From 38174169f7281714e9a38ee29a2bc7b3661e5e92 Mon Sep 17 00:00:00 2001 From: Nils Bandener Date: Tue, 11 Jun 2024 09:14:50 +0200 Subject: [PATCH] Replaced uses of SecurityRoles by Set mappedRoles where the SecurityRoles functionality is not needed. Signed-off-by: Nils Bandener --- .../security/privileges/PrivilegesEvaluator.java | 10 +++++----- .../privileges/ProtectedIndexAccessEvaluator.java | 12 +++++------- 2 files changed, 10 insertions(+), 12 deletions(-) diff --git a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java index e075f787b4..23a8022945 100644 --- a/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/PrivilegesEvaluator.java @@ -296,7 +296,7 @@ public PrivilegesEvaluatorResponse evaluate( "No cluster-level perm match for {} [Action [{}]] [RolesChecked {}]. No permissions for {}", user, action0, - securityRoles.getRoleNames(), + mappedRoles, presponse.missingPrivileges ); } else { @@ -333,7 +333,7 @@ public PrivilegesEvaluatorResponse evaluate( } // Protected index access - if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, securityRoles).isComplete()) { + if (protectedIndexAccessEvaluator.evaluate(request, task, action0, requestedResolved, presponse, mappedRoles).isComplete()) { return presponse; } @@ -374,7 +374,7 @@ public PrivilegesEvaluatorResponse evaluate( user, requestedResolved, action0, - securityRoles.getRoleNames(), + mappedRoles, presponse.missingPrivileges ); return presponse; @@ -471,7 +471,7 @@ public PrivilegesEvaluatorResponse evaluate( if (isDebugEnabled) { log.debug("Requested resolved index types: {}", requestedResolved); - log.debug("Security roles: {}", securityRoles.getRoleNames()); + log.debug("Security roles: {}", mappedRoles); } // TODO exclude Security index @@ -561,7 +561,7 @@ public PrivilegesEvaluatorResponse evaluate( user, requestedResolved, action0, - securityRoles.getRoleNames() + mappedRoles ); log.info("No permissions for {}", presponse.missingPrivileges); } else { diff --git a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java index e4fd404daa..877e6fd787 100644 --- a/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java +++ b/src/main/java/org/opensearch/security/privileges/ProtectedIndexAccessEvaluator.java @@ -13,6 +13,7 @@ import java.util.ArrayList; import java.util.List; +import java.util.Set; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -23,7 +24,6 @@ import org.opensearch.common.settings.Settings; import org.opensearch.security.auditlog.AuditLog; import org.opensearch.security.resolver.IndexResolverReplacer; -import org.opensearch.security.securityconf.SecurityRoles; import org.opensearch.security.support.ConfigConstants; import org.opensearch.security.support.WildcardMatcher; import org.opensearch.tasks.Task; @@ -73,7 +73,7 @@ public PrivilegesEvaluatorResponse evaluate( final String action, final IndexResolverReplacer.Resolved requestedResolved, final PrivilegesEvaluatorResponse presponse, - final SecurityRoles securityRoles + final Set mappedRoles ) { if (!protectedIndexEnabled) { return presponse; @@ -81,23 +81,21 @@ public PrivilegesEvaluatorResponse evaluate( if (!requestedResolved.isLocalAll() && indexMatcher.matchAny(requestedResolved.getAllIndices()) && deniedActionMatcher.test(action) - && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) { + && !allowedRolesMatcher.matchAny(mappedRoles)) { auditLog.logMissingPrivileges(action, request, task); log.warn("{} for '{}' index/indices is not allowed for a regular user", action, indexMatcher); presponse.allowed = false; return presponse.markComplete(); } - if (requestedResolved.isLocalAll() - && deniedActionMatcher.test(action) - && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) { + if (requestedResolved.isLocalAll() && deniedActionMatcher.test(action) && !allowedRolesMatcher.matchAny(mappedRoles)) { auditLog.logMissingPrivileges(action, request, task); log.warn("{} for '_all' indices is not allowed for a regular user", action); presponse.allowed = false; return presponse.markComplete(); } if ((requestedResolved.isLocalAll() || indexMatcher.matchAny(requestedResolved.getAllIndices())) - && !allowedRolesMatcher.matchAny(securityRoles.getRoleNames())) { + && !allowedRolesMatcher.matchAny(mappedRoles)) { final boolean isDebugEnabled = log.isDebugEnabled(); if (request instanceof SearchRequest) {