From b5ff5c8ba2b24b6ca2c8999a81a001cef2a2059f Mon Sep 17 00:00:00 2001
From: Nils Bandener
Date: Tue, 2 Jul 2024 18:01:50 +0200
Subject: [PATCH] ActionPrivileges fixes

Signed-off-by: Nils Bandener
---
 .../security/privileges/ActionPrivileges.java | 29 ++++++++-----------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
index c931545861..ef40d3096b 100644
--- a/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
+++ b/src/main/java/org/opensearch/security/privileges/ActionPrivileges.java
@@ -116,12 +116,9 @@ public PrivilegesEvaluatorResponse hasIndexPrivilege(
         Set actions,
         IndexResolverReplacer.Resolved resolvedIndices
     ) {
-        if (resolvedIndices.isLocalAll()) {
-            PrivilegesEvaluatorResponse response = this.index.providesWildcardPrivilege(context, actions);
-
-            if (response != null) {
-                return response;
-            }
+        PrivilegesEvaluatorResponse response = this.index.providesWildcardPrivilege(context, actions);
+        if (response != null) {
+            return response;
         }
 
         if (resolvedIndices.getAllIndices().isEmpty()) {
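Review bot: The wildcard short-circuit now runs for every request and precedes the `resolvedIndices.getAllIndices().isEmpty()` branch, so a caller whose roles grant all requested actions on "*" receives ok() even when the resolved index set is empty or not local-all; if that ordering is intended, the hunk should say so rather than leave it implicit. Suggest a comment above the new call: `// A role granting every requested action on "*" covers any concrete index set, so this check may run before index-specific evaluation`. hasIndexPrivilege's body continues outside the hunk.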
@@ -593,20 +590,17 @@ PrivilegesEvaluatorResponse providesPrivilege(
      */
     PrivilegesEvaluatorResponse providesWildcardPrivilege(PrivilegesEvaluationContext context, Set actions) {
         ImmutableSet effectiveRoles = context.getMappedRoles();
-        CheckTable checkTable = CheckTable.create(ImmutableSet.of("*"), actions);
 
         for (String action : actions) {
             ImmutableSet rolesWithWildcardIndexPrivileges = this.actionToRolesWithWildcardIndexPrivileges.get(action);
 
-            if (rolesWithWildcardIndexPrivileges != null
-                && CollectionUtils.containsAny(rolesWithWildcardIndexPrivileges, effectiveRoles)) {
-                if (checkTable.check("*", action)) {
-                    return PrivilegesEvaluatorResponse.ok();
-                }
+            if (rolesWithWildcardIndexPrivileges == null
+                || !CollectionUtils.containsAny(rolesWithWildcardIndexPrivileges, effectiveRoles)) {
+                return null;
             }
         }
 
-        return null;
+        return PrivilegesEvaluatorResponse.ok();
     }
 
     PrivilegesEvaluatorResponse providesExplicitPrivilege(
@@ -810,18 +804,19 @@ PrivilegesEvaluatorResponse providesPrivilege(
 
             if (indexToRoles != null) {
                 for (String index : resolvedIndices.getAllIndices()) {
+                    String lookupIndex = index;
+
                     if (index.startsWith(DataStream.BACKING_INDEX_PREFIX)) {
                         // If we have a backing index of a data stream, we will not try to test
                         // the backing index here, as we filter backing indices during initialization.
                         // Instead, we look up the containing data stream and check whether this has privileges.
-                        index = backingIndexToDataStream(index, indexMetadata);
+                        lookupIndex = backingIndexToDataStream(index, indexMetadata);
                     }
 
-                    Set rolesWithPrivileges = indexToRoles.get(index);
+                    Set rolesWithPrivileges = indexToRoles.get(lookupIndex);
 
                     if (rolesWithPrivileges != null && CollectionUtils.containsAny(rolesWithPrivileges, effectiveRoles)) {
-                        checkTable.check(index, action);
-                        if (checkTable.isComplete()) {
+                        if (checkTable.check(index, action)) {
                             return PrivilegesEvaluatorResponse.ok();
                         }
                     }
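Review bot: With the loop inverted, an empty `actions` set now yields `PrivilegesEvaluatorResponse.ok()` because the loop body never runs, whereas the removed code fell through to `return null` in that case; since hasIndexPrivilege returns this response straight to its caller, an empty action set becomes an unconditional grant. If vacuous grants are not intended, guard before the loop: `if (actions.isEmpty()) { return null; }`. The Javadoc that ends at the hunk's first context line should also state the new contract: ok() only when every requested action is granted on "*" by at least one effective role, null otherwise.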
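Review bot: The early return now hinges on the boolean from `checkTable.check(index, action)` in place of the explicit `isComplete()` call, but nothing at the call site says whether `check` reports whole-table completeness or only that this cell was marked; the grant condition should be auditable without opening CheckTable, so add `// check() returns true once every index/action cell in the table is covered` above the if, adjusting the wording if the semantics differ. The `lookupIndex` split is the right shape: the table stays keyed by the resolved index while roles are looked up by the containing data stream. Whether `backingIndexToDataStream` can return null, and how `indexToRoles.get` treats a null key, is not visible here and is worth confirming. The enclosing loop and providesPrivilege continue outside the hunk.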