diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
index 3fab48e5d34..81d76b02592 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
@@ -163,7 +163,11 @@ public interface IndicesPermission extends Permission, Iterable roleFields = rolesFieldsByIndex.get(index);
 if (roleFields != null) {
- roleFields = unmodifiableSet(roleFields);
+ if (roleFields.contains("*")) {
+ roleFields = null;
+ } else {
+ roleFields = unmodifiableSet(roleFields);
+ }
 }
 indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries));
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
index f4d1f2b9332..bdecc86d919 100644
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
@@ -19,7 +19,9 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
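Review bot: In IndicesPermission.java the new `roleFields = null;` branch gives null a fail-open meaning (every field granted) that is indistinguishable from "no field list was configured", and nothing on the line says so; a comment such as `// "*" grants every field: null means no field-level restriction is applied` would make the contract explicit for whoever consumes `IndexAccessControl`. The check is an exact `contains("*")`, so as far as this hunk shows a name like `foo*` is still stored as a literal field name rather than treated as a pattern. `rolesFieldsByIndex` is built outside the hunk and is presumably a per-index union across groups, in which case a single `*` from any group lifts field restrictions for the whole index; worth confirming that this is intended. The enclosing method starts and ends outside the hunk.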
@@ -72,6 +74,16 @@ public class IndicesPermissionTests extends ESTestCase {
 assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field"));
 assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
 assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
+
+ // match all fields
+ List allFields = randomFrom(Collections.singletonList("*"), Arrays.asList("foo", "*"),
+ Arrays.asList(randomAsciiOfLengthBetween(1, 10), "*"));
+ role = Role.builder("_role").add(allFields, query, IndexPrivilege.ALL, "_alias").build();
+ permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);
+ assertThat(permissions.getIndexPermissions("_index"), notNullValue());
+ assertThat(permissions.getIndexPermissions("_index").getFields(), nullValue());
+ assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
+ assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
 }
 }
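Review bot: The added assertions exercise only the positive case, where every candidate list contains a literal `*`, so nothing pins down when field restrictions must stay in place. Since the production change switches field-level filtering off, I would add a negative case after the last assertion, e.g. a role built with `Arrays.asList("foo*")` followed by `assertThat(permissions.getIndexPermissions("_index").getFields(), notNullValue());`. A role with two groups on `_alias`, one restricted and one with `*`, would also document the merged result. The `java.util.Set` import added in the import hunk appears unused in the hunks shown. The test method starts outside the hunk.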