setIndices("test_1")::get);
|
//fails: no existing aliases to replace empty aliases
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
assertThrowsAuthorizationException(client.admin().indices().prepareGetAliases().setIndices("test_1")::get,
|
||||||
|
GetAliasesAction.NAME, "create_test_aliases_alias");
|
||||||
//fails: no existing aliases to replace empty aliases
|
}
|
||||||
indexNotFoundException = expectThrows(IndexNotFoundException.class, client.admin().indices().prepareGetAliases()::get);
|
{
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
//fails: no existing aliases to replace empty aliases
|
||||||
|
GetAliasesResponse response = client.admin().indices().prepareGetAliases().get();
|
||||||
|
assertThat(response.getAliases().size(), equalTo(0));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testCreateIndexThenAliasesCreateAndAliasesPermission3() {
|
public void testCreateIndexThenAliasesCreateAndAliasesPermission3() {
|
||||||
|
@ -447,9 +455,9 @@ public class IndexAliasesTests extends SecurityIntegTestCase {
|
||||||
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all"));
|
assertAcked(client.admin().indices().prepareAliases().removeAlias("test_*", "_all"));
|
||||||
|
|
||||||
//fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases
|
//fails: all aliases have been deleted, _all can't be resolved to any existing authorized aliases
|
||||||
IndexNotFoundException indexNotFoundException = expectThrows(IndexNotFoundException.class,
|
AliasesNotFoundException exception = expectThrows(AliasesNotFoundException.class,
|
||||||
client.admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
client.admin().indices().prepareAliases().removeAlias("test_1", "_all")::get);
|
||||||
assertThat(indexNotFoundException.toString(), containsString("[_all]"));
|
assertThat(exception.getMessage(), equalTo("aliases [_all] missing"));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testGetAliasesCreateAndAliasesPermission3() {
|
public void testGetAliasesCreateAndAliasesPermission3() {
|
||||||
|
|
|
@ -80,6 +80,7 @@ import java.util.Set;
|
||||||
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;
|
import static org.elasticsearch.xpack.security.support.SecurityIndexManager.SECURITY_INDEX_NAME;
|
||||||
import static org.hamcrest.Matchers.arrayContaining;
|
import static org.hamcrest.Matchers.arrayContaining;
|
||||||
import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
|
import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
|
||||||
|
import static org.hamcrest.Matchers.contains;
|
||||||
import static org.hamcrest.Matchers.containsInAnyOrder;
|
import static org.hamcrest.Matchers.containsInAnyOrder;
|
||||||
import static org.hamcrest.Matchers.emptyIterable;
|
import static org.hamcrest.Matchers.emptyIterable;
|
||||||
import static org.hamcrest.Matchers.equalTo;
|
import static org.hamcrest.Matchers.equalTo;
|
||||||
|
@ -781,10 +782,11 @@ public class IndicesAndAliasesResolverTests extends ESTestCase {
|
||||||
public void testResolveAliasesWildcardsIndicesAliasesRequestDeleteActionsNoAuthorizedIndices() {
|
public void testResolveAliasesWildcardsIndicesAliasesRequestDeleteActionsNoAuthorizedIndices() {
|
||||||
IndicesAliasesRequest request = new IndicesAliasesRequest();
|
IndicesAliasesRequest request = new IndicesAliasesRequest();
|
||||||
request.addAliasAction(AliasActions.remove().index("foo*").alias("foo*"));
|
request.addAliasAction(AliasActions.remove().index("foo*").alias("foo*"));
|
||||||
//no authorized aliases match bar*, hence this action fails and makes the whole request fail
|
//no authorized aliases match bar*, hence aliases are replaced with empty string for that action
|
||||||
