
Source code changes of the file "x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authz/interceptor/FieldAndDocumentLevelSecurityRequestInterceptor.java" between
elasticsearch-6.8.14-src.tar.gz and elasticsearch-6.8.15-src.tar.gz

About: elasticsearch is a Distributed, RESTful, Search Engine built on top of Apache Lucene. Source package (GitHub).

FieldAndDocumentLevelSecurityRequestInterceptor.java  (elasticsearch-6.8.14-src):FieldAndDocumentLevelSecurityRequestInterceptor.java  (elasticsearch-6.8.15-src)
skipping to change at line 12 skipping to change at line 12
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License; * or more contributor license agreements. Licensed under the Elastic License;
* you may not use this file except in compliance with the Elastic License. * you may not use this file except in compliance with the Elastic License.
*/ */
package org.elasticsearch.xpack.security.authz.interceptor; package org.elasticsearch.xpack.security.authz.interceptor;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener; import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.IndicesRequest; import org.elasticsearch.action.IndicesRequest;
import org.elasticsearch.common.Strings;
import org.elasticsearch.common.util.concurrent.ThreadContext; import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.license.XPackLicenseState;
import org.elasticsearch.transport.TransportActionProxy;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.Authoriza tionInfo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.Authoriza tionInfo;
import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestIn fo; import org.elasticsearch.xpack.core.security.authz.AuthorizationEngine.RequestIn fo;
import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField; import org.elasticsearch.xpack.core.security.authz.AuthorizationServiceField;
import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessCo ntrol; import org.elasticsearch.xpack.core.security.authz.accesscontrol.IndicesAccessCo ntrol;
/** /**
* Base class for interceptors that disables features when field level security is configured for indices a request * Base class for interceptors that disables features when field level security is configured for indices a request
* is going to execute on. * is going to execute on.
*/ */
skipping to change at line 39 skipping to change at line 41
FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState) { FieldAndDocumentLevelSecurityRequestInterceptor(ThreadContext threadContext, XPackLicenseState licenseState) {
this.threadContext = threadContext; this.threadContext = threadContext;
this.licenseState = licenseState; this.licenseState = licenseState;
this.logger = LogManager.getLogger(getClass()); this.logger = LogManager.getLogger(getClass());
} }
@Override @Override
public void intercept(RequestInfo requestInfo, AuthorizationEngine authoriza tionEngine, AuthorizationInfo authorizationInfo, public void intercept(RequestInfo requestInfo, AuthorizationEngine authoriza tionEngine, AuthorizationInfo authorizationInfo,
ActionListener<Void> listener) { ActionListener<Void> listener) {
if (requestInfo.getRequest() instanceof IndicesRequest) { if (requestInfo.getRequest() instanceof IndicesRequest && false == Trans portActionProxy.isProxyAction(requestInfo.getAction())) {
IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequ est(); IndicesRequest indicesRequest = (IndicesRequest) requestInfo.getRequ est();
if (supports(indicesRequest) && licenseState.isDocumentAndFieldLevel SecurityAllowed()) { if (supports(indicesRequest) && licenseState.isDocumentAndFieldLevel SecurityAllowed()) {
final IndicesAccessControl indicesAccessControl = final IndicesAccessControl indicesAccessControl =
threadContext.getTransient(AuthorizationServiceField.INDICES _PERMISSIONS_KEY); threadContext.getTransient(AuthorizationServiceField.INDICES _PERMISSIONS_KEY);
for (String index : indicesRequest.indices()) { boolean fieldLevelSecurityEnabled = false;
boolean documentLevelSecurityEnabled = false;
final String[] requestIndices = indicesRequest.indices();
for (String index : requestIndices) {
IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index); IndicesAccessControl.IndexAccessControl indexAccessControl = indicesAccessControl.getIndexPermissions(index);
if (indexAccessControl != null) { if (indexAccessControl != null) {
boolean fieldLevelSecurityEnabled = indexAccessControl.g fieldLevelSecurityEnabled =
etFieldPermissions().hasFieldLevelSecurity(); fieldLevelSecurityEnabled || indexAccessControl.getF
boolean documentLevelSecurityEnabled = indexAccessContro ieldPermissions().hasFieldLevelSecurity();
l.getDocumentPermissions().hasDocumentLevelPermissions(); documentLevelSecurityEnabled =
if (fieldLevelSecurityEnabled || documentLevelSecurityEn documentLevelSecurityEnabled || indexAccessControl.g
abled) { etDocumentPermissions().hasDocumentLevelPermissions();
logger.trace("intercepted request for index [{}] wit if (fieldLevelSecurityEnabled && documentLevelSecurityEn
h field level access controls [{}] " + abled) {
"document level access controls [{}]. disabling break;
conflicting features",
index, fieldLevelSecurityEnabled, documentLevelS
ecurityEnabled);
disableFeatures(indicesRequest, fieldLevelSecurityEn
abled, documentLevelSecurityEnabled, listener);
return;
} }
} }
logger.trace("intercepted request for index [{}] without fie ld or document level access controls", index);
} }
if (fieldLevelSecurityEnabled || documentLevelSecurityEnabled) {
logger.trace("intercepted request for indices [{}] with fiel
d level access controls [{}] " +
"document level access controls [{}]. disabling conf
licting features",
Strings.arrayToDelimitedString(requestIndices, ","), fie
ldLevelSecurityEnabled, documentLevelSecurityEnabled);
disableFeatures(indicesRequest, fieldLevelSecurityEnabled, d
ocumentLevelSecurityEnabled, listener);
return;
}
logger.trace("intercepted request for indices [{}] without field
or document level access controls",
Strings.arrayToDelimitedString(requestIndices, ","));
} }
} }
listener.onResponse(null); listener.onResponse(null);
} }
abstract void disableFeatures(IndicesRequest request, boolean fieldLevelSecu rityEnabled, boolean documentLevelSecurityEnabled, abstract void disableFeatures(IndicesRequest request, boolean fieldLevelSecu rityEnabled, boolean documentLevelSecurityEnabled,
ActionListener<Void> listener); ActionListener<Void> listener);
abstract boolean supports(IndicesRequest request); abstract boolean supports(IndicesRequest request);
} }
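Review bot: The added `false == TransportActionProxy.isProxyAction(requestInfo.getAction())` condition in `intercept` sends every proxy action straight to `listener.onResponse(null)`, so the field- and document-level checks are skipped for them with no explanation of why that is safe. If the intent is that the wrapped request is intercepted again under its own action name on the node that executes it (not visible on this page), say so above the condition, e.g. `// proxy actions are not checked here; the wrapped request is intercepted under its own action where it is executed`. A unit test that pins both the skipped proxy case and the new aggregation of flags across all requested indices would keep this access-control path from regressing. The class declaration and fields sit between the two shown change blocks and are not visible here.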
 End of changes. 7 change blocks. 
18 lines changed or deleted 30 lines changed or added
