security: optimize field level security for match all fields

This commit handles the use of `*` as a field in a role as effectively disabling field level security. We do this to take advantage of caches that we disable when field level security is active. See elastic/elasticsearch#2407 Original commit: elastic/x-pack-elasticsearch@d96e18d57c
2016-06-15 15:44:30 -04:00 · 2016-06-15 15:44:30 -04:00 · dd7a43a93f
parent b15753f0cc
commit dd7a43a93f
2 changed files with 17 additions and 1 deletions
--- a/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
+++ b/elasticsearch/x-pack/shield/src/main/java/org/elasticsearch/shield/authz/permission/IndicesPermission.java
@ -163,7 +163,11 @@ public interface IndicesPermission extends Permission, Iterable<IndicesPermissio
                }
                Set<String> roleFields = rolesFieldsByIndex.get(index);
                if (roleFields != null) {
-                    roleFields = unmodifiableSet(roleFields);
+                    if (roleFields.contains("*")) {
+                        roleFields = null;
+                    } else {
+                        roleFields = unmodifiableSet(roleFields);
+                    }
                }
                indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), roleFields, roleQueries));
            }
--- a/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
+++ b/elasticsearch/x-pack/shield/src/test/java/org/elasticsearch/shield/authz/accesscontrol/IndicesPermissionTests.java
@ -19,7 +19,9 @@ import org.elasticsearch.shield.authz.privilege.IndexPrivilege;
 import org.elasticsearch.test.ESTestCase;

 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
+import java.util.Set;

 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.notNullValue;
@ -72,6 +74,16 @@ public class IndicesPermissionTests extends ESTestCase {
        assertThat(permissions.getIndexPermissions("_index").getFields().iterator().next(), equalTo("_field"));
        assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
        assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
+
+        // match all fields
+        List<String> allFields = randomFrom(Collections.singletonList("*"), Arrays.asList("foo", "*"),
+                Arrays.asList(randomAsciiOfLengthBetween(1, 10), "*"));
+        role = Role.builder("_role").add(allFields, query, IndexPrivilege.ALL, "_alias").build();
+        permissions = role.authorize(SearchAction.NAME, Sets.newHashSet("_alias"), md);
+        assertThat(permissions.getIndexPermissions("_index"), notNullValue());
+        assertThat(permissions.getIndexPermissions("_index").getFields(), nullValue());
+        assertThat(permissions.getIndexPermissions("_index").getQueries().size(), equalTo(1));
+        assertThat(permissions.getIndexPermissions("_index").getQueries().iterator().next(), equalTo(query));
    }

 }