Revert "Relax the index access control check for scroll searches (#61446)"

albertzaharovits · albertzaharovits · commit 00aecf8fc519 · 2020-08-27T21:40:45.000+03:00
This reverts commit 9a42f3f.
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -96,12 +96,14 @@ public void onPreQueryPhase(SearchContext searchContext) {
 
     void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
         if (licenseState.isAuthAllowed() && searchContext.scrollContext() != null) {
+            IndicesAccessControl scrollIndicesAccessControl =
+                    searchContext.scrollContext().getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
             IndicesAccessControl threadIndicesAccessControl =
                     threadContext.getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
-            if (null == threadIndicesAccessControl) {
-                throw new ElasticsearchSecurityException("Unexpected null indices access control for search context [" +
-                        searchContext.id() + "] for request [" + searchContext.request().getDescription() + "] with source [" +
-                        searchContext.source() + "]");
+            if (scrollIndicesAccessControl != threadIndicesAccessControl) {
+                throw new ElasticsearchSecurityException("[" + searchContext.id() + "] expected scroll indices access control [" +
+                        scrollIndicesAccessControl.toString() + "] but found [" + threadIndicesAccessControl.toString() + "] in thread " +
+                        "context");
             }
         }
     }
@@ -122,7 +124,7 @@ static void ensureAuthenticatedUserIsSame(Authentication original, Authenticatio
         if (original.getUser().isRunAs()) {
             if (current.getUser().isRunAs()) {
                 sameRealmType = original.getLookedUpBy().getType().equals(current.getLookedUpBy().getType());
-            } else {
+            }  else {
                 sameRealmType = original.getLookedUpBy().getType().equals(current.getAuthenticatedBy().getType());
             }
         } else if (current.getUser().isRunAs()) {
