diff --git a/shield/docs/public/limitations.asciidoc b/shield/docs/public/limitations.asciidoc
index a4171ccb513..a0509549c08 100644
--- a/shield/docs/public/limitations.asciidoc
+++ b/shield/docs/public/limitations.asciidoc
@@ -49,6 +49,13 @@ points to, regardless of the filter that the alias might hold. Keep this behavio
administrative privileges to filtered index aliases. Read
https://github.com/elasticsearch/elasticsearch/issues/2318[Elasticsearch issue #2318] to learn more about this limitation.
+WARNING: A filtered index alias will not provide document-level security for the {ref}/search-suggesters.html[suggesters apis]
+as they do not take into account the filters placed on aliases.
+
+WARNING: A filtered index alias will not provide document-level security when using a
+{ref}/search-aggregations-bucket-children-aggregation.html[Children Aggregation] as the filter from the alias is not used
+when computing the aggregation results.
+
[float]
=== Queries and Filters
diff --git a/shield/pom.xml b/shield/pom.xml
index b56159cf921..3af28bb293b 100644
--- a/shield/pom.xml
+++ b/shield/pom.xml
@@ -106,6 +106,7 @@
true
+ true
diff --git a/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java b/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
index 63703c609f1..6cffbc48b78 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authz/InternalAuthorizationService.java
@@ -17,6 +17,7 @@ import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
import org.elasticsearch.action.search.ClearScrollAction;
import org.elasticsearch.action.search.SearchScrollAction;
import org.elasticsearch.cluster.ClusterService;
+import org.elasticsearch.cluster.metadata.AliasOrIndex;
import org.elasticsearch.cluster.metadata.MetaData;
import org.elasticsearch.common.component.AbstractComponent;
import org.elasticsearch.common.inject.Inject;
@@ -30,7 +31,7 @@ import org.elasticsearch.shield.authz.indicesresolver.IndicesResolver;
import org.elasticsearch.shield.authz.store.RolesStore;
import org.elasticsearch.transport.TransportRequest;
-import java.util.Iterator;
+import java.util.Map;
import java.util.Set;
import static org.elasticsearch.shield.support.Exceptions.authenticationError;
@@ -76,15 +77,11 @@ public class InternalAuthorizationService extends AbstractComponent implements A
ImmutableList.Builder indicesAndAliases = ImmutableList.builder();
Predicate predicate = Predicates.or(predicates.build());
MetaData metaData = clusterService.state().metaData();
- for (String index : metaData.concreteAllIndices()) {
- if (predicate.apply(index)) {
- indicesAndAliases.add(index);
- }
- }
- for (Iterator iter = metaData.getAliases().keysIt(); iter.hasNext(); ) {
- String alias = iter.next();
- if (predicate.apply(alias)) {
- indicesAndAliases.add(alias);
+ // TODO: can this be done smarter? I think there are usually more indices/aliases in the cluster then indices defined a roles?
+ for (Map.Entry entry : metaData.getAliasAndIndexLookup().entrySet()) {
+ String aliasOrIndex = entry.getKey();
+ if (predicate.apply(aliasOrIndex)) {
+ indicesAndAliases.add(aliasOrIndex);
}
}
return indicesAndAliases.build();
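Review bot: The new loop iterates `entrySet()` but reads only `entry.getKey()`, so the `AliasOrIndex` value is never used; iterating the keys is simpler: `for (String aliasOrIndex : metaData.getAliasAndIndexLookup().keySet()) {`. If nothing else in the file uses it, the added `AliasOrIndex` import could then be dropped. The TODO above the loop would read better as `// TODO: can this be done smarter? There are usually more indices/aliases in the cluster than index patterns defined in roles.` Since this class is the authorization service, a test should confirm that the single lookup yields the same names as the two removed loops (concrete indices plus aliases), as the result order now follows the lookup map. The enclosing method starts before this hunk.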
diff --git a/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesResolver.java b/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesResolver.java
index 02dbc88324f..1ae839c3ea3 100644
--- a/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesResolver.java
+++ b/shield/src/main/java/org/elasticsearch/shield/authz/indicesresolver/DefaultIndicesResolver.java
@@ -5,7 +5,6 @@
*/
package org.elasticsearch.shield.authz.indicesresolver;
-import com.carrotsearch.hppc.ObjectLookupContainer;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
@@ -13,6 +12,7 @@ import org.elasticsearch.action.AliasesRequest;
import org.elasticsearch.action.CompositeIndicesRequest;
import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.action.support.IndicesOptions;
+import org.elasticsearch.cluster.metadata.AliasOrIndex;
import org.elasticsearch.cluster.metadata.IndexMetaData;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.metadata.MetaData;
@@ -99,9 +99,10 @@ public class DefaultIndicesResolver implements IndicesResolver
private List loadAuthorizedAliases(List authorizedIndices, MetaData metaData) {
List authorizedAliases = Lists.newArrayList();
- ObjectLookupContainer existingAliases = metaData.aliases().keys();
+ SortedMap existingAliases = metaData.getAliasAndIndexLookup();
for (String authorizedIndex : authorizedIndices) {
- if (existingAliases.contains(authorizedIndex)) {
+ AliasOrIndex aliasOrIndex = existingAliases.get(authorizedIndex);
+ if (aliasOrIndex != null && aliasOrIndex.isAlias()) {
authorizedAliases.add(authorizedIndex);
}
}
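Review bot: The local `existingAliases` now holds the combined alias-and-index lookup, so its name no longer matches its contents, and only the `isAlias()` check keeps concrete index names out of `authorizedAliases`. Renaming it makes that visible, e.g. `SortedMap<String, AliasOrIndex> aliasAndIndexLookup = metaData.getAliasAndIndexLookup();` (the generic parameters appear stripped in this rendering, so they are inferred). A one-line comment above the `if` would also help: `// the lookup contains indices too; keep only names that resolve to an alias`. No visible hunk adds a `java.util.SortedMap` import, so presumably an existing import covers it; that should be confirmed. The body of `loadAuthorizedAliases` continues past the end of this hunk.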
diff --git a/watcher/pom.xml b/watcher/pom.xml
index 14790554541..8cc0761df0c 100644
--- a/watcher/pom.xml
+++ b/watcher/pom.xml
@@ -157,6 +157,7 @@
true
+ true
diff --git a/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SensitiveXContentParser.java b/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SensitiveXContentParser.java
index 9f3c0885749..cc7e0bb36f3 100644
--- a/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SensitiveXContentParser.java
+++ b/watcher/src/main/java/org/elasticsearch/watcher/support/secret/SensitiveXContentParser.java
@@ -230,6 +230,11 @@ public class SensitiveXContentParser implements XContentParser {
return parser.getTokenLocation();
}
+ @Override
+ public boolean isClosed() {
+ return parser.isClosed();
+ }
+
@Override
public void close() throws ElasticsearchException {
parser.close();