From 0c7dff4fa72f86d94437e1b78797183e5e481666 Mon Sep 17 00:00:00 2001
From: Martijn van Groningen
Date: Tue, 19 Apr 2016 11:23:04 +0200
Subject: [PATCH] security: Deal with upstream percolator changes.

From now on, if field level security and percolator is used then the percolator field needs to be included in the allowed fields.

Original commit: elastic/x-pack-elasticsearch@7d39b5caf68f19f655bc5f6058acad62f3baf652
---
 .../ShieldIndexSearcherWrapper.java | 10 +---------
 .../DocumentLevelSecurityTests.java | 18 +++++++++---------
 .../integration/FieldLevelSecurityTests.java | 12 ++++++------
 3 files changed, 16 insertions(+), 24 deletions(-)

diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
index 83229f46b44..0fcae47b741 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/accesscontrol/ShieldIndexSearcherWrapper.java
@@ -33,6 +33,7 @@ import org.elasticsearch.index.IndexSettings;
 import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
 import org.elasticsearch.index.engine.EngineException;
 import org.elasticsearch.index.mapper.DocumentMapper;
+import org.elasticsearch.index.mapper.FieldMapper;
 import org.elasticsearch.index.mapper.MapperService;
 import org.elasticsearch.index.mapper.internal.ParentFieldMapper;
 import org.elasticsearch.index.percolator.PercolatorFieldMapper;
@@ -135,7 +136,6 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
 allowedFields.addAll(mapperService.simpleMatchToIndexNames(field));
 }
 resolveParentChildJoinFields(allowedFields);
- resolvePercolatorFields(allowedFields);
 reader = FieldSubsetReader.wrap(reader, allowedFields);
 }
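Review bot: The added `import org.elasticsearch.index.mapper.FieldMapper;` has no user in this patch — the diffstat records exactly one insertion for ShieldIndexSearcherWrapper.java and this import is it — so it is dead and should be dropped. In the same import list, `org.elasticsearch.index.percolator.PercolatorFieldMapper` stays as context although the only visible consumer (`resolvePercolatorFields`, deleted later in this patch) is gone; if nothing else in the file references it, that import is now orphaned too and should go in the same cleanup.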
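Review bot: Dropping `resolvePercolatorFields(allowedFields)` silently changes what an existing field-level-security role can see: the percolator's internal fields are no longer added to `allowedFields` implicitly, so a role that grants only document fields now gets no percolator matches at all rather than the previous behaviour. That is fail-closed, which is the right direction for an authorization wrapper, but nothing at the call site says so, and an operator debugging "percolate returns 0 hits" will not find the reason here; a comment after `resolveParentChildJoinFields(allowedFields);` such as `// Percolator fields are NOT granted implicitly: an FLS role must list the percolator field (and its sub-fields) itself.` would record the contract, and the change belongs in the release's breaking-changes notes since existing role definitions need editing. The enclosing method starts and ends outside the hunk.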
@@ -240,14 +240,6 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
 }
 }
- private void resolvePercolatorFields(Set allowedFields) {
- if (mapperService.hasMapping(PercolatorFieldMapper.TYPE_NAME)) {
- allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
- allowedFields.add(PercolatorFieldMapper.UNKNOWN_QUERY_FULL_FIELD_NAME);
- allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
- }
- }
-
 static void intersectScorerAndRoleBits(Scorer scorer, SparseFixedBitSet roleBits, LeafCollector collector, Bits acceptDocs) throws IOException {
 // ConjunctionDISI uses the DocIdSetIterator#cost() to order the iterators, so if roleBits has the lowest cardinality it should
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
index 1b02791285e..1f2e9c2efcf 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/DocumentLevelSecurityTests.java
@@ -607,9 +607,9 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 public void testPercolateApi() {
 assertAcked(client().admin().indices().prepareCreate("test")
- .addMapping(".percolator", "field1", "type=text", "field2", "type=text", "field3", "type=text")
+ .addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text", "field3", "type=text")
 );
- client().prepareIndex("test", ".percolator", "1")
+ client().prepareIndex("test", "query", "1")
 .setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
 .setRefresh(true)
 .get();
@@ -618,7 +618,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 PercolateResponse response = client()
 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(1L));
@@ -627,7 +627,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 response = client()
 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(0L));
@@ -635,7 +635,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 response = client()
 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(1L));
@@ -645,7 +645,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 // match:
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateQuery(termQuery("field1", "value1"))
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
@@ -656,7 +656,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 // is no match:
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateQuery(termQuery("field1", "value1"))
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
@@ -664,7 +664,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateQuery(termQuery("field1", "value1"))
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
@@ -678,7 +678,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
 // Ensure that the query loading that happens at startup has permissions to load the percolator queries:
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(1L));
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
index 1585d33b9e4..40081fdf81f 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/integration/FieldLevelSecurityTests.java
@@ -97,7 +97,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
 " indices:\n" +
 " - names: '*'\n" +
 " privileges: [ ALL ]\n" +
- " fields: [ field2 ]\n" +
+ " fields: [ field2, query* ]\n" +
 "role4:\n" +
 " cluster: [ all ]\n" +
 " indices:\n" +
@@ -1122,9 +1122,9 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
 public void testPercolateApi() {
 assertAcked(client().admin().indices().prepareCreate("test")
- .addMapping(".percolator", "field1", "type=text", "field2", "type=text")
+ .addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text")
 );
- client().prepareIndex("test", ".percolator", "1")
+ client().prepareIndex("test", "query", "1")
 .setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
 .setRefresh(true)
 .get();
@@ -1133,7 +1133,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
 PercolateResponse response = client()
 .filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(1L));
@@ -1143,7 +1143,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
 // no match:
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateQuery(termQuery("field1", "value1"))
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
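Review bot: The new grant `" fields: [ field2, query* ]\n"` for role3 is wider than the "percolator field needs to be included" rule in the commit message: a prefix wildcard also exposes every unrelated document field whose name begins with `query` (a `query_text` or `query_count` field, say) to holders of this role, which is not least privilege. If the percolator type stores its internal data as sub-fields of the mapped field (which would explain why the bare name `query` was not used here), then `query*` is the minimum that works and that constraint should be stated wherever operators are told how to write FLS roles; if it is not, listing the exact field names is the tighter grant. Either way the fixture should say why the wildcard is there, e.g. `// query* : FLS must also expose the percolator field's internal sub-fields or no queries match`. The role YAML string begins before this hunk.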
@@ -1156,7 +1156,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
 // Ensure that the query loading that happens at startup has permissions to load the percolator queries:
 response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
 .preparePercolate()
- .setDocumentType("type")
+ .setDocumentType("query")
 .setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
 .get();
 assertThat(response.getCount(), equalTo(1L));