security: optimize field level security for match all fields

This commit handles the use of `*` as a field in a role as effectively disabling field level
security. We do this to take advantage of caches that we disable when field level security
is active.

See elastic/elasticsearch#2407

Original commit: elastic/x-pack-elasticsearch@d96e18d57c
This commit is contained in:
jaymode 2016-06-15 15:44:30 -04:00
parent b15753f0cc
commit dd7a43a93f
2 changed files with 17 additions and 1 deletions

View File

@ -163,7 +163,11 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
} }
Set<String> roleFields = rolesFieldsByIndex.get(index); Set<String> roleFields = rolesFieldsByIndex.get(index);
if (roleFields != null) { if (roleFields != null) {
roleFields = unmodifiableSet(roleFields); if (roleFields.contains("*")) {
roleFields = null;
} else {
roleFields = unmodifiableSet(roleFields);
}
} }
indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries)); indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries));
} }

View File

@ -19,7 +19,9 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
import org.elasticsearch.test.ESTestCase; import org.elasticsearch.test.ESTestCase;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections;
import java.util.List; import java.util.List;
import java.util.Set;
import static org.hamcrest.Matchers.equalTo; import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.notNullValue;
@ -72,6 +74,16 @@ public class IndicesPermissionTests extends ESTestCase {
assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field")); assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field"));
assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1)); assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query)); assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
// match all fields
List<String> allFields = randomFrom(Collections.singletonList("*"), Arrays.asList("foo", "*"),
Arrays.asList(randomAsciiOfLengthBetween(1, 10), "*"));
role = Role.builder("_role").add(allFields, query, IndexPrivilege.ALL, "_alias").build();
permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);
assertThat(permissions.getIndexPermissions("_index"), notNullValue());
assertThat(permissions.getIndexPermissions("_index").getFields(), nullValue());
assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
} }
} }