diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java index de2e50095ca1e..112702dc8db67 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java @@ -30,7 +30,6 @@ */ public class IndicesAccessControl { - public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap()); public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true, Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER, new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), DocumentPermissions.allowAll()))); @@ -249,6 +248,12 @@ public int hashCode() { * @return {@link IndicesAccessControl} */ public IndicesAccessControl limitIndicesAccessControl(IndicesAccessControl limitedByIndicesAccessControl) { + if (this instanceof AllowAllIndicesAccessControl) { + return limitedByIndicesAccessControl; + } else if (limitedByIndicesAccessControl instanceof AllowAllIndicesAccessControl) { + return this; + } + final boolean granted; if (this.granted == limitedByIndicesAccessControl.granted) { granted = this.granted; @@ -275,4 +280,35 @@ public String toString() { ", indexPermissions=" + indexPermissions + '}'; } + + public static IndicesAccessControl allowAll() { + return AllowAllIndicesAccessControl.INSTANCE; + } + + private static class AllowAllIndicesAccessControl extends IndicesAccessControl { + + private static final IndicesAccessControl INSTANCE = new AllowAllIndicesAccessControl(); + + private final IndexAccessControl allowAllIndexAccessControl = new IndexAccessControl(true, null, null); + + private AllowAllIndicesAccessControl() { + super(true, null); + } + + @Override + public IndexAccessControl getIndexPermissions(String index) { + return allowAllIndexAccessControl; + } + + @Override + public boolean isGranted() { + return true; + } + + @Override + public Collection getDeniedIndices() { + return Set.of(); + } + } + } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java index 4652ee23eb6d9..238c186c36bbd 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java @@ -345,12 +345,16 @@ public boolean canHaveBackingIndices() { /** * Authorizes the provided action against the provided indices, given the current cluster metadata */ - public Map authorize( + public IndicesAccessControl authorize( String action, Set requestedIndicesOrAliases, Map lookup, FieldPermissionsCache fieldPermissionsCache ) { + // Short circuit if the indicesPermission allows all access to every index + if (Arrays.stream(groups).anyMatch(Group::isTotal)) { + return IndicesAccessControl.allowAll(); + } final List resources = new ArrayList<>(requestedIndicesOrAliases.size()); int totalResourceCount = 0; @@ -469,6 +473,7 @@ public Map authorize( } } + boolean overallGranted = true; Map indexPermissions = new HashMap<>(grantedBuilder.size()); for (Map.Entry entry : grantedBuilder.entrySet()) { String index = entry.getKey(); @@ -488,10 +493,13 @@ public Map authorize( } else { fieldPermissions = FieldPermissions.DEFAULT; } + if (entry.getValue() == false) { + overallGranted = false; + } indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), fieldPermissions, (roleQueries != null) ? DocumentPermissions.filteredBy(roleQueries) : DocumentPermissions.allowAll())); } - return unmodifiableMap(indexPermissions); + return new IndicesAccessControl(overallGranted, unmodifiableMap(indexPermissions)); } private boolean isConcreteRestrictedIndex(String indexPattern) { @@ -515,7 +523,7 @@ public static class Group { private final IndexPrivilege privilege; private final Predicate actionMatcher; private final String[] indices; - private final Predicate indexNameMatcher; + private final StringMatcher indexNameMatcher; private final Supplier indexNameAutomaton; private final FieldPermissions fieldPermissions; private final Set query; @@ -583,6 +591,14 @@ public boolean allowRestrictedIndices() { public Automaton getIndexMatcherAutomaton() { return indexNameAutomaton.get(); } + + boolean isTotal() { + return allowRestrictedIndices + && indexNameMatcher.isTotal() + && privilege == IndexPrivilege.ALL + && query == null + && false == fieldPermissions.hasFieldLevelSecurity(); + } } private static class DocumentLevelPermissions { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java index 0f39ea44e661d..b17704ba15389 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java @@ -89,7 +89,6 @@ public IndicesAccessControl authorize(String action, Set requestedIndice super.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); IndicesAccessControl limitedByIndicesAccessControl = limitedBy.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); - return indicesAccessControl.limitIndicesAccessControl(limitedByIndicesAccessControl); } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java index 203e39112ed75..c314dc98ff14f 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java @@ -183,19 +183,7 @@ public ResourcePrivilegesMap checkApplicationResourcePrivileges(final String app public IndicesAccessControl authorize(String action, Set requestedIndicesOrAliases, Map aliasAndIndexLookup, FieldPermissionsCache fieldPermissionsCache) { - Map indexPermissions = indices.authorize( - action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache - ); - - // At least one role / indices permission set need to match with all the requested indices/aliases: - boolean granted = true; - for (Map.Entry entry : indexPermissions.entrySet()) { - if (entry.getValue().isGranted() == false) { - granted = false; - break; - } - } - return new IndicesAccessControl(granted, indexPermissions); + return indices.