Skip to content

Commit

Permalink
ActionPrivileges fixes
Browse files Browse the repository at this point in the history
Signed-off-by: Nils Bandener <nils.bandener@eliatra.com>
  • Loading branch information
nibix committed Jul 2, 2024
1 parent 31e617f commit b5ff5c8
Showing 1 changed file with 12 additions and 17 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -116,12 +116,9 @@ public PrivilegesEvaluatorResponse hasIndexPrivilege(
Set<String> actions,
IndexResolverReplacer.Resolved resolvedIndices
) {
if (resolvedIndices.isLocalAll()) {
PrivilegesEvaluatorResponse response = this.index.providesWildcardPrivilege(context, actions);

if (response != null) {
return response;
}
PrivilegesEvaluatorResponse response = this.index.providesWildcardPrivilege(context, actions);
if (response != null) {
return response;
}

if (resolvedIndices.getAllIndices().isEmpty()) {
Expand Down Expand Up @@ -593,20 +590,17 @@ PrivilegesEvaluatorResponse providesPrivilege(
*/
PrivilegesEvaluatorResponse providesWildcardPrivilege(PrivilegesEvaluationContext context, Set<String> actions) {
ImmutableSet<String> effectiveRoles = context.getMappedRoles();
CheckTable<String, String> checkTable = CheckTable.create(ImmutableSet.of("*"), actions);

for (String action : actions) {
ImmutableSet<String> rolesWithWildcardIndexPrivileges = this.actionToRolesWithWildcardIndexPrivileges.get(action);

if (rolesWithWildcardIndexPrivileges != null
&& CollectionUtils.containsAny(rolesWithWildcardIndexPrivileges, effectiveRoles)) {
if (checkTable.check("*", action)) {
return PrivilegesEvaluatorResponse.ok();
}
if (rolesWithWildcardIndexPrivileges == null
|| !CollectionUtils.containsAny(rolesWithWildcardIndexPrivileges, effectiveRoles)) {
return null;
}
}

return null;
return PrivilegesEvaluatorResponse.ok();
}

PrivilegesEvaluatorResponse providesExplicitPrivilege(
Expand Down Expand Up @@ -810,18 +804,19 @@ PrivilegesEvaluatorResponse providesPrivilege(

if (indexToRoles != null) {
for (String index : resolvedIndices.getAllIndices()) {
String lookupIndex = index;

if (index.startsWith(DataStream.BACKING_INDEX_PREFIX)) {
// If we have a backing index of a data stream, we will not try to test
// the backing index here, as we filter backing indices during initialization.
// Instead, we look up the containing data stream and check whether this has privileges.
index = backingIndexToDataStream(index, indexMetadata);
lookupIndex = backingIndexToDataStream(index, indexMetadata);
}

Set<String> rolesWithPrivileges = indexToRoles.get(index);
Set<String> rolesWithPrivileges = indexToRoles.get(lookupIndex);

if (rolesWithPrivileges != null && CollectionUtils.containsAny(rolesWithPrivileges, effectiveRoles)) {
checkTable.check(index, action);
if (checkTable.isComplete()) {
if (checkTable.check(index, action)) {
return PrivilegesEvaluatorResponse.ok();
}
}
Expand Down

0 comments on commit b5ff5c8

Please sign in to comment.