diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
index 5cc2c1bc80a..cb07f1ed4e2 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapper.java
@@ -50,6 +50,7 @@ import org.elasticsearch.index.query.ParsedQuery;
 import org.elasticsearch.index.query.QueryBuilder;
 import org.elasticsearch.index.query.QueryRewriteContext;
 import org.elasticsearch.index.query.QueryShardContext;
+import org.elasticsearch.index.query.Rewriteable;
 import org.elasticsearch.index.query.TermsQueryBuilder;
 import org.elasticsearch.index.query.functionscore.FunctionScoreQueryBuilder;
 import org.elasticsearch.index.shard.IndexSearcherWrapper;
@@ -137,7 +138,7 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
 .createParser(queryShardContext.getXContentRegistry(), templateResult)) {
 QueryBuilder queryBuilder = queryShardContext.parseInnerQueryBuilder(parser);
 verifyRoleQuery(queryBuilder);
- failIfQueryUsesClient(scriptService, queryBuilder, queryShardContext);
+ failIfQueryUsesClient(queryBuilder, queryShardContext);
 ParsedQuery parsedQuery = queryShardContext.toFilter(queryBuilder);
 filter.add(parsedQuery.query(), SHOULD);
 }
@@ -348,18 +349,13 @@ public class SecurityIndexSearcherWrapper extends IndexSearcherWrapper {
 * the DLS query until the get thread pool has been exhausted:
 * https://github.com/elastic/x-plugins/issues/3145
 */
- static void failIfQueryUsesClient(ScriptService scriptService, QueryBuilder queryBuilder, QueryRewriteContext original)
+ static void failIfQueryUsesClient(QueryBuilder queryBuilder, QueryRewriteContext original)
 throws IOException {
- Client client = new FilterClient(original.getClient()) {
- @Override
- protected >
- void doExecute(Action action, Request request, ActionListener listener) {
- throw new IllegalStateException("role queries are not allowed to execute additional requests");
- }
- };
 QueryRewriteContext copy = new QueryRewriteContext(
- original.getXContentRegistry(), client, original::nowInMillis);
- queryBuilder.rewrite(copy);
+ original.getXContentRegistry(), null, original::nowInMillis);
+ Rewriteable.rewrite(queryBuilder, copy);
+ if (copy.hasAsyncActions()) {
+ throw new IllegalStateException("role queries are not allowed to execute additional requests");
+ }
 }
 }
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
index 8d4c20dc62c..8656c716da6 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/SecurityIndexSearcherWrapperUnitTests.java
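Review bot: In `failIfQueryUsesClient`, building `copy` with a `null` client means a query builder that dereferences the client directly during rewrite would surface a `NullPointerException` instead of the `IllegalStateException` carrying the role-query message; the request is still rejected, but anything matching on the exception type or message would miss it, and whether any builder still does this is not visible here. The guard now depends entirely on builders registering async actions on the context, so the constructor call deserves a comment such as `// client is null on purpose: this context only records async actions, it never runs them`. The builder returned by `Rewriteable.rewrite` is discarded and `toFilter` at the call site in the earlier hunk receives the original `queryBuilder`, which is worth stating in the Javadoc; that Javadoc begins outside this hunk.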
@@ -682,11 +682,11 @@ public class SecurityIndexSearcherWrapperUnitTests extends ESTestCase {
 QueryRewriteContext context = new QueryRewriteContext(xContentRegistry(), client, () -> nowInMillis);
 QueryBuilder queryBuilder1 = new TermsQueryBuilder("field", "val1", "val2");
- SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder1, context);
+ SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder1, context);
 QueryBuilder queryBuilder2 = new TermsQueryBuilder("field", new TermsLookup("_index", "_type", "_id", "_path"));
 Exception e = expectThrows(IllegalStateException.class,
- () -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(scriptService, queryBuilder2, context));
+ () -> SecurityIndexSearcherWrapper.failIfQueryUsesClient(queryBuilder2, context));
 assertThat(e.getMessage(), equalTo("role queries are not allowed to execute additional requests"));
 }
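Review bot: The only rejecting case asserted here is a top-level `TermsQueryBuilder` with a `TermsLookup`, while the guard under test now fires only if the lookup ends up registered as an async action on the copied context. A case that nests the lookup inside a compound query, for example `new BoolQueryBuilder().filter(queryBuilder2)`, would confirm that detection survives recursive rewriting. The test method starts outside this hunk, so whether `scriptService` is still needed in it cannot be told from these lines.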