From 3fcdac1acd0a484beb6aca7a00f9a9e1d4303327 Mon Sep 17 00:00:00 2001 From: Yang Wang Date: Mon, 18 Oct 2021 17:48:34 +1100 Subject: [PATCH] AllowAll for indicesAccessControl (#78498) This PR adds a fast path for computing indicesAccessControl if the role has all access to all indices. A role is considered to have all access to all indices if any of its IndicesPermission#Group satisfy the following criteria: 1. Any of the index patterns is a simple match-all wildcard, i.e. "*" 2. It allows access to restricted indices 3. It grants the "all" index privilege 4. It has no DLS or FLS An example of such role is the builtin superuser role. Note the fastpath does not apply to roles that have "effective" but not direct "all access of all indices". For example, if the "effective" access is achieved by combining multiple Groups belong to the role, or combining multiple index patterns within a single Group. This fast path is provided so that we have a reference baseline for authorization related performance which is useful for both production use and troubleshooting. --- .../accesscontrol/IndicesAccessControl.java | 38 ++++++++- .../authz/permission/IndicesPermission.java | 22 ++++- .../authz/permission/LimitedRole.java | 1 - .../core/security/authz/permission/Role.java | 14 +--- .../core/security/support/StringMatcher.java | 4 + .../authz/store/ReservedRolesStoreTests.java | 41 +++++----- .../security/authz/AuthorizationService.java | 4 +- .../accesscontrol/IndicesPermissionTests.java | 80 +++++++++---------- .../authz/store/CompositeRolesStoreTests.java | 9 +-- 9 files changed, 126 insertions(+), 87 deletions(-) diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java index a8af1a51ce480..168d2e9300ad1 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/accesscontrol/IndicesAccessControl.java @@ -30,7 +30,6 @@ */ public class IndicesAccessControl { - public static final IndicesAccessControl ALLOW_ALL = new IndicesAccessControl(true, Collections.emptyMap()); public static final IndicesAccessControl ALLOW_NO_INDICES = new IndicesAccessControl(true, Collections.singletonMap(IndicesAndAliasesResolverField.NO_INDEX_PLACEHOLDER, new IndicesAccessControl.IndexAccessControl(true, new FieldPermissions(), DocumentPermissions.allowAll()))); @@ -249,6 +248,12 @@ public int hashCode() { * @return {@link IndicesAccessControl} */ public IndicesAccessControl limitIndicesAccessControl(IndicesAccessControl limitedByIndicesAccessControl) { + if (this instanceof AllowAllIndicesAccessControl) { + return limitedByIndicesAccessControl; + } else if (limitedByIndicesAccessControl instanceof AllowAllIndicesAccessControl) { + return this; + } + final boolean granted; if (this.granted == limitedByIndicesAccessControl.granted) { granted = this.granted; @@ -275,4 +280,35 @@ public String toString() { ", indexPermissions=" + indexPermissions + '}'; } + + public static IndicesAccessControl allowAll() { + return AllowAllIndicesAccessControl.INSTANCE; + } + + private static class AllowAllIndicesAccessControl extends IndicesAccessControl { + + private static final IndicesAccessControl INSTANCE = new AllowAllIndicesAccessControl(); + + private final IndexAccessControl allowAllIndexAccessControl = new IndexAccessControl(true, null, null); + + private AllowAllIndicesAccessControl() { + super(true, null); + } + + @Override + public IndexAccessControl getIndexPermissions(String index) { + return allowAllIndexAccessControl; + } + + @Override + public boolean isGranted() { + return true; + } + + @Override + public Collection getDeniedIndices() { + return org.elasticsearch.core.Set.of(); + } + } + } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java index 386beb0d20596..df4b94730ea27 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/IndicesPermission.java @@ -274,12 +274,16 @@ public boolean canHaveBackingIndices() { /** * Authorizes the provided action against the provided indices, given the current cluster metadata */ - public Map authorize( + public IndicesAccessControl authorize( String action, Set requestedIndicesOrAliases, Map lookup, FieldPermissionsCache fieldPermissionsCache ) { + // Short circuit if the indicesPermission allows all access to every index + if (Arrays.stream(groups).anyMatch(Group::isTotal)) { + return IndicesAccessControl.allowAll(); + } final List resources = new ArrayList<>(requestedIndicesOrAliases.size()); int totalResourceCount = 0; @@ -405,6 +409,7 @@ public Map authorize( } } + boolean overallGranted = true; Map indexPermissions = new HashMap<>(grantedBuilder.size()); for (Map.Entry entry : grantedBuilder.entrySet()) { String index = entry.getKey(); @@ -424,10 +429,13 @@ public Map authorize( } else { fieldPermissions = FieldPermissions.DEFAULT; } + if (entry.getValue() == false) { + overallGranted = false; + } indexPermissions.put(index, new IndicesAccessControl.IndexAccessControl(entry.getValue(), fieldPermissions, (roleQueries != null) ? DocumentPermissions.filteredBy(roleQueries) : DocumentPermissions.allowAll())); } - return unmodifiableMap(indexPermissions); + return new IndicesAccessControl(overallGranted, unmodifiableMap(indexPermissions)); } private boolean isConcreteRestrictedIndex(String indexPattern) { @@ -449,7 +457,7 @@ public static class Group { private final IndexPrivilege privilege; private final Predicate actionMatcher; private final String[] indices; - private final Predicate indexNameMatcher; + private final StringMatcher indexNameMatcher; private final FieldPermissions fieldPermissions; private final Set query; // by default certain restricted indices are exempted when granting privileges, as they should generally be hidden for ordinary @@ -545,6 +553,14 @@ private static Predicate buildIndexMatcherPredicateForAction(S bwcSpecialCaseMatcher.test(indexAbstraction.getName())); }; } + + boolean isTotal() { + return allowRestrictedIndices + && indexNameMatcher.isTotal() + && privilege == IndexPrivilege.ALL + && query == null + && false == fieldPermissions.hasFieldLevelSecurity(); + } } private static class DocumentLevelPermissions { diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java index 0f39ea44e661d..b17704ba15389 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/LimitedRole.java @@ -89,7 +89,6 @@ public IndicesAccessControl authorize(String action, Set requestedIndice super.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); IndicesAccessControl limitedByIndicesAccessControl = limitedBy.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); - return indicesAccessControl.limitIndicesAccessControl(limitedByIndicesAccessControl); } diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java index 238d25ccffa9c..0bd38832b6504 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java @@ -175,19 +175,7 @@ public ResourcePrivilegesMap checkApplicationResourcePrivileges(final String app public IndicesAccessControl authorize(String action, Set requestedIndicesOrAliases, Map aliasAndIndexLookup, FieldPermissionsCache fieldPermissionsCache) { - Map indexPermissions = indices.authorize( - action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache - ); - - // At least one role / indices permission set need to match with all the requested indices/aliases: - boolean granted = true; - for (Map.Entry entry : indexPermissions.entrySet()) { - if (entry.getValue().isGranted() == false) { - granted = false; - break; - } - } - return new IndicesAccessControl(granted, indexPermissions); + return indices.authorize(action, requestedIndicesOrAliases, aliasAndIndexLookup, fieldPermissionsCache); } @Override diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java index 0c4bb51f7628a..23c6ab9b40066 100644 --- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java +++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/support/StringMatcher.java @@ -69,6 +69,10 @@ public boolean test(String s) { return predicate.test(s); } + public boolean isTotal() { + return predicate == ALWAYS_TRUE_PREDICATE; + } + // For testing Predicate getPredicate() { return predicate; diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java index 42a509fa053a9..afa184a7bb0e6 100644 --- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java +++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java @@ -96,6 +96,7 @@ import org.elasticsearch.xpack.core.security.action.CreateApiKeyRequest; import org.elasticsearch.xpack.core.security.action.GetApiKeyRequest; import org.elasticsearch.xpack.core.security.action.apikey.QueryApiKeyRequest; +import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl; import org.elasticsearch.xpack.core.textstructure.action.FindStructureAction; import org.elasticsearch.xpack.core.ml.action.FlushJobAction; import org.elasticsearch.xpack.core.ml.action.ForecastJobAction; @@ -167,7 +168,6 @@ import org.elasticsearch.xpack.core.security.action.user.PutUserAction; import org.elasticsearch.xpack.core.security.authc.Authentication; import org.elasticsearch.xpack.core.security.authz.RoleDescriptor; -import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessControl.IndexAccessControl; import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache; import org.elasticsearch.xpack.core.security.authz.permission.Role; import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege; @@ -216,7 +216,6 @@ import java.util.Collection; import java.util.Collections; import java.util.List; -import java.util.Map; import java.util.SortedMap; import static org.hamcrest.Matchers.hasEntry; @@ -1130,12 +1129,12 @@ private void assertMonitoringOnRestrictedIndices(Role role) { GetSettingsAction.NAME, IndicesShardStoresAction.NAME, UpgradeStatusAction.NAME, RecoveryAction.NAME); for (final String indexMonitoringActionName : indexMonitoringActionNamesList) { String asyncSearchIndex = RestrictedIndicesNames.ASYNC_SEARCH_PREFIX + randomAlphaOfLengthBetween(0, 2); - final Map authzMap = role.indices().authorize(indexMonitoringActionName, + final IndicesAccessControl iac = role.indices().authorize(indexMonitoringActionName, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS, asyncSearchIndex), metadata.getIndicesLookup(), fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(true)); } } @@ -1266,25 +1265,25 @@ public void testSuperuserRole() { FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY); SortedMap lookup = metadata.getIndicesLookup(); - Map authzMap = + IndicesAccessControl iac = superuserRole.indices().authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a1").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = + assertThat(iac.getIndexPermissions("a1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(DeleteIndexAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a1").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("a2").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices() + assertThat(iac.getIndexPermissions("a1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(IndexAction.NAME, Sets.newHashSet("a2", "ba"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("a2").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices() .authorize(UpdateSettingsAction.NAME, Sets.newHashSet("aaaaaa", "ba"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("aaaaaa").isGranted(), is(true)); - assertThat(authzMap.get("b").isGranted(), is(true)); - authzMap = superuserRole.indices().authorize(randomFrom(IndexAction.NAME, DeleteIndexAction.NAME, SearchAction.NAME), + assertThat(iac.getIndexPermissions("aaaaaa").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("b").isGranted(), is(true)); + iac = superuserRole.indices().authorize(randomFrom(IndexAction.NAME, DeleteIndexAction.NAME, SearchAction.NAME), Sets.newHashSet(RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); assertTrue(superuserRole.indices().check(SearchAction.NAME)); assertFalse(superuserRole.indices().check("unknown")); diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java index f0dacb97fd90a..eb2ca53ca8ba7 100644 --- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java +++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/AuthorizationService.java @@ -337,7 +337,7 @@ private void authorizeAction(final RequestInfo requestInfo, final String request if (ClusterPrivilegeResolver.isClusterAction(action)) { final ActionListener clusterAuthzListener = wrapPreservingContext(new AuthorizationResultListener<>(result -> { - threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL); + threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll()); listener.onResponse(null); }, listener::onFailure, requestInfo, requestId, authzInfo), threadContext); authzEngine.authorizeClusterAction(requestInfo, authzInfo, ActionListener.wrap(result -> { @@ -513,7 +513,7 @@ private void authorizeSystemUser(final Authentication authentication, final Stri final TransportRequest request, final ActionListener listener) { final AuditTrail auditTrail = auditTrailService.get(); if (SystemUser.isAuthorized(action)) { - threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.ALLOW_ALL); + threadContext.putTransient(INDICES_PERMISSIONS_KEY, IndicesAccessControl.allowAll()); threadContext.putTransient(AUTHORIZATION_INFO_KEY, SYSTEM_AUTHZ_INFO); auditTrail.accessGranted(requestId, authentication, action, request, SYSTEM_AUTHZ_INFO); listener.onResponse(null); diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java index 54e5c05385e72..1bf8e280741d9 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/accesscontrol/IndicesPermissionTests.java @@ -38,7 +38,6 @@ import java.util.ArrayList; import java.util.Collections; import java.util.List; -import java.util.Map; import java.util.Set; import java.util.SortedMap; import java.util.stream.Collectors; @@ -50,7 +49,6 @@ import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.notNullValue; import static org.hamcrest.Matchers.nullValue; -import static org.hamcrest.Matchers.is; public class IndicesPermissionTests extends ESTestCase { @@ -251,12 +249,12 @@ public void testCorePermissionAuthorize() { IndicesPermission.Group group2 = new IndicesPermission.Group(IndexPrivilege.READ, new FieldPermissions(fieldPermissionDef(null, new String[]{"denied_field"})), null, randomBoolean(), "a1"); IndicesPermission core = new IndicesPermission(group1, group2); - Map authzMap = + IndicesAccessControl iac = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "ba"), lookup, fieldPermissionsCache); - assertTrue(authzMap.get("a1").getFieldPermissions().grantsAccessTo("denied_field")); - assertTrue(authzMap.get("a1").