switch shard-level actions to static final vars, use separate method
Instead of shoehorning everything into `isCompositeAction`, add a new `isTranslatedToBulkAction` method. Original commit: elastic/x-pack-elasticsearch@053faae505
This commit is contained in:
parent
a21f64fef2
commit
53f2dbe8e6
|
@ -76,6 +76,11 @@ public class AuthorizationService extends AbstractComponent {
|
||||||
private static final Predicate<String> MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate();
|
private static final Predicate<String> MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate();
|
||||||
private static final Predicate<String> SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME);
|
private static final Predicate<String> SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME);
|
||||||
|
|
||||||
|
private static final String INDEX_SUB_REQUEST_PRIMARY = IndexAction.NAME + "[p]";
|
||||||
|
private static final String INDEX_SUB_REQUEST_REPLICA = IndexAction.NAME + "[r]";
|
||||||
|
private static final String DELETE_SUB_REQUEST_PRIMARY = DeleteAction.NAME + "[p]";
|
||||||
|
private static final String DELETE_SUB_REQUEST_REPLICA = DeleteAction.NAME + "[r]";
|
||||||
|
|
||||||
private final ClusterService clusterService;
|
private final ClusterService clusterService;
|
||||||
private final CompositeRolesStore rolesStore;
|
private final CompositeRolesStore rolesStore;
|
||||||
private final AuditTrailService auditTrail;
|
private final AuditTrailService auditTrail;
|
||||||
|
@ -178,6 +183,17 @@ public class AuthorizationService extends AbstractComponent {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
throw denial(authentication, action, request);
|
throw denial(authentication, action, request);
|
||||||
|
} else if (isTranslatedToBulkAction(action)) {
|
||||||
|
if (request instanceof CompositeIndicesRequest == false) {
|
||||||
|
throw new IllegalStateException("Bulk translated actions must implement " + CompositeIndicesRequest.class.getSimpleName()
|
||||||
|
+ ", " + request.getClass().getSimpleName() + " doesn't");
|
||||||
|
}
|
||||||
|
// we check if the user can execute the action, without looking at indices, whici will be authorized at the shard level
|
||||||
|
if (permission.indices().check(action)) {
|
||||||
|
grant(authentication, action, request);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
throw denial(authentication, action, request);
|
||||||
}
|
}
|
||||||
|
|
||||||
// some APIs are indices requests that are not actually associated with indices. For example,
|
// some APIs are indices requests that are not actually associated with indices. For example,
|
||||||
|
@ -309,19 +325,8 @@ public class AuthorizationService extends AbstractComponent {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static String IndexActionSubRequestPrimary = IndexAction.NAME + "[p]";
|
|
||||||
private static String IndexActionSubRequestReplica = IndexAction.NAME + "[r]";
|
|
||||||
private static String DeleteActionSubRequestPrimary = DeleteAction.NAME + "[p]";
|
|
||||||
private static String DeleteActionSubRequestReplica = DeleteAction.NAME + "[r]";
|
|
||||||
|
|
||||||
private static boolean isCompositeAction(String action) {
|
private static boolean isCompositeAction(String action) {
|
||||||
return action.equals(BulkAction.NAME) ||
|
return action.equals(BulkAction.NAME) ||
|
||||||
action.equals(IndexAction.NAME) ||
|
|
||||||
action.equals(DeleteAction.NAME) ||
|
|
||||||
action.equals(IndexActionSubRequestPrimary) ||
|
|
||||||
action.equals(IndexActionSubRequestReplica) ||
|
|
||||||
action.equals(DeleteActionSubRequestPrimary) ||
|
|
||||||
action.equals(DeleteActionSubRequestReplica) ||
|
|
||||||
action.equals(MultiGetAction.NAME) ||
|
action.equals(MultiGetAction.NAME) ||
|
||||||
action.equals(MultiTermVectorsAction.NAME) ||
|
action.equals(MultiTermVectorsAction.NAME) ||
|
||||||
action.equals(MultiSearchAction.NAME) ||
|
action.equals(MultiSearchAction.NAME) ||
|
||||||
|
@ -331,6 +336,15 @@ public class AuthorizationService extends AbstractComponent {
|
||||||
action.equals("indices:data/write/reindex");
|
action.equals("indices:data/write/reindex");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static boolean isTranslatedToBulkAction(String action) {
|
||||||
|
return action.equals(IndexAction.NAME) ||
|
||||||
|
action.equals(DeleteAction.NAME) ||
|
||||||
|
action.equals(INDEX_SUB_REQUEST_PRIMARY) ||
|
||||||
|
action.equals(INDEX_SUB_REQUEST_REPLICA) ||
|
||||||
|
action.equals(DELETE_SUB_REQUEST_PRIMARY) ||
|
||||||
|
action.equals(DELETE_SUB_REQUEST_REPLICA);
|
||||||
|
}
|
||||||
|
|
||||||
private static boolean isScrollRelatedAction(String action) {
|
private static boolean isScrollRelatedAction(String action) {
|
||||||
return action.equals(SearchScrollAction.NAME) ||
|
return action.equals(SearchScrollAction.NAME) ||
|
||||||
action.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) ||
|
action.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) ||
|
||||||
|
|
Loading…
Reference in New Issue