adapt to IndicesAliasesRequest not implementing CompositeIndicesRequest (elastic/elasticsearch#3645)
We need to special-case IndicesAliasesRequest as it doesn't implement CompositeIndicesRequest anymore. Note that the similar loop for CompositeIndicesRequest's subrequests will soon go away. Relates to elastic/elasticsearch#3638. Original commit: elastic/x-pack-elasticsearch@50d119ff61
parent
36c7070217
commit
91a68e9873
|
@ -5,21 +5,15 @@
|
|||
*/
|
||||
package org.elasticsearch.xpack.security.authz;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import org.elasticsearch.ElasticsearchSecurityException;
|
||||
import org.elasticsearch.action.CompositeIndicesRequest;
|
||||
import org.elasticsearch.action.IndicesRequest;
|
||||
import org.elasticsearch.action.admin.indices.alias.Alias;
|
||||
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
||||
import org.elasticsearch.action.admin.indices.create.CreateIndexRequest;
|
||||
import org.elasticsearch.action.search.ClearScrollAction;
|
||||
import org.elasticsearch.action.search.SearchScrollAction;
|
||||
import org.elasticsearch.action.search.SearchTransportService;
|
||||
import org.elasticsearch.action.support.replication.TransportReplicationAction.ConcreteShardRequest;
|
||||
import org.elasticsearch.cluster.ClusterState;
|
||||
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
||||
|
@ -33,10 +27,10 @@ import org.elasticsearch.common.settings.Setting.Property;
|
|||
import org.elasticsearch.common.settings.Settings;
|
||||
import org.elasticsearch.common.util.concurrent.ThreadContext;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.action.search.SearchTransportService;
|
||||
import org.elasticsearch.threadpool.ThreadPool;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
import org.elasticsearch.xpack.security.SecurityTemplateService;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.elasticsearch.xpack.security.authc.Authentication;
|
||||
import org.elasticsearch.xpack.security.authc.AuthenticationFailureHandler;
|
||||
import org.elasticsearch.xpack.security.authz.accesscontrol.IndicesAccessControl;
|
||||
|
@ -51,12 +45,19 @@ import org.elasticsearch.xpack.security.authz.permission.SuperuserRole;
|
|||
import org.elasticsearch.xpack.security.authz.privilege.ClusterPrivilege;
|
||||
import org.elasticsearch.xpack.security.authz.privilege.IndexPrivilege;
|
||||
import org.elasticsearch.xpack.security.authz.store.CompositeRolesStore;
|
||||
import org.elasticsearch.xpack.security.audit.AuditTrailService;
|
||||
import org.elasticsearch.xpack.security.user.AnonymousUser;
|
||||
import org.elasticsearch.xpack.security.user.SystemUser;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
import org.elasticsearch.xpack.security.user.XPackUser;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Predicate;
|
||||
|
||||
import static org.elasticsearch.xpack.security.Security.setting;
|
||||
import static org.elasticsearch.xpack.security.support.Exceptions.authorizationError;
|
||||
|
||||
|
@ -234,7 +235,8 @@ public class AuthorizationService extends AbstractComponent {
|
|||
// the scroll... and we rely on the signed scroll id to provide security over this request).
|
||||
// so we only check indices if indeed the request is an actual IndicesRequest, if it's not,
|
||||
// we just grant it if it's a scroll, deny otherwise
|
||||
if (!(request instanceof IndicesRequest) && !(request instanceof CompositeIndicesRequest)) {
|
||||
if (request instanceof IndicesRequest == false && request instanceof CompositeIndicesRequest == false
|
||||
&& request instanceof IndicesAliasesRequest == false) {
|
||||
if (isScrollRelatedAction(action)) {
|
||||
//note that clear scroll shard level actions can originate from a clear scroll all, which doesn't require any
|
||||
//indices permission as it's categorized under cluster. This is why the scroll check is performed
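Review bot: The widened type test, which now also checks `request instanceof IndicesAliasesRequest == false`, has no comment explaining why one concrete class is listed next to the two marker interfaces, and the same special case is repeated in `DefaultIndicesAndAliasesResolver.resolve`. If the two checks drift apart, an alias request would fall into the scroll-or-deny branch here or into the resolver's reject path. The coupling is worth stating at the check, for example `// IndicesAliasesRequest no longer implements CompositeIndicesRequest but still needs index-level authorization; keep in sync with DefaultIndicesAndAliasesResolver#resolve`. The page has lost its +/- markers, so this assumes the `== false` form is the new side, as the commit message suggests. The enclosing method starts and ends outside the hunk.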
|
||||
|
|
|
@ -8,6 +8,7 @@ package org.elasticsearch.xpack.security.authz.indicesresolver;
|
|||
import org.elasticsearch.action.AliasesRequest;
|
||||
import org.elasticsearch.action.CompositeIndicesRequest;
|
||||
import org.elasticsearch.action.IndicesRequest;
|
||||
import org.elasticsearch.action.admin.indices.alias.IndicesAliasesRequest;
|
||||
import org.elasticsearch.action.admin.indices.mapping.put.PutMappingRequest;
|
||||
import org.elasticsearch.action.support.IndicesOptions;
|
||||
import org.elasticsearch.cluster.metadata.AliasOrIndex;
|
||||
|
@ -17,9 +18,9 @@ import org.elasticsearch.cluster.metadata.MetaData;
|
|||
import org.elasticsearch.common.regex.Regex;
|
||||
import org.elasticsearch.common.util.set.Sets;
|
||||
import org.elasticsearch.index.IndexNotFoundException;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
import org.elasticsearch.xpack.security.authz.AuthorizationService;
|
||||
import org.elasticsearch.xpack.security.user.User;
|
||||
import org.elasticsearch.transport.TransportRequest;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
|
@ -49,6 +50,15 @@ public class DefaultIndicesAndAliasesResolver implements IndicesAndAliasesResolv
|
|||
|
||||
@Override
|
||||
public Set<String> resolve(User user, String action, TransportRequest request, MetaData metaData) {
|
||||
if (request instanceof IndicesAliasesRequest) {
|
||||
Set<String> indices = new HashSet<>();
|
||||
IndicesAliasesRequest indicesAliasesRequest = (IndicesAliasesRequest) request;
|
||||
for (IndicesRequest indicesRequest : indicesAliasesRequest.getAliasActions()) {
|
||||
indices.addAll(resolveIndicesAndAliases(user, action, indicesRequest, metaData));
|
||||
}
|
||||
return indices;
|
||||
}
|
||||
|
||||
boolean isIndicesRequest = request instanceof CompositeIndicesRequest || request instanceof IndicesRequest;
|
||||
// if for some reason we are missing an action... just for safety we'll reject
|
||||
if (isIndicesRequest == false) {
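Review bot: The new `IndicesAliasesRequest` branch at the top of `resolve` returns whatever the loop accumulated, so a request whose `getAliasActions()` is empty yields an empty set and never reaches the "just for safety we'll reject" check below it. Whether the caller treats an empty set as nothing left to authorize is not visible here, and request validation may already rule the case out, but an authorization path is safer failing closed on its own. Consider adding, before `return indices;`, a guard such as `if (indices.isEmpty()) { throw new IllegalStateException("IndicesAliasesRequest without alias actions"); }`, using whichever exception type the rest of the method uses for its reject. The body of `resolve` continues outside the hunk.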
|
||||
|
|