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5))); + assertTrue(iac.getIndexPermissions("a1").getFieldPermissions().grantsAccessTo("denied_field")); + assertTrue(iac.getIndexPermissions("a1").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5))); // did not define anything for ba so we allow all - assertFalse(authzMap.get("ba").getFieldPermissions().hasFieldLevelSecurity()); + assertFalse(iac.getIndexPermissions("ba").getFieldPermissions().hasFieldLevelSecurity()); assertTrue(core.check(SearchAction.NAME)); assertTrue(core.check(PutMappingAction.NAME)); @@ -274,13 +272,13 @@ public void testCorePermissionAuthorize() { new FieldPermissions(fieldPermissionDef(new String[] { "*_field2" }, new String[] { "denied_field2" })), null, randomBoolean(), "a2"); core = new IndicesPermission(group1, group2, group3, group4); - authzMap = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "a2"), lookup, fieldPermissionsCache); - assertFalse(authzMap.get("a1").getFieldPermissions().hasFieldLevelSecurity()); - assertFalse(authzMap.get("a2").getFieldPermissions().grantsAccessTo("denied_field2")); - assertFalse(authzMap.get("a2").getFieldPermissions().grantsAccessTo("denied_field")); - assertTrue(authzMap.get("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field")); - assertTrue(authzMap.get("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field2")); - assertTrue(authzMap.get("a2").getFieldPermissions().hasFieldLevelSecurity()); + iac = core.authorize(SearchAction.NAME, Sets.newHashSet("a1", "a2"), lookup, fieldPermissionsCache); + assertFalse(iac.getIndexPermissions("a1").getFieldPermissions().hasFieldLevelSecurity()); + assertFalse(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo("denied_field2")); + assertFalse(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo("denied_field")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().grantsAccessTo(randomAlphaOfLength(5) + "_field2")); + assertTrue(iac.getIndexPermissions("a2").getFieldPermissions().hasFieldLevelSecurity()); assertTrue(core.check(SearchAction.NAME)); assertTrue(core.check(PutMappingAction.NAME)); @@ -319,19 +317,19 @@ public void testSecurityIndicesPermissions() { // allow_restricted_indices: false IndicesPermission.Group group = new IndicesPermission.Group(IndexPrivilege.ALL, new FieldPermissions(), null, false, "*"); - Map authzMap = new IndicesPermission(group).authorize(SearchAction.NAME, + IndicesAccessControl iac = new IndicesPermission(group).authorize(SearchAction.NAME, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(false)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(false)); // allow_restricted_indices: true group = new IndicesPermission.Group(IndexPrivilege.ALL, new FieldPermissions(), null, true, "*"); - authzMap = new IndicesPermission(group).authorize(SearchAction.NAME, + iac = new IndicesPermission(group).authorize(SearchAction.NAME, Sets.newHashSet(internalSecurityIndex, RestrictedIndicesNames.SECURITY_MAIN_ALIAS), lookup, fieldPermissionsCache); - assertThat(authzMap.get(internalSecurityIndex).isGranted(), is(true)); - assertThat(authzMap.get(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(internalSecurityIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(RestrictedIndicesNames.SECURITY_MAIN_ALIAS).isGranted(), is(true)); } public void testAsyncSearchIndicesPermissions() { @@ -349,15 +347,15 @@ public void testAsyncSearchIndicesPermissions() { // allow_restricted_indices: false IndicesPermission.Group group = new IndicesPermission.Group(IndexPrivilege.ALL, new FieldPermissions(), null, false, "*"); - Map authzMap = new IndicesPermission(group).authorize(SearchAction.NAME, + IndicesAccessControl iac = new IndicesPermission(group).authorize(SearchAction.NAME, Sets.newHashSet(asyncSearchIndex), lookup, fieldPermissionsCache); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(false)); // allow_restricted_indices: true group = new IndicesPermission.Group(IndexPrivilege.ALL, new FieldPermissions(), null, true, "*"); - authzMap = new IndicesPermission(group).authorize(SearchAction.NAME, + iac = new IndicesPermission(group).authorize(SearchAction.NAME, Sets.newHashSet(asyncSearchIndex), lookup, fieldPermissionsCache); - assertThat(authzMap.get(asyncSearchIndex).