Don't inject SecurityIndexManager

albertzaharovits · Jun 18, 2024 · b9978be · b9978be
1 parent 8f28047
commit b9978be
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 26 deletions.
diff --git a/.../java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java b/.../java/org/elasticsearch/xpack/core/security/authz/privilege/ClusterPrivilegeResolver.java
@@ -41,6 +41,7 @@
 import org.elasticsearch.xpack.core.security.action.profile.GetProfilesAction;
 import org.elasticsearch.xpack.core.security.action.profile.SuggestProfilesAction;
 import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
+import org.elasticsearch.xpack.core.security.action.role.QueryRoleAction;
 import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
 import org.elasticsearch.xpack.core.security.action.saml.SamlSpMetadataAction;
 import org.elasticsearch.xpack.core.security.action.service.GetServiceAccountAction;
@@ -262,6 +263,7 @@ public class ClusterPrivilegeResolver {
             ProfileHasPrivilegesAction.NAME,
             SuggestProfilesAction.NAME,
             GetRolesAction.NAME,
+            QueryRoleAction.NAME,
             GetRoleMappingsAction.NAME,
             GetServiceAccountAction.NAME,
             GetServiceAccountCredentialsAction.NAME + "*",

diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/Security.java
@@ -165,6 +165,7 @@
 import org.elasticsearch.xpack.core.security.action.role.GetRolesAction;
 import org.elasticsearch.xpack.core.security.action.role.PutRoleAction;
 import org.elasticsearch.xpack.core.security.action.role.PutRoleRequestBuilderFactory;
+import org.elasticsearch.xpack.core.security.action.role.QueryRoleAction;
 import org.elasticsearch.xpack.core.security.action.rolemapping.DeleteRoleMappingAction;
 import org.elasticsearch.xpack.core.security.action.rolemapping.GetRoleMappingsAction;
 import org.elasticsearch.xpack.core.security.action.rolemapping.PutRoleMappingAction;
@@ -257,6 +258,7 @@
 import org.elasticsearch.xpack.security.action.role.TransportDeleteRoleAction;
 import org.elasticsearch.xpack.security.action.role.TransportGetRolesAction;
 import org.elasticsearch.xpack.security.action.role.TransportPutRoleAction;
+import org.elasticsearch.xpack.security.action.role.TransportQueryRoleAction;
 import org.elasticsearch.xpack.security.action.rolemapping.ReservedRoleMappingAction;
 import org.elasticsearch.xpack.security.action.rolemapping.TransportDeleteRoleMappingAction;
 import org.elasticsearch.xpack.security.action.rolemapping.TransportGetRoleMappingsAction;
@@ -1515,6 +1517,7 @@ public void onIndexModule(IndexModule module) {
             new ActionHandler<>(PutUserAction.INSTANCE, TransportPutUserAction.class),
             new ActionHandler<>(DeleteUserAction.INSTANCE, TransportDeleteUserAction.class),
             new ActionHandler<>(GetRolesAction.INSTANCE, TransportGetRolesAction.class),
+            new ActionHandler<>(QueryRoleAction.INSTANCE, TransportQueryRoleAction.class),
             new ActionHandler<>(PutRoleAction.INSTANCE, TransportPutRoleAction.class),
             new ActionHandler<>(DeleteRoleAction.INSTANCE, TransportDeleteRoleAction.class),
             new ActionHandler<>(TransportChangePasswordAction.TYPE, TransportChangePasswordAction.class),

diff --git a/.../src/main/java/org/elasticsearch/xpack/security/action/role/TransportQueryRoleAction.java b/.../src/main/java/org/elasticsearch/xpack/security/action/role/TransportQueryRoleAction.java
@@ -9,7 +9,6 @@
 
 import org.elasticsearch.ElasticsearchStatusException;
 import org.elasticsearch.action.ActionListener;
-import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.support.ActionFilters;
 import org.elasticsearch.action.support.TransportAction;
 import org.elasticsearch.common.inject.Inject;
@@ -23,29 +22,19 @@
 import org.elasticsearch.xpack.security.authz.store.NativeRolesStore;
 import org.elasticsearch.xpack.security.support.FieldNameTranslators;
 import org.elasticsearch.xpack.security.support.RoleBoolQueryBuilder;
-import org.elasticsearch.xpack.security.support.SecurityIndexManager;
 
 import java.util.concurrent.atomic.AtomicBoolean;
 
 import static org.elasticsearch.xpack.security.support.FieldNameTranslators.ROLE_FIELD_NAME_TRANSLATORS;
-import static org.elasticsearch.xpack.security.support.SecurityMigrations.ROLE_METADATA_FLATTENED_MIGRATION_VERSION;
-import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_MAIN_ALIAS;
 
 public class TransportQueryRoleAction extends TransportAction<QueryRoleRequest, QueryRoleResponse> {
 
     private final NativeRolesStore nativeRolesStore;
-    private final SecurityIndexManager securityIndex;
 
