adapt to IndicesAliasesRequest not implementing CompositeIndicesRequest (elastic/elasticsearch#3645)
We need to special-case IndicesAliasesRequest as it doesn't implement CompositeIndicesRequest anymore. Note that the similar loop for CompositeIndicesRequest's subrequests will soon go away. Relates to elastic/elasticsearch#3638. Original commit: elastic/x-pack-elasticsearch@50d119ff61
parent
36c7070217
commit
91a68e9873
|
@ -5,21 +5,15 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.xpack.security.authz;
|
package org.elasticsearch.xpack.security.authz;
|
||||||
|
|
||||||
import java.util.ArrayList;
|
|
||||||
import java.util.Arrays;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.List;
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.Set;
|
|
||||||
import java.util.function.Predicate;
|
|
||||||
|
|
||||||
import org.elasticsearch.ElasticsearchSecurityException;
|
import org.elasticsearch.ElasticsearchSecurityException;
|
||||||
import org.elasticsearch.action.CompositeIndicesRequest;
|
import org.elasticsearch.action.CompositeIndicesRequest;
|
||||||
import org.elasticsearch.action.IndicesRequest;
|
import org.elasticsearch.action.IndicesRequest;
|
||||||
import org.elasticsearch.action.admin.indices.alias.Alias;
|
import org.elasticsearch.action.admin.indices.alias.Alias;
|
||||||
|
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
||||||
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
|
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
|
||||||
import org.elasticsearch.action.search.ClearScrollAction;
|
import org.elasticsearch.action.search.ClearScrollAction;
|
||||||
import org.elasticsearch.action.search.SearchScrollAction;
|
import org.elasticsearch.action.search.SearchScrollAction;
|
||||||
|
import org.elasticsearch.action.search.SearchTransportService;
|
||||||
import org.elasticsearch.action.support.replication.TransportReplicationAction.ConcreteShardRequest;
|
import org.elasticsearch.action.support.replication.TransportReplicationAction.ConcreteShardRequest;
|
||||||
import org.elasticsearch.cluster.ClusterState;
|
import org.elasticsearch.cluster.ClusterState;
|
||||||
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
||||||
|
@ -33,10 +27,10 @@ import org.elasticsearch.common.settings.Setting.Property;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||||
import org.elasticsearch.common.util.set.Sets;
|
import org.elasticsearch.common.util.set.Sets;
|
||||||
import org.elasticsearch.action.search.SearchTransportService;
|
|
||||||
import org.elasticsearch.threadpool.ThreadPool;
|
import org.elasticsearch.threadpool.ThreadPool;
|
||||||
import org.elasticsearch.transport.TransportRequest;
|
import org.elasticsearch.transport.TransportRequest;
|
||||||
import org.elasticsearch.xpack.security.SecurityTemplateService;
|
import org.elasticsearch.xpack.security.SecurityTemplateService;
|
||||||
|
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||||
import org.elasticsearch.xpack.security.authc.Authentication;
|
import org.elasticsearch.xpack.security.authc.Authentication;
|
||||||
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
||||||
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
|
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
|
||||||
|
@ -51,12 +45,19 @@ import org.elasticsearch.xpack.security.authz.permission.SuperuserRole;
|
||||||
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
|
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
|
||||||
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
|
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
|
||||||
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
|
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
|
||||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
|
||||||
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
||||||
import org.elasticsearch.xpack.security.user.SystemUser;
|
import org.elasticsearch.xpack.security.user.SystemUser;
|
||||||
import org.elasticsearch.xpack.security.user.User;
|
import org.elasticsearch.xpack.security.user.User;
|
||||||
import org.elasticsearch.xpack.security.user.XPackUser;
|
import org.elasticsearch.xpack.security.user.XPackUser;
|
||||||
|
|
||||||
|
import java.util.ArrayList;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
import java.util.function.Predicate;
|
||||||
|
|
||||||
import static org.elasticsearch.xpack.security.Security.setting;
|
import static org.elasticsearch.xpack.security.Security.setting;
|
||||||
import static org.elasticsearch.xpack.security.support.Exceptions.authorizationError;
|
import static org.elasticsearch.xpack.security.support.Exceptions.authorizationError;
|
||||||
|
|
||||||
|
@ -234,7 +235,8 @@ public class AuthorizationService extends AbstractComponent {
|
||||||
// the scroll... and we rely on the signed scroll id to provide security over this request).
|
// the scroll... and we rely on the signed scroll id to provide security over this request).
|
||||||
// so we only check indices if indeed the request is an actual IndicesRequest, if it's not,
|
// so we only check indices if indeed the request is an actual IndicesRequest, if it's not,
|
||||||
// we just grant it if it's a scroll, deny otherwise
|
// we just grant it if it's a scroll, deny otherwise
|
||||||
if (!(request instanceof IndicesRequest) && !(request instanceof CompositeIndicesRequest)) {
|
if (request instanceof IndicesRequest == false && request instanceof CompositeIndicesRequest == false
|
||||||
|
&& request instanceof IndicesAliasesRequest == false) {
|
||||||
if (isScrollRelatedAction(action)) {
|
if (isScrollRelatedAction(action)) {
|
||||||
//note that clear scroll shard level actions can originate from a clear scroll all, which doesn't require any
|
//note that clear scroll shard level actions can originate from a clear scroll all, which doesn't require any
|
||||||
//indices permission as it's categorized under cluster. This is why the scroll check is performed
|
//indices permission as it's categorized under cluster. This is why the scroll check is performed
|
||||||
|
|
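Review bot: The widened guard (`request instanceof IndicesRequest == false && request instanceof CompositeIndicesRequest == false && request instanceof IndicesAliasesRequest == false`) has no comment saying why IndicesAliasesRequest is listed on its own, and the same type knowledge is repeated in DefaultIndicesAndAliasesResolver.resolve in this commit. Per the comment above the condition, a request type missing from this list is denied unless the action is scroll-related, so the failure mode is closed, but the two lists must stay in step for alias requests to be authorized against their indices at all. I would add a comment above the condition such as `// IndicesAliasesRequest no longer implements CompositeIndicesRequest; its alias actions carry the indices, see DefaultIndicesAndAliasesResolver#resolve`. The enclosing method starts and ends outside the hunk, so what happens to the request after this guard is not visible here.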
|
@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authz.indicesresolver;
|
||||||
import org.elasticsearch.action.AliasesRequest;
|
import org.elasticsearch.action.AliasesRequest;
|
||||||
import org.elasticsearch.action.CompositeIndicesRequest;
|
import org.elasticsearch.action.CompositeIndicesRequest;
|
||||||
import org.elasticsearch.action.IndicesRequest;
|
import org.elasticsearch.action.IndicesRequest;
|
||||||
|
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
||||||
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
|
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
|
||||||
import org.elasticsearch.action.support.IndicesOptions;
|
import org.elasticsearch.action.support.IndicesOptions;
|
||||||
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
||||||
|
@ -17,9 +18,9 @@ import org.elasticsearch.cluster.metadata.MetaData;
|
||||||
import org.elasticsearch.common.regex.Regex;
|
import org.elasticsearch.common.regex.Regex;
|
||||||
import org.elasticsearch.common.util.set.Sets;
|
import org.elasticsearch.common.util.set.Sets;
|
||||||
import org.elasticsearch.index.IndexNotFoundException;
|
import org.elasticsearch.index.IndexNotFoundException;
|
||||||
|
import org.elasticsearch.transport.TransportRequest;
|
||||||
import org.elasticsearch.xpack.security.authz.AuthorizationService;
|
import org.elasticsearch.xpack.security.authz.AuthorizationService;
|
||||||
import org.elasticsearch.xpack.security.user.User;
|
import org.elasticsearch.xpack.security.user.User;
|
||||||
import org.elasticsearch.transport.TransportRequest;
|
|
||||||
|
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
|
@ -49,6 +50,15 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Set<String> resolve(User user, String action, TransportRequest request, MetaData metaData) {
|
public Set<String> resolve(User user, String action, TransportRequest request, MetaData metaData) {
|
||||||
|
if (request instanceof IndicesAliasesRequest) {
|
||||||
|
Set<String> indices = new HashSet<>();
|
||||||
|
IndicesAliasesRequest indicesAliasesRequest = (IndicesAliasesRequest) request;
|
||||||
|
for (IndicesRequest indicesRequest : indicesAliasesRequest.getAliasActions()) {
|
||||||
|
indices.addAll(resolveIndicesAndAliases(user, action, indicesRequest, metaData));
|
||||||
|
}
|
||||||
|
return indices;
|
||||||
|
}
|
||||||
|
|
||||||
boolean isIndicesRequest = request instanceof CompositeIndicesRequest || request instanceof IndicesRequest;
|
boolean isIndicesRequest = request instanceof CompositeIndicesRequest || request instanceof IndicesRequest;
|
||||||
// if for some reason we are missing an action... just for safety we'll reject
|
// if for some reason we are missing an action... just for safety we'll reject
|
||||||
if (isIndicesRequest == false) {
|
if (isIndicesRequest == false) {
|
||||||
|
|
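Review bot: The new IndicesAliasesRequest branch in resolve returns whatever the loop collected, so a request whose `getAliasActions()` is empty yields an empty set, and the hunk does not show how the caller treats an empty result. For a value that feeds an authorization decision, that case is better rejected explicitly than left to the caller. A guard before `return indices;` that rejects in the same way as the `isIndicesRequest == false` branch below would keep the fail-closed behaviour local to this method. A one-line comment such as `// each alias action is an IndicesRequest; resolve them one by one and merge the results` would also explain why this type is handled ahead of the generic check. The body of resolve continues outside the hunk.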