switch shard-level actions to static final vars, use separate method

Instead of shoehorning everything into `isCompositeAction`, add a new
`isTranslatedToBulkAction` method.

Original commit: elastic/x-pack-elasticsearch@053faae505
Lee Hinman 2017-01-12 15:04:57 -07:00
parent a21f64fef2
commit 53f2dbe8e6
1 changed files with 25 additions and 11 deletions


@ -76,6 +76,11 @@ public class AuthorizationService extends AbstractComponent {
private static final Predicate<String> MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate(); private static final Predicate<String> MONITOR_INDEX_PREDICATE = IndexPrivilege.MONITOR.predicate();
private static final Predicate<String> SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME); private static final Predicate<String> SAME_USER_PRIVILEGE = Automatons.predicate(ChangePasswordAction.NAME, AuthenticateAction.NAME);
private static final String INDEX_SUB_REQUEST_PRIMARY = IndexAction.NAME + "[p]";
private static final String INDEX_SUB_REQUEST_REPLICA = IndexAction.NAME + "[r]";
private static final String DELETE_SUB_REQUEST_PRIMARY = DeleteAction.NAME + "[p]";
private static final String DELETE_SUB_REQUEST_REPLICA = DeleteAction.NAME + "[r]";
private final ClusterService clusterService; private final ClusterService clusterService;
private final CompositeRolesStore rolesStore; private final CompositeRolesStore rolesStore;
private final AuditTrailService auditTrail; private final AuditTrailService auditTrail;
@ -178,6 +183,17 @@ public class AuthorizationService extends AbstractComponent {
return; return;
} }
throw denial(authentication, action, request); throw denial(authentication, action, request);
} else if (isTranslatedToBulkAction(action)) {
if (request instanceof CompositeIndicesRequest == false) {
throw new IllegalStateException("Bulk translated actions must implement " + CompositeIndicesRequest.class.getSimpleName()
+ ", " + request.getClass().getSimpleName() + " doesn't");
}
// we check if the user can execute the action, without looking at indices, whici will be authorized at the shard level
if (permission.indices().check(action)) {
grant(authentication, action, request);
return;
}
throw denial(authentication, action, request);
} }
// some APIs are indices requests that are not actually associated with indices. For example, // some APIs are indices requests that are not actually associated with indices. For example,
@ -309,19 +325,8 @@ public class AuthorizationService extends AbstractComponent {
} }
} }
private static String IndexActionSubRequestPrimary = IndexAction.NAME + "[p]";
private static String IndexActionSubRequestReplica = IndexAction.NAME + "[r]";
private static String DeleteActionSubRequestPrimary = DeleteAction.NAME + "[p]";
private static String DeleteActionSubRequestReplica = DeleteAction.NAME + "[r]";
private static boolean isCompositeAction(String action) { private static boolean isCompositeAction(String action) {
return action.equals(BulkAction.NAME) || return action.equals(BulkAction.NAME) ||
action.equals(IndexAction.NAME) ||
action.equals(DeleteAction.NAME) ||
action.equals(IndexActionSubRequestPrimary) ||
action.equals(IndexActionSubRequestReplica) ||
action.equals(DeleteActionSubRequestPrimary) ||
action.equals(DeleteActionSubRequestReplica) ||
action.equals(MultiGetAction.NAME) || action.equals(MultiGetAction.NAME) ||
action.equals(MultiTermVectorsAction.NAME) || action.equals(MultiTermVectorsAction.NAME) ||
action.equals(MultiSearchAction.NAME) || action.equals(MultiSearchAction.NAME) ||
@ -331,6 +336,15 @@ public class AuthorizationService extends AbstractComponent {
action.equals("indices:data/write/reindex"); action.equals("indices:data/write/reindex");
} }
private static boolean isTranslatedToBulkAction(String action) {
return action.equals(IndexAction.NAME) ||
action.equals(DeleteAction.NAME) ||
action.equals(INDEX_SUB_REQUEST_PRIMARY) ||
action.equals(INDEX_SUB_REQUEST_REPLICA) ||
action.equals(DELETE_SUB_REQUEST_PRIMARY) ||
action.equals(DELETE_SUB_REQUEST_REPLICA);
}
private static boolean isScrollRelatedAction(String action) { private static boolean isScrollRelatedAction(String action) {
return action.equals(SearchScrollAction.NAME) || return action.equals(SearchScrollAction.NAME) ||
action.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) || action.equals(SearchTransportService.FETCH_ID_SCROLL_ACTION_NAME) ||
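Review bot: The new `isTranslatedToBulkAction` branch grants on `permission.indices().check(action)` alone, so (as its own comment says) the target index is not examined here and correctness depends entirely on the later shard-level authorization, which is not visible in this diff. The inline comment should state that invariant and fix the "whici" typo, for example `// action-only check: index-level authorization is done when the translated shard-level bulk request is authorized; every action listed in isTranslatedToBulkAction must reach that path`. A test asserting that a user with write privilege on one index is still denied an index or delete request against a different index would pin the behaviour. The `IllegalStateException` thrown for a request that is not a `CompositeIndicesRequest` fails closed, but it exits without calling `denial(...)`, so if `denial` is what records the audit event this rejection is presumably not audited. The enclosing method starts and ends outside this hunk.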