diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
index d290382232250..f4520c9e24724 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/SecuritySearchOperationListener.java
@@ -29,7 +29,7 @@
 /**
 * A {@link SearchOperationListener} that is used to provide authorization for scroll requests.
- *
+ *

* In order to identify the user associated with a scroll request, we replace the {@link ReaderContext} * on creation with a custom implementation that holds the {@link Authentication} object. When * this context is accessed again in {@link SearchOperationListener#onPreQueryPhase(SearchContext)} @@ -82,7 +82,7 @@ public void validateSearchContext(ReaderContext readerContext, TransportRequest if (null == securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY)) { // fill in the DLS and FLS permissions for the scroll search action from the scroll context IndicesAccessControl scrollIndicesAccessControl = - readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); + readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY); assert scrollIndicesAccessControl != null : "scroll does not contain index access control"; securityContext.getThreadContext().putTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY, scrollIndicesAccessControl); 
@@ -93,24 +93,22 @@ public void validateSearchContext(ReaderContext readerContext, TransportRequest
 @Override
 public void onPreFetchPhase(SearchContext searchContext) {
- ensureIndicesAccessControlForScrollThreadContext(searchContext.readerContext());
+ ensureIndicesAccessControlForScrollThreadContext(searchContext);
 }
 @Override
 public void onPreQueryPhase(SearchContext searchContext) {
- ensureIndicesAccessControlForScrollThreadContext(searchContext.readerContext());
+ ensureIndicesAccessControlForScrollThreadContext(searchContext);
 }
- void ensureIndicesAccessControlForScrollThreadContext(ReaderContext readerContext) {
- if (licenseState.isSecurityEnabled() && readerContext.scrollContext() != null) {
- IndicesAccessControl scrollIndicesAccessControl =
- readerContext.getFromContext(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
+ void ensureIndicesAccessControlForScrollThreadContext(SearchContext searchContext) {
+ if (licenseState.isSecurityEnabled() && searchContext.readerContext().scrollContext() != null) {
 IndicesAccessControl threadIndicesAccessControl =
 securityContext.getThreadContext().getTransient(AuthorizationServiceField.INDICES_PERMISSIONS_KEY);
- if (scrollIndicesAccessControl != threadIndicesAccessControl) {
- throw new ElasticsearchSecurityException("[" + readerContext.id() + "] expected scroll indices access control [" +
- scrollIndicesAccessControl.toString() + "] but found [" + threadIndicesAccessControl.toString() + "] in thread " +
- "context");
+ if (null == threadIndicesAccessControl) {
+ throw new ElasticsearchSecurityException("Unexpected null indices access control for search context [" +
+ searchContext.id() + "] for request [" + searchContext.request().getDescription() + "] with source [" +
+ searchContext.source() + "]");
 }
 }
 }
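Review bot: The guard in `ensureIndicesAccessControlForScrollThreadContext` now rejects only a missing `IndicesAccessControl` in the thread context, so a value that is present but differs from the one stored on the scroll's `ReaderContext` passes the pre-query and pre-fetch phases where the old identity comparison threw. If that relaxation is intended, the method should state what still ties the DLS/FLS permissions to the scroll, for example `// thread context is authoritative here; validateSearchContext copies the scroll's access control only when none is set`, and a test should cover the mismatch case. The new message also concatenates `searchContext.source()` and the request description, which puts query content into the exception text and into whatever logs it; keeping only `searchContext.id()` would avoid that. `searchContext.request()` is dereferenced without a null check, so if it can be null on this path the security exception would be replaced by a NullPointerException.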
@@ -131,7 +129,7 @@ static void ensureAuthenticatedUserIsSame(Authentication original, Authenticatio
 if (original.getUser().isRunAs()) {
 if (current.getUser().isRunAs()) {
 sameRealmType = original.getLookedUpBy().getType().equals(current.getLookedUpBy().getType());
- } else {
+ } else {
 sameRealmType = original.getLookedUpBy().getType().equals(current.getAuthenticatedBy().getType());
 }
 } else if (current.getUser().isRunAs()) {