Support audit ignore policy by index privileges

Addressing review feedback

Author: BigPandaToo

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/ClusterPermission.java

@@ -47,16 +47,6 @@ public boolean check(final String action, final TransportRequest request, final
         return checks.stream().anyMatch(permission -> permission.check(action, request, authentication));
     }
 
-    /**
-     * Checks permission to a cluster action.
-     *
-     * @param action  cluster action
-     * @return {@code true} if the specified action execution can be granted by given permission else returns {@code false}
-     */
-    public boolean check(final String action) {
-        return checks.stream().anyMatch(permission -> permission.check(action));
-    }
-
     /**
      * Checks if the specified {@link ClusterPermission}'s actions are implied by this {@link ClusterPermission}
      *
@@ -156,14 +146,6 @@ public interface PermissionCheck {
          */
         boolean check(String action, TransportRequest request, Authentication authentication);
 
-        /**
-         * Checks permission to a cluster action regardless of the request and authentication context.
-         *
-         * @param action  action name
-         * @return {@code true} if the specified action execution can be granted by given permission else returns {@code false}
-         */
-        boolean check(String action);
-
         /**
          * Checks whether specified {@link PermissionCheck} is implied by this {@link PermissionCheck}.<br>
          * This is important method to be considered during implementation as it compares {@link PermissionCheck}s.
@@ -196,11 +178,6 @@ public final boolean check(final String action, final TransportRequest request,
             return actionPredicate.test(action) && extendedCheck(action, request, authentication);
         }
 
-        @Override
-        public final boolean check(final String action) {
-            return actionPredicate.test(action);
-        }
-
         protected abstract boolean extendedCheck(String action, TransportRequest request, Authentication authentication);
 
         @Override

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java

@@ -242,20 +242,6 @@ public static Collection<String> findPrivilegesThatGrant(String action, Transpor
             .collect(Collectors.toUnmodifiableList());
     }
 
-    /**
-     * Returns the names of privileges that grant the specified action.
-     * @return A collection of names, ordered (to the extent possible) from least privileged (e.g. {@link #MONITOR})
-     * to most privileged (e.g. {@link #ALL})
-     * @see #sortByAccessLevel(Collection)
-     * @see org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission#check(String)
-     */
-    public static Collection<String> findPrivilegesThatGrant(String action) {
-        return VALUES.entrySet().stream()
-            .filter(e -> e.getValue().permission().check(action))
-            .map(Map.Entry::getKey)
-            .collect(Collectors.toUnmodifiableList());
-    }
-
     /**
      * Sorts the collection of privileges from least-privilege to most-privilege (to the extent possible),
      * returning them in a sorted map keyed by name.

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/privilege/ManageOwnApiKeyClusterPrivilege.java

@@ -57,6 +57,11 @@ private ManageOwnClusterPermissionCheck() {
 
         @Override
         protected boolean extendedCheck(String action, TransportRequest request, Authentication authentication) {
+            if (request == null || authentication == null) {
+                throw new IllegalArgumentException(
+                    "manage own cluster permission check only supported in context of request and authentication");
+            }
+
             if (request instanceof CreateApiKeyRequest) {
                 return true;
             } else if (request instanceof GetApiKeyRequest) {