From dd7a43a93fa236e2cabe9cb48c29e8fa04853593 Mon Sep 17 00:00:00 2001
From: jaymode
Date: Wed, 15 Jun 2016 15:44:30 -0400
Subject: [PATCH] security: optimize field level security for match all fields
This commit handles the use of `*` as a field in a role as effectively disabling field level security. We do this to take advantage of caches that we disable when field level security is active. See elastic/elasticsearch#2407
Original commit: elastic/x-pack-elasticsearch@d96e18d57c2baddb6648ec81ff8aa50a4e7143f4
---
 .../shield/authz/permission/IndicesPermission.java | 6 +++++-
 .../authz/accesscontrol/IndicesPermissionTests.java | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
index 3fab48e5d34..81d76b02592 100644
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
@@ -163,7 +163,11 @@ public interface IndicesPermission extends Permission, Iterable roleFields = rolesFieldsByIndex.get(index);
 if (roleFields != null) {
- roleFields = unmodifiableSet(roleFields);
+ if (roleFields.contains("*")) {
+ roleFields = null;
+ } else {
+ roleFields = unmodifiableSet(roleFields);
+ }
 }
 indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries));
 }
diff --git a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
index f4d1f2b9332..bdecc86d919 100644
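Review bot: The new `roleFields.contains("*")` branch silently turns a role-supplied field list into the `null` sentinel that `IndexAccessControl` already uses for "no field level security", and nothing at this site records why, so a later reader may take `*` for an ordinary glob and "fix" it. Add a why-comment above the inner `if`, e.g. `// "*" grants every field: drop FLS entirely so the caches that are disabled under FLS stay usable (elastic/elasticsearch#2407)`. Because `rolesFieldsByIndex` looks like it is built per index across all of the principal's roles (inferred from the name; it is populated outside the hunk), a `*` granted by any one role removes the field restrictions every other role contributed for that index — consistent with union semantics, but worth stating in the comment and covering with a two-role test. The check is an exact token match, so an entry such as `foo*` still takes the `unmodifiableSet` branch and keeps FLS active; if the FLS matcher elsewhere expands glob patterns, that is a visible asymmetry to document. The enclosing method starts and ends outside the hunk.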
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
@@ -19,7 +19,9 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
@@ -72,6 +74,16 @@ public class IndicesPermissionTests extends ESTestCase {
 assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field"));
 assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
 assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
+
+ // match all fields
+ List allFields = randomFrom(Collections.singletonList("*"), Arrays.asList("foo", "*"),
+ Arrays.asList(randomAsciiOfLengthBetween(1, 10), "*"));
+ role = Role.builder("_role").add(allFields, query, IndexPrivilege.ALL, "_alias").build();
+ permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);
+ assertThat(permissions.getIndexPermissions("_index"), notNullValue());
+ assertThat(permissions.getIndexPermissions("_index").getFields(), nullValue());
+ assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
+ assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
 }
 }
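Review bot: The added `import java.util.Set;` has no visible use in the code this commit adds — the new test declares `List allFields` and passes `Sets.newHashSet(...)`, neither of which needs `java.util.Set` — so it looks like a dead import. If no other line in the file references `Set` (the rest of the file is outside this hunk), drop the line; `import java.util.Collections;` is used and should stay.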
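Review bot: Every `allFields` variant contains the exact `*` token, so the new block never pins the boundary that only an exact `*` disables field level security; a glob-looking entry such as `foo*` takes the `unmodifiableSet` branch in `IndicesPermission` and must leave `getFields()` non-null. Add the negative case after the last new assertion: `role = Role.builder("_role").add(Collections.singletonList("foo*"), query, IndexPrivilege.ALL, "_alias").build();` `permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);` `assertThat(permissions.getIndexPermissions("_index").getFields(), notNullValue());`. The `randomAsciiOfLengthBetween(1, 10)` entry may itself be `*` or `foo`, which is harmless here only because each variant also carries a literal `*`; a short comment saying so would stop someone from "deduplicating" it. `nullValue()` is used but not imported in the visible import hunk, so it presumably already exists further down the import list — verify. The test method starts outside the hunk.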