From f09ccbc6cbf4eb3cf0d727b8d6db3709a17fa77a Mon Sep 17 00:00:00 2001 From: Luca Cavanna Date: Tue, 6 Jun 2017 11:02:07 +0200 Subject: [PATCH] Adapt indices resolution to new ignoreAliases index option (elastic/x-pack-elasticsearch#1622) ignoreAliases allows to resolve index expressions against concrete indices only, rather than against indices and aliases. It is used for now only in IndicesAliasesRequest and the indices resolution code in the security plugin needs to be adapted accordingly. Original commit: elastic/x-pack-elasticsearch@ae964eade90c919de4f59868a302203f7ec4614e --- .../authz/IndicesAndAliasesResolver.java | 28 +++++++++---------- .../authz/IndicesAndAliasesResolverTests.java | 26 ++++++++--------- 2 files changed, 27 insertions(+), 27 deletions(-) diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java index 2f71bc2cce3..61bb47e0f81 100644 --- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java +++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java @@ -334,20 +334,20 @@ public class IndicesAndAliasesResolver { } private static boolean isIndexVisible(String index, IndicesOptions indicesOptions, MetaData metaData, boolean dateMathExpression) { - if (metaData.hasConcreteIndex(index)) { - IndexMetaData indexMetaData = metaData.index(index); - if (indexMetaData == null) { - //it's an alias, ignore expandWildcardsOpen and expandWildcardsClosed. - //complicated to support those options with aliases pointing to multiple indices... - //TODO investigate supporting expandWildcards option for aliases too, like es core does. - return true; - } - if (indexMetaData.getState() == IndexMetaData.State.CLOSE && (indicesOptions.expandWildcardsClosed() || dateMathExpression)) { - return true; - } - if (indexMetaData.getState() == IndexMetaData.State.OPEN && (indicesOptions.expandWildcardsOpen() || dateMathExpression)) { - return true; - } + AliasOrIndex aliasOrIndex = metaData.getAliasAndIndexLookup().get(index); + if (aliasOrIndex.isAlias()) { + //it's an alias, ignore expandWildcardsOpen and expandWildcardsClosed. + //complicated to support those options with aliases pointing to multiple indices... + //TODO investigate supporting expandWildcards option for aliases too, like es core does. + return indicesOptions.ignoreAliases() == false; + } + assert aliasOrIndex.getIndices().size() == 1 : "concrete index must point to a single index"; + IndexMetaData indexMetaData = aliasOrIndex.getIndices().get(0); + if (indexMetaData.getState() == IndexMetaData.State.CLOSE && (indicesOptions.expandWildcardsClosed() || dateMathExpression)) { + return true; + } + if (indexMetaData.getState() == IndexMetaData.State.OPEN && (indicesOptions.expandWildcardsOpen() || dateMathExpression)) { + return true; } return false; } diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java index 09791ca3f4c..d73c12be5ae 100644 --- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java +++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java @@ -601,16 +601,16 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { public void testResolveWildcardsIndicesAliasesRequest() { IndicesAliasesRequest request = new IndicesAliasesRequest(); - request.addAliasAction(AliasActions.add().alias("alias1").index("foo*")); + request.addAliasAction(AliasActions.add().alias("foo-alias").index("foo*")); request.addAliasAction(AliasActions.add().alias("alias2").index("bar*")); Set indices = defaultIndicesResolver.resolve(request, metaData, buildAuthorizedIndices(user, IndicesAliasesAction.NAME)); //the union of all resolved indices and aliases gets returned, based on indices and aliases that user is authorized for - String[] expectedIndices = new String[]{"alias1", "alias2", "foofoo", "foofoobar", "bar"}; + String[] expectedIndices = new String[]{"foo-alias", "alias2", "foofoo", "bar"}; assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); //wildcards get replaced on each single action - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoobar", "foofoo")); - assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("alias1")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoo")); + assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("foo-alias")); assertThat(request.getAliasActions().get(1).indices(), arrayContainingInAnyOrder("bar")); assertThat(request.getAliasActions().get(1).aliases(), arrayContainingInAnyOrder("alias2")); } @@ -631,10 +631,10 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { request.addAliasAction(AliasActions.add().alias("alias2").index("_all")); Set indices = defaultIndicesResolver.resolve(request, metaData, buildAuthorizedIndices(user, IndicesAliasesAction.NAME)); //the union of all resolved indices and aliases gets returned - String[] expectedIndices = new String[]{"bar", "foofoobar", "foofoo", "alias1", "alias2"}; + String[] expectedIndices = new String[]{"bar", "foofoo", "alias1", "alias2"}; assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); - String[] replacedIndices = new String[]{"bar", "foofoobar", "foofoo"}; + String[] replacedIndices = new String[]{"bar", "foofoo"}; //_all gets replaced with all indices that user is authorized for, on each single action assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder(replacedIndices)); assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("alias1")); @@ -698,7 +698,7 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); //wildcards get replaced within each single action - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoobar", "foofoo")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoo")); assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("foofoobar")); assertThat(request.getAliasActions().get(1).indices(), arrayContainingInAnyOrder("bar")); assertThat(request.getAliasActions().get(1).aliases(), arrayContainingInAnyOrder("barbaz")); @@ -716,9 +716,9 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); //alias foofoobar on both sides, that's fine, es core would do the same, same as above - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoobar", "foofoo")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoo")); assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("foofoobar")); - assertThat(request.getAliasActions().get(1).indices(), arrayContainingInAnyOrder("bar", "foofoobar")); + assertThat(request.getAliasActions().get(1).indices(), arrayContainingInAnyOrder("bar")); assertThat(request.getAliasActions().get(1).aliases(), arrayContainingInAnyOrder("foofoobar")); } @@ -734,9 +734,9 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); //alias foofoobar on both sides, that's fine, es core would do the same, same as above - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoobar", "foofoo")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoo")); assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("foofoobar")); - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoobar", "foofoo")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("bar", "foofoo")); assertThat(request.getAliasActions().get(1).aliases(), arrayContainingInAnyOrder("foofoobar", "explicit")); } @@ -759,7 +759,7 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { assertThat(indices.size(), equalTo(expectedIndices.length)); assertThat(indices, hasItems(expectedIndices)); //every single action has its indices replaced with matching (authorized) ones - assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoobar", "foofoo")); + assertThat(request.getAliasActions().get(0).indices(), arrayContainingInAnyOrder("foofoo")); assertThat(request.getAliasActions().get(0).aliases(), arrayContainingInAnyOrder("foofoobar")); assertThat(request.getAliasActions().get(1).indices(), arrayContainingInAnyOrder("bar")); assertThat(request.getAliasActions().get(1).aliases(), arrayContainingInAnyOrder("foofoobar")); @@ -1146,7 +1146,7 @@ public class IndicesAndAliasesResolverTests extends ESTestCase { } { IndicesAliasesRequest aliasesRequest = new IndicesAliasesRequest(); - aliasesRequest.addAliasAction(AliasActions.add().alias("security_alias").index("*")); + aliasesRequest.addAliasAction(AliasActions.add().alias("security_alias").index(SecurityLifecycleService.SECURITY_INDEX_NAME)); Set indices = defaultIndicesResolver.resolve(aliasesRequest, metaData, buildAuthorizedIndices(XPackUser.INSTANCE, IndicesAliasesAction.NAME)); assertThat(indices, hasItem(SecurityLifecycleService.SECURITY_INDEX_NAME));