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(asyncSearchIndex).isGranted(), is(true)); } public void testAuthorizationForBackingIndices() { @@ -380,25 +378,25 @@ public void testAuthorizationForBackingIndices() { SortedMap lookup = metadata.getIndicesLookup(); IndicesPermission.Group group = new IndicesPermission.Group(IndexPrivilege.READ, new FieldPermissions(), null, false, dataStreamName); - Map authzMap = new IndicesPermission(group).authorize( + IndicesAccessControl iac = new IndicesPermission(group).authorize( SearchAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(true)); } group = new IndicesPermission.Group(IndexPrivilege.CREATE_DOC, new FieldPermissions(), null, false, dataStreamName); - authzMap = new IndicesPermission(group).authorize( + iac = new IndicesPermission(group).authorize( randomFrom(PutMappingAction.NAME, AutoPutMappingAction.NAME), Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(false)); } } @@ -428,10 +426,10 @@ public void testAuthorizationForMappingUpdates() { IndicesPermission.Group group2 = new IndicesPermission.Group(IndexPrivilege.WRITE, new FieldPermissions(fieldPermissionDef(null, new String[]{"denied_field"})), null, randomBoolean(), "test_write*"); IndicesPermission core = new IndicesPermission(group1, group2); - Map authzMap = + IndicesAccessControl iac = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test1").isGranted(), is(true)); - assertThat(authzMap.get("test_write1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test_write1").isGranted(), is(true)); assertWarnings("the index privilege [index] allowed the update mapping action [" + PutMappingAction.NAME + "] on " + "index [test1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges", @@ -442,32 +440,32 @@ public void testAuthorizationForMappingUpdates() { "index [test_write1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges" ); - authzMap = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test1").isGranted(), is(true)); - assertThat(authzMap.get("test_write1").isGranted(), is(true)); + iac = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test1", "test_write1"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test1").isGranted(), is(true)); + assertThat(iac.getIndexPermissions("test_write1").isGranted(), is(true)); assertWarnings("the index privilege [index] allowed the update mapping action [" + AutoPutMappingAction.NAME + "] on " + "index [test1], this privilege will not permit mapping updates in the next major release - " + "users who require access to update mappings must be granted explicit privileges"); - authzMap = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test_write2").isGranted(), is(true)); - authzMap = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); - assertThat(authzMap.get("test_write2").isGranted(), is(false)); - authzMap = core.authorize( + iac = core.authorize(AutoPutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test_write2").isGranted(), is(true)); + iac = core.authorize(PutMappingAction.NAME, Sets.newHashSet("test_write2"), lookup, fieldPermissionsCache); + assertThat(iac.getIndexPermissions("test_write2").isGranted(), is(false)); + iac = core.authorize( AutoPutMappingAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(true)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(true)); } - authzMap = core.authorize( + iac = core.authorize( PutMappingAction.NAME, Sets.newHashSet(backingIndices.stream().map(im -> im.getIndex().getName()).collect(Collectors.toList())), lookup, fieldPermissionsCache); for (IndexMetadata im : backingIndices) { - assertThat(authzMap.get(im.getIndex().getName()).isGranted(), is(false)); + assertThat(iac.getIndexPermissions(im.getIndex().getName()).isGranted(), is(false)); } } diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java index 4058355852b4b..6ad75eb75af2c 100644 --- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java +++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStoreTests.java @@ -566,12 +566,11 @@ public void testMergingRolesWithFls() { .settings(Settings.builder().put("index.version.created", Version.CURRENT).build()) .numberOfShards(1).numberOfReplicas(0).build(), true) .build(); - Map acls = role.indices().authorize("indices:data/read/search", + IndicesAccessControl iac = role.indices().authorize("indices:data/read/search", Collections.singleton("test"), metadata.getIndicesLookup(), cache); - assertFalse(acls.isEmpty()); - assertTrue(acls.get("test").getFieldPermissions().grantsAccessTo("L1.foo")); - assertFalse(acls.get("test").getFieldPermissions().grantsAccessTo("L2.foo")); - assertTrue(acls.get("test").getFieldPermissions().grantsAccessTo("L3.foo")); + assertTrue(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L1.foo")); + assertFalse(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L2.foo")); + assertTrue(iac.getIndexPermissions("test").getFieldPermissions().grantsAccessTo("L3.foo")); } public void testMergingBasicRoles() {