request.addAliasAction(AliasActions.remove().index("*bar").alias("bar*"));
|
request.addAliasAction(AliasActions.remove().index("*bar").alias("bar*"));
|
||||||
expectThrows(IndexNotFoundException.class, () -> resolveIndices(
|
resolveIndices(request, buildAuthorizedIndices(user, IndicesAliasesAction.NAME));
|
||||||
request, buildAuthorizedIndices(user, IndicesAliasesAction.NAME)));
|
assertThat(request.getAliasActions().get(0).aliases().length, equalTo(1));
|
||||||
|
assertThat(request.getAliasActions().get(1).aliases().length, equalTo(0));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testResolveWildcardsIndicesAliasesRequestAddAndDeleteActions() {
|
public void testResolveWildcardsIndicesAliasesRequestAddAndDeleteActions() {
|
||||||
|
@ -1086,12 +1088,11 @@ public class IndicesAndAliasesResolverTests extends ESTestCase {
|
||||||
|
|
||||||
public void testResolveAliasesWildcardsGetAliasesRequestNoAuthorizedIndices() {
|
public void testResolveAliasesWildcardsGetAliasesRequestNoAuthorizedIndices() {
|
||||||
GetAliasesRequest request = new GetAliasesRequest();
|
GetAliasesRequest request = new GetAliasesRequest();
|
||||||
//no authorized aliases match bar*, hence the request fails
|
//no authorized aliases match bar*, hence aliases are replaced with empty array
|
||||||
request.aliases("bar*");
|
request.aliases("bar*");
|
||||||
request.indices("*bar");
|
request.indices("*bar");
|
||||||
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
|
resolveIndices(request, buildAuthorizedIndices(user, GetAliasesAction.NAME));
|
||||||
() -> resolveIndices(request, buildAuthorizedIndices(user, GetAliasesAction.NAME)));
|
assertThat(request.aliases().length, equalTo(0));
|
||||||
assertEquals("no such index", e.getMessage());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testResolveAliasesAllGetAliasesRequestNoAuthorizedIndices() {
|
public void testResolveAliasesAllGetAliasesRequestNoAuthorizedIndices() {
|
||||||
|
@ -1100,10 +1101,10 @@ public class IndicesAndAliasesResolverTests extends ESTestCase {
|
||||||
request.aliases("_all");
|
request.aliases("_all");
|
||||||
}
|
}
|
||||||
request.indices("non_existing");
|
request.indices("non_existing");
|
||||||
//current user is not authorized for any index, foo* resolves to no indices, the request fails
|
//current user is not authorized for any index, foo* resolves to no indices, aliases are replaced with empty array
|
||||||
IndexNotFoundException e = expectThrows(IndexNotFoundException.class,
|
ResolvedIndices resolvedIndices = resolveIndices(request, buildAuthorizedIndices(userNoIndices, GetAliasesAction.NAME));
|
||||||
() -> resolveIndices(request, buildAuthorizedIndices(userNoIndices, GetAliasesAction.NAME)));
|
assertThat(resolvedIndices.getLocal(), contains("non_existing"));
|
||||||
assertEquals("no such index", e.getMessage());
|
assertThat(request.aliases().length, equalTo(0));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -12,10 +12,9 @@ integTest {
|
||||||
|
|
||||||
integTestRunner {
|
integTestRunner {
|
||||||
systemProperty 'tests.rest.blacklist',
|
systemProperty 'tests.rest.blacklist',
|
||||||
['cat.aliases/10_basic/Empty cluster',
|
[
|
||||||
'index/10_with_id/Index with ID',
|
'index/10_with_id/Index with ID',
|
||||||
'indices.get_alias/10_basic/Get alias against closed indices',
|
'indices.get_alias/10_basic/Get alias against closed indices'
|
||||||
'indices.get_alias/20_empty/Check empty aliases when getting all aliases via /_alias',
|
|
||||||
].join(',')
|
].join(',')
|
||||||
|
|
||||||
systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user')
|
systemProperty 'tests.rest.cluster.username', System.getProperty('tests.rest.cluster.username', 'test_user')
|
||||||
|
|
Loading…
Reference in New Issue