Simplify FieldAndDocumentLevelSecurityRequestInterceptor

FieldAndDocumentLevelSecurityRequestInterceptor really supports intercepting only subclasses of IndicesRequest, so we shouldn't keep logic that is never used for intercepting CompositeIndicesRequest. We can also guarantee at compile time, using generics, that only supported subclasses are intercepted through it, so there is no need to verify that at runtime.

Original commit: elastic/x-pack-elasticsearch@6ab6e2d50e
javanna 2016-10-05 14:24:40 +02:00 committed by Luca Cavanna
parent 4bb6e856f3
commit 3dbea2f4c2
1 changed files with 14 additions and 31 deletions


@ -5,25 +5,20 @@
*/ */
package org.elasticsearch.xpack.security.action.interceptor; package org.elasticsearch.xpack.security.action.interceptor;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.component.AbstractComponent; import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.logging.LoggerMessageFormat;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.xpack.security.user.User;
import org.elasticsearch.xpack.security.authz.AuthorizationService; import org.elasticsearch.xpack.security.authz.AuthorizationService;
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
import org.elasticsearch.xpack.security.user.User;
import java.util.Collections;
import java.util.List;
/** /**
* Base class for interceptors that disables features when field level security is configured for indices a request * Base class for interceptors that disables features when field level security is configured for indices a request
* is going to execute on. * is going to execute on.
*/ */
abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends AbstractComponent implements abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends IndicesRequest> extends AbstractComponent implements
RequestInterceptor<Request> { RequestInterceptor<Request> {
private final ThreadContext threadContext; private final ThreadContext threadContext;
@ -40,19 +35,8 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) { if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
return; return;
} }
List<? extends IndicesRequest> indicesRequests;
if (request instanceof CompositeIndicesRequest) {
indicesRequests = ((CompositeIndicesRequest) request).subRequests();
} else if (request instanceof IndicesRequest) {
indicesRequests = Collections.singletonList((IndicesRequest) request);
} else {
throw new IllegalArgumentException(LoggerMessageFormat.format("expected a request of type [{}] or [{}] but got [{}] instead",
CompositeIndicesRequest.class, IndicesRequest.class, request.getClass()));
}
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY); IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
for (IndicesRequest indicesRequest : indicesRequests) { for (String index : request.indices()) {
for (String index : indicesRequest.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index); IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) { if (indexAccessControl != null) {
boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity(); boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
@ -70,7 +54,6 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends
logger.trace("intercepted request for index [{}] without field or document level access controls", index); logger.trace("intercepted request for index [{}] without field or document level access controls", index);
} }
} }
}
protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled); protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled);
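Review bot: The new loop `for (String index : request.indices())` looks each name up with `getIndexPermissions(index)` and sends a null result to the "without field or document level access controls" trace branch, so a name with no entry in the access-control object leaves the features enabled. Whether `indices()` already holds the concrete names that authorization resolved is not visible in this section; if aliases or wildcards can still be present at this point, the lookup fails open. I would state the assumption above the loop, e.g. `// request.indices() must be the concrete names authorization resolved; an unmatched name is treated as unrestricted`. The `indicesAccessControl` value read from the thread context is also dereferenced without a null check, which seems worth a guard or an assertion. The enclosing method starts before the hunk and part of the loop body is not shown.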