From 3dbea2f4c217d634864abb3b4ffdfcdf813f6328 Mon Sep 17 00:00:00 2001
From: javanna
Date: Wed, 5 Oct 2016 14:24:40 +0200
Subject: [PATCH] Simplify FieldAndDocumentLevelSecurityRequestInterceptor
FieldAndDocumentLevelSecurityRequestInterceptor really support intercepting only subclasses of IndicesRequests, we shouldn't have logic that is never used around intercepting CompositeIndicesRequest. Also we can guarantee at compile time, using generics, that only supported subclasses are intercepted through it, no need to verify that at runtime.
Original commit: elastic/x-pack-elasticsearch@6ab6e2d50e7e3eb95e1d1c79c9554d13edd254c7
---
 ...cumentLevelSecurityRequestInterceptor.java | 45 ++++++-------------
 1 file changed, 14 insertions(+), 31 deletions(-)
diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
index 1e490bcddcd..854886c6dcd 100644
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
@@ -5,25 +5,20 @@
 */
 package org.elasticsearch.xpack.security.action.interceptor;
-import org.elasticsearch.action.CompositeIndicesRequest;
 import org.elasticsearch.action.IndicesRequest;
 import org.elasticsearch.common.component.AbstractComponent;
-import org.elasticsearch.common.logging.LoggerMessageFormat;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.license.XPackLicenseState;
-import org.elasticsearch.xpack.security.user.User;
 import org.elasticsearch.xpack.security.authz.AuthorizationService;
 import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
-
-import java.util.Collections;
-import java.util.List;
+import org.elasticsearch.xpack.security.user.User;
 /**
 * Base class for interceptors that disables features when field level security is configured for indices a request
 * is going to execute on.
 */
-abstract class FieldAndDocumentLevelSecurityRequestInterceptor extends AbstractComponent implements
+abstract class FieldAndDocumentLevelSecurityRequestInterceptor extends AbstractComponent implements
 RequestInterceptor {
 private final ThreadContext threadContext;
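Review bot: The class Javadoc kept as context in this hunk still says features are disabled "when field level security is configured", although the class name covers document level security as well, and it does not say which request types the interceptor accepts. I would reword it along the lines of `Base class for interceptors that disable features when field or document level security is configured for the indices a request targets; handles IndicesRequest subclasses only.` The type bound described in the commit message is not visible in the class declaration as rendered on this page, so the second half should be checked against the actual signature. The class body continues outside the hunk.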
@@ -40,35 +35,23 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor extends
 if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
 return;
 }
-
- List indicesRequests;
- if (request instanceof CompositeIndicesRequest) {
- indicesRequests = ((CompositeIndicesRequest) request).subRequests();
- } else if (request instanceof IndicesRequest) {
- indicesRequests = Collections.singletonList((IndicesRequest) request);
- } else {
- throw new IllegalArgumentException(LoggerMessageFormat.format("expected a request of type [{}] or [{}] but got [{}] instead",
- CompositeIndicesRequest.class, IndicesRequest.class, request.getClass()));
- }
 IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
- for (IndicesRequest indicesRequest : indicesRequests) {
- for (String index : indicesRequest.indices()) {
- IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
- if (indexAccessControl != null) {
- boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
- boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
+ for (String index : request.indices()) {
+ IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
+ if (indexAccessControl != null) {
+ boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
+ boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
+ if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
 if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
- if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
- logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
- "controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
- documentLevelSecurityEnabled);
- }
- disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
- return;
+ logger.trace("intercepted request for index [{}] with field level access controls [{}] document level access " +
+ "controls [{}]. disabling conflicting features", index, fieldLevelSecurityEnabled,
+ documentLevelSecurityEnabled);
 }
+ disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
+ return;
 }
- logger.trace("intercepted request for index [{}] without field or document level access controls", index);
 }
+ logger.trace("intercepted request for index [{}] without field or document level access controls", index);
 }
 }
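Review bot: An index with no `IndexAccessControl` entry is only traced and skipped in the new loop, so the interceptor leaves the conflicting features enabled for any name in `request.indices()` that is not a key of `IndicesAccessControl`. That is safe only if the names have already been resolved (wildcards, aliases) by the authorization step, which this hunk does not show; if that holds, state it in a comment above the loop, e.g. `// request.indices() is already resolved to the names IndicesAccessControl is keyed by`. `indicesAccessControl` is also dereferenced directly after `threadContext.getTransient(...)`, so a missing transient would surface as a bare NullPointerException rather than an explicit error. The new side keeps `if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled)` nested inside an identical check, and the inner one can be dropped. The method's signature is outside the hunk.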