integrated indices related request change added to es core and added wildcard expansion

Original commit: elastic/x-pack-elasticsearch@1192d0e7f8
javanna 2014-07-25 11:39:30 +02:00 committed by Luca Cavanna
parent 9bb9fb478d
commit 0b751b12f1
2 changed files with 44 additions and 20 deletions


@ -1,14 +0,0 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.authz;
/**
*
*/
public interface IndicesRelatedRequest {
String[] relatedIndices();
}


@ -5,13 +5,19 @@
*/
package org.elasticsearch.shield.authz;
import com.google.common.collect.Sets;
import org.apache.lucene.util.automaton.Automaton;
import org.apache.lucene.util.automaton.RegExp;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.common.base.Predicate;
import org.elasticsearch.shield.support.AutomatonPredicate;
import org.elasticsearch.transport.TransportRequest;
import java.util.Collections;
import java.util.Set;
/**
*
*/
@ -53,22 +59,54 @@ public abstract class Permission {
return false;
}
assert request instanceof IndicesRelatedRequest :
"the only requests passing the action matcher should be IndexRelatedRequests";
boolean isIndicesRequest = request instanceof CompositeIndicesRequest || request instanceof IndicesRequest;
// if for some reason we missing an action... just for safety we'll reject
if (!(request instanceof IndicesRelatedRequest)) {
assert isIndicesRequest : "the only requests passing the action matcher should be IndicesRequests";
// if for some reason we are missing an action... just for safety we'll reject
if (!isIndicesRequest) {
return false;
}
IndicesRelatedRequest req = (IndicesRelatedRequest) request;
for (String index : req.relatedIndices()) {
Set<String> indices = Sets.newHashSet();
if (request instanceof CompositeIndicesRequest) {
CompositeIndicesRequest compositeIndicesRequest = (CompositeIndicesRequest) request;
for (IndicesRequest indicesRequest : compositeIndicesRequest.subRequests()) {
Collections.addAll(indices, explodeWildcards(indicesRequest, metaData));
}
} else {
Collections.addAll(indices, explodeWildcards((IndicesRequest) request, metaData));
}
for (String index : indices) {
if (!indicesMatcher.apply(index)) {
return false;
}
}
return true;
}
private String[] explodeWildcards(IndicesRequest indicesRequest, MetaData metaData) {
if (indicesRequest.indicesOptions().expandWildcardsOpen() || indicesRequest.indicesOptions().expandWildcardsClosed()) {
if (MetaData.isAllIndices(indicesRequest.indices())) {
return new String[]{"_all"};
/* the following is an alternative to requiring explicit privileges for _all, we just expand it, we could potentially extract
this code fragment to a separate method in MetaData#concreteIndices in the open source and just use it here]
if (indicesRequest.indicesOptions().expandWildcardsOpen() && indicesRequest.indicesOptions().expandWildcardsClosed()) {
return metaData.concreteAllIndices();
} else if (indicesRequest.indicesOptions().expandWildcardsOpen()) {
return metaData.concreteAllOpenIndices();
} else {
return metaData.concreteAllClosedIndices();
}*/
}
return metaData.convertFromWildcards(indicesRequest.indices(), indicesRequest.indicesOptions());
}
return indicesRequest.indices();
}
}
public static class Cluster extends Permission {
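Review bot: The final loop returns true when `indices` is empty, so the check passes vacuously whenever `explodeWildcards` yields no names — for example a wildcard that matches nothing, or an empty `indices()` on a request whose options disable wildcard expansion, which also skips the `MetaData.isAllIndices` mapping to `_all` because that test sits inside the expand-wildcards branch. If the action later resolves such a request to a broader set of indices (not visible here, so worth confirming), it would run without any index privilege having been checked. Failing closed is the safer default: add `if (indices.isEmpty()) { return false; }` before the `for (String index : indices)` loop and hoist the `isAllIndices` test above the `expandWildcards*` condition. A null `indices()` on the non-expanding path would also reach `Collections.addAll` and throw rather than deny. The enclosing method starts before this hunk, so its earlier guards are not visible.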