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); } @Override diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java index 0c4bb51f7628a..23c6ab9b40066 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java @@ -69,6 +69,10 @@ public boolean test(String s) { return predicate.test(s); } + public boolean isTotal() { + return predicate == ALWAYS_TRUE_PREDICATE; + } + // For testing Predicate getPredicate() { return predicate; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index fc4033eadde74..ea57084a76b74 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -96,6 +96,7 @@ import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest; import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest; import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest; +import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.textstructure.action.FindStructureAction; import org.elasticsearch.xpack.core.ml.action.FlushJobAction; import org.elasticsearch.xpack.core.ml.action.ForecastJobAction; @@ -167,7 +168,6 @@ import org.elasticsearch.xpack.core.security.action.user.PutUserAction; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authz.RoleDescriptor; -import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.IndexAccessControl; import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache; import org.elasticsearch.xpack.core.security.authz.permission.Role; import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege; @@ -214,7 +214,6 @@ import java.util.Collection; import java.util.Collections; import java.util.List; -import java.util.Map; import java.util.SortedMap; import static org.elasticsearch.xpack.core.security.test.TestRestrictedIndices.RESTRICTED_INDICES_AUTOMATON; @@ -1135,12 +1134,12 @@ private void assertMonitoringOnRestrictedIndices(Role role) { GetSettingsAction.NAME, IndicesShardStoresAction.NAME, RecoveryAction.NAME); for (final String indexMonitoringActionName : indexMonitoringActionNamesList) { String asyncSearchIndex = XPackPlugin.ASYNC_RESULTS_INDEX + randomAlphaOfLengthBetween(0, 2); - final Map authzMap = role.indices().authorize(indexMonitoringActionName, + final IndicesAccessControl iac = role.indices().authorize(indexMonitoringActionName, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS, asyncSearchIndex), metadata.getIndicesLookup(), fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(true)); } } @@ -1233,25 +1232,25 @@ public void testSuperuserRole() { FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY); SortedMap lookup = metadata.getIndicesLookup(); - Map authzMap = + IndicesAccessControl iac = superuserRole.indices().authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a1").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = + assertThat(iac.getIndexPermissions("a1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(DeleteIndexAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a1").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a2").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices() + assertThat(iac.getIndexPermissions("a1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("a2").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices() .authorize(UpdateSettingsAction.NAME, Sets.newHashSet("aaaaaa", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("aaaaaa").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices().authorize(randomFrom(IndexAction.NAME, DeleteIndexAction.NAME, SearchAction.NAME), + assertThat(iac.getIndexPermissions("aaaaaa").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(randomFrom(IndexAction.NAME, DeleteIndexAction.NAME, SearchAction.NAME), Sets.newHashSet(RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); assertTrue(superuserRole.indices().check(SearchAction.NAME)); assertFalse(superuserRole.indices().check("unknown")); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java index 0b4724a2e337d..579dc6a0528c2 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java @@ -336,7 +336,7 @@ private void authorizeAction(final RequestInfo requestInfo, final String request if (ClusterPrivilegeResolver.isClusterAction(action)) { final ActionListener clusterAuthzListener = wrapPreservingContext(new AuthorizationResultListener<>(result -> { - threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL); + threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll()); listener.onResponse(null); }, listener::onFailure, requestInfo, requestId, authzInfo), threadContext); authzEngine.authorizeClusterAction(requestInfo, authzInfo, ActionListener.wrap(result -> { @@ -512,7 +512,7 @@ private void authorizeSystemUser(final Authentication authentication, final Stri final TransportRequest request, final ActionListener listener) { final AuditTrail auditTrail = auditTrailService.get(); if (SystemUser.isAuthorized(action)) { - threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL); + threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll()); threadContext.putTransient(AUTHORIZATION_INFO_KEY, SYSTEM_AUTHZ_INFO); auditTrail.accessGranted(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO); listener.onResponse(null); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java index cc32af5cb4717..9b75714511540 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java @@ -39,7 +39,6 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import java.util.Map; import java.util.Set; import java.util.SortedMap; import java.util.stream.Collectors; @@ -258,12 +257,12 @@ public void testCorePermissionAuthorize() { randomBoolean(), "a1") .build(); - Map authzMap = + IndicesAccessControl iac = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertTrue(authzMap.get("a1").getFieldPermissions().grantsAccessTo("denied_field")); - assertTrue(authzMap.get("a1").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5))); + assertTrue(iac.getIndexPermissions("a1").getFieldPermissions().grantsAccessTo("denied_field")); + assertTrue(iac.getIndexPermissions("a1").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5))); // did not define anything for ba so we allow all - assertFalse(authzMap.get("ba").getFieldPermissions().hasFieldLevelSecurity()); + assertFalse(iac.getIndexPermissions("ba").getFieldPermissions().hasFieldLevelSecurity()); assertTrue(core.check(SearchAction.NAME)); assertTrue(core.check(PutMappingAction.NAME)); @@ -292,13 +291,13 @@ public void testCorePermissionAuthorize() { randomBoolean(), "a2") .build(); - authzMap = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "a2"), lookup, fieldPermissionsCache); - assertFalse(authzMap.get("a1").getFieldPermissions().hasFieldLevelSecurity()); - assertFalse(authzMap.get("a2").getFieldPermissions().grantsAccessTo("denied_field2")); - assertFalse(authzMap.get("a2").getFieldPermissions().grantsAccessTo("denied_field")); - assertTrue(authzMap.get("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field")); - assertTrue(authzMap.get("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field2")); - assertTrue(authzMap.get("a2").getFieldPermissions().hasFieldLevelSecurity()); + iac = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "a2"), lookup, fieldPermissionsCache); + assertFalse(iac.getIndexPermissions("a1").getFieldPermissions().hasFieldLevelSecurity()); + assertFalse(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo("denied_field2")); + assertFalse(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo("denied_field")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field2")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().hasFieldLevelSecurity()); assertTrue(core.check(SearchAction.NAME)); assertTrue(core.check(PutMappingAction.NAME)); @@ -339,21 +338,21 @@ public void testSecurityIndicesPermissions() { IndicesPermission indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.ALL, new FieldPermissions(), null, false, "*") .build(); - Map authzMap = indicesPermission.authorize(SearchAction.NAME, + IndicesAccessControl iac = indicesPermission.authorize(SearchAction.NAME, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(false)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(false)); // allow_restricted_indices: true indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.ALL, new FieldPermissions(), null, true, "*") .build(); - authzMap = indicesPermission.authorize(SearchAction.NAME, + iac = indicesPermission.authorize(SearchAction.NAME, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); } public void testAsyncSearchIndicesPermissions() { @@ -373,17 +372,17 @@ public void testAsyncSearchIndicesPermissions() { IndicesPermission indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.ALL, new FieldPermissions(), null, false, "*") .build(); - Map authzMap = indicesPermission.authorize(SearchAction.NAME, + IndicesAccessControl iac = indicesPermission.authorize(SearchAction.NAME, Sets.newHashSet(asyncSearchIndex), lookup, fieldPermissionsCache); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(false)); // allow_restricted_indices: true indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.ALL, new FieldPermissions(), null, true, "*") .build(); - authzMap = indicesPermission.authorize(SearchAction.NAME, + iac = indicesPermission.authorize(SearchAction.NAME, Sets.newHashSet(asyncSearchIndex), lookup, fieldPermissionsCache); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(true)); } public void testAuthorizationForBackingIndices() { @@ -407,27 +406,27 @@ public void testAuthorizationForBackingIndices() { IndicesPermission indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.READ, new FieldPermissions(), null, false, dataStreamName) .build(); - Map authzMap = indicesPermission.authorize( + IndicesAccessControl iac = indicesPermission.authorize( SearchAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(true)); } indicesPermission = new IndicesPermission.Builder(RESTRICTED_INDICES_AUTOMATON) .addGroup(IndexPrivilege.CREATE_DOC, new FieldPermissions(), null, false, dataStreamName) .build(); - authzMap = indicesPermission.authorize( + iac = indicesPermission.authorize( randomFrom(PutMappingAction.NAME, AutoPutMappingAction.NAME), Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(false)); } } @@ -461,10 +460,10 @@ public void testAuthorizationForMappingUpdates() { randomBoolean(), "test_write*") .build(); - Map authzMap = + IndicesAccessControl iac = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test1").isGranted(), is(true)); - assertThat(authzMap.get("test_write1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test_write1").isGranted(), is(true)); assertWarnings("the index privilege [index] allowed the update mapping action [" + PutMappingAction.NAME + "] on " + "index [test1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges", @@ -475,32 +474,32 @@ public void testAuthorizationForMappingUpdates() { "index [test_write1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges" ); - authzMap = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test1").isGranted(), is(true)); - assertThat(authzMap.get("test_write1").isGranted(), is(true)); + iac = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test_write1").isGranted(), is(true)); assertWarnings("the index privilege [index] allowed the update mapping action [" + AutoPutMappingAction.NAME + "] on " + "index [test1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges"); - authzMap = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test_write2").isGranted(), is(true)); - authzMap = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test_write2").isGranted(), is(false)); - authzMap = core.authorize( + iac = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test_write2").isGranted(), is(true)); + iac = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test_write2").isGranted(), is(false)); + iac = core.authorize( AutoPutMappingAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(true)); } - authzMap = core.authorize( + iac = core.authorize( PutMappingAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(false)); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java index 5dabc78f5bd00..f1e65f2556aa6 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java @@ -608,12 +608,11 @@ public void testMergingRolesWithFls() { .settings(Settings.builder().put("index.version.created", Version.CURRENT).build()) .numberOfShards(1).numberOfReplicas(0).build(), true) .build(); - Map acls = role.indices().authorize("indices:data/read/search", + IndicesAccessControl iac = role.indices().authorize("indices:data/read/search", Collections.singleton("test"), metadata.getIndicesLookup(), cache); - assertFalse(acls.isEmpty()); - assertTrue(acls.get("test").getFieldPermissions().grantsAccessTo("L1.foo")); - assertFalse(acls.get("test").getFieldPermissions().grantsAccessTo("L2.foo")); - assertTrue(acls.get("test").getFieldPermissions().grantsAccessTo("L3.foo")); + assertTrue(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L1.foo")); + assertFalse(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L2.foo")); + assertTrue(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L3.foo")); } public void testMergingBasicRoles() {