From 53f2dbe8e6e36f25f07ec93cfd720848d0050d91 Mon Sep 17 00:00:00 2001 From: Lee Hinman Date: Thu, 12 Jan 2017 15:04:57 -0700 Subject: [PATCH] switch shard-level actions to static final vars, use separate method Instead of shoehorning everything into `isCompositeAction`, add a new `isTranslatedToBulkAction` method. Original commit: elastic/x-pack-elasticsearch@053faae505c42e1e32e89e36c23dacffeb7b17af --- .../security/authz/AuthorizationService.java | 36 +++++++++++++------ 1 file changed, 25 insertions(+), 11 deletions(-) diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java index 375018d5fe3..f4418bd0af5 100644 --- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java +++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java @@ -76,6 +76,11 @@ public class AuthorizationService extends AbstractComponent { private static final Predicate MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate(); private static final Predicate SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME); + private static final String INDEX_SUB_REQUEST_PRIMARY = IndexAction.NAME + "[p]"; + private static final String INDEX_SUB_REQUEST_REPLICA = IndexAction.NAME + "[r]"; + private static final String DELETE_SUB_REQUEST_PRIMARY = DeleteAction.NAME + "[p]"; + private static final String DELETE_SUB_REQUEST_REPLICA = DeleteAction.NAME + "[r]"; + private final ClusterService clusterService; private final CompositeRolesStore rolesStore; private final AuditTrailService auditTrail; @@ -178,6 +183,17 @@ public class AuthorizationService extends AbstractComponent { return; } throw denial(authentication, action, request); + } else if (isTranslatedToBulkAction(action)) { + if (request instanceof CompositeIndicesRequest == false) { + throw new IllegalStateException("Bulk translated actions must implement " + CompositeIndicesRequest.class.getSimpleName() + + ", " + request.getClass().getSimpleName() + " doesn't"); + } + // we check if the user can execute the action, without looking at indices, whici will be authorized at the shard level + if (permission.indices().check(action)) { + grant(authentication, action, request); + return; + } + throw denial(authentication, action, request); } // some APIs are indices requests that are not actually associated with indices. For example, @@ -309,19 +325,8 @@ public class AuthorizationService extends AbstractComponent { } } - private static String IndexActionSubRequestPrimary = IndexAction.NAME + "[p]"; - private static String IndexActionSubRequestReplica = IndexAction.NAME + "[r]"; - private static String DeleteActionSubRequestPrimary = DeleteAction.NAME + "[p]"; - private static String DeleteActionSubRequestReplica = DeleteAction.NAME + "[r]"; - private static boolean isCompositeAction(String action) { return action.equals(BulkAction.NAME) || - action.equals(IndexAction.NAME) || - action.equals(DeleteAction.NAME) || - action.equals(IndexActionSubRequestPrimary) || - action.equals(IndexActionSubRequestReplica) || - action.equals(DeleteActionSubRequestPrimary) || - action.equals(DeleteActionSubRequestReplica) || action.equals(MultiGetAction.NAME) || action.equals(MultiTermVectorsAction.NAME) || action.equals(MultiSearchAction.NAME) || @@ -331,6 +336,15 @@ public class AuthorizationService extends AbstractComponent { action.equals("indices:data/write/reindex"); } + private static boolean isTranslatedToBulkAction(String action) { + return action.equals(IndexAction.NAME) || + action.equals(DeleteAction.NAME) || + action.equals(INDEX_SUB_REQUEST_PRIMARY) || + action.equals(INDEX_SUB_REQUEST_REPLICA) || + action.equals(DELETE_SUB_REQUEST_PRIMARY) || + action.equals(DELETE_SUB_REQUEST_REPLICA); + } + private static boolean isScrollRelatedAction(String action) { return action.equals(SearchScrollAction.NAME) || action.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) ||