Simplify FieldAndDocumentLevelSecurityRequestInterceptor
FieldAndDocumentLevelSecurityRequestInterceptor really support intercepting only subclasses of IndicesRequests, we shouldn't have logic that is never used around intercepting CompositeIndicesRequest. Also we can guarantee at compile time, using generics, that only supported subclasses are intercepted through it, no need to verify that at runtime. Original commit: elastic/x-pack-elasticsearch@6ab6e2d50e
This commit is contained in:
parent
4bb6e856f3
commit
3dbea2f4c2
|
@ -5,25 +5,20 @@
|
|||
*/
|
||||
package org.elasticsearch.xpack.security.action.interceptor;
|
||||
|
||||
import org.elasticsearch.action.CompositeIndicesRequest;
|
||||
import org.elasticsearch.action.IndicesRequest;
|
||||
import org.elasticsearch.common.component.AbstractComponent;
|
||||
import org.elasticsearch.common.logging.LoggerMessageFormat;
|
||||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.license.XPackLicenseState;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
import org.elasticsearch.xpack.security.authz.AuthorizationService;
|
||||
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
|
||||
/**
|
||||
* Base class for interceptors that disables features when field level security is configured for indices a request
|
||||
* is going to execute on.
|
||||
*/
|
||||
abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends AbstractComponent implements
|
||||
abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request extends IndicesRequest> extends AbstractComponent implements
|
||||
RequestInterceptor<Request> {
|
||||
|
||||
private final ThreadContext threadContext;
|
||||
|
@ -40,19 +35,8 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends
|
|||
if (licenseState.isDocumentAndFieldLevelSecurityAllowed() == false) {
|
||||
return;
|
||||
}
|
||||
|
||||
List<? extends IndicesRequest> indicesRequests;
|
||||
if (request instanceof CompositeIndicesRequest) {
|
||||
indicesRequests = ((CompositeIndicesRequest) request).subRequests();
|
||||
} else if (request instanceof IndicesRequest) {
|
||||
indicesRequests = Collections.singletonList((IndicesRequest) request);
|
||||
} else {
|
||||
throw new IllegalArgumentException(LoggerMessageFormat.format("expected a request of type [{}] or [{}] but got [{}] instead",
|
||||
CompositeIndicesRequest.class, IndicesRequest.class, request.getClass()));
|
||||
}
|
||||
IndicesAccessControl indicesAccessControl = threadContext.getTransient(AuthorizationService.INDICES_PERMISSIONS_KEY);
|
||||
for (IndicesRequest indicesRequest : indicesRequests) {
|
||||
for (String index : indicesRequest.indices()) {
|
||||
for (String index : request.indices()) {
|
||||
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
|
||||
if (indexAccessControl != null) {
|
||||
boolean fieldLevelSecurityEnabled = indexAccessControl.getFieldPermissions().hasFieldLevelSecurity();
|
||||
|
@ -70,7 +54,6 @@ abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> extends
|
|||
logger.trace("intercepted request for index [{}] without field or document level access controls", index);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled);
|
||||
|
||||
|
|
Loading…
Reference in New Issue