security: Deal with upstream percolator changes.
From now on, if field level security and the percolator are used together, the percolator field needs to be included in the allowed fields. Original commit: elastic/x-pack-elasticsearch@7d39b5caf6
parent
fb825d7fd3
commit
0c7dff4fa7
|
@ -33,6 +33,7 @@ import org.elasticsearch.index.IndexSettings;
|
|||
import org.elasticsearch.index.cache.bitset.BitsetFilterCache;
|
||||
import org.elasticsearch.index.engine.EngineException;
|
||||
import org.elasticsearch.index.mapper.DocumentMapper;
|
||||
import org.elasticsearch.index.mapper.FieldMapper;
|
||||
import org.elasticsearch.index.mapper.MapperService;
|
||||
import org.elasticsearch.index.mapper.internal.ParentFieldMapper;
|
||||
import org.elasticsearch.index.percolator.PercolatorFieldMapper;
|
||||
|
@ -135,7 +136,6 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
|
|||
allowedFields.addAll(mapperService.simpleMatchToIndexNames(field));
|
||||
}
|
||||
resolveParentChildJoinFields(allowedFields);
|
||||
resolvePercolatorFields(allowedFields);
|
||||
reader = FieldSubsetReader.wrap(reader, allowedFields);
|
||||
}
|
||||
|
||||
|
@ -240,14 +240,6 @@ public class ShieldIndexSearcherWrapper extends IndexSearcherWrapper {
|
|||
}
|
||||
}
|
||||
|
||||
private void resolvePercolatorFields(Set<String> allowedFields) {
|
||||
if (mapperService.hasMapping(PercolatorFieldMapper.TYPE_NAME)) {
|
||||
allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
|
||||
allowedFields.add(PercolatorFieldMapper.UNKNOWN_QUERY_FULL_FIELD_NAME);
|
||||
allowedFields.add(PercolatorFieldMapper.EXTRACTED_TERMS_FULL_FIELD_NAME);
|
||||
}
|
||||
}
|
||||
|
||||
static void intersectScorerAndRoleBits(Scorer scorer, SparseFixedBitSet roleBits, LeafCollector collector, Bits acceptDocs) throws
|
||||
IOException {
|
||||
// ConjunctionDISI uses the DocIdSetIterator#cost() to order the iterators, so if roleBits has the lowest cardinality it should
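Review bot: The field-subset setup around `resolveParentChildJoinFields(allowedFields);` carries no comment saying that percolator fields are deliberately no longer added, so the asymmetry with the parent/child join fields reads like an oversight. Going by the hunk counts, the `resolvePercolatorFields` call and method are the removed lines (the page has lost its +/- markers), so a role using field level security that omits the percolator field will presumably get no percolate matches rather than an error. I would add above the `FieldSubsetReader.wrap` call: `// Percolator fields are intentionally not auto-allowed; a role must list the percolator field explicitly.` The enclosing method starts and ends outside the hunk.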
|
||||
|
|
|
@ -607,9 +607,9 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
|
||||
public void testPercolateApi() {
|
||||
assertAcked(client().admin().indices().prepareCreate("test")
|
||||
.addMapping(".percolator", "field1", "type=text", "field2", "type=text", "field3", "type=text")
|
||||
.addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text", "field3", "type=text")
|
||||
);
|
||||
client().prepareIndex("test", ".percolator", "1")
|
||||
client().prepareIndex("test", "query", "1")
|
||||
.setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
|
||||
.setRefresh(true)
|
||||
.get();
|
||||
|
@ -618,7 +618,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
PercolateResponse response = client()
|
||||
.filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(1L));
|
||||
|
@ -627,7 +627,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
response = client()
|
||||
.filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(0L));
|
||||
|
@ -635,7 +635,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
response = client()
|
||||
.filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(1L));
|
||||
|
@ -645,7 +645,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
// match:
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateQuery(termQuery("field1", "value1"))
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
|
@ -656,7 +656,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
// is no match:
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateQuery(termQuery("field1", "value1"))
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
|
@ -664,7 +664,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user3", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateQuery(termQuery("field1", "value1"))
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
|
@ -678,7 +678,7 @@ public class DocumentLevelSecurityTests extends ShieldIntegTestCase {
|
|||
// Ensure that the query loading that happens at startup has permissions to load the percolator queries:
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user1", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(1L));
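Review bot: In `testPercolateApi` the name `query` now stands for the mapping type, the percolator field and the percolated document's type (`addMapping("query", "query", "type=percolator", ...)`, `setDocumentType("query")`), which makes it hard to see which of them a field grant such as `query*` in FieldLevelSecurityTests is meant to match. A one-line comment on the mapping would help, for example `// type "query" holds the stored queries; field "query" is the percolator field`. The same naming is used in the testPercolateApi hunks of FieldLevelSecurityTests. The test method starts and ends outside these hunks.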
|
||||
|
|
|
@ -97,7 +97,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
|
|||
" indices:\n" +
|
||||
" - names: '*'\n" +
|
||||
" privileges: [ ALL ]\n" +
|
||||
" fields: [ field2 ]\n" +
|
||||
" fields: [ field2, query* ]\n" +
|
||||
"role4:\n" +
|
||||
" cluster: [ all ]\n" +
|
||||
" indices:\n" +
|
||||
|
@ -1122,9 +1122,9 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
|
|||
|
||||
public void testPercolateApi() {
|
||||
assertAcked(client().admin().indices().prepareCreate("test")
|
||||
.addMapping(".percolator", "field1", "type=text", "field2", "type=text")
|
||||
.addMapping("query", "query", "type=percolator", "field1", "type=text", "field2", "type=text")
|
||||
);
|
||||
client().prepareIndex("test", ".percolator", "1")
|
||||
client().prepareIndex("test", "query", "1")
|
||||
.setSource("{\"query\" : { \"match_all\" : {} }, \"field1\" : \"value1\"}")
|
||||
.setRefresh(true)
|
||||
.get();
|
||||
|
@ -1133,7 +1133,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
|
|||
PercolateResponse response = client()
|
||||
.filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(1L));
|
||||
|
@ -1143,7 +1143,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
|
|||
// no match:
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateQuery(termQuery("field1", "value1"))
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
|
@ -1156,7 +1156,7 @@ public class FieldLevelSecurityTests extends ShieldIntegTestCase {
|
|||
// Ensure that the query loading that happens at startup has permissions to load the percolator queries:
|
||||
response = client().filterWithHeader(Collections.singletonMap(BASIC_AUTH_HEADER, basicAuthHeaderValue("user2", USERS_PASSWD)))
|
||||
.preparePercolate()
|
||||
.setDocumentType("type")
|
||||
.setDocumentType("query")
|
||||
.setPercolateDoc(new PercolateSourceBuilder.DocBuilder().setDoc("{}"))
|
||||
.get();
|
||||
assertThat(response.getCount(), equalTo(1L));
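Review bot: The visible hunks of `testPercolateApi` only exercise `user2` and only assert `equalTo(1L)`, so nothing here pins the behaviour the commit message describes: a role with field level security that does not include the percolator field. If no such case exists elsewhere in the test (the body continues outside the hunks), I would add one percolate request as a user whose role lacks `query*` and assert the expected count for that user, so that a change which quietly re-exposes the percolator field is caught. The grant `fields: [ field2, query* ]` is also wider than the percolator field alone, since it matches every field whose name starts with `query`; a short comment in the role definition saying the wildcard is there for the percolator's internal sub-fields (if that is the reason) would stop it being copied into real role files as-is.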
|
||||
|
|