always return reserved roles when parsing roles file

Today, if the roles.yml file does not exist the roles that are defined programmatically are not
available. This is incorrect because the reserved roles should always be available and not depend
on the parsing of the file. This change ensures that the reserved roles are made available even
when the roles.yml file is missing.

Closes elastic/elasticsearch#602

Original commit: elastic/x-pack-elasticsearch@ee2fd2ddbf
This commit is contained in:
jaymode 2015-09-09 14:11:04 -04:00
parent a5d9c45dd3
commit 52c31d8c08
2 changed files with 42 additions and 20 deletions


@ -121,30 +121,25 @@ public class FileRolesStore extends AbstractLifecycleComponent<RolesStore> imple
logger = NoOpLogger.INSTANCE;
}
logger.trace("reading roles file located at [{}]", path.toAbsolutePath());
if (!Files.exists(path)) {
return ImmutableMap.of();
}
Map<String, Permission.Global.Role> roles = new HashMap<>();
try {
List<String> roleSegments = roleSegments(path);
for (String segment : roleSegments) {
Permission.Global.Role role = parseRole(segment, path, logger, resolvePermission);
if (role != null) {
if (SystemRole.NAME.equals(role.name())) {
logger.warn("role [{}] is reserved to the system. the relevant role definition in the mapping file will be ignored", SystemRole.NAME);
} else {
roles.put(role.name(), role);
logger.trace("attempted to read roles file located at [{}]", path.toAbsolutePath());
if (Files.exists(path)) {
try {
List<String> roleSegments = roleSegments(path);
for (String segment : roleSegments) {
Permission.Global.Role role = parseRole(segment, path, logger, resolvePermission);
if (role != null) {
if (SystemRole.NAME.equals(role.name())) {
logger.warn("role [{}] is reserved to the system. the relevant role definition in the mapping file will be ignored", SystemRole.NAME);
} else {
roles.put(role.name(), role);
}
}
}
}
} catch (IOException ioe) {
logger.error("failed to read roles file [{}]. skipping all roles...", ioe, path.toAbsolutePath());
} catch (IOException ioe) {
logger.error("failed to read roles file [{}]. skipping all roles...", ioe, path.toAbsolutePath());
}
}
// we now add all the fixed roles (overriding any attempts to override the fixed roles in the file)
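Review bot: The error message in the new catch block, `logger.error("failed to read roles file [{}]. skipping all roles...", ioe, path.toAbsolutePath());`, is now inaccurate: per the comment that follows, the reserved roles are still added after an I/O failure, so only the file-defined roles are skipped; an operator reading "skipping all roles" would conclude the node has no roles at all. I would change it to `logger.error("failed to read roles file [{}]. skipping all roles defined in the file; reserved roles remain available", ioe, path.toAbsolutePath());`. The missing-file case is also now silent beyond the trace line; an explicit `logger.debug("roles file [{}] does not exist. only reserved roles will be available", path.toAbsolutePath());` in an else branch of the `Files.exists` check would let a misconfigured path be distinguished from an intentionally empty file. The enclosing method begins before this hunk, so where the `roles` map is declared on the new side is not visible here.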


@ -291,4 +291,31 @@ public class FileRolesStoreTests extends ESTestCase {
// we overriden the configured reserved role without index privs. (was configured with index priv on "index_a_*" indices)
assertThat(reserved.indices().isEmpty(), is(true));
}
@Test
public void testReservedRolesNonExistentRolesFile() throws Exception {
Set<Permission.Global.Role> reservedRoles = ImmutableSet.<Permission.Global.Role>builder()
.add(Permission.Global.Role.builder("reserved")
.cluster(Privilege.Cluster.ALL)
.build())
.build();
CapturingLogger logger = new CapturingLogger(CapturingLogger.Level.INFO);
Path path = createTempFile();
Files.delete(path);
assertThat(Files.exists(path), is(false));
Map<String, Permission.Global.Role> roles = FileRolesStore.parseFile(path, reservedRoles, logger);
assertThat(roles, notNullValue());
assertThat(roles.size(), is(1));
assertThat(roles, hasKey("reserved"));
Permission.Global.Role reserved = roles.get("reserved");
List<CapturingLogger.Msg> messages = logger.output(CapturingLogger.Level.WARN);
assertThat(messages, notNullValue());
assertThat(messages, hasSize(0));
assertThat(reserved.cluster().check("cluster:admin/test"), is(true));
assertThat(reserved.indices().isEmpty(), is(true));
}
}
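Review bot: testReservedRolesNonExistentRolesFile checks only the WARN channel, so it would still pass if the `Files.exists` guard were ever removed and the missing file surfaced as an IOException in the catch block, because the reserved roles are added regardless of that failure. Adding `assertThat(logger.output(CapturingLogger.Level.ERROR), hasSize(0));` next to the WARN assertion pins the intended "absent file is not an error" behaviour. The `check("cluster:admin/test")` assertion is trivially true for a role built with `Privilege.Cluster.ALL`; it documents intent but cannot fail, which is worth noting in a one-line comment.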