diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
index 3f91049aea228..7a412f33b88a6 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/permission/Role.java
@@ -34,6 +34,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Predicate;
@@ -177,10 +178,6 @@ static Builder builder(RestrictedIndices restrictedIndices, String... names) {
 return new Builder(restrictedIndices, names);
 }
- static Builder builder(RoleDescriptor rd, FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
- return new Builder(rd, fieldPermissionsCache, restrictedIndices);
- }
-
 class Builder {
 private final String[] names;
@@ -196,26 +193,6 @@ private Builder(RestrictedIndices restrictedIndices, String[] names) {
 this.names = names;
 }
- private Builder(RoleDescriptor rd, @Nullable FieldPermissionsCache fieldPermissionsCache, RestrictedIndices restrictedIndices) {
- // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
- // using this builder
- assert false == rd.hasRemoteIndicesPrivileges();
- this.names = new String[] { rd.getName() };
- cluster(Sets.newHashSet(rd.getClusterPrivileges()), Arrays.asList(rd.getConditionalClusterPrivileges()));
- groups.addAll(convertFromIndicesPrivileges(rd.getIndicesPrivileges(), fieldPermissionsCache));
-
- final RoleDescriptor.ApplicationResourcePrivileges[] applicationPrivileges = rd.getApplicationPrivileges();
- for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : applicationPrivileges) {
- applicationPrivs.add(convertApplicationPrivilege(applicationPrivilege));
- }
-
- String[] rdRunAs = rd.getRunAs();
- if (rdRunAs != null && rdRunAs.length > 0) {
- this.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
- }
- this.restrictedIndices = restrictedIndices;
- }
-
 public Builder cluster(Set privilegeNames, Iterable configurableClusterPrivileges) {
 ClusterPermission.Builder builder = ClusterPermission.builder();
 if (privilegeNames.isEmpty() == false) {
@@ -314,41 +291,6 @@ public SimpleRole build() {
 return new SimpleRole(names, cluster, indices, applicationPermission, runAs, remoteIndices);
 }
- static List convertFromIndicesPrivileges(
- RoleDescriptor.IndicesPrivileges[] indicesPrivileges,
- @Nullable FieldPermissionsCache fieldPermissionsCache
- ) {
- List list = new ArrayList<>(indicesPrivileges.length);
- for (RoleDescriptor.IndicesPrivileges privilege : indicesPrivileges) {
- final FieldPermissions fieldPermissions;
- if (fieldPermissionsCache != null) {
- fieldPermissions = fieldPermissionsCache.getFieldPermissions(privilege.getGrantedFields(), privilege.getDeniedFields());
- } else {
- fieldPermissions = new FieldPermissions(
- new FieldPermissionsDefinition(privilege.getGrantedFields(), privilege.getDeniedFields())
- );
- }
- final Set query = privilege.getQuery() == null ? null : Collections.singleton(privilege.getQuery());
- list.add(
- new IndicesPermissionGroupDefinition(
- IndexPrivilege.get(Sets.newHashSet(privilege.getPrivileges())),
- fieldPermissions,
- query,
- privilege.allowRestrictedIndices(),
- privilege.getIndices()
- )
- );
- }
- return list;
- }
-
- static Tuple> convertApplicationPrivilege(RoleDescriptor.ApplicationResourcePrivileges arp) {
- return new Tuple<>(
- new ApplicationPrivilege(arp.getApplication(), Sets.newHashSet(arp.getPrivileges()), arp.getPrivileges()),
- Sets.newHashSet(arp.getResources())
- );
- }
-
 private static class IndicesPermissionGroupDefinition {
 private final IndexPrivilege privilege;
 private final FieldPermissions fieldPermissions;
@@ -371,4 +313,52 @@ private IndicesPermissionGroupDefinition(
 }
 }
 }
+
+ static SimpleRole buildFromRoleDescriptor(
+ final RoleDescriptor roleDescriptor,
+ final FieldPermissionsCache fieldPermissionsCache,
+ final RestrictedIndices restrictedIndices
+ ) {
+ // TODO handle this when we introduce remote index privileges for built-in users and roles. That's the only production code
+ // using this builder
+ assert false == roleDescriptor.hasRemoteIndicesPrivileges();
+ Objects.requireNonNull(fieldPermissionsCache);
+
+ final Builder builder = builder(restrictedIndices, roleDescriptor.getName());
+
+ builder.cluster(
+ Sets.newHashSet(roleDescriptor.getClusterPrivileges()),
+ Arrays.asList(roleDescriptor.getConditionalClusterPrivileges())
+ );
+
+ for (RoleDescriptor.IndicesPrivileges indexPrivilege : roleDescriptor.getIndicesPrivileges()) {
+ builder.add(
+ fieldPermissionsCache.getFieldPermissions(
+ new FieldPermissionsDefinition(indexPrivilege.getGrantedFields(), indexPrivilege.getDeniedFields())
+ ),
+ indexPrivilege.getQuery() == null ? null : Collections.singleton(indexPrivilege.getQuery()),
+ IndexPrivilege.get(Sets.newHashSet(indexPrivilege.getPrivileges())),
+ indexPrivilege.allowRestrictedIndices(),
+ indexPrivilege.getIndices()
+ );
+ }
+
+ for (RoleDescriptor.ApplicationResourcePrivileges applicationPrivilege : roleDescriptor.getApplicationPrivileges()) {
+ builder.addApplicationPrivilege(
+ new ApplicationPrivilege(
+ applicationPrivilege.getApplication(),
+ Sets.newHashSet(applicationPrivilege.getPrivileges()),
+ applicationPrivilege.getPrivileges()
+ ),
+ Sets.newHashSet(applicationPrivilege.getResources())
+ );
+ }
+
+ final String[] rdRunAs = roleDescriptor.getRunAs();
+ if (rdRunAs != null && rdRunAs.length > 0) {
+ builder.runAs(new Privilege(Sets.newHashSet(rdRunAs), rdRunAs));
+ }
+
+ return builder.build();
+ }
 }
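Review bot: `assert false == roleDescriptor.hasRemoteIndicesPrivileges()` is the only guard in `buildFromRoleDescriptor` against a descriptor that carries remote indices privileges, and nothing visible in the method feeds those privileges into the builder, so with assertions disabled the returned SimpleRole silently lacks grants that the descriptor declares. The removed Builder constructor had the same assert, so this is not a regression, but the only non-test callers are CompositeRolesStore's built-in descriptors, and if one of them ever gains remote indices privileges a startup-time exception is far easier to notice than a role that quietly differs from its descriptor: `if (roleDescriptor.hasRemoteIndicesPrivileges()) { throw new IllegalArgumentException("remote indices privileges are not supported for role [" + roleDescriptor.getName() + "]"); }`. The null check would also be more useful with the parameter named, `Objects.requireNonNull(fieldPermissionsCache, "fieldPermissionsCache");`, and `Objects.requireNonNull(roleDescriptor, "roleDescriptor")` belongs above the assert, which already dereferences it. The method has no Javadoc; a summary saying that it builds a SimpleRole from a single descriptor, that the cache is mandatory now that the former `@Nullable` path is gone, and that remote indices privileges are not supported would state the contract the updated tests rely on.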
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java
index 5f427998be364..6f2f9bfb69ba2 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/permission/SimpleRoleTests.java
@@ -28,11 +28,11 @@ public void testEmptyRoleHasNoEmptyListOfNames() {
 }
 public void testHasPrivilegesCache() throws ExecutionException {
- final SimpleRole role = Role.builder(
+ final SimpleRole role = Role.buildFromRoleDescriptor(
 new RoleDescriptor(randomAlphaOfLengthBetween(3, 8), new String[] { "monitor" }, null, null),
- null,
+ new FieldPermissionsCache(Settings.EMPTY),
 RESTRICTED_INDICES
- ).build();
+ );
 // cache is null to begin with
 assertThat(role.getHasPrivilegesCache(), nullValue());
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 17844049c7c20..36508470897c0 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
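Review bot: The context comment `// cache is null to begin with` in `testHasPrivilegesCache` now sits directly below a freshly constructed `FieldPermissionsCache`, so a reader can take it to mean the field permissions cache rather than the has-privileges cache that the assertion on the next line checks. Rewording it to `// the has-privileges cache is null to begin with` removes the ambiguity. The rest of the test method continues outside the hunk.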
@@ -278,7 +278,8 @@ public void testSnapshotUserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role snapshotUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
+ Role snapshotUserRole = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 assertThat(snapshotUserRole.cluster().check(GetRepositoriesAction.NAME, request, authentication), is(true));
 assertThat(snapshotUserRole.cluster().check(CreateSnapshotAction.NAME, request, authentication), is(true));
 assertThat(snapshotUserRole.cluster().check(SnapshotsStatusAction.NAME, request, authentication), is(true));
@@ -352,7 +353,7 @@ public void testIngestAdminRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role ingestAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role ingestAdminRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(ingestAdminRole.cluster().check(PutIndexTemplateAction.NAME, request, authentication), is(true));
 assertThat(ingestAdminRole.cluster().check(GetIndexTemplatesAction.NAME, request, authentication), is(true));
 assertThat(ingestAdminRole.cluster().check(DeleteIndexTemplateAction.NAME, request, authentication), is(true));
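Review bot: The `testIngestAdminRole` hunk constructs `new FieldPermissionsCache(Settings.EMPTY)` inline at the `buildFromRoleDescriptor` call, while the `testSnapshotUserRole` hunk just above binds it to a local first; the same two styles alternate through every later hunk of this file, and FileRolesStoreTests repeats the inline form. A single file-level helper, `private static Role buildRole(RoleDescriptor roleDescriptor) { return Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES); }`, would keep each call site on one line, settle on one style, and give one place to change if the cache ever needs non-empty settings. Whether one cache instance can be shared across test methods is not visible here, so a helper that creates a fresh one per call is the conservative choice.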
@@ -394,7 +395,7 @@ public void testKibanaSystemRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role kibanaRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role kibanaRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(kibanaRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(kibanaRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(kibanaRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -1141,7 +1142,7 @@ public void testKibanaAdminRole() {
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
- Role kibanaAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role kibanaAdminRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(kibanaAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(kibanaAdminRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 assertThat(kibanaAdminRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
@@ -1185,7 +1186,7 @@ public void testKibanaUserRole() {
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
- Role kibanaUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role kibanaUserRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(kibanaUserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(kibanaUserRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 assertThat(kibanaUserRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
@@ -1229,7 +1230,11 @@ public void testMonitoringUserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role monitoringUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role monitoringUserRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(monitoringUserRole.cluster().check(MainAction.NAME, request, authentication), is(true));
 assertThat(monitoringUserRole.cluster().check(XPackInfoAction.NAME, request, authentication), is(true));
 assertThat(monitoringUserRole.cluster().check(RemoteInfoAction.NAME, request, authentication), is(true));
@@ -1318,7 +1323,11 @@ public void testRemoteMonitoringAgentRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role remoteMonitoringAgentRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role remoteMonitoringAgentRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(remoteMonitoringAgentRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(remoteMonitoringAgentRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(remoteMonitoringAgentRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -1493,7 +1502,11 @@ public void testRemoteMonitoringCollectorRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role remoteMonitoringCollectorRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role remoteMonitoringCollectorRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(remoteMonitoringCollectorRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -1759,7 +1772,11 @@ public void testReportingUserRole() {
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
 assertThat(roleDescriptor.getMetadata(), hasEntry("_deprecated", true));
- Role reportingUserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role reportingUserRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(reportingUserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(reportingUserRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 assertThat(reportingUserRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
@@ -1810,7 +1827,7 @@ public void testSuperuserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role superuserRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role superuserRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(superuserRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(superuserRole.cluster().check(ClusterUpdateSettingsAction.NAME, request, authentication), is(true));
 assertThat(superuserRole.cluster().check(PutUserAction.NAME, request, authentication), is(true));
@@ -1937,7 +1954,11 @@ public void testLogstashSystemRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role logstashSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role logstashSystemRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(logstashSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(logstashSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(logstashSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -1971,7 +1992,11 @@ public void testBeatsAdminRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- final Role beatsAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ final Role beatsAdminRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(beatsAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(beatsAdminRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
 assertThat(beatsAdminRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(false));
@@ -2018,7 +2043,7 @@ public void testBeatsSystemRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role beatsSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role beatsSystemRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(beatsSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(beatsSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(beatsSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -2060,7 +2085,7 @@ public void testAPMSystemRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role APMSystemRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role APMSystemRole = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(APMSystemRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(true));
 assertThat(APMSystemRole.cluster().check(ClusterStateAction.NAME, request, authentication), is(true));
 assertThat(APMSystemRole.cluster().check(ClusterStatsAction.NAME, request, authentication), is(true));
@@ -2113,7 +2138,7 @@ public void testAPMUserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
 assertThat(role.runAs().check(randomAlphaOfLengthBetween(1, 12)), is(false));
@@ -2165,7 +2190,8 @@ public void testMachineLearningAdminRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 assertRoleHasManageMl(role);
 assertThat(role.cluster().check(DelegatePkiAuthenticationAction.NAME, request, authentication), is(false));
@@ -2275,7 +2301,8 @@ public void testMachineLearningUserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, fieldPermissionsCache, RESTRICTED_INDICES);
 assertThat(role.cluster().check(CloseJobAction.NAME, request, authentication), is(false));
 assertThat(role.cluster().check(DeleteCalendarAction.NAME, request, authentication), is(false));
 assertThat(role.cluster().check(DeleteCalendarEventAction.NAME, request, authentication), is(false));
@@ -2378,7 +2405,7 @@ public void testTransformAdminRole() {
 assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
 }
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true));
@@ -2441,7 +2468,7 @@ public void testTransformUserRole() {
 assertThat(roleDescriptor.getMetadata(), not(hasEntry("_deprecated", true)));
 }
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(role.cluster().check(DeleteTransformAction.NAME, request, authentication), is(false));
 assertThat(role.cluster().check(GetTransformAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(GetTransformStatsAction.NAME, request, authentication), is(true));
@@ -2500,7 +2527,7 @@ public void testWatcherAdminRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(role.cluster().check(PutWatchAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(GetWatchAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(DeleteWatchAction.NAME, request, authentication), is(true));
@@ -2531,7 +2558,7 @@ public void testWatcherUserRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 assertThat(role.cluster().check(PutWatchAction.NAME, request, authentication), is(false));
 assertThat(role.cluster().check(GetWatchAction.NAME, request, authentication), is(true));
 assertThat(role.cluster().check(DeleteWatchAction.NAME, request, authentication), is(false));
@@ -2566,7 +2593,7 @@ public void testPredefinedViewerRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 // No cluster privileges
 assertThat(role.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(role.cluster().check(ClusterStateAction.NAME, request, authentication), is(false));
@@ -2624,7 +2651,7 @@ public void testPredefinedEditorRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role role = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role role = Role.buildFromRoleDescriptor(roleDescriptor, new FieldPermissionsCache(Settings.EMPTY), RESTRICTED_INDICES);
 // No cluster privileges
 assertThat(role.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
@@ -2778,7 +2805,11 @@ public void testLogstashAdminRole() {
 assertNotNull(roleDescriptor);
 assertThat(roleDescriptor.getMetadata(), hasEntry("_reserved", true));
- Role logstashAdminRole = Role.builder(roleDescriptor, null, RESTRICTED_INDICES).build();
+ Role logstashAdminRole = Role.buildFromRoleDescriptor(
+ roleDescriptor,
+ new FieldPermissionsCache(Settings.EMPTY),
+ RESTRICTED_INDICES
+ );
 assertThat(logstashAdminRole.cluster().check(ClusterHealthAction.NAME, request, authentication), is(false));
 assertThat(logstashAdminRole.cluster().check(PutIndexTemplateAction.NAME, request, authentication), is(false));
 assertThat(logstashAdminRole.cluster().check(ClusterRerouteAction.NAME, request, authentication), is(false));
diff --git a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
index acd39af39f362..cdf7b532fda33 100644
--- a/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
+++ b/x-pack/plugin/security/src/internalClusterTest/java/org/elasticsearch/xpack/security/authc/esnative/NativeRealmIntegTests.java
@@ -55,6 +55,7 @@
 import org.elasticsearch.xpack.core.security.authc.support.Hasher;
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
 import org.elasticsearch.xpack.core.security.support.Automatons;
@@ -432,10 +433,11 @@ public void testCreateAndUpdateRole() {
 assertTrue("test_role does not exist!", getRolesResponse.hasRoles());
 assertTrue(
 "any cluster permission should be authorized",
- Role.builder(getRolesResponse.roles()[0], null, EMPTY_RESTRICTED_INDICES)
- .build()
- .cluster()
- .check("cluster:admin/foo", request, authentication)
+ Role.buildFromRoleDescriptor(
+ getRolesResponse.roles()[0],
+ new FieldPermissionsCache(Settings.EMPTY),
+ EMPTY_RESTRICTED_INDICES
+ ).cluster().check("cluster:admin/foo", request, authentication)
 );
 preparePutRole("test_role").cluster("none")
@@ -453,10 +455,11 @@ public void testCreateAndUpdateRole() {
 assertFalse(
 "no cluster permission should be authorized",
- Role.builder(getRolesResponse.roles()[0], null, EMPTY_RESTRICTED_INDICES)
- .build()
- .cluster()
- .check("cluster:admin/bar", request, authentication)
+ Role.buildFromRoleDescriptor(
+ getRolesResponse.roles()[0],
+ new FieldPermissionsCache(Settings.EMPTY),
+ EMPTY_RESTRICTED_INDICES
+ ).cluster().check("cluster:admin/bar", request, authentication)
 );
 }
 }
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
index 4138447bfcff9..10b8df8410fa5 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/store/CompositeRolesStore.java
@@ -153,12 +153,27 @@ public void providersChanged() {
 }
 this.negativeLookupCache = nlcBuilder.build();
 this.restrictedIndices = restrictedIndices;
- this.superuserRole = Role.builder(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices)
- .build();
- xpackSecurityRole = Role.builder(XPackSecurityUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
- securityProfileRole = Role.builder(SecurityProfileUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
- xpackUserRole = Role.builder(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
- asyncSearchUserRole = Role.builder(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices).build();
+ this.superuserRole = Role.buildFromRoleDescriptor(
+ ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR,
+ fieldPermissionsCache,
+ this.restrictedIndices
+ );
+ this.xpackSecurityRole = Role.buildFromRoleDescriptor(
+ XPackSecurityUser.ROLE_DESCRIPTOR,
+ fieldPermissionsCache,
+ this.restrictedIndices
+ );
+ this.securityProfileRole = Role.buildFromRoleDescriptor(
+ SecurityProfileUser.ROLE_DESCRIPTOR,
+ fieldPermissionsCache,
+ this.restrictedIndices
+ );
+ this.xpackUserRole = Role.buildFromRoleDescriptor(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, this.restrictedIndices);
+ this.asyncSearchUserRole = Role.buildFromRoleDescriptor(
+ AsyncSearchUser.ROLE_DESCRIPTOR,
+ fieldPermissionsCache,
+ this.restrictedIndices
+ );
 this.roleReferenceResolver = new RoleDescriptorStore(
 roleProviders,
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
index 549d0968e0447..3088631f9117b 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/service/ElasticServiceAccountsTests.java
@@ -29,6 +29,7 @@
 import org.elasticsearch.action.update.UpdateAction;
 import org.elasticsearch.cluster.metadata.IndexAbstraction;
 import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import org.elasticsearch.transport.TransportRequest;
 import org.elasticsearch.xpack.core.ilm.action.GetLifecycleAction;
@@ -107,6 +108,7 @@
 import org.elasticsearch.xpack.core.security.authc.Authentication;
 import org.elasticsearch.xpack.core.security.authc.AuthenticationTestHelper;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.privilege.ApplicationPrivilege;
 import org.elasticsearch.xpack.core.security.authz.store.ReservedRolesStore;
@@ -145,11 +147,11 @@ public void testKibanaSystemPrivileges() {
 }
 public void testElasticFleetServerPrivileges() {
- final Role role = Role.builder(
+ final Role role = Role.buildFromRoleDescriptor(
 ElasticServiceAccounts.ACCOUNTS.get("elastic/fleet-server").roleDescriptor(),
- null,
+ new FieldPermissionsCache(Settings.EMPTY),
 RESTRICTED_INDICES
- ).build();
+ );
 final Authentication authentication = AuthenticationTestHelper.builder().serviceAccount().build();
 assertThat(
 role.cluster()
@@ -305,11 +307,11 @@ public void testElasticServiceAccount() {
 }
 public void testElasticEnterpriseSearchServerAccount() {
- final Role role = Role.builder(
+ final Role role = Role.buildFromRoleDescriptor(
 ElasticServiceAccounts.ACCOUNTS.get("elastic/enterprise-search-server").roleDescriptor(),
- null,
+ new FieldPermissionsCache(Settings.EMPTY),
 RESTRICTED_INDICES
- ).build();
+ );
 final Authentication authentication = AuthenticationTestHelper.builder().serviceAccount().build();
 final TransportRequest request = mock(TransportRequest.class);
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
index 446dcd8f31327..8620681ec2033 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
@@ -354,17 +354,19 @@ public void setup() {
 @SuppressWarnings("unchecked") ActionListener listener = (ActionListener) i.getArguments()[1];
 if (XPackUser.is(user)) {
- listener.onResponse(Role.builder(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build());
+ listener.onResponse(Role.buildFromRoleDescriptor(XPackUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES));
 return Void.TYPE;
 }
 if (XPackSecurityUser.is(user)) {
 listener.onResponse(
- Role.builder(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build()
+ Role.buildFromRoleDescriptor(ReservedRolesStore.SUPERUSER_ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES)
 );
 return Void.TYPE;
 }
 if (AsyncSearchUser.is(user)) {
- listener.onResponse(Role.builder(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES).build());
+ listener.onResponse(
+ Role.buildFromRoleDescriptor(AsyncSearchUser.ROLE_DESCRIPTOR, fieldPermissionsCache, RESTRICTED_INDICES)
+ );
 return Void.TYPE;
 }
diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
index 398ce79605fb2..86f92790cc149 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authz/store/FileRolesStoreTests.java
@@ -31,6 +31,7 @@
 import org.elasticsearch.xpack.core.security.authz.RestrictedIndices;
 import org.elasticsearch.xpack.core.security.authz.RoleDescriptor;
 import org.elasticsearch.xpack.core.security.authz.permission.ClusterPermission;
+import org.elasticsearch.xpack.core.security.authz.permission.FieldPermissionsCache;
 import org.elasticsearch.xpack.core.security.authz.permission.IndicesPermission;
 import org.elasticsearch.xpack.core.security.authz.permission.Role;
 import org.elasticsearch.xpack.core.security.authz.permission.RunAsPermission;
@@ -101,7 +102,7 @@ public void testParseFile() throws Exception {
         RoleDescriptor descriptor = roles.get("role1");
         assertNotNull(descriptor);
-        Role role = Role.builder(descriptor, null, restrictedIndices).build();
+        Role role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role1" }));
         assertThat(role.cluster(), notNullValue());
@@ -129,7 +130,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role1.ab");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role1.ab" }));
         assertThat(role.cluster(), notNullValue());
@@ -141,7 +142,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role2");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role2" }));
         assertThat(role.cluster(), notNullValue());
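Review bot: In the -101 hunk, and likewise at -129, -141, -152, -182, -195, -208, -230, -251, -442 and -539, every call site constructs its own `new FieldPermissionsCache(Settings.EMPTY)`, so no two roles built in `testParseFile` ever share a cache and each lookup sees an empty one. Declaring a single instance once at the top of the method, `final FieldPermissionsCache fieldPermissionsCache = new FieldPermissionsCache(Settings.EMPTY);`, and passing it to every `buildFromRoleDescriptor` call shortens each line and, for the field-level security roles such as `role_fields` and `role_query_fields`, exercises the path where cached field permissions are reused across role definitions, which is presumably how a shared cache behaves outside tests. `testAutoReload` and `testThatInvalidRoleDefinitions` could take the same instance from a test-class field. `testParseFile` begins outside the hunk.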
@@ -152,7 +153,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role3");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role3" }));
         assertThat(role.cluster(), notNullValue());
@@ -182,7 +183,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role_run_as");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role_run_as" }));
         assertThat(role.cluster(), notNullValue());
@@ -195,7 +196,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role_run_as1");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role_run_as1" }));
         assertThat(role.cluster(), notNullValue());
@@ -208,7 +209,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role_fields");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role_fields" }));
         assertThat(role.cluster(), notNullValue());
@@ -230,7 +231,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role_query");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role_query" }));
         assertThat(role.cluster(), notNullValue());
@@ -251,7 +252,7 @@ public void testParseFile() throws Exception {
         descriptor = roles.get("role_query_fields");
         assertNotNull(descriptor);
-        role = Role.builder(descriptor, null, restrictedIndices).build();
+        role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role_query_fields" }));
         assertThat(role.cluster(), notNullValue());
@@ -442,7 +443,11 @@ public void testAutoReload() throws Exception {
         descriptors = store.roleDescriptors(Collections.singleton("role5"));
         assertThat(descriptors, notNullValue());
         assertEquals(1, descriptors.size());
-        Role role = Role.builder(descriptors.iterator().next(), null, restrictedIndices).build();
+        Role role = Role.buildFromRoleDescriptor(
+            descriptors.iterator().next(),
+            new FieldPermissionsCache(Settings.EMPTY),
+            restrictedIndices
+        );
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "role5" }));
         assertThat(role.cluster().check("cluster:monitor/foo/bar", request, authentication), is(true));
@@ -539,7 +544,7 @@ public void testThatInvalidRoleDefinitions() throws Exception {
         assertThat(roles, hasKey("valid_role"));
         RoleDescriptor descriptor = roles.get("valid_role");
         assertNotNull(descriptor);
-        Role role = Role.builder(descriptor, null, restrictedIndices).build();
+        Role role = Role.buildFromRoleDescriptor(descriptor, new FieldPermissionsCache(Settings.EMPTY), restrictedIndices);
         assertThat(role, notNullValue());
         assertThat(role.names(), equalTo(new String[] { "valid_role" }));