@ywangd ywangd commented Dec 7, 2021

This PR extracts an interface from the Role class. This helped to rework
the LimitedRole class so it no longer has the constraint of one level of
limiting.

Resolves: #81192
Relates: #80117

@ywangd ywangd added >refactoring :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC v8.1.0 labels Dec 7, 2021
@ywangd ywangd requested a review from tvernum December 7, 2021 05:04
@elasticmachine elasticmachine added the Team:Security Meta label for security team label Dec 7, 2021
@elasticmachine

Pinging @elastic/es-security (Team:Security)

ywangd commented Dec 7, 2021

I think we can have separate work to decide what the textual representation of a (multi-level) limitedRole should be. A decision on this topic may help with implementing the cluster() and indices() methods on LimitedRole.

@tvernum tvernum left a comment

LGTM

@ywangd ywangd merged commit c491279 into elastic:master Jan 19, 2022
elasticsearchmachine pushed a commit that referenced this pull request Nov 2, 2022
…91151)

Since #81403, the Role class has been able to support multiple levels of
limiting (intersections). However, it was an oversight that the
underlying DocumentPermissions and FieldPermissions still do not support
it. They are still hardcoded to support up to 2 levels of intersection.
This PR now updates DocumentPermissions so it can support multiple levels of
intersection. A similar change for FieldPermissions will be done in a
separate PR.
ywangd added a commit that referenced this pull request Nov 2, 2022
This PR is the 2nd half of updating DocumentPermissions and FieldPermissions
to support multiple levels of limiting, similar to LimitedRole (since #81403).
Instead of hard coding fieldsDefinition and limitedByFieldsDefinition,
this PR replaces them with a list of fieldsDefinitions which can accommodate
multiple of them (more than 2).

Relates: #91151
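
The multi-level limiting described in the PR and the two follow-up commit messages, sketched as an added example (not Elasticsearch's code). The nested `Role` interface, `SimpleRole`, `allowsIndex`, `fieldDefinitions` and `fieldGranted` are hypothetical stand-ins, and the sample roles are constructed; the sketch shows how typing both operands as the interface removes the one-level constraint and how a list of field definitions replaces a hard-coded pair.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

public class LimitedRoleSketch {
    // Hypothetical stand-in for the extracted interface; not Elasticsearch's actual API.
    interface Role {
        boolean allowsIndex(String index);
        List<Set<String>> fieldDefinitions(); // one entry per level of limiting
        default Role limitedBy(Role limiter) { return new LimitedRole(this, limiter); }
    }

    static final class SimpleRole implements Role {
        private final Predicate<String> indices;
        private final Set<String> fields;
        SimpleRole(Predicate<String> indices, Set<String> fields) { this.indices = indices; this.fields = fields; }
        public boolean allowsIndex(String index) { return indices.test(index); }
        public List<Set<String>> fieldDefinitions() { return List.of(fields); }
    }

    // Both operands are typed as the interface, so a LimitedRole can itself be limited again.
    static final class LimitedRole implements Role {
        private final Role base;
        private final Role limiter;
        LimitedRole(Role base, Role limiter) { this.base = base; this.limiter = limiter; }
        public boolean allowsIndex(String index) { return base.allowsIndex(index) && limiter.allowsIndex(index); }
        public List<Set<String>> fieldDefinitions() {
            List<Set<String>> all = new ArrayList<>(base.fieldDefinitions());
            all.addAll(limiter.fieldDefinitions());
            return all;
        }
    }

    // A field is granted only if every level grants it: an intersection over the whole list.
    static boolean fieldGranted(Role role, String field) {
        return role.fieldDefinitions().stream().allMatch(def -> def.contains(field));
    }

    public static void main(String[] args) {
        // Constructed sample roles: three levels of limiting chained together.
        Role base = new SimpleRole(i -> i.startsWith("logs-"), Set.of("host", "message", "user"));
        Role firstLimit = new SimpleRole(i -> i.startsWith("logs-app"), Set.of("host", "message"));
        Role secondLimit = new SimpleRole(i -> true, Set.of("message", "user"));
        Role effective = base.limitedBy(firstLimit).limitedBy(secondLimit);
        System.out.println("logs-app-1 allowed: " + effective.allowsIndex("logs-app-1"));
        System.out.println("logs-sys-1 allowed: " + effective.allowsIndex("logs-sys-1"));
        System.out.println("message granted: " + fieldGranted(effective, "message"));
        System.out.println("user granted: " + fieldGranted(effective, "user"));
    }
}
```

The last limiter allows every index, yet the effective role still rejects `logs-sys-1` and the `user` field, because each added level can only narrow what the earlier levels grant.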
Successfully merging this pull request may close these issues.

Rework Role and LimitedRole to support more general limiting
