security: optimize field level security for match all fields
This commit handles the use of `*` as a field in a role as effectively disabling field level security. We do this to take advantage of caches that we disable when field level security is active. See elastic/elasticsearch#2407 Original commit: elastic/x-pack-elasticsearch@d96e18d57c
parent
b15753f0cc
commit
dd7a43a93f
|
@ -163,8 +163,12 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
|
|||
}
|
||||
Set<String> roleFields = rolesFieldsByIndex.get(index);
|
||||
if (roleFields != null) {
|
||||
if (roleFields.contains("*")) {
|
||||
roleFields = null;
|
||||
} else {
|
||||
roleFields = unmodifiableSet(roleFields);
|
||||
}
|
||||
}
|
||||
indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries));
|
||||
}
|
||||
return unmodifiableMap(indexPermissions);
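Review bot: The `roleFields = null;` branch turns null into a fail-open sentinel, and nothing in the hunk records that. A null field set now means "field level security is off" both when the role configured no fields for the index and when it granted `*`. A comment above `if (roleFields.contains("*")) {` would make the intent explicit, for example `// "*" grants every field: pass null so field level security is not applied and the caches disabled under FLS stay usable`. Consumers of `IndexAccessControl.getFields()` presumably already read null as unrestricted, but it is worth confirming that none of them reads it as "no fields allowed". The enclosing method starts before the hunk, so how `rolesFieldsByIndex` is merged across groups is not visible here.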
|
||||
|
|
|
@ -19,7 +19,9 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
|
|||
import org.elasticsearch.test.ESTestCase;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.hamcrest.Matchers.equalTo;
|
||||
import static org.hamcrest.Matchers.notNullValue;
|
||||
|
@ -72,6 +74,16 @@ public class IndicesPermissionTests extends ESTestCase {
|
|||
assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field"));
|
||||
assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
|
||||
assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
|
||||
|
||||
// match all fields
|
||||
List<String> allFields = randomFrom(Collections.singletonList("*"), Arrays.asList("foo", "*"),
|
||||
Arrays.asList(randomAsciiOfLengthBetween(1, 10), "*"));
|
||||
role = Role.builder("_role").add(allFields, query, IndexPrivilege.ALL, "_alias").build();
|
||||
permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);
|
||||
assertThat(permissions.getIndexPermissions("_index"), notNullValue());
|
||||
assertThat(permissions.getIndexPermissions("_index").getFields(), nullValue());
|
||||
assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
|
||||
assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
|
||||
}
|
||||
|
||||
}
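Review bot: The added "match all fields" case only uses lists that contain a bare `*`, so nothing pins the boundary on the other side. Because `getFields()` returning null now means unrestricted, a later change from the exact `contains("*")` lookup to a substring or pattern match would silently switch field level security off. Add a near-miss case (constructed example: `Collections.singletonList("*_field")`) that asserts `getFields()` is `notNullValue()` and still contains exactly that entry. Separately, `nullValue` is not among the static imports visible in the import hunk. It is presumably imported just past the hunk's end, but confirm.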
|
||||
|
|