honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' into feature/account-settings 

Original commit: elastic/x-pack-elasticsearch@148cf99339
This commit is contained in:
Lukas Olson 2016-06-15 15:05:21 -07:00
parent f22f73bcf3 f92314ba00
commit 9b3dcf07aa
6 changed files with 49 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/ShieldActionModule.java
View File

@ -9,6 +9,7 @@ import org.elasticsearch.common.inject.multibindings.Multibinder;
import org.elasticsearch.common.settings.Settings; import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.shield.action.filter.ShieldActionFilter; import org.elasticsearch.shield.action.filter.ShieldActionFilter;
import org.elasticsearch.shield.action.interceptor.BulkRequestInterceptor; import org.elasticsearch.shield.action.interceptor.BulkRequestInterceptor;
import org.elasticsearch.shield.action.interceptor.FieldStatsRequestInterceptor;
import org.elasticsearch.shield.action.interceptor.RealtimeRequestInterceptor; import org.elasticsearch.shield.action.interceptor.RealtimeRequestInterceptor;
import org.elasticsearch.shield.action.interceptor.RequestInterceptor; import org.elasticsearch.shield.action.interceptor.RequestInterceptor;
import org.elasticsearch.shield.action.interceptor.SearchRequestInterceptor; import org.elasticsearch.shield.action.interceptor.SearchRequestInterceptor;
@ -34,5 +35,6 @@ public class ShieldActionModule extends AbstractShieldModule.Node {
multibinder.addBinding().to(SearchRequestInterceptor.class); multibinder.addBinding().to(SearchRequestInterceptor.class);
multibinder.addBinding().to(UpdateRequestInterceptor.class); multibinder.addBinding().to(UpdateRequestInterceptor.class);
multibinder.addBinding().to(BulkRequestInterceptor.class); multibinder.addBinding().to(BulkRequestInterceptor.class);
multibinder.addBinding().to(FieldStatsRequestInterceptor.class);
} }
} }

16
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java
View File

@ -47,12 +47,14 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
for (String index : indicesRequest.indices()) { for (String index : indicesRequest.indices()) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index); IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) { if (indexAccessControl != null) {
boolean fls = indexAccessControl.getFields() != null; boolean fieldLevelSecurityEnabled = indexAccessControl.getFields() != null;
boolean dls = indexAccessControl.getQueries() != null; boolean documentLevelSecurityEnabled = indexAccessControl.getQueries() != null;
if (fls || dls) { if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
logger.debug("intercepted request for index [{}] with field level or document level security enabled, " + if (logger.isDebugEnabled()) {
"disabling features", index); logger.debug("intercepted request for index [{}] with field level [{}] or document level [{}] security "
disableFeatures(request); + "enabled, disabling features", index, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
}
disableFeatures(request, fieldLevelSecurityEnabled, documentLevelSecurityEnabled);
return; return;
} }
} }
@ -62,6 +64,6 @@ public abstract class FieldAndDocumentLevelSecurityRequestInterceptor<Request> e
} }
} }
protected abstract void disableFeatures(Request request); protected abstract void disableFeatures(Request request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled);
} }

34
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/FieldStatsRequestInterceptor.java Normal file
View File

@ -0,0 +1,34 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License.
*/
package org.elasticsearch.shield.action.interceptor;
import org.elasticsearch.action.fieldstats.FieldStatsRequest;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.threadpool.ThreadPool;
import org.elasticsearch.transport.TransportRequest;
/**
* Intercepts requests to shards to field level stats and strips fields that the user is not allowed to access from the response.
*/
public class FieldStatsRequestInterceptor extends FieldAndDocumentLevelSecurityRequestInterceptor<FieldStatsRequest> {
@Inject
public FieldStatsRequestInterceptor(Settings settings, ThreadPool threadPool) {
super(settings, threadPool.getThreadContext());
}
@Override
public boolean supports(TransportRequest request) {
return request instanceof FieldStatsRequest;
}
@Override
protected void disableFeatures(FieldStatsRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
if (fieldLevelSecurityEnabled) {
request.setUseCache(false);
}
}
}

3
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/RealtimeRequestInterceptor.java
View File

@ -23,7 +23,8 @@ public class RealtimeRequestInterceptor extends FieldAndDocumentLevelSecurityReq
} }
@Override @Override
protected void disableFeatures(RealtimeRequest realtimeRequest) { protected void disableFeatures(RealtimeRequest realtimeRequest, boolean fieldLevelSecurityEnabled,
boolean documentLevelSecurityEnabled) {
realtimeRequest.realtime(false); realtimeRequest.realtime(false);
} }

2
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/SearchRequestInterceptor.java
View File

@ -22,7 +22,7 @@ public class SearchRequestInterceptor extends FieldAndDocumentLevelSecurityReque
} }
@Override @Override
public void disableFeatures(SearchRequest request) { public void disableFeatures(SearchRequest request, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
request.requestCache(false); request.requestCache(false);
} }

2
elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/action/interceptor/UpdateRequestInterceptor.java
View File

@ -28,7 +28,7 @@ public class UpdateRequestInterceptor extends FieldAndDocumentLevelSecurityReque
} }
@Override @Override
protected void disableFeatures(UpdateRequest updateRequest) { protected void disableFeatures(UpdateRequest updateRequest, boolean fieldLevelSecurityEnabled, boolean documentLevelSecurityEnabled) {
throw new ElasticsearchSecurityException("Can't execute an update request if field or document level security is enabled", throw new ElasticsearchSecurityException("Can't execute an update request if field or document level security is enabled",
RestStatus.BAD_REQUEST); RestStatus.BAD_REQUEST);
} }