honeymoose/OpenSearch
1
0
Fork 0
mirror of https://github.com/honeymoose/OpenSearch.git synced 2025-02-26 14:54:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Refactor handling of bind permissions

Browse Source 
This commit refactors the handling of bind permissions, which is in need
of a little cleanup. For example, in its current state, the code for
handling permissions for transport profiles is split across two
methods. This commit refactors this code hopefully making it easier to
work with in future changes. This change is mostly mechanical, no
functionality is changed.

Relates #21742
This commit is contained in:
Jason Tedor 2016-11-22 18:39:14 -05:00 committed by GitHub
parent 1576eaba25
commit 41ae784a6f
1 changed files with 35 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
core/src/main/java/org/elasticsearch/bootstrap/Security.java
View File

@ -274,33 +274,8 @@ final class Security {
*/ */
static void addBindPermissions(Permissions policy, Settings settings) { static void addBindPermissions(Permissions policy, Settings settings) {
addSocketPermissionForHttp(policy, settings); addSocketPermissionForHttp(policy, settings);
// transport is waaaay overengineered addSocketPermissionForTransportProfiles(policy, settings);
Map<String, Settings> profiles = TransportSettings.TRANSPORT_PROFILES_SETTING.get(settings).getAsGroups(); addSocketPermissionForTribeNodes(policy, settings);
if (!profiles.containsKey(TransportSettings.DEFAULT_PROFILE)) {
profiles = new HashMap<>(profiles);
profiles.put(TransportSettings.DEFAULT_PROFILE, Settings.EMPTY);
}
// loop through all profiles and add permissions for each one, if its valid.
// (otherwise Netty transports are lenient and ignores it)
for (Map.Entry<String, Settings> entry : profiles.entrySet()) {
Settings profileSettings = entry.getValue();
String name = entry.getKey();
// a profile is only valid if its the default profile, or if it has an actual name and specifies a port
boolean valid = TransportSettings.DEFAULT_PROFILE.equals(name) || (Strings.hasLength(name) && profileSettings.get("port") != null);
if (valid) {
addSocketPermissionForTransportProfile(policy, profileSettings, settings);
}
}
for (final Settings tribeNodeSettings : settings.getGroups("tribe", true).values()) {
// tribe nodes have HTTP disabled by default, so we check if HTTP is enabled before granting
if (NetworkModule.HTTP_ENABLED.exists(tribeNodeSettings) && NetworkModule.HTTP_ENABLED.get(tribeNodeSettings)) {
addSocketPermissionForHttp(policy, tribeNodeSettings);
}
addSocketPermissionForTransport(policy, tribeNodeSettings);
}
} }
/** /**
@ -320,13 +295,26 @@ final class Security {
* the transport profile specified by {@code profileSettings} and will fall back to {@code settings}. * the transport profile specified by {@code profileSettings} and will fall back to {@code settings}.
* *
* @param policy the {@link Permissions} instance to apply the dynamic {@link SocketPermission}s to * @param policy the {@link Permissions} instance to apply the dynamic {@link SocketPermission}s to
* @param profileSettings the {@link Settings} to read the transport profile from
* @param settings the {@link Settings} instance to read the transport settings from * @param settings the {@link Settings} instance to read the transport settings from
*/ */
private static void addSocketPermissionForTransportProfile( private static void addSocketPermissionForTransportProfiles(
final Permissions policy, final Permissions policy,
final Settings profileSettings,
final Settings settings) { final Settings settings) {
// transport is way over-engineered
final Map<String, Settings> profiles = new HashMap<>(TransportSettings.TRANSPORT_PROFILES_SETTING.get(settings).getAsGroups());
profiles.putIfAbsent(TransportSettings.DEFAULT_PROFILE, Settings.EMPTY);
// loop through all profiles and add permissions for each one, if it's valid; otherwise Netty transports are lenient and ignores it
for (final Map.Entry<String, Settings> entry : profiles.entrySet()) {
final Settings profileSettings = entry.getValue();
final String name = entry.getKey();
// a profile is only valid if it's the default profile, or if it has an actual name and specifies a port
// TODO: can this leniency be removed?
final boolean valid =
TransportSettings.DEFAULT_PROFILE.equals(name) ||
(name != null && name.length() > 0 && profileSettings.get("port") != null);
if (valid) {
final String transportRange = profileSettings.get("port"); final String transportRange = profileSettings.get("port");
if (transportRange != null) { if (transportRange != null) {
addSocketPermissionForPortRange(policy, transportRange); addSocketPermissionForPortRange(policy, transportRange);
@ -334,6 +322,8 @@ final class Security {
addSocketPermissionForTransport(policy, settings); addSocketPermissionForTransport(policy, settings);
} }
} }
}
}
/** /**
* Add dynamic {@link SocketPermission} based on transport settings. * Add dynamic {@link SocketPermission} based on transport settings.
@ -346,6 +336,16 @@ final class Security {
addSocketPermissionForPortRange(policy, transportRange); addSocketPermissionForPortRange(policy, transportRange);
} }
private static void addSocketPermissionForTribeNodes(final Permissions policy, final Settings settings) {
for (final Settings tribeNodeSettings : settings.getGroups("tribe", true).values()) {
// tribe nodes have HTTP disabled by default, so we check if HTTP is enabled before granting
if (NetworkModule.HTTP_ENABLED.exists(tribeNodeSettings) && NetworkModule.HTTP_ENABLED.get(tribeNodeSettings)) {
addSocketPermissionForHttp(policy, tribeNodeSettings);
}
addSocketPermissionForTransport(policy, tribeNodeSettings);
}
}
/** /**
* Add dynamic {@link SocketPermission} for the specified port range. * Add dynamic {@link SocketPermission} for the specified port range.
* *