     @Inject
-    public TransportQueryRoleAction(
-        ActionFilters actionFilters,
-        NativeRolesStore nativeRolesStore,
-        SecurityIndexManager securityIndex,
-        TransportService transportService
-    ) {
+    public TransportQueryRoleAction(ActionFilters actionFilters, NativeRolesStore nativeRolesStore, TransportService transportService) {
         super(QueryRoleAction.NAME, actionFilters, transportService.getTaskManager());
         this.nativeRolesStore = nativeRolesStore;
-        this.securityIndex = securityIndex;
     }
 
     @Override
@@ -63,26 +52,23 @@ protected void doExecute(Task task, QueryRoleRequest request, ActionListener<Que
                 isQueryingMetadata.set(true);
             }
         }));
-        if (isQueryingMetadata.get()) {
-            if (securityIndex.isMigrationsVersionAtLeast(ROLE_METADATA_FLATTENED_MIGRATION_VERSION) == false) {
-                listener.onFailure(
-                    new ElasticsearchStatusException(
-                        "Cannot query role metadata until automatic migration completed",
-                        RestStatus.SERVICE_UNAVAILABLE
-                    )
-                );
-                return;
-            }
+        if (isQueryingMetadata.get() && nativeRolesStore.isQueryByMetadataAvailable() == false) {
+            listener.onFailure(
+                new ElasticsearchStatusException(
+                    "Cannot query role metadata until automatic migration completed",
+                    RestStatus.SERVICE_UNAVAILABLE
+                )
+            );
+            return;
         }
         if (request.getFieldSortBuilders() != null) {
             ROLE_FIELD_NAME_TRANSLATORS.translateFieldSortBuilders(request.getFieldSortBuilders(), searchSourceBuilder, null);
         }
         if (request.getSearchAfterBuilder() != null) {
             searchSourceBuilder.searchAfter(request.getSearchAfterBuilder().getSortValues());
         }
-        SearchRequest searchRequest = new SearchRequest(new String[] { SECURITY_MAIN_ALIAS }, searchSourceBuilder);
         nativeRolesStore.queryRoleDescriptors(
-            searchRequest,
+            searchSourceBuilder,
             ActionListener.wrap(
                 queryRoleResults -> listener.onResponse(new QueryRoleResponse(queryRoleResults.total(), queryRoleResults.items())),
                 listener::onFailure

diff --git a/...security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java b/...security/src/main/java/org/elasticsearch/xpack/security/authz/store/NativeRolesStore.java
@@ -37,6 +37,7 @@
 import org.elasticsearch.license.LicenseUtils;
 import org.elasticsearch.license.XPackLicenseState;
 import org.elasticsearch.search.SearchHit;
+import org.elasticsearch.search.builder.SearchSourceBuilder;
 import org.elasticsearch.xcontent.ToXContent;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.XContentType;
@@ -77,6 +78,7 @@
 import static org.elasticsearch.xpack.core.security.authz.RoleDescriptor.ROLE_TYPE;
 import static org.elasticsearch.xpack.security.support.SecurityIndexManager.Availability.PRIMARY_SHARDS;
 import static org.elasticsearch.xpack.security.support.SecurityIndexManager.Availability.SEARCH_SHARDS;
+import static org.elasticsearch.xpack.security.support.SecurityMigrations.ROLE_METADATA_FLATTENED_MIGRATION_VERSION;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_MAIN_ALIAS;
 import static org.elasticsearch.xpack.security.support.SecuritySystemIndices.SECURITY_ROLES_METADATA_FLATTENED;
 
@@ -220,8 +222,13 @@ public void getRoleDescriptors(Set<String> names, final ActionListener<RoleRetri
         }
     }
 
-    public void queryRoleDescriptors(SearchRequest searchRequest, ActionListener<QueryRoleResult> listener) {
-        final SecurityIndexManager frozenSecurityIndex = securityIndex.defensiveCopy();
+    public boolean isQueryByMetadataAvailable() {
+        return securityIndex.isMigrationsVersionAtLeast(ROLE_METADATA_FLATTENED_MIGRATION_VERSION);
+    }
+
+    public void queryRoleDescriptors(SearchSourceBuilder searchSourceBuilder, ActionListener<QueryRoleResult> listener) {
+        SearchRequest searchRequest = new SearchRequest(new String[] { SECURITY_MAIN_ALIAS }, searchSourceBuilder);
+        SecurityIndexManager frozenSecurityIndex = securityIndex.defensiveCopy();
         if (frozenSecurityIndex.indexExists() == false) {
             logger.debug("security index does not exist");
             listener.onResponse(QueryRoleResult.EMPTY);